Despite its swift growth and mass adoption, DeFi has earned notoriety as one of the most frequently hacked corners of the blockchain space over the last few years. In 2020 alone, over US$470 million was lost to criminals.
Let’s examine some of the worst hacks that have happened lately, and see the vulnerabilities in DeFi they have exposed.
Why This Happens
Firstly, DeFi is open-source, meaning that its code is exposed to anyone, which comes with benefits but also risks.
Secondly, DeFi applications are composable: each one calls into other protocols, so it inherits their attack surface and is open to external exploitation through them.
Lastly, DeFi projects tend to be launched in a rush. Eager to grab a piece of the new financial market pie, some developers turn a blind eye to errors and vulnerabilities.
How Do DeFi Exploiters Game the System?
You may be wondering how DeFi exploiters fool their victims. Well, an examination of the key hack events shows that there are quite a few ways.
According to Ivan on Tech, the most common ways to trick DeFi protocols are as follows:
- Reentrancy attack – caused by a contract making an external call to an untrusted contract before it has finished updating its own state, so the callee can call back in and act on stale balances.
- Price oracle manipulation – caused by an attacker manipulating the price source a smart contract reads from (for example, an AMM pool used as an oracle) at the moment the contract requests token price details.
- Logic errors – caused by internal errors that may open up a particular smart contract to an external exploit.
Let’s see how the above have affected some of the most well-known crypto platforms.
DeFi Hack #1: Yearn.Finance – DAI Exploit
Amount lost: $11m
Hacking style: flash loan attack
Yearn.Finance (YFI), a popular decentralized finance protocol, was subject to a hacking exploit, which cost it a whopping $11m.
The exploit occurred in one of Yearn.Finance’s DAI stablecoin lending pools. The vault was drained using an Aave flash loan: because the vault sourced its DAI price from the very pool the attacker was manipulating, it allowed repeated withdrawals from the contract, which in turn let the attacker profit from the flash-borrowed funds.
Although the exploit has since been mitigated, the platform suffered a major coin price drop and had to open a Maker vault to mint 9.7m DAI tokens to refund its users.
DeFi Hack #2: bZx Hack
Amount lost: $8m
Hacking style: flash loan attack
bZx was a victim of hack attacks three times throughout 2020. This generated a total of $8m in losses, draining an impressive 30% of its funds.
According to Bitcoin.com’s engineer Marc Thalen, the possibility of duplicating “i tokens” on the protocol exposed bZx to hack attacks.
The first two attacks were executed through flash loans, allowing hackers to use borrowed funds to manipulate DeFi token prices, eventually draining the liquidity pool at the most favorable prices.
The latest exploit targeted a bug in its protocol that let hackers mint unbacked tokens and then trade them for DAI, USDT, ETH and LINK.
DeFi Hack #3: DODO DEX Exploit
Amount lost: $3.8m
Hacking style: flash loan attack
DODO, one of the top 10 DEXes by Total Value Locked (TVL), lost $3.8m in an exploit targeting its mining pools.
Liquidity for traders is provided through so-called “crowdpools” funded by miners. The exploit targeted some of these pools, namely ETHA, FUSI, WSZO and WCRES. Because of a bug in the pool contracts, criminals were able to create counterfeit tokens and drain the pools with the help of flash loans.
Halborn reports that the bug lay in the init() function of DODO’s smart contracts, which allowed the same function to be called repeatedly with different parameters. The attack took four steps to complete:
- Generating a counterfeit token and calling a contract’s init() function.
- Using the sync() function to set the “reserve” variable to 0, which in turn brings the recorded token balance to 0.
- Calling the init() function another time pointing to an authentic token from a crowdpool.
- Using a flash loan to finally drain the real tokens out of the affected pool.
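The re-initialization bug class behind the four steps above, as an added Solidity example (not DODO’s code; the pool, the factory role and the variable names are hypothetical): the vulnerable pool lets anyone call init() again, while the hardened one makes it a one-shot call restricted to its deployer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example of the bug class described above; not DODO's code. The pool,
// the factory role and the variable names are hypothetical.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

// Vulnerable: init() can be re-called by anyone, so the token the pool points at
// and the reserve that sync() records can be decoupled after launch: point at a
// worthless token, sync() to a zero reserve, then re-init with the real token.
contract PoolVulnerable {
    IERC20 public baseToken;
    uint256 public baseReserve;
    function init(address token) external {
        baseToken = IERC20(token);
    }
    function sync() external {
        baseReserve = baseToken.balanceOf(address(this));
    }
}

// Hardened: init() is a one-shot initializer restricted to the deploying factory,
// so neither the token nor the reserve bookkeeping can be re-pointed later.
contract PoolHardened {
    IERC20 public baseToken;
    uint256 public baseReserve;
    address public immutable factory;
    bool private initialized;
    constructor() { factory = msg.sender; }
    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;          // set before the body runs, so re-entry also fails
        _;
    }
    function init(address token) external initializer {
        require(msg.sender == factory, "only factory");
        require(token != address(0), "zero token");
        baseToken = IERC20(token);
    }
    function sync() external {
        // With init() locked, the reserve can only ever track the real token.
        baseReserve = baseToken.balanceOf(address(this));
    }
}
```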
DeFi Hack #4: Furucombo dApp Drain
Amount lost: $14m
Hacking style: “evil contract” exploit
Furucombo, a tool for managing multiple DeFi interactions and transactions from one dashboard, was subject to a so-called “evil contract” exploit, a follow-on to last year’s “evil jar” and “evil spell” attacks.
This type of attack involves creating a smart contract that convinces the protocol it is a legitimate part of it, which in turn grants access to the funds deposited there. In Furucombo’s case, the hacker managed to wipe the funds of all users who had granted token permissions to the “fooled” contract.
DeFi Hack #5: dForce & Lendf.Me
Amount lost: $25m
Hacking style: reentrancy attack
Lendf.Me, a dForce-powered lending market, fell victim to a hack attack amounting to a total of $25m.
The exploit happened soon after the platform added imBTC, an ERC777 token. ERC777 tokens notify the sender and recipient through callback hooks during a transfer, a long-known source of reentrancy attacks, so Lendf.Me became vulnerable as soon as it adopted them.
As in other reentrancy attacks, the hacker supplied and withdrew tokens over and over again while the recorded balance was not being updated correctly.
Interestingly, almost the full amount has since been returned.
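Both the reentrancy item in the list at the top of this article and the Lendf.Me case above come down to the same pattern, shown here as an added Solidity example modelled on the description (not Lendf.Me’s code; the market contract, its token interface and the variable names are hypothetical): the vulnerable market snapshots a balance before an ERC777 transfer whose hook can re-enter, while the hardened one uses a mutex and updates state before the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example modelled on the description above, not Lendf.Me's code; the
// market, token interface and variable names are hypothetical.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Vulnerable: supply() snapshots the balance and then makes an external call. An
// ERC777 transferFrom() runs the sender's tokensToSend hook mid-call; if the hook
// calls withdraw(), the final write restores the pre-withdrawal balance, so the
// same deposit can be withdrawn repeatedly.
contract MarketVulnerable {
    IERC20Like public immutable token;
    mapping(address => uint256) public supplied;
    constructor(IERC20Like _token) { token = _token; }
    function supply(uint256 amount) external {
        uint256 before = supplied[msg.sender];                 // stale snapshot
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom");
        supplied[msg.sender] = before + amount;                // undoes any withdraw made by the hook
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer");
    }
}
// Hardened: a reentrancy mutex on every state-changing entry point, and balances
// updated in place, before the external call (checks-effects-interactions).
contract MarketHardened {
    IERC20Like public immutable token;
    mapping(address => uint256) public supplied;
    uint256 private locked = 1;
    constructor(IERC20Like _token) { token = _token; }
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }
    function supply(uint256 amount) external nonReentrant {
        supplied[msg.sender] += amount;                        // effect before interaction
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom");
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer");
    }
}
```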
DeFi Hack #6: Hegic
Amount lost: $48K
Hacking style: logic error
Hegic’s case is different from the previously described attacks, yet it exposes an issue that may affect other similar projects.
Hegic is a platform that lets its users insure against price volatility through options: a trader who acquires an option at a higher price can still sell the tokens at that price in the future even if their market price has fallen below it.
The platform spotted a typo in its smart contracts: ‘options.length’ where ‘optionIDs.length’ was intended. The bug locked user assets whenever options went unexercised, leaving no liquidity to pay out on expired contracts. Fixing the issue and refunding affected users cost Hegic $48K.
DeFi Hack #7: Cheese Bank
Amount lost: $3.3m
Hacking style: flash loan attack
Cheese Bank, an Ethereum-based decentralized digital bank, is another example of a flash loan attack, which cost it $3.3m worth of USDC, USDT and DAI.
The platform was exposed because it read asset prices from AMM pools such as Uniswap or Curve. Whenever the price on Uniswap was manipulated, a hacker could therefore run a series of borrowings to drain funds from Cheese Bank.
As Ivan on Tech points out, the hacker used dYdX flash loans, Uniswap swaps and Cheese Bank borrow calls to manipulate the CHEESE<>ETH pool and get away with the yields.
DeFi Hack #8: DeFi Protocol Harvest Finance Hacked
Amount lost: $34m
Hacking style: flash loan attack
Harvest Finance witnessed one of the biggest hack attacks among DeFi platforms. The hacker managed to get away with $34m following a 7-minute flash loan attack.
The attack targeted the platform’s reserves deposited in Curve, one of the major DeFi protocols. It crashed the prices of USDC and USDT, which the hacker turned to their advantage.
Following this, Harvest Finance developers proposed a mitigation against flash loans: prohibiting deposits and withdrawals of funds within the same transaction.
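The Cheese Bank and Harvest Finance cases both price assets from a pool whose reserves a flash loan can skew within one transaction. As an added Solidity example (not either project’s code; the pair interface follows Uniswap V2 and both oracle contracts are hypothetical), a spot-price read sits beside a time-weighted-average oracle that a single-transaction loan cannot move.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example, not Cheese Bank's or Harvest Finance's code. The pair interface
// follows Uniswap V2 (getReserves, price0CumulativeLast); both oracles are hypothetical.
interface IUniswapV2Pair {
    function getReserves() external view returns (uint112, uint112, uint32);
    function price0CumulativeLast() external view returns (uint256);
}
// Vulnerable: the instantaneous reserve ratio. A flash-loan swap in the same
// transaction moves it arbitrarily and a second swap moves it back.
contract SpotOracle {
    IUniswapV2Pair public immutable pair;
    constructor(IUniswapV2Pair _pair) { pair = _pair; }
    function price() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / r0;               // token1 per token0, 1e18 scaled
    }
}
// Hardened: a time-weighted average over PERIOD. Distorting it means holding the
// skewed reserves for many blocks, which a single-transaction loan cannot do.
contract TwapOracle {
    IUniswapV2Pair public pair;
    uint256 public constant PERIOD = 30 minutes;
    uint256 private lastCumulative;
    uint32 private lastTimestamp;
    uint224 public averagePriceUQ;                    // UQ112x112 fixed point
    constructor(IUniswapV2Pair _pair) {
        pair = _pair;
        (lastCumulative, lastTimestamp) = _currentCumulative();
    }
    // Brings the pair's cumulative price forward to now using the last recorded
    // reserves, exactly as the pair itself would on its next sync.
    function _currentCumulative() internal view returns (uint256 cum, uint32 ts) {
        (uint112 r0, uint112 r1, uint32 tsLast) = pair.getReserves();
        cum = pair.price0CumulativeLast();
        ts = uint32(block.timestamp);
        if (ts != tsLast) cum += (uint256(r1) << 112) / r0 * (ts - tsLast);
    }
    function update() external {
        (uint256 cum, uint32 ts) = _currentCumulative();
        uint32 elapsed = ts - lastTimestamp;
        require(elapsed >= PERIOD, "period not elapsed");
        averagePriceUQ = uint224((cum - lastCumulative) / elapsed);
        (lastCumulative, lastTimestamp) = (cum, ts);
    }
    function consult(uint256 amount0In) external view returns (uint256 amount1Out) {
        return (uint256(averagePriceUQ) * amount0In) >> 112;   // 0 until the first update()
    }
}
```

The same-transaction deposit/withdrawal ban proposed by Harvest’s developers is a complementary control: it breaks the borrow-and-loop pattern inside the consuming vault, while the averaged price removes the payoff from skewing the pool in the first place.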
DeFi Hack #9: Balancer
Amount lost: $500K
Hacking style: flash loan attack
Balancer, one of the largest Ethereum-based liquidity providers, lost $500K in a series of hack attacks.
The first known case targeted only pools containing STA and STONK. Similar to the above-listed cases, the attacker arranged an ETH loan from dYdX, converted it to WETH, and swapped it to and from STA multiple times.
As the STA balance dwindled, the contract did not update its internal bookkeeping accordingly. The hacker then called a function that made the STA price soar on the back of its artificially reduced supply, and took advantage of the rise by swapping STA for other tokens such as BTC, ETH and COMP. A second attack followed, using the same approach with different tokens.
DeFi Hack #10: Bancor
Amount lost: $23.5m
Hacking style: smart contract vulnerability
Bancor learned a lesson on security back in 2018 when it fell victim to a wallet hacking attack worth $23.5m.
Nowadays, crypto exploits are more sophisticated, but the platform does not want to wait to be hacked again. To head off that risk, it hacked itself to fix a critical vulnerability in the way users interact with its smart contracts.
It turned out that Bancor users who swapped their ERC20 assets after the contract deployment had granted the respective contracts unlimited token approvals. Because the method these contracts used to move tokens was public, anyone could potentially have called it to hijack those approvals and steal the users’ funds.
Key Takeaway
DeFi has been subject to multiple exploits and attacks recently. Most of them were executed via flash loans, which involved borrowing tokens, fooling smart contracts, manipulating prices and pocketing the illegal earnings.
Should you require a tech audit or a custom-made solution to protect your DeFi project, feel free to reach out to our team.