Decentralized finance (DeFi) refers to blockchain-based applications that exclude intermediaries from financial goods and services like savings, loans and swaps. Though DeFi provides great benefits, it can also involve tons of risks.
In 2021, the number of DeFi attacks grew by nearly 2.5 times in comparison to 2020. And the sum of stolen funds increased almost threefold. The reason for this is that projects devote more effort to innovation and fewer funds to security, thus the hacking rate is constantly on the rise.
This article shows the top 10 DeFi exploits. All estimates presented are in the value as of the time of the incident.
1. Ronin Network hack: Over $625 million lost
The NFT-powered Axie Infinity game is among the biggest crypto success stories of the previous year. On March 23, 2022, it happened to be the victim of the largest crypto hack of the time. The Ronin Network attack resulted in a more than $600 million loss.
The hackers were able to acquire 5 out of 9 validator keys, allowing them to fake withdrawals worth about $625 million. The hackers then chain-recorded the transactions and validated them via the stolen keys. They pulled most of the funds out of the Ronin Bridge in just two transactions.
2. Poly Network hack: $610 Million lost (and returned)
Another major DeFi security attack occurred on August 10, 2021, involving Poly Network, a cross-chain crypto swap provider. The hacker cracked a smart contract on the platform and transmitted a combined total of $610 million to their Ethereum and BSC addresses.
Poly Network reached out to the hacker asking for the funds back. The day after the attack, the hacker, who identified himself as "Mr. Whitehat," gave back about $260 million, claiming that his actions were a demonstration of crypto platform insecurities. By August 23, Mr. Whitehat had returned the rest of the hacked funds.
3. Wormhole: $326 Million
One of the most destructive cross-chain attacks happened in January 2022, when Wormhole, a well-known bridge, lost $320 million in Wrapped Ethereum (wETH). WETH is a cryptocurrency referenced to the Ethereum price on a 1:1 basis. The hackers' target was the bridge's leg on Solana, where users must lock Ethereum into a smart contract first in order to receive an equal amount in Wrapped Ethereum.
The hacker found a method to do this by minting wETH without getting ETH locked in Wormhole. It became possible owing to a malfunction in the smart contract, which the hacker benefited from. The Wormhole bridge attack proved doubts about cross-chain bridges to be justified.
4. Beanstalk: $182 Million
In April 2022, an Ethereum-based protocol Beanstalk revealed one of the biggest crypto hacks so far: $182 million had disappeared in a flash loan attack. The hacker(s) succeeded in laundering $80 million in Ethereum through Tornado Cash.
Beanstalk is renowned for its algorithmic BEAN stablecoin, supposed to be $1. Though it held the peg momentarily following the attack, the exploit showed that algorithmic stablecoins are only as stable as their underlying contracts.
5. Compound Finance – $150 Million
Compound Finance, an Ethereum-based lending and borrowing platform, is one of the major DeFi projects. The protocol mistakenly paid huge amounts in native COMP cryptocurrency to a number of users in September 2021. It was a vulnerability that allowed borrowers to collect a larger amount than their estimated share of COMP.
Compound Finance’s CEO, Robert Leshner, reached out on Twitter to the receivers of the funds, requesting a payback. Approximately half of the funds were returned. Whether the misdistribution of COMP tokens was a plotted attack or an honest mistake by the developers is still a matter of uncertainty.
6. Vulcan Forged: $140 Million
Vulcan Forged, a Polygon gaming platform, was hit in December 2021 when its customers lost $140 million. As per a report, the hacker acquired the credentials of the centralized user wallet - Venly - to obtain the private keys of 96 crypto wallets. The hacker ended up with 4.5 million Vulcan Forged native PYR tokens.
7. Cream Finance: $130 Million
In October 2021, Cream Finance, a multi-chain lending protocol, was hit by a flash loan attack that led to the drain of around $130 million out of its Ethereum-based liquidity pool. The hacker managed to exploit a weakness in pricing by taking out multiple flash loans on different Ethereum addresses.
In fact, this was the third attack involving Cream Finance in 2021, nearly two months prior to this, the platform underwent a $19-million flash loan attack.
8. Paid Network: $127 Million
Paid Network, an ecosystem dApp offering smart contract agreement services, experienced one of the largest DeFi hacks when an attacker made use of a previously compromised private key. Applying the key, the hacker swapped the original smart contract on the platform for a customized one.
9. Badger DAO: $120 Million
Smart contract vulnerabilities are not always targeted by attackers. Badger, a lending platform that utilizes Bitcoin collateral and runs on Ethereum, suffered a $120 million loss in December 2021 because of an attack directed at its UI (user interface) functionality.
10. BNB Chain: $100 Million
BNB Chain, a blockchain connected with crypto exchange Binance, became the victim of a hack that resulted in a $100 million drain in crypto. The hackers used BSC Token Hub, one of the platform’s bridges, to mint additional BNB tokens, that were later drained.
What to Do to Prevent Hacking?
Such situations could have been prevented with a DeFi security audit, which is a thorough review and analysis of the code. To make sure that code deployment works correctly and without failures, companies can order auditing services from reliable auditing companies such as Hexens. Audits carried out by highly qualified professionals with the extra help of automated tools give multiple benefits to blockchain projects.