DeFi Exploits in 2021: A Compilation of DeFi Crimes


Losses from DeFi exploits in 2021 have already surpassed the figures recorded in 2020. As the amount of money locked in DeFi protocols grows, so does the incentive for criminals to attack them.

While there have been fewer DeFi attacks in 2021, they have been more devastating than those of 2020. According to CipherTrace's May 2021 report, criminals took $156 million from DeFi protocols in the first five months of 2021, which already exceeds the $129 million stolen in DeFi-related hacks throughout 2020.

Let's explore the DeFi exploits that have occurred so far in 2021.

DeFi hacks and exploits in the first quarter

Feb 4: Yearn Finance (YFI) Flash Loan Attack

January 2021 was uneventful, and the crypto market and DeFi were enjoying a boom. In February, Yearn Finance, a yield aggregation protocol and currently the eighth largest Ethereum-based DeFi platform with a TVL of $3.26 billion, became the first 2021 victim of criminals looking to profit from this emerging market by their own methods.

On February 4, 2021, Yearn Finance suffered an exploit financed by flash loans. According to the details, Yearn Finance's yDAI vault was exploited for a loss of $11 million. Although the attacker drained $11 million from Yearn, he only kept $2.7 million in DAI, as the fees and slippage involved in executing the attack cost him millions.

The attacker started with flash loans taken from dYdX and Aave. He then used these loans as collateral for a further loan on Compound. After that, he deposited the funds into the yDAI vault, distorting the DAI price in the Curve pool the vault uses. Finally, he sold the Curve LP tokens accumulated from that pool against the inflated DAI.

The attack was mitigated: the team responded within 11 minutes and protected the remaining $24 million stored in the vault from the attacker. Following the exploit, Yearn Finance commissioned a series of audits from MixBytes.

Feb 13: Alpha Homora Flash Loan Attack

On February 13, Alpha Homora V2, a leveraged yield farming protocol on Ethereum, was exploited for more than $37 million in a complex flash loan attack involving Cream Finance's Iron Bank.

After the attack, Alpha Homora published a post-mortem report. According to the report, the attacker was able to use Alpha's sUSD lending contracts, which had not yet been publicly announced at the time. Cream Finance's Iron Bank (Cream V2) was also affected, because Alpha Homora V2 integrates with Cream V2 in a protocol-to-protocol lending arrangement.

The attack was complex and involved nine transactions. The attacker repeatedly used Alpha Homora to borrow sUSD from Iron Bank, doubling the amount each time, then lent those funds back to Cream's Iron Bank and received cySUSD in return. The perpetrator repeated this cycle many times: borrow sUSD via Alpha Homora, lend it to Cream's Iron Bank, receive cySUSD.

After many rounds, the attacker had accumulated an enormous cySUSD balance, enough to borrow anything from Iron Bank. He then borrowed 13.2k WETH, 3.6M USDC, 5.6M USDT and 4.2M DAI. The three stablecoins were deposited into Aave V2. The 13.2k ETH was split several ways: 1,000 ETH returned to Iron Bank, 1,000 ETH to Alpha Homora, 320 ETH to a donation fund, and 10,925 ETH kept in the attacker's wallet. In total, the Alpha Homora attacker netted approximately $37.5 million.

According to Alpha Homora, no user funds were lost, as there was no user liquidity in the sUSD lending pool.

February 27: Furucombo Smart Contract Exploit

On February 27, Furucombo, a protocol for batching transactions and interacting with multiple DeFi protocols at once, was exploited for $15 million. According to the post-mortem report, the breach affected 22 Furucombo users and resulted in the theft of 21 different assets worth $15 million by an unknown attacker.

This was an "evil contract" exploit: a fake contract made Furucombo believe that Aave v2 had a new implementation, under the attacker's control. Because of this, every interaction routed through the Aave v2 handler allowed tokens that users had approved to Furucombo to be transferred to an arbitrary address.

March 8: DODO DEX Exploit

On March 8, 2021, DODO, a DEX on Ethereum and BSC, suffered a smart contract exploit in which attackers stole approximately $3.8 million worth of cryptocurrency from several of DODO's Crowdpools.

DODO provides liquidity to traders through Crowdpools that liquidity providers contribute to. Four of these pools (WSZO, WCRES, ETHA and FUSI) were affected by the exploit. The attackers took advantage of a bug in the DODO V2 Crowdpooling smart contract: its init() function could be called again after the pool had already been initialized.

The attackers first created a fake token and called init() on the vulnerable contract with it. Using the sync() function, they set the contract's reserve variable to 0, since the contract held none of the fake token. They then called init() again, this time pointing the pool at a real token from one of the DODO pools, and used a flash loan to move all of those tokens out of the pool while bypassing the flash loan repayment check. According to some sources, the DODO team was able to recover $3.1 million of the stolen assets.
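The core of the DODO bug is an initializer with no "already initialized" guard, so anyone can repoint the pool's token variables while a flash loan is in flight. The following Python model is an added example, not DODO's contract code: token balances are plain dicts standing in for ERC-20 balanceOf(pool) calls, the pool and token names are constructed, and the flash loan is collapsed into a single call with the attacker's callback in the middle. It shows the repayment check passing against the wrong token when re-initialization is allowed, and reverting when init() is guarded.

```python
"""Simplified model of a pool whose init() can be called more than once.

Added example, not DODO's contract code: token balances are plain dicts
standing in for ERC-20 balanceOf(pool) calls, and all token names and
amounts are constructed for illustration.
"""


class AlreadyInitialized(Exception):
    """Raised by the hardened init() on a second call."""


class Crowdpool:
    def __init__(self, balances, guard_init):
        self.balances = dict(balances)        # token -> amount the pool holds
        self.base = self.quote = None         # tokens the pool currently trades
        self.base_reserve = self.quote_reserve = 0
        self.initialized = False
        self.guard_init = guard_init          # True = hardened version

    def init(self, base, quote):
        # The bug: without this guard, anyone can call init() again and
        # repoint the pool at tokens of their choosing.
        if self.guard_init and self.initialized:
            raise AlreadyInitialized("init() may only run once")
        self.base, self.quote = base, quote
        self.initialized = True
        self.sync()

    def sync(self):
        # Reserves are re-read from the pool's balance of whatever base/quote
        # point at right now; for a token the pool never held that is 0.
        self.base_reserve = self.balances.get(self.base, 0)
        self.quote_reserve = self.balances.get(self.quote, 0)

    def flash_loan(self, base_amount, quote_amount, wallet, callback):
        """Send base/quote to `wallet`, run `callback`, then check repayment.

        Mirrors the on-chain flow: funds go out first, the borrower's code
        runs, and only afterwards does the pool verify that its balances are
        back above the recorded reserves.  Any exception reverts everything.
        """
        snapshot = (dict(self.balances), dict(wallet), self.base, self.quote,
                    self.base_reserve, self.quote_reserve)
        try:
            for token, amount in ((self.base, base_amount), (self.quote, quote_amount)):
                if amount > self.balances.get(token, 0):
                    raise ValueError("insufficient liquidity")
                self.balances[token] -= amount
                wallet[token] = wallet.get(token, 0) + amount
            callback(self)
            # Repayment check uses self.base / self.quote as they are NOW,
            # which is exactly what a re-init inside the callback changes.
            if (self.balances.get(self.base, 0) < self.base_reserve
                    or self.balances.get(self.quote, 0) < self.quote_reserve):
                raise ValueError("flash loan not repaid")
            self.sync()
        except Exception:
            balances, wallet_before, self.base, self.quote, self.base_reserve, self.quote_reserve = snapshot
            self.balances = balances
            wallet.clear()
            wallet.update(wallet_before)
            raise


def run_attack(guard_init):
    """Return what the attacker holds afterwards ({} means the tx reverted)."""
    pool = Crowdpool({"WSZO": 1_000_000, "USDT": 500_000}, guard_init)
    pool.init("WSZO", "USDT")                   # legitimate setup by the project
    wallet = {}

    def attacker_callback(p):
        # Re-initialize the pool against a worthless token the attacker deployed,
        # so the repayment check measures FAKE (reserve 0, balance 0) instead of
        # the WSZO/USDT that were just sent out.
        p.init("FAKE", "FAKE")

    try:
        pool.flash_loan(1_000_000, 500_000, wallet, attacker_callback)
    except (AlreadyInitialized, ValueError):
        return {}                               # reverted: nothing leaves the pool
    return wallet


if __name__ == "__main__":
    print("unguarded:", run_attack(guard_init=False))   # attacker drains both tokens
    print("guarded:  ", run_attack(guard_init=True))    # {} - the second init() reverts
```

The fix is the one line in init(): a Solidity initializer needs the same `require(!initialized)` guard, and any function that re-reads "which tokens am I" between sending funds out and checking they came back is a re-initialization target.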

March 4: $31M Meerkat Finance Exploit

On March 4, 2021, just one day after its launch, Meerkat Finance, a BSC-based yield farming protocol, claimed that it had been hacked for $31 million. The project claimed its smart contract vault was exploited and that the attacker drained around 13 million BUSD and 73,000 BNB, worth $31 million at the time.

But the community believed this was an exit scam and that the Meerkat Finance team had absconded with user funds: on-chain analysis showed that the funds were drained by modifying the smart contract holding the business logic of the project's vault, using the original Meerkat deployer account. Suspicions of a rug pull grew when, shortly after the attack, the Meerkat Finance website and Twitter account went offline.

March 5: PAID Network $3M Exploit

On March 5, PAID Network, a smart contract platform for businesses that had run one of the most popular Initial DEX Offerings (IDO) on Polkastarter, was exploited for around $3 million. The attacker abused the PAID token's minting function, creating 60 million PAID tokens out of thin air and transferring them to their own wallet.

At the PAID token price of $2.8 at the time, the attacker nominally held $180 million worth of tokens, but the price plummeted almost 90% after the attack. The attacker managed to swap around $3 million of the tokens for Wrapped Ether (WETH); the rest remained in PAID tokens.

The community expected another exit scam, but the team responded after a few days. According to the team, the attack was the result of poor smart contract key management, not a contract vulnerability: the project relied on a single private key to control the upgradeable smart contract. By compromising that private key, the attacker gained control of the contract's upgrade function.

The attacker upgraded the contract to a malicious implementation that allowed tokens to be burned and minted at will. The project still exists, and the PAID token is priced at $0.422 as of this writing.

March 15: Roll's Hot Wallet

On March 15, Roll, a social token platform on Ethereum, suffered a hot wallet breach in which hackers drained at least 3,000 ETH worth $5.7 million. The attacker stole 11 different social tokens, including $WHALE, $RARE and $PICA. According to the team, the private keys of the hot wallet were compromised.

DeFi hacks in the second quarter

April 3: ForceDAO Launch Day Exploit

On April 3, 2021, the Ethereum-based yield aggregator ForceDAO was hacked within hours of its launch. According to the post-mortem report, just after ForceDAO launched its airdrop campaign, four black hat hackers drained a total of 183 Ether (ETH), worth roughly $367,000 at the time. A white hat hacker helped the ForceDAO team by alerting it, avoiding further losses.

According to the details, the attackers exploited a bug in ForceDAO's xFORCE vault, a fork of SushiSwap's SushiBar contract. The FORCE token signals a failed transfer by returning false rather than reverting, and the vault did not check that return value. The hackers "deposited" FORCE tokens that they knew could not be transferred; the deposit moved no tokens, yet the vault still minted xFORCE for them. They then exchanged these xFORCE tokens for ETH.
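The ForceDAO bug is the unchecked-return-value pattern: an ERC-20 that returns false on failure, paired with a vault that never looks at the boolean. This added Python model, which is not ForceDAO's or SushiSwap's code, stands in for both contracts with constructed balances and names. It mints shares pro rata to the tokens the vault believes it received, and contrasts a raw transferFrom call with a SafeERC20-style wrapper that treats a false return as a revert.

```python
"""Model of a staking vault that ignores the boolean returned by transferFrom.

Added example, not ForceDAO's or SushiSwap's code.  The token and vault are
Python classes standing in for an ERC-20 and the xFORCE/SushiBar pattern;
balances and account names are constructed for illustration.
"""


class FalseReturningToken:
    """ERC-20 whose transferFrom returns False on failure instead of reverting."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}                    # (owner, spender) -> amount

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, sender, recipient, amount):
        if (self.balances.get(sender, 0) < amount
                or self.allowances.get((sender, spender), 0) < amount):
            return False                        # silent failure, no state change
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        self.allowances[(sender, spender)] -= amount
        return True


def safe_transfer_from(token, spender, sender, recipient, amount):
    """SafeERC20-style wrapper: a False return is treated as a revert."""
    if not token.transfer_from(spender, sender, recipient, amount):
        raise RuntimeError("transferFrom returned false")


class StakingVault:
    """Mints shares pro rata to the tokens it believes it just received."""

    NAME = "vault"

    def __init__(self, token, use_safe_transfer):
        self.token = token
        self.use_safe_transfer = use_safe_transfer
        self.shares = {}
        self.total_shares = 0

    def deposit(self, user, amount):
        held = self.token.balances.get(self.NAME, 0)
        if self.use_safe_transfer:
            safe_transfer_from(self.token, self.NAME, user, self.NAME, amount)
        else:
            # The bug: the return value is dropped, so a failed transfer still
            # falls through to share minting below.
            self.token.transfer_from(self.NAME, user, self.NAME, amount)
        minted = amount if self.total_shares == 0 else amount * self.total_shares // held
        self.shares[user] = self.shares.get(user, 0) + minted
        self.total_shares += minted
        return minted

    def withdraw(self, user, shares):
        held = self.token.balances.get(self.NAME, 0)
        payout = shares * held // self.total_shares
        self.shares[user] -= shares
        self.total_shares -= shares
        self.token.balances[self.NAME] -= payout
        self.token.balances[user] = self.token.balances.get(user, 0) + payout
        return payout


def run_attack(use_safe_transfer):
    """Attacker with no tokens 'deposits' 1,000 and cashes out.

    Returns the attacker's final token balance; 0 means the attack failed.
    """
    token = FalseReturningToken({"alice": 1_000, "mallory": 0})
    vault = StakingVault(token, use_safe_transfer)
    token.approve("alice", vault.NAME, 1_000)
    vault.deposit("alice", 1_000)                   # honest deposit backs the vault
    token.approve("mallory", vault.NAME, 1_000)     # approval without any balance
    try:
        shares = vault.deposit("mallory", 1_000)    # transfer fails, returns False
    except RuntimeError:
        return token.balances["mallory"]            # hardened vault reverted: 0
    vault.withdraw("mallory", shares)               # shares now redeem alice's tokens
    return token.balances["mallory"]


if __name__ == "__main__":
    print("unchecked transferFrom:", run_attack(use_safe_transfer=False))  # 500
    print("safe transferFrom:     ", run_attack(use_safe_transfer=True))   # 0
```

Checking the return value is the minimum; a vault that measures its own balance before and after the transfer and mints against the difference is robust against this class and against fee-on-transfer tokens as well.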

April 28: Uranium Finance $ 50M Hack

On April 28, Uranium Finance, an AMM platform on BSC, reported that it had been exploited for $50 million. The hacker stole $36.8 million in Binance Coin (BNB) and Binance USD (BUSD), 80 Bitcoin, 1,800 Ether, 26,500 Polkadot, 5.7 million Tether, 638,000 Cardano (ADA), and 112,000 u92, the project's native token.

The exploit occurred while the protocol was migrating its tokens from V2 to V2.1. The hacker exploited a coding error in the platform's balance-check logic. This was in fact the second attack on Uranium Finance in April: the first forced the platform to migrate to V2, after which the team abruptly decided to upgrade again to V2.1. The team suspected an inside job that leaked the vulnerability.

April 19: EasyFi's $ 80 million attack

On Monday, April 19, 2021, EasyFi, a DeFi lending protocol on the Polygon network, reported an attack of more than $80 million. The attacker got away with 2.98 million EASY tokens, worth around $25 each at the time (roughly $75 million in total), plus $6 million in stablecoins including DAI and Tether (USDT).

According to a blog post by EasyFi CEO and founder Ankitt Gaur, the private key of the protocol's admin account, held in MetaMask, had been compromised through his computer; nothing was wrong with the EasyFi contracts.
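PAID Network, Roll and EasyFi were all lost to a single compromised key rather than a contract bug. The control that limits the blast radius of one stolen key is to put upgrade and admin authority behind a threshold of signers and a delay during which other signers can veto. The following Python model is an added example, not code from any of those projects; the signer names, the 48-hour delay and the "implementation" strings are constructed assumptions. It contrasts a one-key, zero-delay setup with a 2-of-3 multisig plus timelock.

```python
"""Model of contract upgrade authority behind a multisig and a timelock.

Added example, not PAID Network's, Roll's or EasyFi's code.  Signer names,
delays and the implementation labels are constructed for illustration.
"""


class UpgradeAuthority:
    """Upgrades need `threshold` of `signers` and a delay after the proposal."""

    def __init__(self, signers, threshold, delay):
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = set(signers)
        self.threshold = threshold
        self.delay = delay                      # seconds between proposal and execution
        self.implementation = "v1"              # what the proxy currently points at
        self.proposals = {}                     # id -> {"impl", "approvals", "eta"}

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError("not a signer")

    def propose(self, signer, new_impl, now):
        self._require_signer(signer)
        pid = len(self.proposals) + 1
        self.proposals[pid] = {"impl": new_impl, "approvals": {signer}, "eta": now + self.delay}
        return pid

    def approve(self, signer, pid):
        self._require_signer(signer)
        self.proposals[pid]["approvals"].add(signer)

    def cancel(self, signer, pid):
        # Any signer can veto during the delay; that window is the point of the timelock.
        self._require_signer(signer)
        del self.proposals[pid]

    def execute(self, pid, now):
        proposal = self.proposals.get(pid)
        if proposal is None:
            raise PermissionError("no such proposal")
        if len(proposal["approvals"]) < self.threshold:
            raise PermissionError("not enough approvals")
        if now < proposal["eta"]:
            raise PermissionError("timelock has not expired")
        self.implementation = proposal["impl"]
        del self.proposals[pid]
        return self.implementation


def single_key_upgrade():
    """One key and no delay: a compromised deployer key upgrades immediately."""
    auth = UpgradeAuthority(["deployer"], threshold=1, delay=0)
    pid = auth.propose("deployer", "malicious", now=0)
    return auth.execute(pid, now=0)


def guarded_upgrade(compromised="deployer"):
    """2-of-3 signers plus a 48h delay: one stolen key cannot push an upgrade."""
    auth = UpgradeAuthority(["deployer", "cto", "auditor"], threshold=2, delay=48 * 3600)
    pid = auth.propose(compromised, "malicious", now=0)
    for when in (0, 48 * 3600):
        try:
            auth.execute(pid, now=when)         # 1 of 2 approvals: rejected both times
        except PermissionError:
            pass
    auth.cancel("cto", pid)                     # a co-signer notices the proposal and vetoes
    return auth.implementation


if __name__ == "__main__":
    print("single key:", single_key_upgrade())  # malicious
    print("2-of-3 + timelock:", guarded_upgrade())  # v1
```

The delay matters as much as the threshold: it turns a silent key compromise into a publicly visible pending proposal that monitoring can alert on before it takes effect.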

May 1: Spartan Protocol Flash Loan Attack

On May 1, Spartan Protocol, a BSC-based DeFi platform, was exploited for $30 million in a flash loan attack. According to a report by security firm PeckShield, the exploit occurred due to "flawed logic in calculating the liquidity share when the pool's token is burned to withdraw the underlying assets."

The attacker first borrowed 100,000 wrapped BNB (WBNB) from PancakeSwap, then swapped WBNB for the protocol's native SPARTA token five times via the exploited Spartan pool. The process was repeated ten more times to inflate the asset balance in the pool. The hacker then used the 1inch DEX and Nerve Finance to withdraw the stolen funds.

May 8: Rari Capital's $11M Evil Contract Exploit

On May 8, Rari Capital, a DeFi platform offering a range of yield products, reported an $11 million exploit. According to experts, it was an "evil contract" exploit, in which an attacker tricks a contract into believing that a hostile contract should have access or permissions.

According to the post-mortem report, the hack involved Rari's interest-bearing ibETH integration. The Rari Capital Ethereum Pool deposits ETH into Alpha Finance's ibETH token as one of its yield-generating strategies, and the attacker abused that integration. The attacker first took an ETH flash loan from dYdX and deposited it into the Rari Capital Ethereum Pool.

He then manipulated the value of ibETH.totalETH(), pushing it artificially high, so that the pool valued his position at more than he had deposited. In this way, the hacker was able to withdraw more ETH from the Rari Capital Ethereum Pool than he had put in, stealing approximately 2,600 ETH, around $11 million at the time.

May 20: PancakeBunny's $200 million flash loan exploit

On May 20, the popular BSC-based DeFi protocol PancakeBunny suffered a flash loan attack that resulted in the loss of more than $200 million in crypto assets. According to the team, the attacker seized 697,000 BUNNY and 114,000 BNB, worth more than $200 million.

In the exploit, the hacker used PancakeSwap to flash-borrow a large amount of BNB and deposited it into the USDT/BNB and BUNNY/BNB pools, distorting the pool balances that PancakeBunny's reward calculation reads. The hacker ended up obtaining a large number of BUNNY and BNB tokens through this manipulation.

May 22: Bogged Finance $3M Flash Loan Attack

On May 22, Bogged Finance joined the growing list of BSC-based DeFi protocols exploited in flash loan attacks. In the exploit, the hacker was able to seize 11,358 Binance Coin (BNB), worth a total of $ 3 million at the time.

According to a report from the Bogged Finance team:

"The attacker was able to use flash loans to exploit a flaw in the staking section of the BOG smart contract to manipulate staking rewards and cause supply inflation, without the transaction fee being charged or burned, causing net inflation."

May 28: BurgerSwap $ 7.2M Flash Loan Attack

On May 28, BurgerSwap, a decentralized exchange on Binance Smart Chain, reported a flash loan exploit that resulted in the loss of $7.2 million in user funds. The attacker seized $1.6 million in wrapped BNB, $6,800 in ETH, 3.2 million BURGER tokens, 1 million xBURGER, 95,000 ROCKS ($152,000), $22,000 in BUSD, and another $1.4 million in Tether (USDT). According to the details, the hacker launched the flash loan attack with the help of a fake token.

May 30: Belt Finance $ 6.3M Flash Loan Exploit

On May 30, another BSC-based DeFi protocol, the yield aggregator Belt Finance, fell victim to a flash loan attack that cost it $6.3 million. According to a report by Rekt, this was one of the most complex flash loan exploits to date: the hacker exploited a flaw in the way the protocol's vaults calculated the value of their collateral.

Ellipsis is a decentralized exchange for low-slippage stablecoin swaps on Binance Smart Chain. As a yield aggregator, Belt deploys capital into Ellipsis as one of its yield strategies, and it was the Ellipsis strategy of the BeltBUSD vault that was exploited.

June 16: Alchemix Reverse Rug Event

On June 16, Alchemix, an Ethereum-based DeFi protocol, suffered a one-off $6.5 million exploit in which the protocol's own users were the beneficiaries. Alchemix is an innovative DeFi protocol that puts users' collateral to work through yield farming; the yield generated is used to repay part or all of the loan.

On June 16, a bug in the Alchemix alETH vault left the vault without sufficient collateral. According to the details, the bug accidentally created additional vaults, and the protocol used some of them to miscalculate outstanding debts, so that the protocol's own funds were used to pay down users' debts. For a short period, users were able to withdraw their ETH collateral while their alETH loans were still outstanding, resulting in a "reverse rug" of around $6.53 million.

June 21: Impossible Finance $ 0.5M Flash Loan Exploit

On June 21, another BSC-based DeFi protocol, Impossible Finance, lost around 230 ETH, roughly $500,000, in user funds in a flash loan attack. The exploit was reportedly similar to the BurgerSwap exploit: the attacker launched a flash loan attack to drain Impossible Finance's liquidity pool with the help of a fake token.

Comparison: 2020 vs 2021

As the DeFi space enjoys its boom, so do criminals. DeFi crime was virtually unknown in 2019. In the second half of 2020, however, the DeFi market exploded and new projects began to appear every day, which is still the case.

DeFi crime grew along with it. According to a CipherTrace report from November 2020, DeFi hacks accounted for 25% of the hack and theft volume of 2020. In total, $129 million was lost to DeFi-related crime in 2020.

In 2021 the share of DeFi-related crime increased further, as TVL on Ethereum-based DeFi platforms reached $85 billion in May, compared to $16 billion on January 1. According to the May report from CipherTrace:

"At $ 156 million, the net number of DeFi-related hacks in the first five months of 2021 already exceeds the $ 129 million stolen in DeFi-related hacks throughout all of 2020."

With this, DeFi-related attacks accounted for more than 60% of the total hack and theft volume. This figure does not include an additional $83.4 million lost to DeFi-related fraud such as rug pulls and exit scams.

Factors leading to these events

Flash loan attacks

As the list above shows, flash loan attacks account for the majority of DeFi exploits. A flash loan attack is an exploit in which an attacker takes an uncollateralized loan that must be repaid within the same transaction and uses that borrowed capital to manipulate prices or balances in his favour through a series of contract interactions.

Flash loans are an important DeFi innovation, letting small players access large amounts of capital. Unfortunately, that also makes these attacks cheap to attempt: the attacker needs almost no capital of his own, and a failed attempt simply reverts. Flash loan attacks are here to stay, as there is still no general solution that removes them; any protocol that reads a spot price or pool balance that a single transaction can move remains exposed.
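Yearn's distorted DAI price, Rari's inflated ibETH.totalETH() and PancakeBunny's skewed pool balances are all the same move: a contract values something from pool state that one flash-loan-sized swap can push. The following integer-math model is an added example, not code from any of the protocols above. The pool follows the constant-product (Uniswap V2 style) formula; the lender, its 75% loan-to-value ratio, the 0.09% flash loan fee and all reserve sizes are constructed assumptions. It runs the attack against a lender that prices collateral from the pool's live spot price, then against one whose price is fixed at the value observed before the transaction, which is how a time-weighted oracle behaves within a single block.

```python
"""Flash-loan price manipulation against a spot-price oracle, in integer math.

Added example, not code from any protocol named on this page.  The pool is a
constant-product AMM; the lender, the flash loan fee and all reserves are
constructed assumptions.  Amounts are in base units: X is an 18-decimal asset
like ETH, Y a 6-decimal stablecoin.
"""

DEC_X = 10**18
DEC_Y = 10**6
SWAP_FEE_BPS = 30          # 0.30% pool fee, Uniswap V2 style
FLASH_FEE_BPS = 9          # 0.09% flash loan fee (assumption)


def get_amount_out(amount_in, reserve_in, reserve_out, fee_bps=SWAP_FEE_BPS):
    """Uniswap V2 getAmountOut: constant product with the fee taken on input."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    return amount_in_with_fee * reserve_out // (reserve_in * 10_000 + amount_in_with_fee)


class Pool:
    def __init__(self, reserve_x, reserve_y):
        self.rx, self.ry = reserve_x, reserve_y

    def spot_price(self):
        """Y base units per one whole X, read straight from the reserves."""
        return self.ry * DEC_X // self.rx

    def swap(self, token_in, amount_in):
        if token_in == "X":
            out = get_amount_out(amount_in, self.rx, self.ry)
            self.rx, self.ry = self.rx + amount_in, self.ry - out
        else:
            out = get_amount_out(amount_in, self.ry, self.rx)
            self.ry, self.rx = self.ry + amount_in, self.rx - out
        return out


class Lender:
    """Lends Y against X collateral, valuing X with whatever `oracle` returns."""

    def __init__(self, liquidity_y, oracle, ltv_bps=7_500):
        self.liquidity_y = liquidity_y
        self.oracle = oracle
        self.ltv_bps = ltv_bps

    def borrow(self, collateral_x):
        value_y = collateral_x * self.oracle() // DEC_X
        amount = min(value_y * self.ltv_bps // 10_000, self.liquidity_y)
        self.liquidity_y -= amount
        return amount


def attack_profit(oracle_kind):
    """Net attacker profit in Y base units for a 'spot' or 'twap' style oracle."""
    pool = Pool(1_000 * DEC_X, 2_000_000 * DEC_Y)        # 1 X = 2,000 Y before the attack
    fair_price = pool.spot_price()

    def frozen_oracle():
        # Time-weighted oracle modelled as the price observed before this
        # transaction: a swap inside the transaction cannot move it.
        return fair_price

    oracle = pool.spot_price if oracle_kind == "spot" else frozen_oracle
    lender = Lender(5_000_000 * DEC_Y, oracle)

    collateral_x = 10 * DEC_X
    flash_y = 20_000_000 * DEC_Y
    # 1. flash-borrow Y and dump it into the pool, pushing X's spot price up
    x_bought = pool.swap("Y", flash_y)
    # 2. borrow Y against a small X position valued at the inflated price
    borrowed_y = lender.borrow(collateral_x)
    # 3. unwind: sell X back, repay the flash loan, walk away from the collateral
    y_back = pool.swap("X", x_bought)
    flash_cost = flash_y + flash_y * FLASH_FEE_BPS // 10_000
    forfeited_collateral_y = collateral_x * fair_price // DEC_X
    return borrowed_y + y_back - flash_cost - forfeited_collateral_y


if __name__ == "__main__":
    for kind in ("spot", "twap"):
        print(f"{kind}: profit = {attack_profit(kind) / DEC_Y:,.0f} Y")
```

With the spot oracle the round trip through the pool costs the attacker only slippage and fees, while the borrow against the inflated price is worth well over a million Y; with the frozen price the borrow is capped at the collateral's real value and the attack loses money. The TWAP branch is deliberately optimistic: a time-weighted price resists a single-transaction move but can still be pushed over several blocks by a well-funded attacker, so it raises the cost of the attack rather than eliminating it.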

Smart contract bugs

Other factors include smart contract bugs and coding errors, as teams rush to launch their products to claim a share of this growing space. Thorough audits are carried out, but even these do not guarantee foolproof security.

Exit scams and rug pulls

Rug pulls are also a major factor in DeFi-related fraud. Most of the teams behind rug pulls are anonymous developers who promise farmers an absurdly high APY. As soon as enough funds have been locked in the smart contract, the developer suddenly withdraws all funds from the liquidity pool and disappears with them, sending the token price to zero.

Binance Smart Chain (BSC) Hacks

Due to Ethereum's high gas fees and scalability issues, Binance's smart contract platform has seen growing demand since its launch in September 2020, thanks to its low fees and high throughput.

The nascent DeFi platforms running on BSC have attracted large user bases, but these hastily launched platforms are also falling victim to crypto criminals. Below is the list of BSC-based DeFi protocols that have been hacked or exploited in 2021 so far.

  • March 4: Meerkat Finance exploited for $31 million
  • March 8: DODO DEX exploited for $3.8 million
  • April 28: Uranium Finance exploited for $50 million
  • May 1: Spartan Protocol exploited for $30 million
  • May 20: PancakeBunny exploited for $200 million
  • May 22: Bogged Finance exploited for $3 million
  • May 28: BurgerSwap exploited for $7.2 million
  • May 30: Belt Finance exploited for $6.3 million
  • June 21: Impossible Finance exploited for $0.5 million
