Chainalysis reports that $3.8 billion was stolen from crypto in 2022, the largest annual total on record, pushing the running total it tracks to over $6 billion. Behind these figures are thousands of crypto hacks, and here is the list of the seven most influential.
Loss. The attacker got away with 173,600 ETH and 25.5 million USDC from the Ronin bridge, worth about $624 million at the time of the theft on March 23, 2022.
Cause. The hack was a compromise of validator keys, not a smart contract bug. Ronin's bridge required 5 of 9 validator signatures to approve a withdrawal. The attacker obtained the keys of the four Sky Mavis validators after a spear-phishing attack on a Sky Mavis employee; four signatures were still one short. The fifth came from the Axie DAO validator: in November 2021, when Sky Mavis was struggling with an enormous transaction backlog, Axie DAO had allowlisted Sky Mavis to sign transactions on its behalf, and the allowlist was never revoked. Through a backdoor in Ronin's gas-free RPC node, the attacker could still obtain the Axie DAO signature, reach the threshold, and carry out the largest cross-chain bridge hack to date. The U.S. Treasury attributed the attack to Lazarus Group, a North Korean state-sponsored group, and in April 2022 the Office of Foreign Assets Control (OFAC) added the attacker's Ethereum address to its sanctions list.
Aftermath. The incident caused a major shift in thinking about blockchain security, especially toward external threat analysis and continuous monitoring. It took Ronin's team six whole days to notice that the funds were gone: the bridge had no technical capability to detect or alert on large outflows.
Loss. On August 10, 2021, the Poly Network cross-chain protocol lost about $611 million in tokens across three chains (Ethereum, BSC and Polygon), although the attacker later returned the funds.
Cause. The root cause was broken access control in a smart contract. The function of the EthCrossChainManager contract that executes cross-chain messages would call any target contract with message-controlled calldata, including the EthCrossChainData contract that stores the public keys of the "keepers" who authorize cross-chain transactions. EthCrossChainData trusted the manager as its owner, so a message routed through the manager bypassed the ownership check. It took some grinding, but the attacker found a function name whose 4-byte selector matched the privileged keeper-update function, replaced the keepers with their own key, and then methodically drained assets from one chain after another.
Consequences. The aftermath played out like a movie script. The hacker transferred part of the stolen funds to white hats and organizations promoting the growth of the blockchain industry. Tether froze $33 million of USDT, contradicting its earlier commitment to coin neutrality. The attacker also broadcast messages to the whole DeFi community and was even linked to KYC-verified accounts at centralized exchanges. Ultimately, they returned almost all of the stolen funds to Poly Network.
Damage. On October 6, 2022, the BSC Token Hub, the bridge of the BNB Chain run by the largest crypto exchange in the world, was exploited for two million BNB, about $586 million at the time.
Cause. The attacker convinced the bridge to release 1 million BNB, twice, by forging withdrawal proofs. The bridge verified cross-chain messages with Merkle (IAVL tree) range proofs from the BNB Beacon Chain, and a flaw in that proof verification allowed the attacker to craft a proof the contract accepted as valid even though no such deposit existed and the attacker had no legitimate claim to the funds.
Aftermath. The consequences were dire, ranging from a later-deleted tweet by CZ saying that everything was normal to a wide outcry against Binance's involvement in anything other than running a crypto exchange.
Value lost. On November 12, 2022, about $420 million was drained from the wallets of FTX, a company that had just collapsed in full public view.
Cause. FTX described the incident as "unauthorized access." The catalyst was a hasty transfer of FTX assets between different types of storage right after the bankruptcy declaration. The exact cause was not established at the time, and there were grounds to suspect an insider.
Aftermath. Much has been said about FTX, one of the industry's largest collapses, on par with the fall of Terra Luna. The backlash over FTX's business fundamentals was so strong that the hack itself did not get the attention it deserved; people close to cybersecurity, however, call it the final nail in the coffin.
Damage. The hacker minted 120,000 wETH on Solana with no underlying ETH. The loss in the Wormhole bridge on February 2, 2022, totaled $320 million.
Cause. The root cause was in Wormhole's Solana program (a Rust smart contract): the instruction that verifies guardian signatures on a VAA did not check that the account passed to it as the Instructions sysvar was the genuine sysvar. The attacker supplied a fake sysvar account containing a forged signature-verification result, so the program accepted a VAA that no guardian had signed and minted wETH against it. A fix that loads the sysvar with a checked call had already been committed to Wormhole's repository but had not yet been deployed on-chain.
Impact. The incident was a shock for every cross-chain protocol, and it opened a year in which bridge exploits became the largest crypto hacks. As Dyma Budorin, Hacken's Co-Founder and CEO, warned back then, "Cross-chain protocols have a dangerous journey."
Cost. Losing $196 million in December 2021 was a huge deal, especially for a centralized exchange (CeFi).
Origin. BitMart reluctantly described the incident as a "security breach." Behind every breach, however, is a vulnerability: BitMart itself attributed the loss to a stolen private key that opened two of its hot wallets, a failure of operational security rather than of any smart contract.
Effects. The incident proved once again that centralized exchanges can be hacked on a large scale despite all their controls, and the BitMart team was slow to understand (or accept) that something was going terribly wrong. In the same week, Celsius disclosed losses from a breach of its own, another blow to centralized custodians.
Loss. On August 1, 2022, about $190 million was drained from the Nomad bridge.
Flaw. The fatal flaw was a trusted root of 0x00. During an upgrade, Nomad's Replica contract was initialized with the zero root marked as confirmed. Because a message that had never been proven mapped to a root of 0x00 by default, the contract's acceptable-root check passed for any message at all, and anyone could call process() with a fabricated message and have the bridge pay out tokens on the Ethereum side of its Moonbeam and Evmos connections. The first exploit transaction pulled 100 WBTC out of the bridge.
Lesson. The case of Nomad proves one point about DeFi protocols: they are permissionless, so once your weakness is discovered, endless hordes of copycat attackers will tear you apart. After the initial hack, hundreds of amateurs repeated the same action by copying the attacker's transaction data and replacing the recipient address, as if following a script.
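To see why a single initialization value was enough, it helps to model the check. The following Python is an added example, not Nomad's Solidity: it mimics the Replica contract's two mappings (messages, from message hash to the Merkle root it was proven against, zero until proven; and confirmAt, from root to the time after which it is trusted, zero meaning never), the acceptableRoot check, and process(), and runs the same forged withdrawal against the pre-fix behaviour and a hardened version that refuses the zero root. sha256 stands in for keccak256 and the "proof" is a boolean stand-in for Merkle verification; the access logic is what matters here.

```python
"""Model of the Nomad Replica bug: a trusted zero root.

Added example, not Nomad's Solidity. process() accepted a message whenever
acceptableRoot(messages[hash]) held. An upgrade set confirmAt[0x00] = 1, so
the default root of an unproven message became acceptable and any fabricated
message could be processed by anyone.
"""
import hashlib
from dataclasses import dataclass, field

ZERO_ROOT = b"\x00" * 32


@dataclass(frozen=True)
class Message:
    recipient: str
    amount: int   # base units
    nonce: int

    def hash(self) -> bytes:
        # sha256 stands in for keccak256 of the ABI-encoded message.
        return hashlib.sha256(f"{self.recipient}|{self.amount}|{self.nonce}".encode()).digest()


@dataclass
class Replica:
    reject_zero_root: bool              # False = pre-fix behaviour, True = hardened
    now: int = 1_000
    messages: dict = field(default_factory=dict)    # message hash -> proven root
    confirm_at: dict = field(default_factory=dict)  # root -> timestamp when trusted
    processed: set = field(default_factory=set)
    balances: dict = field(default_factory=dict)

    def initialize(self, committed_root: bytes) -> None:
        # The buggy upgrade passed committed_root = 0x00, making the zero root trusted.
        if self.reject_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("committed root must be non-zero")
        self.confirm_at[committed_root] = 1

    def acceptable_root(self, root: bytes) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False
        ts = self.confirm_at.get(root, 0)
        return ts != 0 and ts <= self.now

    def prove(self, msg: Message, root: bytes, proof_ok: bool) -> None:
        # Stand-in for Merkle proof verification against a root the updater signed.
        if not proof_ok or not self.acceptable_root(root):
            raise ValueError("invalid proof")
        self.messages[msg.hash()] = root

    def process(self, msg: Message) -> bool:
        h = msg.hash()
        if h in self.processed:
            return False                               # replay protection
        root = self.messages.get(h, ZERO_ROOT)         # unproven messages default to 0x00
        if not self.acceptable_root(root):
            return False
        self.processed.add(h)
        self.balances[msg.recipient] = self.balances.get(msg.recipient, 0) + msg.amount
        return True


def forged_withdrawal_succeeds(hardened: bool) -> bool:
    """Attacker calls process() with a message that was never proven."""
    replica = Replica(reject_zero_root=hardened)
    try:
        replica.initialize(ZERO_ROOT)               # the mistaken upgrade parameter
    except ValueError:
        return False
    return replica.process(Message("0xattacker", 100 * 10**8, nonce=1))  # 100 WBTC in sats


def legit_withdrawal_succeeds(hardened: bool) -> bool:
    """A properly proven message is processed under both versions."""
    replica = Replica(reject_zero_root=hardened)
    root = hashlib.sha256(b"constructed root").digest()   # constructed, not a real root
    replica.initialize(root)
    msg = Message("0xuser", 5 * 10**8, nonce=7)
    replica.prove(msg, root, proof_ok=True)
    return replica.process(msg)


if __name__ == "__main__":
    print("forged, pre-fix:", forged_withdrawal_succeeds(False))
    print("forged, hardened:", forged_withdrawal_succeeds(True))
    print("legit, hardened:", legit_withdrawal_succeeds(True))
```

The hardened version applies two checks: initialization refuses a zero committed root, and acceptable_root never trusts 0x00 regardless of what the mapping says. The second check is the important one, because it protects against any future code path that leaves the default value in a mapping that is later read as a trust decision.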
Crypto exchange hacks play out differently depending on how decentralized the system is. In DEXs, hacks are most often smart contract exploits and flash loan attacks. In DeFi protocols, it is common to see price oracle manipulation or vulnerable interactions between contracts. Centralized exchanges mostly suffer from weak OpSec, confusing access control, poor integrity controls, and irresponsible behaviour as custodians. Exchanges have become harder targets over the years, but they are still breached far more often than traditional financial institutions.
The largest crypto hacks happen to bridges. In most cross-chain bridges, the biggest hacks were attributed to compromised private keys, poor control over who may sign transactions, and unaudited smart contracts. In most DeFi protocols that lose millions, there is a weak point at some level of the architecture, and some of them come down to simple mistakes about who is allowed to sign.
In the Ronin case, a cross-chain bridge holding hundreds of millions of dollars had neither a procedure for granting and revoking signing permissions nor any mechanism for monitoring funds. Phishing and social engineering also play a huge role: the Sky Mavis validator keys were obtained through a spear-phishing attack on an employee.
Crypto hacks of digital wallets come in two kinds: attacks on users and attacks on the companies behind the wallets. From the user's perspective, the most common vectors are phishing, keyloggers, and social engineering. Phishing scams are elaborate schemes to trick users into ceding control of their credentials; for example, attackers piggyback on a hyped airdrop announcement with fake websites that ask victims to connect their wallets and approve malicious transactions. There are myriad complex and plain social engineering techniques, and the burden of staying safe largely falls on the individual.
In the other dimension, the companies behind crypto wallets are targets of attacks that exploit vulnerabilities in the wallet software itself. In 2022, the Slope mobile wallet sent users' seed phrases in plaintext to a logging service, and attackers who obtained them stole $4.5 million. Another example is weak key generation that makes brute force practical, as with the Profanity vanity-address tool, whose 32-bit random seed allowed attackers to recover the private keys of addresses it had generated.
Hacking may never be stopped in crypto. However, blockchain projects must take active measures to protect the funds they operate and the cryptographic keys that control them.
A smart contract audit identifies vulnerabilities in the underlying contract code and helps fix them before they are exploited. Code review and analysis are vital for every project that uses smart contracts to govern transactions and record state changes.
For L1 and L2 protocols, a blockchain protocol audit helps mitigate the weaknesses that often allow hackers to steal funds from cross-chain bridges. It covers vulnerabilities at different levels of the blockchain architecture and is essential for the most complex and ambitious Web3 projects.
On-chain monitoring makes a real difference to response times: the sooner a project notices something going wrong, the sooner it can react. Monitoring threats 24/7 is challenging, at least logistically, but an on-chain smart contract monitoring system such as Hacken Extractor makes it possible.
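What such monitoring has to catch follows directly from the incidents above: Ronin went unnoticed for six days although a single withdrawal took most of the bridge's ETH, and Nomad, Wormhole and the BSC Token Hub all paid out assets that had never been deposited. The following Python is an added example, not Hacken Extractor or any bridge's code: it replays a constructed stream of deposit and withdrawal events (not real chain data) through three rules, a per-transaction cap, a rolling-window outflow cap, and a solvency invariant (cumulative withdrawals of an asset must never exceed cumulative deposits). The caps and addresses are assumptions chosen for the demo.

```python
"""Outflow monitor for a bridge contract's event stream.

Added example, not Hacken Extractor or any bridge's code. Each withdrawal is
checked against a hard per-transaction cap, a rolling-window outflow cap, and a
solvency invariant: more of an asset withdrawn than ever deposited is the
signature of a forged proof or a trusted-zero-root message.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Event:
    ts: int        # unix seconds
    kind: str      # "deposit" or "withdraw"
    asset: str
    amount: int    # base units (wei, sats)
    tx: str


@dataclass(frozen=True)
class Alert:
    rule: str
    asset: str
    detail: str
    tx: str


class BridgeMonitor:
    def __init__(self, single_cap: Dict[str, int], window_cap: Dict[str, int], window_secs: int = 3600):
        self.single_cap = single_cap        # asset -> max withdrawal per transaction
        self.window_cap = window_cap        # asset -> max outflow per window
        self.window_secs = window_secs
        self.recent = defaultdict(deque)    # asset -> deque of (ts, amount) withdrawals in window
        self.deposited = defaultdict(int)   # asset -> cumulative deposits
        self.withdrawn = defaultdict(int)   # asset -> cumulative withdrawals

    def observe(self, ev: Event) -> List[Alert]:
        alerts: List[Alert] = []
        if ev.kind == "deposit":
            self.deposited[ev.asset] += ev.amount
            return alerts
        if ev.kind != "withdraw":
            raise ValueError(f"unknown event kind {ev.kind!r}")
        self.withdrawn[ev.asset] += ev.amount

        if ev.amount > self.single_cap.get(ev.asset, float("inf")):
            alerts.append(Alert("single_tx_cap", ev.asset, f"{ev.amount} exceeds per-tx cap", ev.tx))

        window = self.recent[ev.asset]
        window.append((ev.ts, ev.amount))
        while window and window[0][0] <= ev.ts - self.window_secs:
            window.popleft()                # drop withdrawals older than the window
        total = sum(amount for _, amount in window)
        if total > self.window_cap.get(ev.asset, float("inf")):
            alerts.append(Alert("window_cap", ev.asset, f"{total} out in {self.window_secs}s", ev.tx))

        if self.withdrawn[ev.asset] > self.deposited[ev.asset]:
            alerts.append(Alert("solvency", ev.asset,
                                f"withdrawn {self.withdrawn[ev.asset]} > deposited {self.deposited[ev.asset]}",
                                ev.tx))
        return alerts


def run(events: Iterable[Event], monitor: BridgeMonitor) -> List[Alert]:
    """Replay events in timestamp order and collect every alert raised."""
    out: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        out.extend(monitor.observe(ev))
    return out


# Constructed sample stream (not real chain data): normal traffic, then a
# Ronin-sized ETH withdrawal, then a WBTC payout the bridge never received.
ETH = 10**18
SAT = 10**8
SAMPLE_EVENTS = [
    Event(1_648_000_000, "deposit", "ETH", 200_000 * ETH, "0xd1"),
    Event(1_648_000_100, "withdraw", "ETH", 50 * ETH, "0xw1"),
    Event(1_648_000_200, "withdraw", "ETH", 120 * ETH, "0xw2"),
    Event(1_648_000_300, "withdraw", "ETH", 173_600 * ETH, "0xw3"),   # per-tx cap and window cap
    Event(1_648_000_400, "deposit", "WBTC", 10 * SAT, "0xd2"),
    Event(1_648_000_500, "withdraw", "WBTC", 100 * SAT, "0xw4"),      # per-tx cap and solvency
]


def demo_alerts() -> List[Alert]:
    monitor = BridgeMonitor(single_cap={"ETH": 5_000 * ETH, "WBTC": 50 * SAT},
                            window_cap={"ETH": 20_000 * ETH, "WBTC": 200 * SAT})
    return run(SAMPLE_EVENTS, monitor)


if __name__ == "__main__":
    for a in demo_alerts():
        print(f"[{a.rule}] {a.asset}: {a.detail} (tx {a.tx})")
```

The solvency rule is the one worth wiring to an automatic pause: a rate cap can be tuned away by a patient attacker, but a bridge that has paid out more of an asset than it holds is broken by definition, and the only question is how many minutes pass before someone acts on it.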
Contact Hacken Team to discuss what blockchain security measures would work best to help your project stay clear of crypto hacking.