DeFi is not just a buzzword. It is the next new thing in the world of finance. If Web 3.0 is the new Internet, DeFi is its new financial ecosystem. DeFi has its risks, of course. The world of decentralized finance faces the problem of DeFi token and protocol vulnerability. In the first 5 months of 2022 alone, DeFi hacks have amounted to $1.4 billion in financial losses. This article will look at the biggest DeFi hacks in recent months and offer our three solutions for DeFi vulnerability.
DeFi Security is a Necessity
According to DeFi Pulse, the total value locked (TVL) in DeFi is more than $56 billion. The figure is impressive, but it is still a sharp decrease from 2021, when TVL in DeFi reached more than $110 billion. The reduction in TVL is mainly attributed to the recent stablecoin collapse. At the same time, the drop in TVL can be partially explained by financial losses due to DeFi token vulnerability and DeFi protocol vulnerability. After all, DeFi is still a novel concept, and it is highly lucrative for hackers. DeFi protocols are increasingly subject to cyber-attacks, exploits, scams, and arbitrage.
According to the REKT Database of cyber-attacks, DeFi protocols have lost $4.75 billion in total due to scams, hacks, and exploits. Of the $4.75 billion lost, only $1 billion was returned: only 21 percent of all the funds lost to cyber-attacks have been recovered. Today, the REKT Database lists 2,782 attacks. The most common attack type is the honeypot, followed by exit scams, exploits, access control attacks, and flash loans.
Figure 1: Total funds lost due to DeFi hacks since 2012
The number of DeFi cyber-attacks has been growing steadily over the last 12 months. According to DeFi REKT, the year-to-date total of funds lost is $1.4 billion. Here is a list of tokens and protocols that have fallen victim to the biggest DeFi cyber-attacks of the past year.
Loss: $615.5 million
Date: March 29, 2022
The Ronin Validator Security Breach revealed the most significant DeFi vulnerability on record. The hacker stole 173,600 ETH and 25.5 million USDC from Ronin Bridge in just two transactions.
On March 23, the hacker compromised Sky Mavis’s Ronin and Axie DAO validator nodes. The perpetrator obtained the validators’ private keys, which allowed them to forge withdrawals. It is worth noting that Ronin had a decentralized validator key scheme. However, the attacker found a backdoor in that decentralized validation scheme: in particular, they used a gas-free RPC node to obtain the signature for the Axie DAO validator.
On April 14, the FBI found that Lazarus Group, a hacking group based in North Korea, was responsible for the exploit. According to the U.S. Department of the Treasury, the group is also known as “Appleworm,” “Group 77,” “APT-C-26,” and “Hidden Cobra.” The U.S. Department of the Treasury sanctioned the ETH address that received the funds. The Ronin exploit remains the biggest of all DeFi hacks to this day.
Loss: $602.2 million
Date: August 10, 2021
The hacker exploited unverified Proxy smart contracts on three chains: ETH, BSC, and Polygon. Given the enormous financial loss, it is no surprise that Poly Network later offered the hacker the position of the platform’s chief security advisor.
Loss: $326 million
Date: February 2, 2022
The hacker allegedly exploited a security vulnerability in signature verification. This breach allowed the hacker to mint 120,000 wETH on Solana.
Loss: $181 million
Date: April 18, 2022
Type: Flash Loan
This attacker exploited a 1-day delay in the $BEAN governance proposal contract by means of a flash loan. The flash loan gave the attacker control of more than 70% of the total seeds. The attacker gained access to 350m DAI, 500m USDC, 150m USDT, 32m BEAN, and 11.6m LUSD. The Beanstalk attack is the biggest flash loan hack to date.
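To make the flash-loan governance risk concrete, here is an added toy simulation (not Beanstalk’s code and not from the original article) contrasting votes counted from live token balances with votes counted from a balance snapshot taken when the proposal was created. The addresses, balances and the 2/3 threshold are constructed assumptions.

```python
"""Toy DAO governance: live-balance voting vs. snapshot voting (constructed model)."""

SUPERMAJORITY = 2 / 3  # constructed: share of total votes needed to execute a proposal


class ToyDAO:
    def __init__(self, balances, snapshot_votes):
        self.balances = dict(balances)        # address -> governance tokens held right now
        self.total = sum(balances.values())   # token supply is conserved by the flash loan
        self.snapshot_votes = snapshot_votes  # True: count votes from balances at proposal time
        self.proposals = {}                   # pid -> {"snapshot": balances, "for": voters}

    def propose(self, pid):
        # The snapshot is taken when the proposal is created, i.e. before any flash loan.
        self.proposals[pid] = {"snapshot": dict(self.balances), "for": set()}

    def vote_for(self, pid, voter):
        self.proposals[pid]["for"].add(voter)

    def support(self, pid):
        p = self.proposals[pid]
        book = p["snapshot"] if self.snapshot_votes else self.balances
        return sum(book.get(v, 0) for v in p["for"]) / self.total

    def can_execute(self, pid):
        return self.support(pid) >= SUPERMAJORITY


def flash_loan(dao, borrower, lender, amount, fn):
    """Lend tokens to the borrower, run fn() 'in the same block', then take them back."""
    dao.balances[borrower] = dao.balances.get(borrower, 0) + amount
    dao.balances[lender] -= amount
    try:
        return fn()
    finally:
        dao.balances[borrower] -= amount
        dao.balances[lender] += amount


def flash_loan_attack(snapshot_votes):
    """Return True if a same-block flash loan is enough to pass the proposal."""
    # constructed balances: attacker holds 1% of tokens, a liquidity pool holds 80%
    dao = ToyDAO({"attacker": 1, "pool": 80, "others": 19}, snapshot_votes)
    dao.propose("drain")  # created earlier; the delay elapses before the loan block

    def in_same_block():
        dao.vote_for("drain", "attacker")
        return dao.can_execute("drain")

    return flash_loan(dao, "attacker", "pool", 80, in_same_block)
```

With live balances the borrowed 80% passes the proposal inside the loan; with snapshot voting the attacker’s power stays at the 1% held at proposal creation, so tokens would have to be held across the delay and could not be repaid in the same block.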
Loss: $140 million
Date: December 12, 2021
Type: Access Control
The Vulcan Forged DeFi attack centred on gaining control of private keys. Vulcan Forged creates wallets for its users and stores their keys. The attacker gained access to 96 wallets and drained 4.5m PYR tokens, in addition to ETH and MATIC.
DeFi Vulnerability is a Red Flag for Community
In addition to direct monetary losses, DeFi vulnerability results in huge reputational damage for the entrepreneurs behind DeFi protocols. DeFi cyber-attacks put founders’ reputations at risk. DeFi token vulnerability and DeFi protocol vulnerability, especially when left unchecked, are massive red flags for the community of DeFi users.
Preventing DeFi cyber-attacks is vital, especially when looking at financial damage. The DeFi industry has already suffered $3 billion in irreversible losses due to DeFi hacks. With this in mind, DeFi protocols have huge monetary and reputational incentives to improve their DeFi security. The Web 3.0 cybersecurity company Hacken offers practical solutions for businesses that take their DeFi security seriously.
Hacken provides several DeFi cybersecurity services, including smart contract security audits, penetration tests, and bug bounties.
A DeFi security audit is the most effective measure for dealing with DeFi security vulnerabilities. In essence, a smart contract security audit reviews the contract code that governs the transactions recorded on the blockchain ledger. Hacken conducts blockchain protocol audits and smart contract audits for Ethereum, Solana, BSC, Polygon, and other networks. On Ethereum alone, Hacken has audited smart contracts with a total market cap of $100 billion. Hacken is the proven leader in blockchain audit thanks to years of experience in this field and the exceptional expertise of our security specialists.
Hacken offers penetration testing services for web applications, mobile apps, and networks. Penetration testing is a cost-effective solution for DeFi protocols. It comes in handy for businesses that do not have large security teams.
HackenProof is a bug bounty and vulnerability coordination platform that connects customers, including DeFi protocol owners, with a community of external security experts, a.k.a. ethical hackers. Hacken offers Bug Bounty programs of three types, depending on the customer’s goals.
Bug bounties are crowdsourced. Dozens of white hat hackers compete for a monetary prize to be the first to identify a particular security vulnerability. Bug Bounty solutions are beneficial for evaluating DeFi security because white hat hackers act like real attackers. HackenProof has collected 5,730 vulnerability reports from white hat hackers.