Flash attacks have become the most popular method of hacking exchanges and protocols
Vulnerability of smart contracts is a big problem for companies
DeFi protocols are the main target of hackers
DeFi Hacks of 2020: Can They Recover?
Decentralized finance (DeFi) originated back in 2015, when the MakerDao app allowed crypto asset holders to borrow in DAI stablecoins … This was followed by years of steady growth, which resulted in rapid development and hype.
According to DeFi Pulse, this year the value locked into DeFi protocols has jumped from roughly $700 million to $14.7 billion. Most of the growth took place in the second half of the year, now known as the “DeFi Summer.” But not everything went smoothly with experimental technologies.
The boom attracted the attention of hackers and dishonest players, who were quick to take advantage of the new trend. Although cryptocurrency cybercrime is down 60% this year, more than 21% of all crypto hacks are in the DeFi space. In the first half of the year, DeFi accounted for 45% of all thefts (47.7 million), and in the second half of the year, statistics increased to 50% (51.5 million).
The number of DeFi hacks in 2019 was negligible; however, this year the amount stolen from these protocols exceeded $100 million. The list below details the most serious cyber attacks on the DeFi space in 2020.
1 – DaoMaker (8.32 million USD, March 12)
MakerDao suffered the most during the Black Swan event. So much so that emergency shutdown was even discussed at the time. The collapse of the Ethereum exchange rate has led to network congestion. Panic began among investors, and the oracles of the project started having problems with updating quotes and liquidating positions.
Some users were able to use the protocol to liquidate some of their loans free of charge, resulting in losses of USD 8.32 million. Investors have since teamed up and are currently seeking $28 million in damages from MakerDao.
2 – Eminence (15 million USD, September 29)
Andre Cronje became famous in the cryptosphere for creating Yearn.Finance. The platform's own token skyrocketed to nearly $42,000 in September, becoming the first cryptocurrency to surpass Bitcoin in value. Many investors have gathered around Andre, following him to new projects such as the gamified DeFi platform Eminence.Finance.
The project did not have a website and was not officially launched, but that did not stop investors from injecting more than $15 million into Eminence. The money was put into an unsecured and unverified beta contract that was hacked just 3 hours after the test launch message appeared on Twitter.
The hackers eventually showed some goodwill and returned $8 million of stolen funds to Andre, which he used to partially compensate users for losses. However, this did not save him from threats and prosecution.
3 – BZx (954,000 USD, February 18)
BZx has become the most hacked DeFi platform of the year. It was attacked three times. The first two attacks were sequential: they took place four days apart at the end of February. By using the interconnectedness of the DeFi protocols instead of vulnerabilities in the BZx protocol itself, these “flash attacks” allowed hackers to steal $954,000. By taking out large flash loans, hackers were able to influence asset prices and drain the credit pool.
4 – BZx (8 million USD, September 14)
In September, the BZx platform survived its third cyberattack, this time due to a protocol error. Roughly $8 million was stolen after a hacker was able to create iTokens for free; an iToken is a token that must be backed by assets and grows in value as the credit pool grows. Fortunately, this story has a happy ending, as the BZx team was able to track down the hacker and recover the stolen funds.
5 – Uniswap (300,000 USD, April 18)
The Uniswap exploit occurred about a day before the dForce incident, and stems from the same vulnerability in the Ethereum ERC-777 token standard. It is estimated that a hacker stole $300,000 using imBTC, the Ethereum version of Bitcoin. The losses fell on those who provided liquidity to Uniswap, as the bitcoins backing imBTC were not affected.
6 – dForce (25 million USD, April 19)
The Lendf.Me lending protocol, owned by the Chinese platform dForce, was hacked on April 19. The attacker was able to steal $25 million using the same Ethereum vulnerability that made the infamous DAO hack possible in 2016. After completely draining the money pool, the hacker had difficulties with cashing out, which may have led to the return of $21 million of stolen funds.
7 – Harvest (34 million USD, October 26)
During the “flash attack” on October 26, hackers were able to carry out the biggest DeFi heist of the year, as $34 million was stolen from the Harvest.Finance protocol. Flash loans were used to manipulate the price of multiple stablecoins on decentralized exchanges (DEXs), creating arbitrage opportunities and allowing hackers to buy more stablecoins than they could under normal circumstances.
Many in the crypto community had already expressed their concerns about the centralization of the project prior to the incident. Harvest’s anonymous founders decided not to relinquish control over locked assets, which exceeded $1 billion before the hack.
Since then, attackers have recovered about $2.5 million in stolen funds. Undaunted, the Harvest team is investigating the attack and has even offered a $100,000 reward to anyone who finds the hackers.
8 – Akropolis (2 million USD, November 12)
Akropolis fell victim to a flash attack on November 12th. The hacker discovered a vulnerability in the Akropolis smart contracts that allowed him to take a flash loan using a fake ERC-20 token.
Akropolis had to freeze its stablecoin pool and now the team is seeking to recover losses from investors and catch the culprit. The Akropolis team has already identified the Ethereum wallet the attacker was using and notified all major cryptocurrency exchanges.
9 – ValueDeFi (6 million USD, November 14)
On November 14, just two days after the Akropolis incident, ValueDeFi became the target of the next flash attack. The team announced their new feature on Twitter – the MultiStables repository. However, less than 24 hours later, Value DeFi was hacked. The update, which, among other things, was supposed to increase protection against flash loans, ultimately failed.
The attacker was able to manipulate prices in one of the vaults through a flash loan, which he then used to buy the same manipulated assets at a reduced price. The attack was also made possible by the centralized oracle of Value DeFi.
10 – Pickle Finance (19.7 million USD, November 21)
Inspired by Pickle Rick, an episode of the hit TV show Rick and Morty, Pickle.Finance is the most recent hack on the list. On November 22, the attacker was able to create a so-called evil jar containing smart contracts that have the same interface as the original jars of the protocol. This allowed him to swap between 2 jars and steal about $19.7 million.
Most Popular Attack Methods
Flash attacks have certainly been the most popular method lately. Such an attack involves bypassing the credit mechanism, which in turn opens up numerous attack opportunities such as asset price manipulation.
Double-spending attacks have been used successfully several times. In the case of the Uniswap and Lendf.Me protocols, attackers exploited vulnerabilities in the Ethereum code, namely the ERC-777 token standard. Some speculate that the problem is not with Ethereum itself, but rather with the combination of Ethereum code with DeFi protocol code that accidentally opens up opportunities for exploits.
It’s hard to tell if a successful exploit is a hacker’s merit or a developer’s mistake. However, the same cannot be said for poor project management. Keeping centralized functions in decentralized protocols creates vulnerabilities. This was the case with Value DeFi and with Harvest.Finance, where developers controlled the value locked in contracts.
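The price manipulation in the flash-attack cases above comes down to a protocol trusting a pool's instantaneous price inside a single transaction. The Python sketch below is an added example, not code from any project named in this article: it uses a constructed, fee-free constant-product pool, hypothetical names (`Pool`, `price_is_trustworthy`) and an assumed 3% deviation limit against a time-weighted average price (TWAP) to show how far one large swap moves the spot price and how a consumer of that price can refuse it.

```python
# Added example: constructed, fee-free constant-product pool (stable * asset = k).
# Pool, price_is_trustworthy and the 3% limit are assumptions, not project code.
from dataclasses import dataclass, field

@dataclass
class Pool:
    stable: float                                 # stablecoin reserve
    asset: float                                  # reserve of the asset being priced
    history: list = field(default_factory=list)   # one spot sample per block

    def spot(self) -> float:
        """Instantaneous asset price in stablecoin units."""
        return self.stable / self.asset

    def swap(self, stable_in: float = 0.0, asset_in: float = 0.0) -> float:
        """Trade one side in, return the amount of the other side paid out."""
        k = self.stable * self.asset
        if stable_in:
            self.stable += stable_in
            out, self.asset = self.asset - k / self.stable, k / self.stable
        else:
            self.asset += asset_in
            out, self.stable = self.stable - k / self.asset, k / self.asset
        return out

    def end_block(self) -> None:
        self.history.append(self.spot())

    def twap(self, window: int = 10) -> float:
        """Average of the last `window` end-of-block prices."""
        recent = self.history[-window:]
        return sum(recent) / len(recent)

def price_is_trustworthy(pool: Pool, max_deviation: float = 0.03) -> bool:
    """Defensive check: reject the spot price if it strays from the TWAP."""
    ref = pool.twap()
    return abs(pool.spot() - ref) / ref <= max_deviation

def simulate():
    pool = Pool(stable=1_000_000.0, asset=1_000_000.0)   # constructed reserves
    for _ in range(10):                      # ten quiet blocks at price 1.0
        pool.end_block()
    calm = price_is_trustworthy(pool)
    bought = pool.swap(stable_in=500_000.0)  # large borrowed sum, same transaction
    skewed_spot, skewed_ok = pool.spot(), price_is_trustworthy(pool)
    pool.swap(asset_in=bought)               # position unwound before the block ends
    return calm, skewed_spot, skewed_ok, pool.spot(), pool.twap()
```

Because nothing is sampled mid-transaction, the TWAP stays at 1.0 while the spot price briefly reads 2.25, so the deviation check fails exactly when a spot-price consumer would be misled.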
Finally, an increase in fraud should be expected, similar to the 2017 ICO boom. Due to the abundance of cheating schemes: from Pump&Dump schemes to fraudulent UniSwap tokens, it is believed that 99% of DeFi tokens are actually scams.
How can crypto traders protect their personal data from hackers?
The DeFi space still looks like a minefield. Due to its decentralized and anonymous nature, the DeFi market is an easy target for scammers, hackers and money launderers. There is no regulatory framework to protect investors, and the lack of security audits makes the hacker’s job much easier. Despite the fact that not all violations resulted in losses for investors, security remains a serious concern.
Experts from the leading cybersecurity company Hacken shared helpful tips on how to protect your personal data. The first and most important step is to never share your private keys; best of all, store them offline in so-called cold storage. Using a multisignature scheme is also highly recommended, as it will help prevent loss in the event of key loss or unwanted third-party access. It’s also important to secure your Ethereum wallet by regularly checking and sometimes revoking smart contract permissions from DeFi apps you have used.
It is important to note that you should do a thorough background check before considering any investment in this (or any other) space. Investigate the team behind the project and see if the protocols passed stress tests and smart contract audits before launch.
Forecasts for 2021
Industry experts predict that the number of DeFi hacks will continue to rise next year. This, as well as money laundering, is becoming a huge problem. Decentralized exchanges (DEX) are ideal machines for laundering money as they keep their users anonymous, do not use KYC and cannot freeze any funds, unlike centralized exchanges. This was beautifully illustrated in the biggest hack of the year, where KuCoin lost $218 million and the hacker was then able to launder money through the DEX exchanges.
Vulnerabilities in smart contracts also pose a lot of problems. Hackers will take advantage of the lack of experience in developing and auditing smart contracts. It’s worth noting that DeFi is in its early stages of development. The above problems and other aspects such as low liquidity, regulatory uncertainty and high volatility are quite expected. Still, DeFi could bring about a much needed revolution in the financial system.