Hackers’ Assault on DeFi

    23 Dec 2021

    Over the past couple of months, there have been continuous reports of hacker attacks on various decentralized finance services. We tried to figure out why DeFi has suddenly come under such an intense onslaught from cybercriminals.

    To track the pattern, let’s first look at some of the loudest and most devastating hacks in recent weeks.

    – NFT marketplace Vulcan Forged lost $ 103 million due to a cyber-attack. Hackers managed to compromise 148 wallets belonging to Vulcan Forged users and steal 4.5 million PYR tokens (worth over $ 100 million). Vulcan Forged warned that attackers might have taken possession of users’ private keys. The marketplace promises to reimburse all those impacted. After the hack, the price of the marketplace’s PYR token fell by more than 25%.

    – AscendEX was hacked to the tune of $ 80 million. The AscendEX (formerly BitMax) crypto exchange confirmed its hot wallets had been compromised. Having gained access to them, hackers withdrew tokens on the Ethereum, Binance Smart Chain, and Polygon networks. The cold wallets, on the other hand, were not affected. The official AscendEX account reported opening an investigation and guaranteed full compensation to all affected users.

    PeckShield blockchain security analysts said the total loss amounted to approximately $ 78 million, of which $ 60 million was on Ethereum, with $ 9.2 million and $ 8.5 million on BSC and Polygon, respectively.

    – The attack cost the centralized crypto exchange BitMart $ 200 million. Its leadership announced that users would be compensated for their losses from the site’s own funds, while the Huobi and Shiba Inu [SHIB] teams have pledged to help the company get out of this situation.

    After the hack, BitMart CEO Sheldon Xia wrote in a series of posts that a full review of the incident was being carried out. In addition to the security audit, the exchange established which cryptocurrencies were lost and who was affected. In total, about 27 different cryptocurrencies were stolen, including altcoins like Binance Coin, Safemoon, BowsCoin, BNBBPay, as well as a significant number of Baby Doge Inu, Floki Inu, Moonshot, and other meme coins.

    The criminals reportedly stole keys to two hot wallets; the rest of the wallets and cryptocurrencies were not affected. The first to notice suspicious activity on BitMart was the aforementioned security analytics company PeckShield. The stolen tokens went to the 1inch decentralized protocol and then to the Tornado Cash mixer. The incident caused daily trading turnover to fall from $ 1.46 billion to $ 1.15 billion.

    – The users of BadgerDAO DeFi protocol lost about $ 100 million to hackers. According to PeckShield, 896 BTC (half of the entire sum stolen) came from a single user’s wallet.

    BadgerDAO developers confirmed they were looking into the incident: “Badger received reports of unauthorized withdrawals of user funds. While Badger engineers are investigating what happened, all smart contracts have been stopped to prevent further losses. The investigation is ongoing, and we will post additional information as soon as it presents itself.”

    Presumably, the smart contract itself wasn’t hacked, just the website interface. As a result, users who thought they were interacting with BadgerDAO were in fact granting a third-party address permission to operate their wallets. The attack itself was carried out overnight, but the process of obtaining the permissions took several days or weeks.

    “Several users appear to have granted the attackers access to the assets included in the pools. We froze all the pools as soon as we noticed that to prevent further withdrawal. We are currently trying to understand where these permissions came from, how many people granted them, and what to do next,” one of the developers explained.
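
The pattern described above for BadgerDAO, where one third-party address collects permissions from many wallets over days or weeks before any funds move, can be watched for on chain. The Python sketch below is an added example, not code from BadgerDAO or PeckShield; it assumes the permissions are standard ERC-20 allowances visible as `Approval` event logs in `eth_getLogs` format, and the addresses, the allowlist and the `min_owners` threshold are all constructed for illustration.

```python
from collections import defaultdict
# keccak256("Approval(address,address,uint256)"): topic0 of the ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1  # the "infinite approval" amount many dApp front ends request

def parse_approval(log):
    """Return (token, owner, spender, amount) for an ERC-20 Approval log, else None."""
    topics = log.get("topics", [])
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None  # a different event (ERC-721 Approval carries 4 topics)
    addr = lambda t: "0x" + t[-40:].lower()  # indexed address = low 20 bytes of topic
    return log["address"].lower(), addr(topics[1]), addr(topics[2]), int(log["data"], 16)

def suspicious_spenders(logs, known_spenders, min_owners=2):
    """Spenders outside the allowlist holding live approvals from >= min_owners wallets."""
    known = {a.lower() for a in known_spenders}
    latest = defaultdict(dict)  # spender -> {(token, owner): most recent amount}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        parsed = parse_approval(log)
        if parsed is None or parsed[2] in known:
            continue
        token, owner, spender, amount = parsed
        latest[spender][(token, owner)] = amount  # a later approve(spender, 0) revokes
    report = {}
    for spender, grants in latest.items():
        active = [(owner, amt) for (_, owner), amt in grants.items() if amt > 0]
        owners = sorted({owner for owner, _ in active})
        if len(owners) >= min_owners:
            unlimited = sum(1 for _, amt in active if amt == UNLIMITED)
            report[spender] = {"owners": owners, "unlimited": unlimited}
    return report

# Constructed sample data: every address and log below is invented for illustration.
def make_log(block, idx, owner, spender, amount, token="0x" + "11" * 20):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(amount, "064x")}
VAULT, UNKNOWN, OTHER = "0x" + "aa" * 20, "0x" + "ee" * 20, "0x" + "dd" * 20
ALICE, BOB, CAROL = "0x" + "01" * 20, "0x" + "02" * 20, "0x" + "03" * 20
SAMPLE_LOGS = [
    make_log(100, 0, ALICE, VAULT, UNLIMITED),    # allowlisted protocol contract
    make_log(101, 0, ALICE, UNKNOWN, UNLIMITED),  # same unknown spender, blocks apart
    make_log(250, 3, BOB, UNKNOWN, UNLIMITED),
    make_log(300, 1, CAROL, UNKNOWN, 500),
    make_log(310, 0, CAROL, UNKNOWN, 0),          # Carol revoked: no longer exposed
    make_log(320, 0, CAROL, OTHER, 10),           # one owner only: below threshold
]
```

Calling `suspicious_spenders(SAMPLE_LOGS, [VAULT])` reports only the unknown spender that still holds live approvals from two wallets; the allowlisted vault, the revoked grant and the single-owner spender are not reported.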

    – The MonoX DeFi project also fell victim to hackers. Attackers withdrew a total of $ 31 million in funds from the Ethereum and Polygon blockchains. The project team confirmed the hack on MonoX’s official Twitter account: “This morning our contract has been exploited. We are sorry to our users who have deposited funds. The team is investigating and will try our very best to get the stolen funds back. We thank our community for your support.”

    The project representatives also wrote that they would like to talk to the hacker and asked him to contact them. Many users had put coins in MonoX’s pools in anticipation of the project’s previously announced airdrop. To participate in the token distribution, one had to deposit WBTC, MATIC, ETH, USDC, or USDT.

    As can be seen from these and other examples, most successful attacks were aimed at users’ hot wallets or otherwise compromised user data. This indicates that the interaction between the system itself and its users remains the most vulnerable point of modern crypto projects. The question is, who is more to blame: the programmers or the users? Or, perhaps, is it the project’s architects, who allowed a systemic oversight in such a sensitive area?

    The second weakest point was smart contracts. This is also unsurprising: they are becoming increasingly complex, as are the blockchains on which they run; universal standards have not yet been worked out, and the deadlines are always tight. In addition, audit services for smart contracts are now extremely expensive, and not every project is ready to pay for them. Still, the leading risk factor is haste. The cryptocurrency world is changing and developing rapidly, so you have to constantly run just to stay in place. But not all programmers are willing or able to work in the “it should have been done yesterday” mode. Hence the numerous flaws, including in smart contracts.
