Roundup of crypto hacks, exploits and heists in 2020

Unlike in previous years, crypto news in 2020 was not dominated by major exchange hacks and million-dollar Bitcoin thefts. There were still a few, however, and most of them came from the nascent decentralized finance (DeFi) sector.

DeFi was one of the main drivers of crypto market momentum in 2020, and it is clear that the emerging financial landscape has been a magnet for scammers and hackers. Largely unaudited smart contracts combined with cloned code were a recipe for vulnerabilities and exploits, which often resulted in millions of dollars in digital assets being stolen.

A November 2020 CipherTrace report found that DeFi accounted for 45% of all thefts and hacks in the first half of the year, resulting in a loss of over $50 million. That number rose to 50% of all thefts and hacks in the second half, according to the report. Dave Jevans, CEO of CipherTrace, warned in an interview with Cointelegraph of possible government action: “DeFi hacks will account for more than half of all cryptocurrency hacks in 2020, a trend that is attracting the attention of regulators.”

He added that anti-money laundering non-compliance is of greater concern to regulators: “The funds stolen in the biggest hack of 2020 – the $280 million KuCoin hack – were laundered using DeFi protocols.” Jevans also believes that 2021 is likely to give regulators clarity on what action the DeFi protocols are likely to take to avoid the consequences of non-compliance with money laundering, flag capture and possible sanctions.

Exchange hacks in 2020

The KuCoin hack happened in late September, when the exchange’s CEO Johnny Lyu confirmed that the break-in affected the company’s Bitcoin, Ethereum and ERC-20 hot wallets after private keys were leaked.

By early October, KuCoin announced that it had identified suspects and officially involved law enforcement in the investigation. By mid-November, the Singapore-based exchange announced it had recovered 84% of its stolen crypto and resumed full service for the majority of its tradable assets.

There were other exchange hacks this year, but KuCoin was the biggest. In February, Italian exchange Altsbit lost almost all of its funds in a $70,000 hack, and there were some other minor crypto exchange breaches. In October 2020, up to 75 centralized crypto exchanges were closed for various reasons.

DeFi’s 2020 hacks and exploits

With billions of dollars pouring into DeFi protocols and yield farms, the burgeoning landscape has become a hotbed for hackers. The first major exploit of 2020 occurred on DeFi lending platform bZx in February, when two flash loan exploits resulted in a loss of nearly $1 million in user funds. A flash loan is when crypto collateral is borrowed and repaid within the same transaction.

bZx froze operations to prevent further losses. However, this sparked a wave of criticism from industry watchers who claimed it was ultimately a centralized platform and could be the “death of DeFi.”

The markets crashed in March, causing numerous collateral liquidations, especially for Maker’s MKR tokens, but these weren’t hacks. The next hack came the following month, when a wrapped version of Bitcoin called imBTC was attacked using an ERC-777 token standard reentrancy attack. The attacker was able to drain a Uniswap liquidity pool of its entire value, which was estimated at $300,000 at the time.

In April, the same exploit was used to withdraw all liquidity from the Chinese lending platform dForce. The hacker repeatedly increased his ability to borrow other assets and made off with around $25 million.

In June, an exploit was discovered in Bancor’s smart contracts that resulted in up to $460,000 worth of tokens being drained. The automated DeFi market maker said it had deployed a new version of the smart contract that fixed the vulnerability.

Balancer was the next DeFi protocol to be exploited, to the tune of $500,000 in wrapped ether that was stolen from its liquidity pools using a well-planned arbitrage attack. A number of flash loans and arbitraged token swaps were conducted to exploit a vulnerability that the Balancer team apparently already knew about.

Not so much a hack as another exploit, but bZx was in the news again in July with a dubious token sale manipulated by bots placing buy orders in the same block that marked the start of the token generation event. Almost half a million dollars in price-pump profits were captured by the attackers.

DeFi options protocol Opyn was the next victim in August, when hackers took advantage of its ETH put contracts, which were exploited for more than $370,000. The exploit allowed attackers to “double-exercise” Ethereum put oTokens and steal the collateral. Opyn recovered around 440,000 USDC from outstanding vaults using a white hat hack and effectively returned it to put sellers.

Here, too, it was not a direct hack but a code error in an unaudited smart contract from Yam Finance that affected the rebasing of the governance token, which led to a price drop in mid-August. The protocol had to appeal to DeFi whales to save it by voting for a reboot as version 2.

When the sushi rolls off

The SushiSwap saga began at the end of August, and the terms “vampire mining” and “rug pull” were coined. The anonymous protocol cloner and administrator named “Chef Nomi” sold SUSHI tokens worth $8 million, which caused the token price to collapse. A few days later, the protocol was saved by Sam Bankman-Fried, CEO of FTX Exchange, who was given control by a consortium of DeFi whales via a multi-signature smart contract. Eventually, all funds were returned to the developer fund.

The rug pulls, or “pump and dumps” as they were called during the previous altcoin boom in 2017, continued with a number of DeFi clones like Pizza and Hotdog. The token prices for these food farms went up and collapsed within hours and sometimes even minutes.

In mid-October, hordes of “degenerate farmers,” or degens, as they were called, piled money into an unaudited and unreleased smart contract from the founder of the DeFi protocol Yearn Finance, Andre Cronje. The Eminence Finance contract lost $15 million when it was hacked within hours after Cronje posted a teaser on Twitter about the new “gaming multiverse”. The hacker returned around $8 million but kept the rest, which led the disgruntled traders to take legal action against the Yearn team for lost funds.

In late October, a sophisticated arbitrage attack on the Harvest Finance protocol resulted in a loss of $24 million in stablecoins in around seven minutes. The attack sparked a debate about whether these system design exploits can be viewed as hacks.

November was a particularly painful month for Akropolis, which had to pause its protocol when hackers got away with $2 million in DAI stablecoin. The Value DeFi protocol lost $6 million in an all-too-frequent flash loan exploit, the yield-generating stablecoin project Origin Dollar was exploited for $7 million, and Pickle Finance suffered a collateral loss of $20 million in a sophisticated exploit.

One incident that broke the mold of protocol exploits was a personal attack on an individual in mid-December. The founder of the Nexus Mutual DeFi protocol, Hugh Karp, lost $8 million from his MetaMask wallet when a hacker managed to infiltrate his computer and forge a transaction. These types of attacks are generally less common because they involve some level of social engineering.

The last reported flash loan attack of the year was an $8 million hit on Warp Finance on December 18.

Many traders and investors also fell victim to phishing attempts, and Ledger hardware wallet owners were targeted in 2020 after the personal information of around 272,000 Ledger buyers was stolen in a hack.

Battle-hardening DeFi

The bulk of smart contract and flash loan exploits in 2020 will serve to battle-harden the burgeoning financial ecosystem as it evolves. New and smarter DeFi protocols are expected to hit the market next year, but as always, scammers, hackers, and cybercriminals will also improve their game to stay ahead of the curve.

A large dose of vigilance and attention is required to delve into the current world of DeFi, but it has come a very long way in such a short amount of time, and the decentralized financial landscape of the future is constantly evolving.