DeFi is still in it's infancy and with that infancy comes growing pains. What was once a small idea on ETH a few years ago has since blossomed into a $150b+ industry across multiple chains and platforms. That new inflow of money has brought in a huge number of developers to DeFi; some with big dreams and the programming skills to back them up and others that are more akin to Script Kiddies (aka developers who happen to be real good at copy-pastin).
Over the last few months DeFi exploits/hacks have been all over the news. Seemingly every few days another protocol was hit. To gain a better understanding of why, today I'd like to go through the top 5 biggest hacks/exploits that have occurred on DeFi and see if there's anything we can learn.
5. Meerkat Finance - $32M
This one was not a scam/exploit, even though the Meerkat team claimed it as one initially, but I'd still like to include it for what we can learn. Meerkat was a fork of Yearn.Finance that was launched on Binance Smart Chain in early March. Just one day after launch, the protocol was rugged for $13M BUSD and 73,000 BNB. At the time this came out to $32M.
Shortly after the rug pull occurred, Meerkat's website/Twitter/Github and any other evidence of it's existence was removed. Many said a rollback on Binance Smart Chain would be eminent but no such rollback has occurred. The exploit was performed by using a backdoor built into the code that allowed those with access to the vault to "upgrade" it to set the withdraw location to their wallet address.
4. Alpha Finance - $37.5M
Audits are usually a sign of good faith in DeFi but don't always mean full trust can be put in the platform. Alpha Finance was likely attacked from within due to the complex nature and insider knowledge that would have been required for the exploit. According to Alpha's official post-mortem the attacker would have needed to know about HumoraBankv2's sUSD pool on contract level that was not available at that time in the UI and detailed knowledge of a rounding miscalculation that only affected pools with zero liquidity. All signs point to an inside job on this one although no person has been named.
Sometimes a project can have all the right signs but can still be exploited from the inside. Alpha Finance had been audited twice and their team was fully known and doxed but that still didn't protect it from an insider attack. You'd be happy to know Alpha Finance has continued on and made a recovery since this incident, so chances are whoever did this doesn't work there now.
Audited: Yes - Quantstamp, Peckshield
Team: Fully doxed
3. PancakeBunny - $45M
The biggest loser from the BSC Flash Loan epidemic. I personally was holding some BUNNY when this went down but luckily I hadn't spent a dime of my own money on it, I had earned all of it by farming the CAKE pool. Eight flash loans were used to manipulate the price of various PancakeSwap pools, creating a skewed price of BUNNY from the VaultFlipToFlip vault. This caused 6.9M BUNNY tokens to be minted, thus crashing the price from ~$150 to $6. Total value locked went from a high of $10B to just over $1B.
PancakeBunny has been taking all the right steps since this incident - with a pretty extensive plan set in place in an attempt to help recover the price of BUNNY, which has since done so mildly. I personally plan to keep staking my CAKE here since it's earning some pretty solid rewards in spite of BUNNY's price dump.
Audited: Yes - Haechi
2. Uranium Finance - $57.2M
This was not the first time the Uniswap clone had imploded. This exploit occurred on 28 April 2021, earlier in that same month Uranium had suffered a separate exploit when they introduced vulnerabilities into the MasterChef contract. The exploit occurred when a single line of code contained an error, transposing 1,000 for 10,000 which allowed 1 wei of an input token to be swapped for 98% of the total balance of the output token.
The following funds were taken from the exchange - 34,000 WBNB, 17.9M BUSD, 1,800 ETH, 80 BTC, 26,500 DOT, 638k ADA, 5.7M USDT and 112k U92. All in all totaling $57.2M. The crazy thing about this exploit was that the code was slated to be fixed that very next day, but the attacker (whether internal or not) got to it just in time. Further proof that copy-pastin ain't gonna cut it long term.
1. EasyFi - $80M
The only hack to take place on Polygon (MATIC) on this list and unfortunately the largest. This happened when the private keys to the owner's MetaMask account were compromised by the hacker. No fancy flash loans or loopholes in code were found for this one, just poor security measures led to the largest hack in DeFi history. It's crazy to me that a hot wallet (not multisig, not a hardware wallet) was all that stood between a potential hacker and $80M.
After the attack the hacker held 30% of the EASY token supply (~$75M) and $6M of stablecoins. The EASY token's were not...Easily liquidated but the stablecoins were. A hard fork has since been put in place and compensation for token holders has begun. I had not heard of EasyFi prior to writing this, but based on the owner's security I'm going to go ahead and never touch this project as well.
Team: Partially known and doxed
- Value DeFi - Hacked three times (twice in one week) for a total of $28M. I'm not sure if they'll ever learn their lesson.
- Merlin Labs - Hacked two times for a total of $1.23M. Two separate exploits on the same day.
The biggest thing I learned from this was that audits and doxed teams don't always mean safety when it comes to DeFi. As I stated above DeFi is still in it's infancy so experts/auditors are still finding out ways DeFi can be attacked. On top of that audits are designed to protect from external threats but as evidenced by some of the above examples, internal threats can sometimes be even more damaging. However the common knowledge of "Anonymous Team/No Audit = Rug Pull" tends to remain true in Crypto.
I think what I plan to do coming out of this is if the team is known pay more attention to their level of knowledge/experience in Crypto. Outside of technical exploits the other most common thing I saw was internal team members leaking valuable information. Whether it be info on an unreleased liquidity pool or storing funds in a hot wallet. This certainly hasn't and won't discourage me from investing in DeFi but it has encouraged me to take even more precautions when determining a project to invest into in the future.
I hope you enjoyed reading, if you've been a part or victim of any Rug Pulls/Hacks/Exploits in DeFi I'd love to hear about it in the comments. Thanks for reading!
*Thumbnail credit to CryptoPotato
Two Products I Shill :)
Ledger Wallet - Get a $25 voucher and Crypto Beginner Guide when you purchase through this link. Best wallet for long term storage.
DeltaBadger - Simple to use Crypto DCA Bot, 10% off through this link. Great for long-term investing.