Defi Hacks

The DeFi hacks of 2020

In 2020, 17 major DeFi exploits and hacks took place that resulted in the loss of $154 million. In two of these 17 attacks, the theft was the result of the founding team exit scamming. The other 16 instances were the result of an exploit.

Interestingly, in six of the attacks that took place, the stolen funds or a portion of the stolen funds were returned to the project. If we assume the teams that say the attacker returned the money are being truthful, the total amount stolen from DeFi exploits in 2020 comes to $94 million.

What do we mean by exploit? An exploit is an attack in which someone with a strong understanding of how a DeFi project’s smart contract works uses that knowledge to interact with the contract in a way that lets them take advantage of the project: obtaining tokens at prices that benefit them, or draining the project’s liquidity pools.

Let’s take a closer look at the DeFi hacks of 2020 and how the attacker was able to pull off the attack. 

bZx

Date: February 14

Amount lost: $350,000 

Decentralized lending platform bZx was the first DeFi project to suffer from an exploit in 2020. The attacker was able to make a $350,000 profit by executing a flash loan attack.

A flash loan attack is when an attacker takes out a loan from one DeFi platform or service provider and uses the borrowed money to interact with smart contracts in a way that manipulates the prices of DeFi tokens in their favor, so that they can subsequently drain a project’s liquidity pool at prices favorable to them. You will see that many of the DeFi exploits that took place in 2020 happened because of a flash loan attack.
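To make the price-manipulation point concrete, here is an added example written for this article (not code from bZx or any other project named here) contrasting an oracle that reads a pool’s spot reserve ratio, which a single borrowed-and-repaid swap can move, with one that averages the price over a window of time. The pool interface is modelled on Uniswap V2’s pair and is an assumption.

```solidity
pragma solidity ^0.8.0;

// Minimal view of a constant-product pool, modelled on Uniswap V2's pair
// interface (an assumption of this example, not any project's own code).
interface IPairLike {
    function getReserves() external view returns (uint112, uint112, uint32);
    function price0CumulativeLast() external view returns (uint256);
}

// Weak: the reserve ratio is a spot price. One large swap, funded by a flash
// loan, moves it for the rest of the transaction and back again afterwards.
contract SpotOracle {
    IPairLike public immutable pair;
    constructor(IPairLike p) { pair = p; }
    function token0Price() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / uint256(r0);
    }
}

// Hardened: a time-weighted average over a fixed window. The pool accumulates
// price * seconds on every state change; a price that exists only inside one
// transaction has no elapsed seconds and adds nothing to the average.
contract TwapOracle {
    IPairLike public immutable pair;
    uint32 public constant WINDOW = 30 minutes;
    uint256 private cumulativeLast;   // price0CumulativeLast at the last update
    uint32 private timestampLast;     // pool timestamp at the last update
    uint256 public averagePrice;      // UQ112x112 fixed point, as the pool stores it

    constructor(IPairLike p) {
        pair = p;
        cumulativeLast = p.price0CumulativeLast();
        (, , timestampLast) = p.getReserves();
    }

    // Anyone may call this, but a new average is only recorded once a full
    // window separates the pool's last two observed states.
    function update() external {
        uint256 cumulative = pair.price0CumulativeLast();
        (, , uint32 ts) = pair.getReserves();
        uint32 elapsed;
        unchecked { elapsed = ts - timestampLast; } // pool timestamps wrap mod 2**32
        require(elapsed >= WINDOW, "window not elapsed");
        unchecked { averagePrice = (cumulative - cumulativeLast) / elapsed; } // overflow by design
        cumulativeLast = cumulative;
        timestampLast = ts;
    }
}
```

A contract that values collateral with `averagePrice` rather than `token0Price()` cannot be moved by a swap that is undone in the same transaction; an attacker would have to hold the manipulated price across real blocks, at real cost.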

bZx

Date: February 18

Amount lost: $650,000

Just four days after bZx was exploited for $350,000 it was flash loan attacked again, this time for $650,000.

Lendf.me

Date: April 19

Amount lost: $25 million

On April 19th, dForce’s Lendf.me protocol was exploited for a whopping $25 million. The attacker was able to exploit a flaw in the ERC-777 token standard that allowed them to carry out a re-entrancy attack.

A re-entrancy attack takes place when a project’s smart contract makes an external call to a third-party contract before it has finished updating its own state, which lets the called contract call back into (re-enter) the project’s smart contract and take over its control flow.
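An added illustration of that pattern (written for this article, not code from Lendf.me or dForce): the same withdrawal written in the order that lets a token callback re-enter the pool, beside the checks-effects-interactions version with a mutex. The token interface and contract names are assumptions.

```solidity
pragma solidity ^0.8.0;
// Hypothetical token whose transfer can call back into the sender before it
// returns, as ERC-777 hooks do (interface name is an assumption).
interface IHookedToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared bookkeeping: users deposit tokens and are credited an internal balance.
abstract contract PoolBase {
    IHookedToken public immutable token;
    mapping(address => uint256) public balances;
    constructor(IHookedToken t) { token = t; }
    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        balances[msg.sender] += amount;
    }
}
// Vulnerable: the external call runs before the balance is zeroed. If the token
// calls back into withdrawAll() during the transfer, the callback still reads
// the old balance and is paid again, for as long as the pool has funds.
contract VulnerablePool is PoolBase {
    constructor(IHookedToken t) PoolBase(t) {}
    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction first
        balances[msg.sender] = 0;                                        // effect last
    }
}

// Hardened: checks-effects-interactions order plus a mutex, so a callback
// finds the balance already zeroed and the lock already held.
contract HardenedPool is PoolBase {
    bool private locked;
    constructor(IHookedToken t) PoolBase(t) {}
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function withdrawAll() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;                                        // effect first
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction last
    }
}
```

Either fix alone closes this particular hole; auditors generally want both, since the ordering rule is easy to break in a later refactor and the mutex also covers re-entry through other functions of the same contract.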

The attacker allegedly returned the stolen funds to the Dforce team.

Balancer Protocol

Date: June 29

Amount lost: $449,740

On June 29, Balancer Protocol was the victim of a flash loan attack which resulted in the loss of $449,740. 

Opyn

Date: August 4

Amount lost: $371,260

Opyn was the victim of a “double exercise” attack which led to the loss of 371,260 USDC. The attacker was able to exploit the platform in a way that allowed them to receive ETH put option contract collateral as well as ETH put option contract settlement money—when they really should have only had access to the settlement money.

SushiSwap

Date: September 5

Amount lost: $13,808,454

SushiSwap was the victim of the classic “rug pull” attack when its founder Chef Nomi removed roughly 37,400 ETH from the project’s development fund and sent it to his personal wallet. 

A rug pull attack is when the developers or the founding team exit scam by sending the money within the project’s liquidity pools to their personal wallets.

After Sushi token investors were advised to lawyer up, Chef Nomi returned all of the stolen funds. 

bZx

Date: September 13

Amount lost: $8,100,000

bZx was exploited for a third time this year on September 13. In the September attack, an attacker exploited a bug in the protocol that allowed them to mint unbacked tokens and then trade those unbacked tokens for LINK, ETH, USDT, and DAI.

bZx has allegedly “restored” all of the funds stolen during this attack.

Eminence Finance

Date: September 28

Amount lost: $15 million

Eminence Finance was the victim of a flash loan attack that resulted in the loss of $15 million, although the attacker returned $8 million of the stolen funds.

Harvest Finance

Date: October 26

Amount lost: $24 million

Harvest Finance was exploited via a flash loan attack that resulted in the loss of over $24 million. 

Akropolis

Date: November 12

Amount lost: $2 million

Akropolis, the DeFi platform that allows users to earn interest on deposits as well as borrow, lost roughly $2 million due to a flash loan attack.

Value DeFi

Date: November 14

Amount lost: $7.4 million

Value DeFi was the victim of a flash loan attack that resulted in roughly $7.4 million being drained from the project’s liquidity pool. Shortly after the attack took place, the attacker returned $2 million worth of stolen funds.

Origin Protocol

Date: November 16

Amount lost: $7.7 million

On November 16, an attacker took advantage of a flaw in the Origin Protocol smart contract, combined with a flash loan attack, to drain $7.7 million from the project.

Pickle Finance

Date: November 21

Amount lost: $19.7 million

The Pickle Finance attacker was able to execute a complex attack on the protocol that allowed them to steal $19.7 million.

Compounder

Date: December 1

Amount lost: $9.8 million

The Compounder development team rug-pulled investors just 22 days after the project launched; as a result, $9.8 million was stolen.

Nexus Mutual

Date: December 14

Amount lost: $8.3 million

The Nexus Mutual hack was rather unique; instead of a flash loan attack or rug pull taking place, the attacker tricked Nexus Mutual CEO Hugh Karp into signing a transaction that sent roughly $8.3 million to the attacker’s wallet.

Warp Finance

Date: December 17

Amount lost: $7.7 million

Warp Finance suffered a flash loan attack on December 17 that resulted in $7.7 million in stablecoins being stolen from the project’s liquidity pools. 

Cover Protocol

Date: December 28

Amount lost: $3 million

On December 28, an attacker exploited an “infinite mint” bug in Cover Protocol to print millions of dollars’ worth of tokens and then exchanged them for roughly $3 million in ETH.

Shortly after the hack took place, DeFi project Grap Finance took credit for the exploit, and returned all of the stolen funds to Cover Protocol.

Why so many exploits?

The DeFi sector has become a prime target for hackers. The DeFi market is new, unprofessional, and has several unexplored attack vectors. Many projects in the DeFi space launch without being audited, and even those that do get audited often have attack vectors that go undiscovered. In addition, DeFi exchanges do not have any AML or KYC, so it is easy to execute an attack and launder the money through a DeFi exchange while remaining undetected. 

We say this often (and that’s because it’s true): when it comes to DeFi, you must proceed with caution. The DeFi space is riddled with fraudsters, scammers, and attackers looking to capitalize on the slipshod sector, its sloppy infrastructure, and its many attack vectors. The best way to stay dry is to not get involved.

See also: CoinGeek Live presentation, Blockchain Intelligence: Analytics, Forensics & Compliance Tools for Bitcoin SV
