The DeFi hacks of 2020

The DeFi hacks of 2020

In 2020, 17 major DeFi exploits and hacks took place that resulted in the loss of $154 million. In two of these 17 attacks, the theft was the result of the founding team exit scamming. The other 16 instances were the result of an exploit.

Interestingly, in six of the attacks that took place, the stolen funds or a portion of the stolen funds were returned to the project. If we assume the teams that say the attacker returned the money are being truthful, the total amount stolen from DeFi exploits in 2020 comes to $94 million.

What do we mean by exploit? When an attacker has a strong understanding of how a DeFi project’s smart contract works, and then uses that knowledge to interact with the smart contract in a way that lets them take advantage of the DeFi project, get tokens at prices that are beneficial to them, or drain the project’s liquidity pools.

Let’s take a closer look at the DeFi hacks of 2020 and how the attacker was able to pull off the attack. 

bZx

Date: February 14

Amount lost: $350,000 

Decentralized lending platform bZx was the first DeFi project to suffer from an exploit in 2020. The attacker was able to make a $350,000 profit by executing a flash loan attack.

A flash loan attack is when an attacker takes out a loan from one DeFi platform or service provider, and uses the borrowed money to interact with smart contracts in a way that manipulates prices of DeFi tokens in their favor so that they can subsequently drain a projects liquidity pool at prices favorable to them. You will see that many of the DeFi exploits that took place in 2020 happened because of a flash loan attack.

bZx

Date: February 18

Amount lost: $650,000

Just four days after bZx was exploited for $350,000 it was flash loan attacked again, this time for $650,000.

Lendf.me

Date: April 19

Amount lost: $25 million

On April 19th, Dforce’s Lendf.me protocol was exploited for a whopping $25 million. The attacker was able to exploit a flaw in the ERC-777 token standard that allowed them to commit a re-entry attack.

A re-entry attack takes place when a project’s smart contract makes an external call to a third-party contract before it resolves which allows an attacker to take over control flow of the project’s smart contract. 

The attacker allegedly returned the stolen funds to the Dforce team.

Balancer Protocol

Date: June 29

Amount lost: 449,740

On June 29, Balancer Protocol was the victim of a flash loan attack which resulted in the loss of $449,740. 

Opyn

Date: August 4

Amount lost: $371,260

Opyn was the victim of a “double exercise” attack which led to the loss of 371,260 USDC.  The attacker was able to exploit the platform in a way that allowed them to receive ETH put option contract collateral as well as ETH put option contract settlement money—when they really should have only had access to the settlement money.

Sushi Swap

Date: September 5

Amount lost: $13,808,454

SushiSwap was the victim of the classic “rug pull” attack when its founder Chef Nomi removed roughly 37,400 ETH from the project’s development fund and sent it to his personal wallet. 

A rug pull attack is when the developers or the founding team exit scam by sending the money within the project’s liquidity pools to their personal wallets.

After Sushi token investors were advised to lawyer up, Chef Nomi returned all of the stolen funds. 

bZx

Date: September 13

Amount lost: $8,100,000

bZx was exploited for a third time this year on September 13. In the September attack, an attacker exploited a bug in the protocol that allowed them to mint unbacked tokens and then trade those unbacked tokens for LINK, ETH, USDT, and DAI.

bZx has allegedly “restored” all of the funds stolen during this attack.

Eminence Finance

Date: September 28

Amount lost: $15 million

Eminence Finance was the victim of a flash loan attack that resulted in the loss of $15 million, although the attacker returned $8 million of the stolen funds.

Harvest Finance

Date: October 26

Amount lost: $24 million

Harvest Finance was exploited via a flash loan attack that resulted in the loss of over $24 million. 

Akropolis

Date: November 12

Amount lost: $2 million

Akropolis, the DeFi platform that allows users to earn interest on deposits as well as borrow, lost roughly $2 million due to a flash loan attack.

Value DeFi

Date: November 14

Amount lost: $7.4 million

Value DeFi was the victim of a flash loan attack that resulted in roughly $7.4 million being drained from the project’s liquidity pool. Shortly after the attack took place, the attacker returned $2 million worth of stolen funds.

Origin Protocol

Date: November 16

Amount lost: $7.7 million

On November 16, an attacker took advantage of a flaw in the Origin protocol smart contract as well as execute a flash loan attack to drain $7.7 million from the project.

Pickle Finance

Date: November 21

Amount lost: $19.7 million

The Pickle Finance attacker was able to execute a complex attack on the protocol that allowed them to steal $19.7 million.

Compounder

Date: December 1

Amount lost: $9.8 million

The Compounder development team rug-pulled investors just 22 days after the project launched; as a result, $9.8 million was stolen.

Nexus Mutual

Date: December 14

Amount lost: $8.3 million

The Nexus Mutual hack was rather unique; instead of a flash loan attack or rug pull taking place, the attacker tricked Nexus Mutual CEO Hugh Karp into signing a transaction that sent roughly $8.3 million to the attacker’s wallet.

Warp Finance

Date: December 17

Amount lost: $7.7 million

Warp Finance suffered a flash loan attack on December 17 that resulted in $7.7 million in stablecoins being stolen from the project’s liquidity pools. 

Cover Protocol

Date: December 28

Amount lost: $3 million

On December 28, an attacker exploited an “infinite mint” bug in Cover Protocol to print millions of dollars’ worth of tokens and then exchanged them for roughly $3 million in ETH.

Shortly after the hack took place, DeFi project Grap Finance took credit for the exploit, and returned all of the stolen funds to Cover Protocol.

Why so many exploits?

The DeFi sector has become a prime target for hackers. The DeFi market is new, unprofessional, and has several unexplored attack vectors. Many projects in the DeFi space launch without being audited, and even those that do get audited often have attack vectors that go undiscovered. In addition, DeFi exchanges do not have any AML or KYC, so it is easy to execute an attack and launder the money through a DeFi exchange while remaining undetected. 

We say this often (and that’s because it’s true), when it comes to DeFi, you must proceed with caution. The DeFi space is riddled with fraudsters, scammers, and attackers looking to capitalize on the slipshod sector, its sloppy infrastructure, and its many attack vectors. The best way to stay dry, is to not get involved. 

See also: CoinGeek Live presentation, Blockchain Intelligence: Analytics, Forensics & Compliance Tools for Bitcoin SV

New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.

[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]
[id^="_form"]
[id^="_form"]
[id$="_submit"]
[id$="_submit"]
[^;]
[^;]
[?&]
[?&]
[^&#]
[^&#]
[(d+)]
[(d+)]
[elem.name]
[elem.name]
[+_a-z0-9-'&=]
[+_a-z0-9-'&=]
[+_a-z0-9-']
[+_a-z0-9-']
[a-z0-9-]
[a-z0-9-]
[a-z]
[a-z]
[el.name]
[el.name]