DeFi’s growing popularity is invariably linked to the growing crypto-heists in the space. Chainalysis says that DeFi accounts for 97% of all the crypto stolen in the first three months of 2022.
Here is an analysis showing the tremendous contribution of Defi in the crypto scams.
According to the Rekt Leaderboard for top blockchain hacks of all times, ⅘ top scams exploited the DeFi cross-chains, putting a question mark on bridge security.
This article will talk about 5 such popular Defi hacks and what could be the role of smart contracts audit in preventing such crypto frauds.
5 Popular hacks in DeFi History
In the case of DeFi protocols, the largest thefts are usually the result of faulty codes. Much of the value of stolen amounts to code exploits and flash loan attacks (a type of code exploit involving the manipulation of cryptocurrency prices).
Here are five popular Defi hacks contributing a tremendous share to the crypto-heists.
1. Polynetwork attack
The largest hack in the DeFi sphere was potentially saved because the hacker returned most of the crypto stolen back to the network.
In Aug 2021, Polynetwork finance, a cross-chain DeFi protocol, lost $600M worth of crypto-assets to hacking. A cross-chain interoperability bridge, a poly network allows users to transfer their tokens from one blockchain to another. The hacker exploited Polynetwork’s cross-chain smart contract, swapping the network keeper’s account for a malicious attacker.
Although eventually returned all the assets except for $33M worth of crypto.
2. Cream Finance
In October 2021, Cream Finance was hacked for $130M for the second time in a row. The protocol is a part of the Yearn finance ecosystem.
Cream finance faced a flash loan attack, repeatedly lending and borrowing flash-loaned assets across two addresses, where the hacker was able to exploit a pricing vulnerability.
Following the accumulation of yUSDVault-collateralized crYUSD, the cost of the underpinning yUSDVault token was influenced to double the value of the attacker’s collateral effectively.
3. NOMAD attack
NOMAD was recently hacked for $190M making it the 5th largest Defi hack of all time. Unlike in most cases where stealing crypto assets is a matter of a few seconds or minutes, the nomad bridge was slowly drained for about an hour. Hacker exploited a simple bug in the bridge’s smart contract allowing numerous scammers to take funds from the bridge without requiring any thorough understanding. The bridge suffered a loss of about $190 million. Fortunately, the hacker agreed to return the stolen assets, although the talks are still on the table.
4. Ronin network
The largest Defi hack of all time lost $624M worth of crypto-assets due to a security breach on its system. It was shocking to see that the attack went unnoticed for six days.
Happening in March 2022, an attacker forged fake withdrawals from the Ronin bridge across two transactions by hacking Ronin’s private keys.
Ronin was launched as an Ethereum sidechain to cater to the rising popularity of Axie Infinity. To maximize TPS, with low-cost transactions, decentralization was exchanged for Proof-of-Authority, where only nine validators validated the transactions. Here, hackers gained access to validators compromising the transactions in a security breach event.
5. Wormhole Network
Another Defi bridge exploit.
Wormhole, a Defi (decentralized finance) platform, was hit with a $325 million cryptocurrency loss after an attacker exploited a security flaw in its system. It is a token bridge that allows users to send and receive cryptocurrencies between blockchains such as Ethereum, Polygon, Binance SmartChain (BSC), Oasis, Solana, Terra, Avalanche, and others.
Attacking the bridge’s Solana side. It was caused by a recent update to Wormhole’s GitHub repository. The update revealed a fix for a bug that undeployed to the project itself. The attacker created a valid signature for a transaction, allowing them to freely mint 120 wrapped Ethereum (wETH).
What is the role of audit in Defi exploits?
Out of the five projects discussed above, three projects, namely Ronin, Polynetwork, and Cream finance, were unaudited.
Smart contracts are the key to the Defi ecosystem, making it an imperative move to consider their security aspect and smart contract auditing is the beginning. Auditing a smart contract entails thoroughly examining a smart contract’s code for it to interact with the desired blockchain protocol.
Smart contracts decide the functioning of a Defi protocol. Hence, Smart contract auditing is an unavoidable step to having a secure deployment on the blockchain.
Since the cryptocurrency market is expanding, hackers are developing more sophisticated methods of gaining access to users’ funds. Hence, the project owners and developers must take the necessary steps to ensure the code is functioning appropriately. Before it is too late, projects must make a conscious effort to conduct a thorough, smart contract audit.