Biggest DeFi Hacks in 2020

William M. Peaster on 05 Jan 2021

DeFi was the star of the cryptoeconomy’s show in 2020, which, if recent days are any indication, will go down as a historic year for cryptocurrencies in general. That said, this year also saw a new wave of sophisticated attackers arrive to probe and steal young DeFi projects’ token holdings. Let’s look back on this year’s biggest and most successful DeFi attacks.

The 1st bZx Exploit - Feb. 15th

  • Attack style: Bug exploit
  • Amount lost: ~$356,000
  • Funds recovered: N/A

In this attack, the culprit used a flash loan via dYdX to launch a permissionless “pump and dump” scheme involving WBTC and the bZx, Compound, KyberSwap, and Uniswap projects. The ensuing manipulation allowed the attacker to make off with more than 1,200 ETH.

Source: PeckShield

Follow-up bZx Oracle Blitz - Feb. 18th

  • Attack style: Oracle manipulation
  • Amount lost: ~$666,000
  • Funds recovered: N/A

Days after the prior bZx exploit, an attacker launched another flash loan assault on the protocol. This new ploy involved oracle manipulation around Synthetix’s sUSD token, which the culprit pumped and then used to borrow a small trove of ETH from bZx.

Source: PeckShield

The Uniswap & Lendf.me Reentrancy Attacks - Apr. 18th-19th

  • Attack style: Reentrancy via imBTC
  • Amount lost: +$25 million
  • Funds recovered: ~$25 million

In April 2020, imBTC issuer Tokenlon was at the center of not one but two separate reentrancy attacks, with a smaller initial salvor targeting Uniswap V1 and a second one netting a whopping $25 million from dForce’s Lendf.me protocol. The DeFi assaults revolved around ERC-777 hooks, which can allow tokens to be commandeered by malicious contracts if deposited into protocols that don’t mitigate these hooks by design. Notably, the Lendf.me attacker ended up returning the tokens stolen from that protocol after their IP address and other identifying information was apparently uncovered.

The Great Bancor Rescue - June 18th

  • Attack style: Infinite approvals + public method visibility
  • Amount lost: ~$135,000
  • Funds recovered: ~$135,000

A critical bug in the Bancor Network meant that many users unsuspectingly OK’d infinite approvals to a smart contract that, horrifyingly, bore a public method that anyone could use to steal Bancor users’ funds. In collaboration with whitehat hackers, Bancor discovered the flaw and immediately attempted to “exploit” it in order to prevent a malicious agent from doing the same first. Automated frontrunners hopped into the fray and unknowingly helped Bancor save the funds, which these entities promptly returned to Bancor.

Balancer’s Deflationary Assault - June 28th

  • Attack style: Deflationary tokens
  • Amount lost: ~$522,000
  • Funds recovered: N/A

In this incident, an extremely knowledgeable DeFi hacker launched a sophisticated flash loan blitz against Balancer. The culprit first funded their address with a transaction through Ethereum privacy solution Tornado.cash. The scheme itself targeted the STA and STONK deflationary tokens and their transaction fee mechanisms, which allowed the hacker to make off with +$500,000 worth of ETH, LINK, SNX, and WBTC.

Opyn’s Double Puts - Aug. 5th

  • Attack style: Bug exploit
  • Amount lost: ~$371,000
  • Funds recovered: N/A

DeFi options protocol Opyn was the victim of an attack that saw a hacker use a bug to “double exercise” the project’s oTokens. This attack vector, which was promptly patched up by Opyn, allowed the malicious agent to steal over $370,000 worth of USDC collateral from the protocol’s ETH Put smart contracts.

bZx’s iToken Duplication Incident - Sept. 15th

  • Attack style: Bug exploit
  • Amount lost: ~$8 million
  • Funds recovered: ~$8 million

In this attack, a hacker used an exploit within the code of bZx’s iToken system to “increase his balance artificially.” The episode highlighted how smart contract audits don’t offer guaranteed peace of mind in DeFi, seeing as how bZx was audited by both PeckShield and Certik prior to this incident. Luckily, bZx was able to recover all of the lost funds from the attacker.

The Eminence Oracle Attack - Sept. 29th

  • Attack style: Oracle manipulation
  • Amount lost: ~$15 million
  • Funds recovered: ~$8 million

Eminence Finance, an NFT-based game by Yearn creator Andre Cronje, captured tons of on-chain attention before its creator ever announced anything about the project. This led to DeFi degens aping into the project and throwing caution to the wind, which created a sizable token trove that a hacker rapidly stole from via a flash loan-driven oracle manipulation attack. The culprit ended up returning $8 million of the $15 million in stolen funds, which was distributed through a community refund mechanism.

Harvest Finance Oracle Attack - Oct. 26th

  • Attack style: Oracle manipulation
  • Amount lost: ~$24 million
  • Funds recovered: ~$2.5 million

In late October, yield aggregator protocol Harvest Finance fell prey to an oracle manipulation attack that earned its creator over $24 million in stolen tokens. Specifically, the protocol’s USDC and USDT vault were targeted in the DeFi assault, which centered around impermanent loss in Curve.fi’s Y pool.

The Cheese Bank Heist - Nov. 6th

  • Attack style: Oracle manipulation
  • Amount lost: ~$3.3 million
  • Funds recovered: N/A

Decentralized autonomous bank project Cheese Bank was drained of more than $3 million worth of Dai, USDC, and USDT after a hacker exploited a flaw in the way the asset tracks token prices via an intricate flash loan blitz.

The Attack on Akropolis - Nov. 12th

  • Attack style: Bug exploit + reentrancy
  • Amount lost: ~$2 million
  • Funds recovered: N/A

An attacker used an reentrancy attack in combination with a vulnerability in the Akropolis project’s savings pool to steal $2 million worth of the Dai stablecoin. This pool had notably been audited by Certik, Pessimistic, and SmartDec prior to the assault, yet another reminder that audits are not the end-all be-all for DeFi security.

The Value DeFi Oracle Blitz - Nov. 14th

  • Attack style: Oracle manipulation
  • Amount lost: ~$7.5 million
  • Funds recovered: ~2 million

In November, upstart yield aggregator protocol Value DeFi saw its centralized oracle exploited and its MultiStables Vault drained. The episode came on the heels of Value DeFi infamously posting that one of its advantages was superior security. In the wake of the attack, the project’s team announced plans to integrate with decentralized oracle network Chainlink.

Origin Dollar Reentrancy Assault - Nov. 17th

  • Attack style: Bug exploit + reentrancy
  • Amount lost: ~$7.7 million
  • Funds recovered: N/A

November also saw stablecoin project Origin Dollar fall victim to a flash loan attack. The assault involved the attacker using a malicious contract to mint more OUSD than they should’ve been allowed to. After the incident, the Origin Dollar team offered a bounty of $1 million for information leading to the identity of the culprit.

Pickle Finance’s Big Pickle - Nov. 22nd

  • Attack style: Bug exploit
  • Amount lost: ~$19.7 million
  • Funds recovered: N/A

Yield aggregator protocol Pickle Finance saw its pDAI PickleJar drained to the tune of nearly 20 million Dai in November. The complex attack revolved around the offender installing an “Evil Jar” into pDAI’s system, which was used to compromise the funds within.

Source: banteg

The Warp Finance Oracle Attack - Nov. 22nd

  • Attack style: Oracle manipulation
  • Amount lost: ~$7.7 million
  • Funds recovered: ~$5.85 million

Warp Finance, a DeFi lending platform for liquidity provider (LP) tokens, was attacked earlier this month in an oracle manipulation blitz that netted the offender +$7 million. Due to a quirk in the project’s design, its team was able to recover $5.85 million worth of Uniswap ETH/DAI LP tokens that the attacker had used as collateral.

Conclusion

2020 was a boom year for DeFi, and with the sector rising into the limelight attackers have turned their attention therein accordingly. From the attacks above, it’s clear there’s no single way to attack a DeFi protocol, but rather common attack vectors that young projects in the space have fallen prey to. For now, losses from these growing wave of DeFi attacks haven’t been catastrophic. Yet as the ecosystem continues to blossom and the total value locked (TVL) within protocols both big and small swells, the stakes will get even higher and the attacks more lucrative. Expect to see more sophisticated DeFi assaults in 2021, to say the least.

Tags:

DeFi is coming. Don't get left behind

About the author
William M. Peaster
William M. Peaster is a writer and curator of the DeFi Arts Intelligencer, a newsletter tracking Ethereum’s digital collectibles arena. He is not a financial advisor. The thoughts shared in this guest post are his opinions and reflect his personal experiences and personal optimism around Ethereum. He currently owns some cryptoart and ETH.

The Latest: