Cointelegraph Consulting: Recounting 2021’s biggest DeFi hacking incidents

Published at: Nov. 3, 2021

Compound Finance is just one of the latest victims of DeFi hacking incidents in 2021. On Sept. 30, a bug in the token distribution logic introduced by Proposal 062 caused $70 million–$85 million in excess COMP tokens to be wrongly distributed to users.

Then, a few days later, an additional $65 million was placed in the vulnerable vault, putting at least $150 million in COMP tokens at risk. While Compound was eventually able to contain the situation, the episode shows how vulnerable the decentralized finance (DeFi) sector can be, owing to its nascency.

Last year, the total value locked (TVL) in DeFi was a mere 5% of the $255 billion it is currently worth, a change that marks explosive growth of 1,686%. Even with the Compound debacle, and most recently with decentralized trading platform BXH losing $139 million to an attack attributed to a leaked admin key, TVL actually increased over the last month, appreciating by 14.27%.

One reason investors have flocked to DeFi protocols is the search for higher returns. The rock-bottom interest rates of 2020, with no clear timeline for an increase, caused investors to look for other avenues to park their cash. Locking crypto assets into DeFi protocols to supply liquidity for such services became an attractive option, as it offered higher returns. What ensued was a yield farming boom in 2020 that has prevailed up to this year.

Counting the incidents

The rising popularity of DeFi is a double-edged sword for the young sector and the cryptocurrency space as a whole. Since 2012, 534 blockchain hacking incidents have taken place, with 169 of them in 2021 alone, according to Chinese cybersecurity firm SlowMist. Hacks are growing in sophistication and target various areas of the space.

Notably, the biggest hack ever to take place occurred in 2021 and was carried out by an unknown attacker against cross-chain protocol Poly Network. The result was the equivalent of $610 million in tokens stolen, topping Mt. Gox and Coincheck. The attack pocketed about $273 million from the Ethereum network, $85 million in USD Coin (USDC) from the Polygon network and $253 million from Binance Smart Chain. It also removed sizable amounts of renBTC, wrapped Bitcoin (wBTC) and wrapped Ether (wETH).

The Poly Network incident is one of many DeFi hacks in 2021, and Poly Network was fortunate to recover all of the funds. Cream Finance, on the other hand, was not so lucky. The decentralized lending protocol, which was attacked twice this year, comes in a distant second with nearly $150 million wiped out, and it is still trying hard to recover. Overall, the total amount lost to blockchain hacking this year is nearly $7 billion, a $2.5 billion increase from last year.

Calls for audit

Poly Network, Compound and Cream Finance make up the top three by amount of funds affected (totaling $906 million). Like Cream Finance, other notable protocols were exploited more than once in the same year, including THORChain and Value DeFi.

Merlin Labs, a yield optimizer built on BSC, was attacked three times: twice in the same week and once more a month later. Its losses, at $1.5 million, are negligible next to those of the other victims, but what is surprising is that it had been audited by Hacken just 11 days before the attack.

Security experts recommend that a smart contract undergo an audit, usually by independent auditors. An audit can help detect, and possibly rectify, vulnerabilities in smart contract code and check the reliability of the smart contract's interactions.

Kava Labs CEO Brian Kerr told Cointelegraph in May 2020 how critical it is for anyone who wants to use a DeFi protocol to first check its audits and peer reviews. But even then, he warned of associated technical and market risks, since the sector, again, is still new.

Download the 34th issue of the Cointelegraph Consulting Bi-weekly Newsletter in full, complete with charts and market signals, as well as news and overviews of fundraising events.

Among the projects that fell victim to attacks this year, only about 15 of the 40 affected DeFi protocols had been audited. It is worth noting, though, that the affected funds for the audited protocols were significantly less than for those that were not: for each audited protocol, the loss was almost 60% less than for an unaudited one. As a whole, 20.3% of the funds affected across all the protocols hacked this year came from audited protocols, while 79.67%, or about $1.3 billion, came from unaudited ones.

The four major reasons DeFi protocols get hacked are coding mistakes, developer incompetence, misuse of third-party protocols and business logic errors. The most common of these, and possibly the most dangerous, is developer incompetence, of which coding mistakes are a direct consequence. Inadequately qualified developers rushing to launch a project without a rigorous third-party check are more susceptible to exploits.

This is why there is an ongoing push for extra measures to improve security practices in the industry. Audits, particularly smart contract security audits and secondary audits, are just two ways to achieve this. As Kerr said, an investor's own technical diligence in scrutinizing a DeFi protocol before investing is also warranted.

Still, the light at the end of the tunnel is that these hacks could be essential in advancing the DeFi sector. CipherTrace Chief Financial Analyst John Jefferies told Cointelegraph back in August that such crimes will spark an acceleration in the acceptance of know-your-customer (KYC) procedures, particularly among decentralized exchanges, or DEXs, which can be critical in getting regulatory approval.

As DeFi matures, especially with the advent of layer-one blockchains competing against Ethereum, the recent hacking events are perhaps just the tip of the iceberg, and poorly designed and unaudited protocols could be in a whole heap of trouble.

Cointelegraph’s Market Insights Newsletter shares our knowledge on the fundamentals that move the digital asset market. The newsletter dives into the latest data on social media sentiment, on-chain metrics, and derivatives.

We also review the industry’s most important news, including mergers and acquisitions, changes in the regulatory landscape, and enterprise blockchain integrations. Sign up now to be the first to receive these insights. All past editions of Market Insights are also available on Cointelegraph.com.
