DeFi Hacks in 2022: Causes, Cases & Cautionary Tales
As users all over the world lose confidence in the security of crypto platforms because of the steady stream of hacks, frustration is growing. And even if your DeFi protocol wasn’t hacked in 2022, that doesn’t mean it won’t happen next year.
The requirements for cybersecurity are changing as the industry evolves, and it gets harder to protect your protocol with legacy solutions. For this reason, continuous updates and security improvements are a must for any blockchain-related project. And Blaize knows this better than anyone else.
The Blaize team has been boosting the security of various blockchain projects for over 5 years. By now, we have conducted audits for over 180 projects and detected over 350 high-risk vulnerabilities, saving the companies over $100 million from hacking. Our clients include Aurora, 1inch, PEAKDEFI, and many other world-known companies.
So worry no more and keep on reading to find out how to avoid DeFi hacks and keep your blockchain project secure.
How Bad Is It?
Hacking has always been a huge problem for the industry, even in its early days. Since the moment smart contracts emerged and DeFi started evolving faster, we have witnessed more and more hacker attacks.
So it was rather predictable that 2021 would become a big year for cryptocurrency theft with roughly $3.2 billion stolen over the course of last year – a 516% increase compared to 2020. DeFi hacking was the culprit for 72% of the 2021 total ($2.3 billion stolen from DeFi protocols).
If you think that was bad, 2022 has a nasty surprise prepared. As of October this year, hackers have already drained over $3 billion across 125 hacks, so 2022 might even surpass the previous year in terms of the value stolen.
While back in 2018-2019, hackers mostly attacked centralized exchanges, since 2020, DeFi protocols have become the main target.
Who knows what 2023 has in store for the crypto industry. But we certainly want to hope for the best.
Top 5 Causes & Incentives of DeFi Hacks
The rise of DeFi hacks over recent years can be traced to two kinds of factors: incentives that motivate attackers and weaknesses that make attacks possible.
Let’s review the five most common factors across these two categories.
- DeFi protocol popularity. DeFi protocols are being increasingly adopted by a number of crypto industry players, and generally speaking, this means there is more money to steal.
- Open-source code. Most DeFi platforms publish their code for analysis and reuse, which leaves many projects exposed to rug pulls and other hacks. Attackers can read the project source code and search for bugs and other weaknesses they can exploit.
- Increased ecosystem complexity. Smart contracts are complex on their own, and with additional features and integrations that let them interact with other blockchain-based projects, security becomes even harder to achieve.
- Inconsistent security audits. Most DeFi projects neglect conducting security audits to reveal vulnerabilities and other security issues before they are exploited, which puts them at risk and leads to security breaches.
- Human error. Even in the 21st century when it seems like you can automate everything, human error plays an essential role in contributing to the largest DeFi hacks and exploits.
Top 7 DeFi Exploits & Hacks in 2022
Now let’s get specific. 2022 has seen many attacks but some of the biggest DeFi hacks have been more elaborate and notorious than others.
1. Harmony Hack (June 2022)
In this attack, a hacker looted $100 million from Harmony’s Horizon Bridge, which serves as a channel for transferring crypto assets (tokens, stablecoins, NFTs) between the Ethereum, Binance Smart Chain, and Harmony blockchains.
Harmony officials immediately began ‘working with national authorities and forensic specialists to identify the culprit and retrieve the stolen funds’ and later revealed the address of the culprit in a tweet.
The company did not share the details of how the funds had been stolen in the first place. However, back in April, three months before the attack, one investor had raised concerns about the security of the Horizon Bridge because its ‘multisig’ wallet required just two signatures to authorize transactions.
Some experts believed that the Horizon Bridge hack resulted from a private key compromise that gave the culprit the credentials to control the crypto wallet.
“Single point of failure is always a bad practice. The protocol just should not have a single admin with a single key. Even a multisig cannot solve the problem fully if it controls a single entry point.
We can step aside for a bit from decentralization (obviously the need for an admin already means lack of decentralization), and point to the core of general cybersecurity best practices: a protocol should be sustainable, so it should not rely on a single point. Especially if this point lies on the admin’s private key” – Pavlo Horbonos, Head of Security Department
2. Nomad Hack (August 2022)
The Nomad token bridge was also the victim of a large DeFi hack, in which numerous users took advantage of a single error and ended up draining roughly $190 million in value from the protocol.
The company failed to give instructions immediately but claimed to be ‘aware of impersonators posing as Nomad and providing fraudulent addresses to collect funds’ in an update tweet.
The exploit was made possible by a recent smart contract upgrade in which Nomad initialized the trusted root value to 0x00. Since an unproven message also maps to a zero root, every message was treated as proven automatically.
Users quickly discovered the vulnerability. They did not even need to understand the mechanics to exploit it: all they had to do was copy a successful exploit transaction and resubmit it with their own account address.
“We can argue a lot about the upgradeability of smart contracts or even about the existence of the owner role and how it’s against decentralization. But the main thought here is that even if you are in full control of the contract, you should provide control over yourselves. That means – add every possible check to avoid human error, especially when it comes to the owner of the protocol” – Pavlo Horbonos, Head of Security Department
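To make the Nomad failure mode concrete, here is a small constructed model of the proof check on the receiving side of a bridge (added here for illustration; it is not Nomad’s code, and the class and field names are assumptions). A message hash that was never proven maps to the zero root, so once an upgrade marks the zero root as trusted, any message passes. The hardened variant refuses to trust the zero root and rejects unproven messages before the trust lookup, which is the kind of owner-side check the quote above calls for.

```python
from collections import defaultdict

ZERO_ROOT = b"\x00" * 32  # what an unset bytes32 slot reads as


class Replica:
    """Constructed stand-in for a bridge's receiving contract (not Nomad's code)."""

    def __init__(self, *, guard_zero_root: bool):
        self.guard_zero_root = guard_zero_root
        self.messages = defaultdict(lambda: ZERO_ROOT)  # message hash -> proven root
        self.confirm_at = defaultdict(int)               # root -> block it is trusted from
        self.processed = set()

    def initialize(self, committed_root: bytes) -> None:
        """Upgrade/initializer step: mark the supplied root as trusted.
        The vulnerable variant accepts 0x00 here; the hardened one refuses."""
        if self.guard_zero_root and committed_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.confirm_at[committed_root] = 1

    def prove(self, message_hash: bytes, root: bytes) -> None:
        """Stand-in for Merkle proof verification: record the root the message was proven under."""
        self.messages[message_hash] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        confirmed = self.confirm_at[root]
        return confirmed != 0 and confirmed <= now

    def process(self, message_hash: bytes, now: int = 100) -> bool:
        if message_hash in self.processed:
            return False  # replay protection
        root = self.messages[message_hash]
        # Hardened: a never-proven message has no root, so reject before the trust lookup.
        if self.guard_zero_root and root == ZERO_ROOT:
            return False
        if not self.acceptable_root(root, now):
            return False
        self.processed.add(message_hash)
        return True


def unproven_message_accepted(guard_zero_root: bool) -> bool:
    """Does a message that never went through prove() get processed after the bad upgrade?"""
    replica = Replica(guard_zero_root=guard_zero_root)
    try:
        replica.initialize(ZERO_ROOT)  # the misconfigured upgrade
    except ValueError:
        return False
    return replica.process(b"\x11" * 32)  # constructed hash, never proven


def proven_message_accepted() -> bool:
    """The hardened replica still processes a message proven under a real trusted root."""
    replica = Replica(guard_zero_root=True)
    real_root = b"\xab" * 32  # constructed root
    replica.initialize(real_root)
    replica.prove(b"\x22" * 32, real_root)
    return replica.process(b"\x22" * 32)
```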
3. Solana Hack (August 2022)
Solana became a target as well, with users reporting funds stolen from internet-connected ‘hot’ wallets. The official reaction followed swiftly, with Solana stating in a tweet that it was ‘investigating drained wallets’.
The unknown hacker drained funds from roughly 8,000 wallets on Solana, stealing around $8 million in value. What’s interesting is that the hack was not specific to just one type of wallet – Phantom, Slope, and TrustWallet were all reported compromised.
The cause of the attack was the subject of much speculation. Solana developers eventually concluded that compromised private keys ‘created, imported, or used in Slope mobile wallet applications’ were to blame.
The hack has since reignited the debate of ‘hot wallets vs cold wallets’ and has proven that the latter are much more secure to use if users want to avoid future exploits of security vulnerabilities.
“It is hard to believe that users are still using “hot wallets” in 2022. Of course they find them convenient, but if the first rule of crypto user’s security is “Not your keys – not your money”, the second rule is “Keep your keys far from prying eyes”. This is the exact case when cryptosecurity meets cybersecurity – the data stored online can be stolen online” – Pavlo Horbonos, Head of Security Department
4. Acala Hack (August 2022)
Acala became another victim when a bug in a recently deployed liquidity pool was exploited. The protocol paid a high price for the attack: 1.28 billion aUSD tokens were minted in error.
The Acala representatives quickly issued a statement, saying that ‘the misconfiguration has been rectified’ in an attempt to calm users down.
The liquidity pool in question was the iBTC/aUSD pool. A liquidity pool is essentially a reserve of cryptocurrency held by a smart contract that provides liquidity for faster trades on DEXs and DeFi protocols.
The attack decreased the value of the stablecoin to $0.01, and Acala had to freeze the hacker-minted tokens, switching the network to maintenance mode.
“This is a good example of both the fragility of algorithmic stablecoins and the power of pseudo-decentralized entities. You can break the stablecoin with a push, and you can stop the whole chain in minutes. Both are bad practices from the security point of view – you cannot gain users’ trust while holding full control of the chain. But you can always repeat LUNA’s lesson – at least, Acala reacted quickly this time” – Pavlo Horbonos, Head of Security Department
5. Wintermute Hack (September 2022)
The crypto market maker Wintermute suffered a $160 million hack, while its lending and OTC operations remained unaffected.
The company reassured users in a tweet, stating that ‘the hack was contained within our proprietary DeFi trading business’, which is supposedly a separate technology.
The hack most likely originated with Profanity, a tool for generating ‘vanity addresses’ for cryptocurrency accounts to simplify operations.
Wintermute knew about the vulnerability in Profanity’s code and took steps to blacklist the affected accounts. However, due to ‘human error’, one account was not blacklisted, and that account ended up being the one behind the $160 million heist.
“You should always follow one simple rule: do not use vulnerable software. Especially if the vulnerability is well-known. It is like using the code-lock with the default password” – Pavlo Horbonos, Head of Security Department
6. BNB Chain Hack (October 2022)
The BNB Chain hack was one of the most worrisome DeFi hacks of 2022, leaving millions of users uneasy, since Binance is the world’s largest and best-known crypto exchange.
Binance acted fast to make an update on Twitter, saying that they were ‘temporarily pausing BSC’ due to the hack.
The hack cost the company $570 million and was caused by an unexpected flaw on the network that allowed the attacker to create 2 million BNB tokens out of nothing.
The root cause of the hack was identified as a bug in the bridge’s smart contract that resulted in the hackers being able to forge transactions and transfer money to their own crypto wallet.
“This is another reminder that bridges store enormous amounts of liquidity, and they should be guarded well. As the year has shown, bridges are the #1 goal for hackers due to the amount of liquidity and the place at the edge of on-chain and off-chain. And that edge is the most vulnerable part. We can all learn a lesson from Rainbow Bridge, where each of these components is decentralized – even the off-chain one” – Pavlo Horbonos, Head of Security Department
7. Deribit Hack (November 2022)
Deribit is one of the latest names on the list of DeFi hacks for 2022. The crypto exchange lost $28 million through a compromised hot wallet.
The company temporarily froze withdrawals and deposits due to security checks but rushed to reassure clients that their ‘funds are safe’ and that it managed to cover losses with internal reserves.
A security breach was revealed as the main cause of the attack. Hackers were able to gain access to the wallet server and withdraw funds from the hot wallet.
Luckily, the company kept only 1% of its assets in hot wallets at the time, with everything else held in secure cold storage.
Top 7 Cryptocurrency Thefts of 2022
| Victim | Amount Stolen (USD) | Service Type | Hack Type |
| --- | --- | --- | --- |
| Harmony | $100 million | Blockchain | Code exploit |
| Nomad | $190 million | Crypto bridge | Security breach |
| Solana | $8 million | DeFi blockchain | Compromised private keys |
| Acala | $900 million | DeFi network | Code exploit |
| Wintermute | $160 million | Crypto market maker | Human error |
| BNB Chain | $570 million | Crypto exchange | Code exploit |
| Deribit | $28 million | Crypto exchange | Security breach |
How to Avoid DeFi Exploits & Hacks?
There are plenty of ways DeFi protocols can be compromised: code vulnerabilities, flawed smart contract logic, access control problems, incorrect liquidity pool calculations, compromised private keys, oracle manipulation and cascading liquidations, rug pulls, flash loan attacks, and so on.
That is why it is essential to have effective practices in place to protect your DeFi protocol. Let’s get into that.
- You should run a full set of unit tests to reveal functionality issues in every part of the contract and make sure they are fixed from the start. This will spare you from dealing with obvious problems later on. Moreover, the modern development approach requires an additional layer of integration tests using mainnet-fork techniques, which let you test against a realistic copy of the live environment.
- Getting in touch with a few auditors and hiring them to conduct smart contract security audits for you might be a good idea as well. This way, you can detect unexpected smart contract vulnerabilities prior to deployment and prevent DeFi hacking as is.
- Making sure that your code is unique also plays an essential role. Sure, copy-pasting code from other protocols will speed up development, but the consequences can be dire. If the borrowed pieces of code are incompatible with your own, exploiting the vulnerabilities they create will be a piece of cake.
- Another thing you should always keep in mind is access control. To minimize the risk posed by loose private key handling, and to keep your DeFi protocol secure even if a key is lost, you can use a separate multisig contract or build multisig logic into your protocol. Besides, you should avoid a single point of failure: even if the owner (or admin) role cannot be avoided, make sure you have a well-defined role system so that a single key compromise will not ruin the protocol.
- Hiring a highly qualified team of DeFi developers who possess accurate knowledge of DeFi project vulnerabilities and specifications is a must to ensure secure code.
- If you require assistance with bugs and errors, turn to your protocol community. Launching a bug bounty campaign will allow you to improve the user experience within the protocol and successfully defend it from potential hacks. Early testnet, closed beta, alpha program – these are all examples of early access to the protocol that will allow the community (and security auditors) to help with early diagnostics and bug detection.
- Up-to-date, structured documentation is key. You should always make sure that the documentation for your code base is current and accessible. This helps the protocol owner understand their own smart contract logic better – you can detect loopholes and deadlocks even while describing the functions.
Why Do You Need Blaize?
Taking into account how hard it can be to protect your DeFi projects from vulnerabilities, it is a great idea to have a reliable team of blockchain developers and auditors at hand. And this is exactly where Blaize comes to the rescue!
The Blaize team provides high-quality blockchain development services that allow you to sleep soundly at night, knowing that your project is built according to all industry standards and its security is very high.
So what can we help you build?
- Blockchain ecosystems and protocols
- Decentralized applications
- Smart contracts
- Developer tools
- Enterprise solutions, including blockchain integration
- NFT marketplaces, games, and collections
Our expertise is at your service. If you are unsure whether we would be the right fit, you can check out what we have developed for LeagueDao, Breaker, and other customers.
If you already have everything you need, we can ensure that your project is secure by completing:
- Smart contract security audits.
- Formal verification of the technical solution and the protocol’s logic.
- Audits of various system components.
- Full dApp security review.
We have already conducted audits for over 180 projects and detected over 350 high-risk vulnerabilities, saving the companies over $100 million from hacking. You can read more about our full auditing services.
Here at Blaize, we are always ready to develop a highly secure solution tailored specifically to your needs and wants, help you become a reliable security provider, or simply consult you on the industry best practices to prevent you from making rookie mistakes. Contact our team to learn more or discuss your project in detail.
You know what they say – buy nice or buy twice. In case you are a part of the crypto industry, that statement rings especially true.
We cannot prevent DeFi hacks from happening or talk hackers out of it but we can do everything in our power to make sure that your project remains secure even during these hard times. So don’t think twice – hire Blaize to build a truly secure blockchain product.
Frequently Asked Questions
How to stop DeFi hacks?
You can do the following:
- Complete full unit tests.
- Conduct smart contract security audits.
- Make sure your code is unique.
- Take care of your protocol’s access control.
- Hire experienced developers.
- Launch a bug bounty for your protocol community.
- Keep your documentation in order.
Can a DeFi security audit make my platform safer?
Sure. Security audits help you to detect vulnerabilities in the system and minimize the risk of DeFi hacking.
For this reason, we highly recommend you hire at least two reputable companies to conduct security audits of your protocol and smart contracts.
How do I know if my DeFi protocol is resistant to attacks?
Unfortunately, you can never be 100% sure that your protocol is resistant to all possible attacks. Yet, you can do regular code analysis, perform tests, and check your DeFi protocol’s compliance with security requirements. This way you’ll be able to update your code if necessary and avoid any possible exploits.
How can I ensure that my customers’ crypto funds will not be stolen?
You should hire professional contractors to conduct security audits of your protocol and smart contracts, which will help prevent heists and keep your data protected.
Get in touch with Blaize to get an expert opinion regarding your project’s security.