According to CipherTrace source $ 468 million have been stolen from crypto projects platforms since the beginning of 2020. About $ 100 million stolen from DeFi market, which is 21% of the total volume of illegally withdrawn funds.
At the same time, DeFi projects accounted for almost half of the total number of attacks. This result was the result of the rapid growth of the decentralized finance market. Since the beginning of January, the volume of funds blocked on it has grown from $ 675 million to $ 13.5 billion.
Damage: $ 150 million to $ 280 million
BTC, ETH, and other ERC-20 format tokens worth more than $ 150 million were withdrawn from the hot wallets of the Chinese cryptocurrency exchange KuCoin on September 26. The Block analyst Larry Chermak suggested that the amount of damage could be almost double, estimating it at $ 280 million.
KuCoin is a centralized exchange, but its hack also turned out to be related to DeFi. Hackers laundered stolen tokens using decentralized exchange services, including the Uniswap exchange. The Whale Alert service recorded several such transactions at once with the DeFi tokens of Synthetix project (SNX), Chainlink (LINK), and Ocean Protocol (OCEAN) blockchain platform tokens. To eliminate the stolen assets, the scammers used test transactions and TWAP orders based on the time-weighted average price of the asset.
Some of the funds were returned with the help of the company’s partners, primarily Bitfinex and Tether, who froze part of the stolen funds on their accounts. $ 64 million were returned to the crypto exchange.
The exchange reported in early October that in cooperation with the police, it had identified the kidnappers. In mid-November, the company’s CEO Lyu Johnny reported that KuCoin had recovered 84% of the total stolen funds. According to him, this turned out to be real thanks to the tracking of transactions фтв updating smart contracts. By November 22, the exchange promises to return to normal operation.
Damage: $ 8 million
On the night of September 13, as a result of a cyber attack, about $ 8 million was withdrawn from the bZx DeFi protocol. The hackers exploited a vulnerability in the protocol’s smart contract that allowed duplicate iToken tokens.
The attackers managed to duplicate 101,778 iETH with a total value of approximately $ 1.74 million, 219,200 LINK tokens ($ 2.6 million), 1,756,351 USDT, 1,412,048 USDC, and 667,989 DAI (approximately $ 680,000). The incident with theft of funds from bZx was the third for the project in a year: as a result of two previous attacks carried out in February, hackers managed to withdraw about $ 1 million more.
bZx stated that users’ funds are safe, and the losses are fully covered by the platform’s insurance fund. The protocol was restored to full functionality three days after the attack.
Damage: $ 7 million
On the night of November 17, the attackers have withdrawn funds worth more than $ 7 million from the Origin Dollar (OUSD) stablecoin network. The hackers took advantage of the project’s smart contract vulnerability, which allowed them to use the process of rebalancing the value of the stablecoin in their favor.
The initiators of the attack gained access to the assets and artificially inflated the OUSD offer, after which they were able to profitably sell the received cryptocurrency on the Uniswap and Sushiswap decentralized exchanges for Ethereum, USDT and DAI.
In the first hours after the information about the hack, the cost of OUSD fell by 85%. Project co-founder Matthew Lee says the project team is working to fully recover the stolen funds, and also invites hackers to surrender and get positions as security consultants at the company.
Damage: $ 25 million
Hackers attacked the Harvest Finance profitable farming protocol at the end of October. The attackers withdrew $ 25 million from the pools, but then they returned more than $ 2 million. A large flash credit was used, with the help of which arbitration was carried out. Flash loans allow you to borrow as much as you need without collateral, as long as there is enough liquidity in the pool. Then you can use the received assets to perform other operations.
The attackers used the obtained assets to manipulate the prices of stablecoins in the Curve Finance DeFi protocol, which Harvest interacts with. Within seven minutes, they withdrew funds from the Harvest pools, after which they exchanged them for renBTC tokens.
After information about the hack appeared, the cost of the FARM project’s own token fell from $ 232 to $ 112. The asset price has not recovered until now.
The developers took responsibility for what happened, citing their own “engineering mistake” as the reason for the hack. According to them, they are working on a plan to return the stolen funds to users and are updating the protocols.
Damage: $ 6 million
Hackers managed to withdraw $ 6 million to DAI and USDC with Value DeFi on November 15. The developers reported that the funds were stolen using an instant loan of 80,000 ETH taken from the Aave landing platform.
A day later, Value DeFi reported that the hackers had recovered about $ 2 million from the stolen funds, and the rest of the assets were still being recovered. The platform resumed its work.
Damage: $ 5 million
In early autumn, a cryptocurrency exchange Eterbase registered in Slovakia was attacked by a hacker. The criminals hacked into cryptocurrency wallets that held Bitcoin, XRP, Tron, Tezos, Algorand, as well as Ethereum and ERC-20 tokens. Analysts at The Block believe that the damage from the actions of attackers amounted to $ 5.32 million.
Immediately after the incident, Eterbase suspended operations and began tracking the addresses to which the stolen funds were transferred. According to the exchange, most of them ended up on accounts with Binance, Huobi and HitBTC. At the same time, many community members believe that ETH and ERC-20 tokens, which accounted for most of the stolen assets, have been moved to the Uniswap decentralized exchange.
Whether the exchange managed to recover the stolen funds is still unknown. Eterbase plans to resume operations on December 15th.
Damage: $ 2 million
On November 13, an unknown assailant attacked the Akropolis farming protocol. Using instant loans and vulnerabilities in smart contracts, the criminal withdrew $ 2 million in the DAI stablecoin from the savings pools.
The hacker was withdrawing tokens in several tranches of 50 thousand DAI each. The attack lasted 7 hours until the attacker completely emptied the pool.
A day after the attack, Akropolis published an open letter on Medium, in which it offered the hacker to return the stolen funds for a reward of $ 200,000. But it was deleted soon. Currently, the development team is restoring the platform to work and continues to investigate the crime together with the police.
China Doesn’t Intend To Ease Pressure On Crypto Community
“Stabledollar”: What USA Offers As An Alternative To CBDC
Will Binance Scam? Regulators Pressure And Future Of Cryptoexchange
Ripple Launches XRP-Based Payment Gate Between Japan and Philippines