DeFi is gradually being targeted by hackers

The well-known blockchain game Axie Infinity was hacked and lost $625 million. The NFT of superstar Jay Chou was also stolen. Recently, hacking incidents targeting the DeFi field have increased sharply. What other hacking incidents are there, and why are hackers so active in this field recently?

$625 million lost overnight

On March 29, 2022, Axie Infinity was robbed (hacked), losing $625 million worth of Crypto (173,600 Ethereum and 25.5 million stablecoins USDC) overnight. This hacker attack set a record for the largest attack in DeFi history.

Axie Infinity is an NFT-based online video game developed by Vietnamese studio Sky Mavis. Axie Infinity uses Ethereum-based Crypto AXS and SLP as tokens. Axie Infinity allows players to collect, breed, battle, and trade creatures called "Axies" that exist in the form of NFTs.

Axie Infinity Game

New players need to buy at least three "Axies" to start the game. In February 2020, Sky Mavis estimated that the average player spent about $400 to buy three "Axies". By December 2021, the cost of three "Axies" has reached $1,000.

The game adopts a "play to earn" approach, where participants can use "Axies" to earn in-game CryptoSLP based on Ethereum after paying a starting fee. Axie Infinity allows users to cash out their SLP tokens every fourteen days. In fact, the outside world describes this model as a form of gambling, an unstable market that is overly dependent on the influx of new players.

The attack caused AXS to fall by about 9%, and its current market value is around $400 million. The RON token of Axie Infinity's infrastructure Ronin fell by 22%. At the same time, it also once again put the security issues of the decentralized financial system (DeFi) on the table. If the security of users' basic assets cannot be guaranteed, then blockchain, Crypto, NFT, chain games and the metaverse are just empty talk.

AXS Trend

Source: Coin Market Cap

All assets in the Axie Infinity game actually exist on the chain. The place that was attacked this time was the Ronin cross-chain bridge used to connect the Axie Infinity game assets and Ethereum. The Ronin cross-chain bridge is an Ethereum sidechain designed by Sky Mavis specifically for the Axie Infinity ecosystem. It allows users to send Crypto back and forth between Ethereum and Axie. It aims to solve the high transaction fees of the Ethereum network and expand the NFT transaction capacity. It also launched the Ronin encrypted wallet. The Ronin cross-chain bridge is currently the most important infrastructure for the Axie Infinity game.

Sky Mavis announced that the attacker discovered a backdoor in the Ronin cross-chain bridge node, through which they managed to control Sky Mavis' four Ronin validators and a third-party validator run by Axie DAO, thereby completing the withdrawal of a large amount of assets. The attack occurred as early as March 23, but it was not until March 29 that users discovered that their assets had been cleared and discovered the incident. The hacker attack caused all the Ethereum and funds on Ronin to be exhausted. Sky Mavis said that it has now increased the number of validators from 5 to 8 to improve the security of assets. Part of the stolen assets are players' assets, and the other part are Axie Infinity's official reserve assets. Sky Mavis has cooperated with government agencies and various platforms to try to recover the stolen funds. Among them, Binance, the world's largest Crypto exchange, blocked the hacker's potential address and suspended all deposits and withdrawals based on the Ronin cross-chain bridge.

Jay Chou’s NFT was stolen and the loss exceeded $500,000

On April 1, 2022, the famous singer Jay Chou posted on the social platform Instagram that his Bored Ape, BAYC#3738 NFT had been stolen.

Jay Chou IG Post

The Bored Ape Yacht Club, or BAYC, is a company based on Ethereum. It has released NFT avatars with monkeys as the theme, which will be sold to the public on April 23, 2021. BAYC has issued a total of 10,000 NFT avatars of monkeys, each of which is different. These avatars are stored on Ethereum in the ERC-721 standard (NFT Ethereum contract standard non-fungible token) and are stored and hosted on the IPFS network. At the beginning of the release, the price of a monkey avatar was 0.08 ETH.

The Bored Ape Yacht Club official website

The initial release did not attract much attention until May 1, when well-known collector Pranksy took notice of the project and announced that he had purchased more than 250 monkeys. From the moment he posted the tweet, BAYC sales, users, and transactions began to surge. After only 117 minutes, BAYC sold out. According to the BAYC team, they have never had any private communication with Pranksy.

Each BAYC NFT avatar has unique features. The team shaped the monkey’s different expressions, headwear, clothing and other features to generate avatars with their own characteristics.

BAYC NFT avatars with different styles

Buying a BAYC NFT avatar is not just buying a digital artwork, but also obtaining the qualification to enter the BAYC club. The BAYC NFT owned by the buyer is a digital identity, which can enjoy the club's benefits and products. A BAYC user commented: The BAYC club is like a club in college, everyone will contact each other, everyone will set the social network avatar as an ape, and will follow each other, which has set off the trend of "Ape follow Ape".

Many celebrities also started to buy monkeys, which brought more attention to the project. For example, NBA player LaMelo Ball, NBA Chairman Daryl Morey, the famous DJ duo Bassjackers, the famous DJ 3lau and many Chinese stars including Chen Bolin, Wu Jianhao, Shawn Yue, etc. They all used BAYC's avatar as their social media avatar. These celebrities have greatly stimulated the public's interest in BAYC.

The NFT was given to Jay Chou by Huang Licheng in January 2022. According to the data on the chain, after the NFT was stolen, it was quickly traded multiple times at prices of 111ETH, 130ETH, and 155ETH. So far, the NFT has been noticed by the project party and returned to Jay Chou.

Cross-chain protocol hacked, total loss of $1 billion

On February 3, 2022, the cross-chain protocol Wormhole was hacked, resulting in a loss of 120,000 ether (worth about $326 million at the time). After hacking Wormhole, the hacker transferred 80,000 ether to the Ethereum network, and the remaining 40,000 ether remained on Solana. Wormhole is a protocol that allows users to bridge assets across blockchains. The total value of assets locked in Wormhole exceeds $1 billion, and it supports six blockchains: Terra, Solana, Ethereum, Binance Smart Chain, Avalanche, and Polygon.

On the same day, Wormhole announced that the vulnerability had been fixed and the protocol was back in operation, but did not make a clear response to the stolen funds.

On August 10, 2021, Poly Network was hacked and lost about $610 million. Poly Network is the world's leading lightweight heterogeneous chain cross-chain interoperability protocol. Poly Network mainly uses technology to deploy smart contracts to connect communications and transactions between many public chains. In August 2020, the Poly Network mainnet was launched. Poly Network is a cross-chain organization jointly initiated by Neo, Ontology, and Switcheo Foundation as founding members, and Distributed Technology as a technology provider.

The hacker's initial source of funds was XMR, which he then exchanged for BNB, Ethereum, MATIC and other currencies on the exchange and withdrew the money to three addresses respectively. Soon after, he launched attacks on three chains, replaced the contract administrator of Poly Network with himself, and stole funds from multiple wallets.

However, in the end, the hackers were forced to return the stolen assets due to difficulties in cashing out and many security companies inferred some key information about the hackers from clues such as on-chain data.

The Wormhole incident (US$330 million) and the Poly Network incident (US$610 million) have made people begin to doubt whether the blockchain world is really safe.

Blockchain's Rise Drives Hackers to Target Crypto Exchanges

In 2019, Zhao Dong, a shareholder of Crypto exchange Bitfinex, said on Weibo that in the eyes of professional hackers, it is only a matter of time, and there is no exchange or blockchain platform that cannot be hacked.

The continued rise of Crypto and blockchain-related products has made stealing Crypto an increasingly popular activity. Crypto exchanges control and gather a large amount of wealth from institutions and retail investors, making it profitable for hackers. Except for the top exchanges, small and medium-sized exchanges have a low level of security and defense. Small and medium-sized exchanges currently do not pay enough attention to security and defense, mainly because the maintenance cost of the security and defense system is very high. Secondly, and more importantly, the current encryption industry, especially the Crypto industry, is outside the supervision. Even if losses are caused after the hacker attack, the legal risk for hackers is very low. In addition, it is precisely because the encryption industry is outside the supervision that hackers are difficult to monitor assets after the attack is successful, whether it is cashing out or transferring, so hackers are more willing to obtain encrypted assets.

Crypto market value continues to rise

Source: Coin Market Cap

Crypto exchanges are frequently hacked around the world. 01Blockchain has compiled most of the hacks, losses, etc.

Some Crypto Exchanges Have Been Hacked

Data source: 01 blockchain

According to incomplete statistics from 01 Blockchain, since 2011, 44 hacking incidents have caused Crypto exchanges to lose at least 1.1 million Bitcoins, which are worth a total of $51 billion at the time of writing. 01 Blockchain has organized the number of hacking incidents that occurred in each year into the following table.

Data source: 01 blockchain

More and more hackers are also starting to target decentralized financial platforms. According to data from blockchain analysis company Chainalysis, the amount of money received by illegal Crypto addresses in 2021 increased by 79% from the previous year to $14 billion. Currently, there are not enough protection measures to ensure the safety of investors' property. The industry needs more practical exploration to improve the decentralized financial system.

Aleksei Korobeinikov, an expert in blockchain system and blockchain software DApp R&D, said that in response to security vulnerabilities in current DeFi projects, the platform should not only conduct multiple reviews of key links such as smart contracts, but also realize that an experienced team of developers with a deep understanding of the core system architecture and logic will be the key to preventing hacker attacks.

Most thefts in DeFi are caused by smart contract vulnerabilities or private key hacking. Once digital assets are stolen, transferred, or traded, they are difficult to recover, often leaving users who suffer losses with nowhere to turn to. Therefore, blockchain and DeFi actually have security concerns and are not 100% safe.

Losses from various hacking incidents (excluding Axie Infinity)