Although the cumulative losses from these security incidents reached billions of dollars, the losses of users of the vast majority of stolen projects were compensated.

Compiled by: Biscuits, Chain Catcher

At the end of March, Ronin Network, a sidechain under the well-known blockchain game Axie Infinity, lost approximately US$620 million in assets in a hacker attack, the most serious DeFi hack to date, further deepening public concern about the security of the crypto world.

In the past two years, huge amounts of money have continued to flow into the crypto industry, but its security remains very fragile. Code vulnerabilities in centralized exchanges and DeFi projects have been exploited by hackers again and again, and the number, frequency and scale of security incidents are growing rapidly. According to SlowMist statistics, blockchain security incidents in 2021 caused cumulative losses of more than US$9.8 billion across 231 incidents. Although a considerable portion of the losses were recovered or compensated by the project teams, the crypto industry was still severely damaged.

Based on data from the crypto security website rekt and other public information, Chain Catcher has compiled the top 20 hacker attacks ranked by the amount of funds affected (as of April 2022).

1. Ronin Network, $624 million

On March 29, 2022, Ronin officially announced that its cross-chain bridge had been hacked: 173,600 ETH and 25.5 million USDC were stolen, with a total value of approximately US$620 million. According to the team, the funds were stolen because the private keys of five validators were compromised. Last November, Sky Mavis and Axie DAO set up a gas-free RPC node with the aim of reducing user costs, which required Axie DAO to become a Sky Mavis validator. Although the RPC node was only in use for a month, its whitelist access rights were never revoked, which gave the attacker the opportunity to obtain the Axie DAO signature and, together with the stolen private keys, assemble the consensus of five validators needed to forge withdrawals. Axie Infinity co-founder Aleksander L. Larsen has posted on Twitter that the Axie Infinity team is working hard to communicate with the hackers, recover the losses and determine the best compensation plan.

2. Poly Network, $611 million

On August 10, 2021, the smart contracts deployed by the cross-chain interoperability protocol Poly Network on Ethereum, BSC and Polygon were attacked by hackers simultaneously, and assets worth more than US$610 million were stolen. According to the SlowMist team's analysis, the attacker called a specific function with carefully constructed data to change the keeper of the EthCrossChainData contract. After replacing the address holding the keeper role, the attacker could construct transactions at will and withdraw any amount of funds from the contract. After multiple parties communicated with the hacker on-chain, the hacker eventually returned all of the stolen assets to the project team, and no users suffered any actual losses.

3. Wormhole, $326 million

On February 3 this year, the cross-chain protocol Wormhole was attacked by hackers. The team confirmed that the loss in this attack reached 120,000 ETH (about US$326 million). According to the investigation, the root cause was a flaw in the signature verification code of the core Wormhole contract on Solana, which allowed the attacker to forge "guardian" messages and mint whETH. The attacker minted whETH (Wormhole ETH) on Solana without limit and then transferred 120,000 real ETH to Ethereum through Wormhole. After the incident, the hacker did not respond to the project's communication. Jump Crypto, a subsidiary of Wormhole's parent company Jump Trading, quickly decided to "pay out of its own pocket" and replenished 120,000 ETH in the cross-chain bridge smart contract so that the Wormhole bridge could go back online.

4. BitMart, $196 million

On December 5, 2021, approximately US$196 million was stolen from the Ethereum and BSC hot wallets of the cryptocurrency trading platform BitMart, including approximately US$100 million on Ethereum and approximately US$96 million on BSC. It is understood that the attacker moved BitMart funds from the hot wallet to his own wallet, swapped most of the tokens into ETH and BNB through 1inch, and then mixed them through Tornado Cash before getting away. Some assets were recovered through cooperation with project teams. BitMart founder Sheldon Xia later announced that the platform's own funds would be used to compensate affected users and that deposits and withdrawals would reopen soon.

5. Vulcan Forged, $140 million

On December 13, 2021, the blockchain game project Vulcan Forged announced that 148 wallets holding PYR had been hacked, more than 4.5 million PYR had been stolen, and the total loss exceeded US$140 million. The project team then decided to compensate the affected user wallets using the PYR held in its vault.

6. Cream Finance, $130 million

On October 27, 2021, the collateralized lending platform Cream Finance suffered a flash loan attack, resulting in a loss of approximately US$130 million. It is understood that this attack combined an economic attack with an oracle attack. The attacker flash-loaned DAI from MakerDAO to create a large number of yUSD tokens and, at the same time, manipulated multi-asset liquidity pools used by the price oracle to calculate the yUSD price. After the yUSD price rose, the attacker's yUSD position was worth more, creating enough borrowing power to drain the liquidity of the Cream Ethereum v1 market. On November 13, Cream Finance announced a compensation plan for affected users, which uses the remaining tokens in its treasury and removes all remaining Cream token allocations of the project team to distribute 1,453,415 Cream tokens to affected users.

7. Badger, $120 million

On December 2, 2021, the Badger user interface was compromised and malicious wallet requests were injected into it, with total losses of approximately 2,100 BTC and 151 ETH, or approximately US$120 million. The incident was a phishing attack caused by a "maliciously injected snippet" delivered through Cloudflare, the application platform running Badger's cloud infrastructure. Using compromised API keys that had been created without the knowledge or authorization of Badger engineers, the attackers periodically injected malicious code to obtain unlimited token approvals from user wallets. Badger subsequently announced that it had hired the cybersecurity firm Mandiant and the blockchain analysis firm Chainalysis to investigate the attack, and was working with both companies and with authorities in the United States and Canada to recover any funds possible. At the same time, the project decided through a community vote to compensate affected users with part of the treasury assets and part of the protocol revenue for about a year.

8. Qubit Finance, $80 million

On January 28, 2022, the BSC lending project Qubit was suspected of being hacked. The hacker minted a large amount of xETH collateral and stole approximately US$80 million in assets from the funding pool. The root cause was that deposits of ordinary tokens and of the native token were implemented as separate paths, and the whitelist-based token transfer did not re-check whether the token address was the zero address, so an operation that should have gone through the native-token deposit function was instead able to pass smoothly through the ordinary-token deposit logic.
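The deposit-path check described for Qubit above, as an added example that is not Qubit's own code: a simplified Python model of a bridge with separate native and ERC20 deposit paths, where the only difference between the vulnerable and fixed ERC20 path is an explicit zero-address and code check before the token call. The FakeEvm, Bridge and deposit_* names, the whitelist contents and the token addresses are constructed assumptions.

```python
# Simplified model (added example, not Qubit's code) of a bridge deposit handler with
# separate native-token and ERC20 deposit paths, where the ERC20 path looks the token up
# in a whitelist and never re-checks that the address is non-zero.
ZERO_ADDRESS = "0x0000000000000000000000000000000000000000"


class FakeEvm:
    """Toy chain. A CALL to an address that holds no code succeeds with empty return
    data, which is how the EVM behaves and why a missing zero/code check matters."""

    def __init__(self, contracts):
        self.contracts = contracts          # address -> {"fn": callable}

    def call(self, addr, fn, *args):
        code = self.contracts.get(addr)
        if code is None:
            return True, None               # no code: success, nothing executed, nothing returned
        return True, code[fn](*args)


class Bridge:
    def __init__(self, evm, whitelist):
        self.evm = evm
        self.whitelist = set(whitelist)
        self.credits = []                   # (token, amount) deposits the bridge believes it holds

    def deposit_native(self, msg_value):
        # Native coin arrives as msg.value; there is no token contract to pull from.
        self.credits.append((ZERO_ADDRESS, msg_value))

    def deposit_erc20_vulnerable(self, token, sender, amount):
        if token not in self.whitelist:
            raise ValueError("token not whitelisted")
        ok, _ = self.evm.call(token, "transferFrom", sender, "bridge", amount)
        if not ok:
            raise ValueError("transfer failed")
        self.credits.append((token, amount))  # credited although no token moved for 0x0

    def deposit_erc20_fixed(self, token, sender, amount):
        if token == ZERO_ADDRESS or token not in self.whitelist:
            raise ValueError("native coin must use deposit_native")
        if self.evm.contracts.get(token) is None:
            raise ValueError("token address has no code")
        ok, ret = self.evm.call(token, "transferFrom", sender, "bridge", amount)
        if not ok or ret is not True:       # require an explicit true, not just "call succeeded"
            raise ValueError("transfer failed")
        self.credits.append((token, amount))


def demo(vulnerable: bool) -> list:
    # Constructed scenario: the whitelist contains the zero address because the native
    # coin is keyed under it (assumption), and no contract exists at 0x0.
    evm = FakeEvm({"0xTOKEN": {"transferFrom": lambda s, r, a: True}})
    bridge = Bridge(evm, ["0xTOKEN", ZERO_ADDRESS])
    fn = bridge.deposit_erc20_vulnerable if vulnerable else bridge.deposit_erc20_fixed
    try:
        fn(ZERO_ADDRESS, "attacker", 10**18)   # attempt to be credited without sending anything
    except ValueError:
        pass
    return bridge.credits
```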
Team Mound, the development team behind Qubit Finance, decided to reorganize and publish a compensation plan after the attack, giving up all of its own tokens to compensate the community.

9. AscendEX, $77 million

On December 12, 2021, more than US$77 million in assets may have been stolen from the Ethereum, BSC and Polygon hot wallets of the cryptocurrency exchange AscendEX. After the incident, the exchange stated that it would carry out a comprehensive security review and that if any user's funds were affected, AscendEX would provide 100% compensation.

10. EasyFi, $59 million

On April 20, 2021, Ankitt Gaur, founder of the Layer 2 DeFi lending protocol EasyFi, said that US$6 million in stablecoins and 2.98 million EASY tokens had been transferred out of the protocol's liquidity pool, a total loss of approximately US$59 million. It is understood that the funds were stolen because the administrator's MetaMask mnemonic phrase was compromised in a remote attack; the EasyFi smart contracts themselves were not hacked. EasyFi contacted the Binance and AscendEX teams. The hacker did not move the tokens out of the wallet and could not sell them on a DEX because of liquidity restrictions. The project later stated that it would compensate 100% of the net balance of each lender/depositor address as of the snapshot, with users receiving funds in two parts: 25% paid up front and the remaining 75% paid in EZ, backed 1:1 by the EASY V2 token.

11. Uranium Finance, $57 million

On April 28, 2021, Uranium Finance, an AMM protocol on Binance Smart Chain, tweeted that it had been attacked during its migration process, with losses of approximately US$57 million. It is understood that the problem was in the pair contract of the Uranium project. The logic of the contract's swap function follows that of PancakeSwap and allows users to borrow funds through flash loans. However, when checking the contract balance against the constant product formula, the function has a precision error, so that the balance computed in the final check appears 100 times larger than the contract's actual balance. As a result, an attacker borrowing through a flash loan only needs to repay 1% of the loan amount to pass the check and can keep the remaining 99% of the balance, causing the project's losses. Uranium Finance afterwards published a vulnerability analysis and urged users to move their funds as soon as possible and stop providing liquidity to the contract. There has been no official update from Uranium Finance since then, and it is suspected to have ceased operations.

12. bZx, $55 million

On November 6, 2021, the decentralized lending protocol bZx lost more than US$55 million in assets on the Polygon and BSC chains due to a private key leak. It is understood that the incident was not an attack on a vulnerability in the protocol itself but a phishing attack on bZx developers. A developer received a phishing email with an attached Word document containing malicious macros; opening the document led to the theft of the developer's personal wallet key, which allowed the hacker to take control of the contracts and drain BZRX from them.

13. Cashio, $48 million

On March 23, 2022, the Solana algorithmic stablecoin Cashio tweeted a warning to users not to mint any tokens and to withdraw funds from the pool as soon as possible. The protocol had an infinite-mint vulnerability, resulting in a loss of approximately US$48 million. Cashio Dollar is an algorithmic stablecoin backed by USDT-USDC LP tokens. By bypassing an unverified account, the hacker illegally issued 2 billion CASH tokens and converted them into UST, USDC and USDT-USDC LP through multiple applications, for a total profit of approximately US$48 million.
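The precision error described for Uranium Finance (item 11 above), as an added example that is not Uranium's or PancakeSwap's code: a Python model of the post-callback invariant check in a pair's swap(), with the mismatched reserve scaling beside the consistent one, plus a helper that scans how much output each version lets a caller take for a given input. The 0.16% fee, the toy reserve sizes and the function names are assumptions.

```python
# Added example (not Uranium's or PancakeSwap's code): the constant-product check a pair's
# swap() must enforce after the flash-loan callback, once with the precision mismatch the
# incident report describes and once with consistent scaling.
FEE_BPS = 16          # 0.16% swap fee in basis points, i.e. on a 10000 scale (assumption)


def invariant_holds(reserve0, reserve1, balance0, balance1,
                    amount0_in, amount1_in, reserve_scale):
    # Balances are fee-adjusted on a 10000 scale; the reserve side must use the same scale.
    adj0 = balance0 * 10000 - amount0_in * FEE_BPS
    adj1 = balance1 * 10000 - amount1_in * FEE_BPS
    return adj0 * adj1 >= reserve0 * reserve1 * reserve_scale ** 2


def swap_check(reserve0, reserve1, amount0_in, amount1_in,
               amount0_out, amount1_out, vulnerable):
    """Mirror of the check at the end of swap(): the caller has already received the *_out
    amounts and sent in the *_in amounts; return True if the swap would be accepted."""
    balance0 = reserve0 - amount0_out + amount0_in
    balance1 = reserve1 - amount1_out + amount1_in
    assert balance0 >= 0 and balance1 >= 0
    # Vulnerable: reserves scaled by 1000**2 while balances use 10000, so every balance
    # looks 10x larger per side, 100x on the product. Fixed: both sides on 10000.
    scale = 1000 if vulnerable else 10000
    return invariant_holds(reserve0, reserve1, balance0, balance1,
                           amount0_in, amount1_in, scale)


def max_out_accepted(reserve0, reserve1, amount0_in, vulnerable):
    """Largest amount of token1 the check accepts for a given token0 input
    (linear scan; fine for the toy reserve sizes used here)."""
    best = 0
    for out in range(reserve1):
        if swap_check(reserve0, reserve1, amount0_in, 0, 0, out, vulnerable):
            best = out
    return best
```

With reserves of 1000/1000, the consistent check lets 100 units in buy about 90 units out, while the mismatched check accepts 990 units out for an input of 1, which is the 99% figure in the text.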
After the hack, the project owner said that the team did not have enough funds to repay users' losses and offered 1 million USDC as a bounty if the attacker returned the funds. The attacker said in an on-chain message that he would refund victims whose losses were below US$100,000.

14. PancakeBunny, $46 million

On May 20, 2021, PancakeBunny, a yield aggregator on Binance Smart Chain (BSC), was suspected of being attacked, with losses of approximately US$46 million. This was a typical flash loan attack. The key point is a flaw in the price calculation of the WBNB-BUNNY LP token: the amount of BUNNY minted by the BunnyMinterV2 contract depends on this flawed LP price calculation. The attacker used flash loans to manipulate the WBNB-BUNNY pool and push up the LP price, causing the BunnyMinterV2 contract to mint a large number of BUNNY tokens for the attacker. After the attack, the PancakeBunny team released an assessment and compensation plan. It will issue a new token, pBUNNY, and create a compensation pool funded by performance fees (direct contributions from the team), funds recovered from the exploit and QFI token airdrops. After 90 days, original holders will be able to exchange pBUNNY for BUNNY at a discount below the market price.

15. Kucoin, $45 million

On September 20, 2020, Kucoin's hot wallet was attacked, resulting in losses of more than US$280 million. Kucoin CEO Johnny Lyu later stated that US$222 million (78%) was recovered through cooperation with exchanges and project teams, and a further US$17.45 million (6%) was recovered through cooperation with law enforcement and security agencies. KuCoin used its insurance fund to cover the remaining loss of about US$45 million (16%), and no users suffered losses in this incident.

16. Secretswap, over $40 million

On September 14, 2021, Secretswap, a DEX based on the privacy-focused public chain Secret Network, was hacked, and more than US$40 million in funds was withdrawn from its liquidity pool. After the incident, the project suspended Secretswap and the Secret Network cross-chain bridge to prevent the hacker from moving assets across the bridge to the Ethereum network. The subsequent investigation found that the vulnerability involved a single LP contract related to SecretSwap reward staking, that no stolen funds left the network, that no bridge or token contracts were attacked, and that the network itself was not attacked. A few days later, Secret Network rolled the network back through a hard fork, returned the stolen assets to the users' liquidity pool and resumed the cross-chain bridge.

17. Alpha Finance, $37 million

On February 13, 2021, Alpha Finance Lab stated on its official Twitter account that hackers had exploited a vulnerability in Alpha Homora V2 to borrow ETH, DAI, USDC and other assets from Iron Bank (Cream V2), leaving Alpha Homora v2 in debt to Cream v2 and causing a loss of approximately US$37 million. The Alpha team's repayment plan is as follows: use the 1,000 ETH deposited by the attacker in the Alpha Homora V2 deployer contract to pay down the outstanding balance; use the 1,000 ETH deposited by the attacker in the Cream V2 deployer contract to pay down the outstanding balance; the Tornado Cash Foundation will return the 100 ETH donation paid by the attacker to Alpha Homora to pay down the outstanding balance; and Alpha commits to using 20% of the Alpha Homora V1 and V2 reserves to repay the remaining funds, paid monthly to the Cream V2 Iron Bank until all new debt is cleared.

18. Vee Finance, $37 million

On September 21, 2021, the smart contract of Vee Finance, a lending platform in the Avalanche ecosystem, was attacked, resulting in a loss of approximately US$37 million. It is understood that the main cause was that, when users create leveraged trading orders, the oracle used only the Pangolin pool price as its feed source and refreshed the price once the pool price moved by more than 3%, which allowed the attacker to manipulate the Pangolin pool and thereby the Vee Finance oracle price. In addition, the oracle price was consumed without decimal normalization, so the slippage check that should have run before the swap did not take effect. Vee.Finance subsequently announced a US$500,000 reward for tracking down the attacker and said it would bear all losses, compensating all lenders and depositors with platform revenue and the VEE tokens held in reserve; team tokens will not be released until everything has been repaid.

19. Crypto.com, $33 million

On January 18, 2022, some accounts on the cryptocurrency exchange Crypto.com were suspected of being hacked, resulting in losses of approximately US$33 million. It is understood that the hackers bypassed the existing 2FA verification and got onto the withdrawal whitelist. A total of 483 accounts were affected, and 4,836 ETH and 444 BTC were stolen; the ETH was sent to Tornado Cash for mixing. After the incident, Crypto.com stated that it had compensated all users for their losses and restored the assets in their accounts.

20. MonoX Finance, $31 million

On November 30, 2021, the automated market maker protocol MonoX suffered a flash loan attack, and approximately US$31 million worth of cryptocurrency on Ethereum and Polygon was stolen by hackers. It is understood that the attacker used the swap contracts to push the price of MONO to a sky-high level and then used MONO to buy up all the other assets in the pool. The project team subsequently stated that it would issue debt tokens, dMONO, for all stolen assets and deploy a dMONO vault; it would use its revenue to buy back MONO and send the MONO to this vault. Any dMONO holder can exit the vault at any time by burning their dMONO and receiving MONO, but a user who chooses to withdraw before the dMONO reaches the value owed waives the remaining debt.

Further statistics show that although the cumulative losses from these security incidents reached billions of dollars, the losses of users of most stolen projects were fully compensated. The stolen assets of Poly Network and Secretswap were recovered in full, and eight projects, such as Wormhole, were compensated by the project teams in the original currency. Most of the remaining projects compensated users in their own tokens, but the actual compensation was often lower than the loss because token prices had fallen. Only Uranium Finance made no compensation to users at all.

From this we can see that hacker attacks are not as frightening as imagined; what matters is the project team's resources and its sense of responsibility to users. Crypto users should be cautious about any financial operation, give priority to participating in projects and platforms with stronger backing wherever possible, and keep their investments and mining activities within their own tolerance to ensure the safety of their funds.
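The flawed LP valuation behind the PancakeBunny incident (item 14), as an added example that is not the project's code: a naive reserve-based LP price beside a manipulation-resistant one that values LP from sqrt(r0*r1) and external prices, run on a constructed pool before and after a flash-loan-sized swap, together with a reward-minting function that depends on the LP price. The pool sizes, prices, reward multiplier and function names are assumptions.

```python
import math


def swap_constant_product(r_in, r_out, amount_in):
    """Constant-product swap with no fee (constructed toy pool): returns the new reserves."""
    k = r_in * r_out
    new_r_in = r_in + amount_in
    return new_r_in, k / new_r_in


def naive_lp_price(r_wbnb, r_bunny, lp_supply):
    """Values one LP token purely from the pool's own reserves: BUNNY is priced at the pool's
    spot ratio, so the LP is worth 2 * r_wbnb / lp_supply WBNB. Whatever a flash loan dumps
    into the pool shows up directly in this number."""
    spot_bunny = r_wbnb / r_bunny
    return (r_wbnb + r_bunny * spot_bunny) / lp_supply


def fair_lp_price(r_wbnb, r_bunny, lp_supply, p_wbnb, p_bunny):
    """Manipulation-resistant valuation: 2 * sqrt(r0 * r1) * sqrt(p0 * p1) / supply with
    external reference prices. sqrt(r0 * r1) is invariant under a constant-product swap,
    so a swap inside the same transaction cannot move it."""
    return 2 * math.sqrt(r_wbnb * r_bunny) * math.sqrt(p_wbnb * p_bunny) / lp_supply


def minted_reward(lp_amount, lp_price_wbnb, p_bunny_wbnb, multiplier=5):
    """BUNNY minted in proportion to the WBNB value of the LP position
    (the multiplier is a constructed parameter, not the protocol's)."""
    return lp_amount * lp_price_wbnb * multiplier / p_bunny_wbnb


def scenario():
    """Returns ((naive, fair) before the swap, (naive, fair) after the swap)."""
    r_wbnb, r_bunny, supply = 1000.0, 100_000.0, 10_000.0   # constructed pool: 1 BUNNY = 0.01 WBNB
    p_wbnb, p_bunny = 1.0, 0.01                              # external reference prices
    before = (naive_lp_price(r_wbnb, r_bunny, supply),
              fair_lp_price(r_wbnb, r_bunny, supply, p_wbnb, p_bunny))
    # Flash-loaned 9000 WBNB swapped into the pool within one transaction.
    r_wbnb2, r_bunny2 = swap_constant_product(r_wbnb, r_bunny, 9000.0)
    after = (naive_lp_price(r_wbnb2, r_bunny2, supply),
             fair_lp_price(r_wbnb2, r_bunny2, supply, p_wbnb, p_bunny))
    return before, after
```

A minter that consumes the naive price pays ten times the reward after the swap, while one that consumes the fair price pays the same amount as before.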