Cointelegraph: Summary of Defi Crypto Vulnerabilities and Hacking Thefts in 2020


2020 is the year of DeFi, but the development of the fledgling decentralized financial ecosystem has not been smooth sailing.

Unlike previous years, crypto news in 2020 has not been dominated by major exchange hacks and multi-million dollar Bitcoin thefts. However, there have still been a lot of them, most of which originated from emerging decentralized finance (DeFi) projects and liquidity mining.

DeFi has been one of the main drivers of cryptocurrency market momentum in 2020, and it stands to reason that the emerging financial landscape has attracted scammers and hackers. A large number of unaudited smart contracts and cloned code have become a recipe for vulnerabilities and exploits, often resulting in the theft of millions of dollars in digital assets.

A November 2020 CipherTrace report noted that DeFi accounted for 45% of all thefts and hacks in the first half of the year, resulting in losses of more than $50 million. The report said that this number rose to 50% of all thefts and hacks in the second half of the year.

CipherTrace CEO Dave Jevans warned in an interview with Cointelegraph that DeFi could be hit by regulation: “DeFi hacks now account for more than half of all cryptocurrency hacks in 2020, a trend that has attracted the attention of regulators.”

He added that regulators are more concerned about the lack of anti-money laundering compliance: “Funds stolen in 2020’s largest hack — the $280 million KuCoin hack — were laundered using DeFi protocols.” Jevans also believes that in 2021, regulators are expected to clarify what actions DeFi protocols can take to avoid the consequences of non-compliance with anti-money laundering (AML) regulations, code security audits, and possible sanctions.

Exchange hacks in 2020

The KuCoin hack took place in late September, when the exchange’s CEO Johnny Lyu confirmed that the intrusion affected the company’s Bitcoin, Ethereum, and ERC-20 hot wallets following a private key leak.

By early October, KuCoin said it had identified the suspects and had formally incorporated law enforcement into the investigation. By mid-November, the Singapore-based exchange announced it had recovered 84% of the stolen cryptocurrency and resumed full service for most of its tradable assets.

There have been other exchange hacks this year, but KuCoin was the biggest victim. In February, Italian exchange Altsbit lost almost all of its funds in a $70,000 hack, and there have been other minor breaches of crypto exchanges. By October 2020, as many as 75 centralized crypto exchanges had shut down for a variety of reasons, with hacks being the main reason.

DeFi vulnerabilities and hacks in 2020

With billions of dollars invested in DeFi protocols and crypto farms on the rise, the nascent space has become a hotbed for hackers. The first major breach of 2020 occurred on DeFi lending platform bZx in February, when two flash loan exploits led to the loss of nearly $1 million in user funds. A flash loan is when crypto collateral is borrowed and repaid in the same transaction.

bZx ceased platform operations to prevent further losses, but this drew criticism from industry observers, who claimed that it was ultimately a centralized platform after all and could be “the end of DeFi.”

The market crashed in March, leading to massive collateral liquidations, especially for Maker’s MKR token, but this was not caused by a hack. The next one came the following month, when imBTC, a wrapped version of Bitcoin built on the ERC-777 token standard, was attacked using a standard reentrancy method. The attacker was able to drain the entire value of the Uniswap liquidity pool, estimated at $300,000 at the time.

In April, the Chinese crypto lending platform dForce was drained of all its liquidity through the same vulnerability. The hacker repeatedly increased their ability to borrow other assets and made a profit of about $25 million.

In June, a vulnerability was discovered in Bancor’s smart contract, resulting in the loss of up to $460,000 in tokens. The DeFi automated market maker said it had deployed a new version of the smart contract that fixed the vulnerability.

Balancer was the next DeFi protocol to be hit, with wrapped Ether stolen from its liquidity pools via a well-planned arbitrage attack that extracted up to $500,000. A series of flash loans and arbitrage token swaps were carried out targeting a vulnerability that the Balancer team apparently knew about.

More of a hack than another exploit, bZx made headlines again in July with a questionable token sale that was manipulated by bots placing buy orders in the same block that marked the start of the token generation event. The attacker pocketed nearly $1 million in profits from the price increase.

DeFi options protocol Opyn was the next victim in August, when hackers made more than $370,000 by exploiting its ETH put options. The exploit allowed the attacker to “double exercise” Ethereum put tokens and steal collateral. Opyn used white hat hacking methods to recover about 440,000 USDC from the outstanding vault and returned it to the put option sellers.

Again, it was not a direct hack, but a code flaw in the unaudited Yam Finance smart contract that affected the repricing of the governance token, causing a price crash in mid-August. The protocol was forced to appeal to DeFi whales to rescue it by voting to relaunch it as version 2.

The emergence of SushiSwap

The SushiSwap saga began in late August and coined the terms “vampire mining” and “rug pulling.” An anonymous protocol cloner and administrator known as “Chef Nomi” sold $8 million worth of SUSHI tokens, causing the token’s price to plummet. A few days later, the protocol was rescued by Sam Bankman-Fried, CEO of the FTX exchange, and control passed to a consortium of DeFi whales through a multi-signature smart contract. Eventually, all funds were returned to the developer fund.

The rug pull, or “pump and dump” as it was called during the last altcoin boom in 2017, continued with many DeFi clones like Pizza and Hotdog. The prices of these food farm tokens surged and plummeted in a matter of hours or even minutes.

In mid-October, groups of “degenerate farmers,” as they are called, piled funds into an unaudited and unreleased smart contract of Andre Cronje, the founder of DeFi protocol Yearn Finance. The Eminence Finance contract was hacked within hours of Cronje posting a teaser about a new “gaming multiverse” on Twitter, resulting in a loss of $15 million. The hacker returned about $8 million but kept the rest, prompting disgruntled traders to file legal action against the Yearn team for the loss of funds.

In late October, a sophisticated flash loan arbitrage attack was carried out on the Harvest Finance protocol, resulting in the loss of $24 million in stablecoins in approximately seven minutes.

November was a particularly painful month for Akropolis, which had to "pause the protocol" after hackers stole $2 million in DAI stablecoins. Value DeFi protocol lost $6 million in a very common flash loan exploit, yield-generating stablecoin project Origin Dollar was exploited for $7 million, and Pickle Finance suffered $20 million in collateral damage in a sophisticated "evil jar" exploit.

One incident that broke the pattern of exploiting systems was an attack on an individual in mid-December. Hugh Karp, the founder of the Nexus Mutual DeFi protocol, lost $8 million from his MetaMask wallet when a hacker managed to infiltrate his computer and spoof a transaction. These types of attacks are generally less common because they involve a degree of social engineering.

The last reported flash loan attack of the year so far was the $8 million hack of Warp Finance on December 18.

Many retail traders and investors have also fallen foul of phishing attempts, with Ledger hardware wallet owners also being targeted in 2020 after the personal information of approximately 272,000 Ledger buyers was exposed in a hack.

In the battle to perfect DeFi

Most of the smart contract and flash loan exploits of 2020 were part of the growing pains of the emerging financial ecosystem. New and smarter DeFi protocols may emerge next year, but as always, scammers, hackers, and cybercriminals will continue to work hard to stay ahead of the curve.

Digging into the current world of DeFi requires a great deal of vigilance and attention, but it has come a long way in such a short period of time, and the future decentralized finance landscape continues to evolve.
