Unlike previous years, the main cryptocurrency news in 2020 was not about major exchanges being hacked and millions of dollars worth of Bitcoin being stolen. However, there were still quite a few hacks, most of which originated in the emerging decentralized finance (DeFi) sector.

DeFi has been one of the main drivers of crypto market momentum in 2020, and there’s a reason why DeFi has been a magnet for scammers and hackers. A large number of unaudited smart contracts coupled with cloned code allow hackers to exploit them, often resulting in millions of dollars in digital assets being stolen.

A November report from CipherTrace said that all thefts and hacks that occurred in the first half of 2020 resulted in losses of more than $50 million, with DeFi accounting for 45% of these incidents. In the second half of the year, that percentage rose to 50%, the report said.

In an interview with Cointelegraph, CipherTrace CEO Dave Jevans warned that DeFi could suffer a regulatory crackdown: "DeFi hacks now account for more than half of all cryptocurrency hacks in 2020, a trend that is attracting the attention of regulators." He added that regulators are more concerned about the lack of anti-money laundering compliance: "The $280 million theft from KuCoin was the largest hack in 2020, and the hackers used DeFi protocols to launder the money."

Jevans also believes that in 2021, regulators may clarify what actions DeFi protocols will take to avoid the consequences of failing to comply with anti-money laundering, flag grabbing (referring to being attacked) and possible sanctions.

Hacker attacks on exchanges in 2020

The KuCoin hack took place in late September, when the exchange’s CEO Johnny Lyu confirmed that the breach affected the exchange’s Bitcoin, Ethereum, and ERC-20 hot wallets following the leak of private keys. KuCoin said in early October that it had identified the suspect and formally involved law enforcement in the investigation.
By mid-November, the exchange announced that it had recovered 84% of the stolen cryptocurrency and restored full service for most tradable assets.

There have been other exchanges hacked this year, but the KuCoin hack is the biggest. In February, Italian exchange Altsbit lost almost all of its funds in a $70,000 hack, and several other small cryptocurrency exchanges have also been hacked. In October 2020, as many as 75 centralized cryptocurrency exchanges shut down for various reasons, including hacking.

DeFi hacks and exploits in 2020

With billions of dollars invested in DeFi protocols and liquidity mining, DeFi has become a hotbed for hackers.

The first major hack in 2020 occurred on the DeFi lending platform bZx, which suffered two flash loan attacks in February and lost nearly $1 million in user funds. Flash loans refer to borrowing and repaying cryptocurrency collateral in the same transaction. bZx ceased operations to prevent further losses, but this triggered a wave of criticism from crypto industry observers, who said that bZx is still a centralized platform and it could be "the end of DeFi."

The market crashed in March, leading to massive collateral liquidations, especially for Maker’s MKR token, but these were not hacks.

The following month, hackers attacked imBTC, which is pegged to Bitcoin, using a method called ERC-777 token standard reentrancy. The hacker stole the entire Uniswap liquidity pool, estimated at $300,000 at the time.

In April, hackers used the same vulnerability to steal all liquidity from lending platform dForce. The hacker continued to increase their ability to lend other assets and ran away with approximately $25 million in funds.

In June, a vulnerability in Bancor’s smart contract led to the loss of up to $460,000 in tokens. The DeFi automated market maker said it had deployed a new version of its smart contract that fixed the vulnerability.
Balancer was the next DeFi protocol to be exploited, with hackers stealing $500,000 in WETH from its liquidity pools in an elaborate arbitrage attack. The hacker conducted a series of flash loans and arbitrage token swaps in an attack on a vulnerability that the Balancer team apparently knew about.

More of another vulnerability than a hack, bZx was in the news again in July for a suspicious token sale, this time manipulated by bots that placed buy orders on the same block the tokens were mined. The hackers stole nearly $500,000 in profits that were generated by the token’s price increase.

In August, DeFi options protocol Opyn became the next victim, with hackers using its ETH put options contract to steal more than $370,000. The vulnerability allowed the attacker to double-exercise Ethereum put options oTokens and steal the staked ETH. Opyn recovered approximately 440,000 USDC from the vault through white hat hackers and returned them to the put option sellers.

Likewise, it was not a direct hack, but a code flaw in the unaudited Yam Finance smart contract that affected the rebase of the governance token YFI, leading to a sharp drop in the price of YFI in mid-August. The Yam Finance protocol was forced to call on DeFi whales to be saved by voting to relaunch version 2.

When SushiSwap was hot

At the end of August, the legend of SushiSwap began, and it gave rise to "vampire mining" and "rug pull" (referring to some projects that deceive users into staking and investing by packaging themselves, and then immediately absconding with the money).

SushiSwap's anonymous founder "Chef Nomi" sold $8 million worth of SUSHI tokens, causing the price of SUSHI to plummet. A few days later, FTX Exchange CEO Sam Bankman-Fried saved the protocol, and through a multi-signature smart contract, he was handed over control by a DeFi whale alliance. In the end, all funds were returned to the protocol's developer fund.
The rug pull continued with a series of DeFi clones like Pizza and Hotdog during the altcoin boom in 2017. The prices of these tokens have skyrocketed and plummeted dramatically within hours, sometimes even minutes.

In mid-October, traders sent funds to an unaudited and unpublished smart contract from Andre Cronje, the founder of DeFi protocol Yearn Finance. Within hours of Cronje tweeting a trailer about a new "gaming multiverse," the smart contract Eminence Finance was hacked, costing $15 million. The hacker returned about $8 million but kept the rest, prompting disgruntled traders to file legal action against the Yearn team over the lost funds.

In late October, a sophisticated flash loan arbitrage attack on the Harvest Finance protocol resulted in the loss of approximately $24 million in stablecoins in seven minutes, sparking a debate over whether these exploits of system design can be considered hacks.

November was a particularly painful month for Akropolis, which had to “pause the protocol” after hackers stole $2 million worth of DAI stablecoins. The Value DeFi protocol lost $6 million in a common flash loan attack, the stablecoin project Origin Dollar lost $7 million, and Pickle Finance lost $20 million worth of DAI in a complex vulnerability.

A personal attack in mid-December broke the pattern of exploiting protocol system vulnerabilities. Hugh Karp, founder of DeFi insurance protocol Nexus Mutual, lost $8 million in his MetaMask wallet because a hacker successfully hacked into his computer and forged a transaction. These types of attacks are generally less common because they involve some degree of social engineering.

The last flash loan attack reported so far this year was the hack of Warp Finance on December 18, which resulted in a loss of $8 million.
Many retail traders and investors have also fallen prey to phishing scams, while Ledger hardware wallet owners have also been targeted after the personal information of around 272,000 Ledger buyers was hacked in 2020.

Obstacles to DeFi Development

Most of the smart contract and flash loan vulnerabilities will inhibit the development of DeFi in 2020. New and smarter DeFi protocols may emerge next year, but as usual, scammers, hackers, and cybercriminals will also improve their attack capabilities.

Delving deeper into the current DeFi world requires a great deal of vigilance and attention, but it has come a long way in such a short period of time, and the future decentralized finance landscape is constantly evolving.

As a blockchain news and information platform, Cointelegraph Chinese only provides personal opinions of the author, has nothing to do with the position of Cointelegraph Chinese platform, and does not constitute any investment and financial advice. If you need to reprint, please contact the relevant staff of Cointelegraph Chinese.