Decentralized Finance, or DeFi, has undeniably transformed the conventional financial services landscape, boasting impressive benefits. However, despite the advantages, the security of DeFi protocols has been the subject of significant concerns. As DeFi continues to gain traction, its decentralized nature also leaves it vulnerable to potential security breaches and hacking attempts.
Hackers stole approximately $21 million from DeFi projects in 2023. The massive financial losses due to the DeFi hacks made us realize the importance of identifying the causes of such exploits and developing preventive measures.
What are DeFi Hacks?
DeFi hacks are incidents in which attackers steal cryptocurrency funds by exploiting flaws in decentralized finance (DeFi) protocols. DeFi is a name used to represent a set of decentralized financial applications that function on blockchain technology and are designed to provide financial services such as lending, borrowing, trading, and investing in a decentralized, trustless manner.
Because DeFi protocols are decentralized, there is no centralized authority or institution to oversee and secure them. Instead, the security of these protocols relies on the underlying blockchain technology and the smart contracts that govern them. Unfortunately, these smart contracts may contain weaknesses that attackers might exploit.
Different Types of Hacking Methods
As the popularity and use of DeFi protocols have grown, so has the number of DeFi hackers. The 2021 attack on Poly Network, in which hackers took over $600 million in cryptocurrency, and the 2020 attack on the Harvest Finance protocol, in which hackers stole $34 million, are two of the most high-profile DeFi hacks.
Because of the open-source nature, composability, and fast-paced development cycle of DeFi projects, DeFi protocols are exposed to a variety of attacks and hacking attempts.
One of the most common DeFi hacks is the smart contract exploit, in which hackers exploit a flaw in the code of a smart contract used by the DeFi protocol. This allows the attacker to manipulate the protocol’s behavior and steal users’ assets.
Hackers also use rug pulls, in which they create fake projects, attract investors, and then withdraw all the assets and disappear, leaving users with worthless tokens.
Another well-known DeFi hacking method uses flash loans, which allow hackers to borrow enormous sums of cryptocurrency without any collateral. The hacker can then exploit the DeFi protocol to drain liquidity pools or steal funds from other users.
To reduce the risk of DeFi hacks, protocols and users must take precautions to safeguard their funds, such as employing multi-signature wallets, conducting smart contract audits, and following security best practices when using DeFi protocols.
List of DeFi Hacks
SafeMoon was exploited in March 2023 due to a vulnerability introduced in the protocol’s most recent upgrade. The upgrade made a burn function publicly callable, which allowed approximately $8.9 million in value to be drained from the project’s SFM/BNB pool.
The vulnerability was so simple that some suggested it was caused by compromised private keys and a malicious update. In the end, the attacker claimed to be a whitehat MEV operator and discussed returning some of the funds to the protocol.
The Euler Finance hack was one of the largest, draining approximately $197 million from the protocol. The hacker exploited a vulnerability in an update to the protocol’s smart contracts made in July 2022.
The modified code for donating e-tokens to the project’s reserves lacked a check that the user’s position remained healthy afterwards. The attacker could drain value from the protocol by creating bad debt in one contract, contributing its collateral, and liquidating it at a discount with another. This affected both the protocol and other projects that had integrated with it.
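The missing health check described above, shown as a constructed example that is not Euler’s code: a minimal lending market where every path that reduces an account’s collateral ends with the same `_requireHealthy` check that `borrow` uses. The contract, its storage layout and the 80% collateral factor are all assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed lending-market sketch (not Euler's code). Each account holds
// collateral (eTokenBalance) and debt (dTokenBalance). Any state change that
// can lower collateral must leave the account healthy, otherwise an account
// can be pushed underwater on purpose and liquidated at a discount.
contract MiniLendingMarket {
    uint256 public constant COLLATERAL_FACTOR_BPS = 8000; // 80% of collateral backs debt (assumed)

    mapping(address => uint256) public eTokenBalance; // collateral deposited
    mapping(address => uint256) public dTokenBalance; // debt owed
    uint256 public reserves;

    error PositionUnhealthy(address account);

    function deposit(uint256 amount) external {
        eTokenBalance[msg.sender] += amount;
    }

    function borrow(uint256 amount) external {
        dTokenBalance[msg.sender] += amount;
        _requireHealthy(msg.sender); // debt went up: check
    }

    function withdraw(uint256 amount) external {
        eTokenBalance[msg.sender] -= amount; // reverts on underflow in 0.8.x
        _requireHealthy(msg.sender); // collateral went down: check
    }

    // Vulnerable pattern: collateral leaves the account with no health check,
    // so a caller can make their own position insolvent.
    function donateToReservesUnchecked(uint256 amount) external {
        eTokenBalance[msg.sender] -= amount;
        reserves += amount;
    }

    // Hardened pattern: identical state change, but the account must still be
    // healthy afterwards, exactly as in withdraw() and borrow().
    function donateToReserves(uint256 amount) external {
        eTokenBalance[msg.sender] -= amount;
        reserves += amount;
        _requireHealthy(msg.sender);
    }

    // An account is healthy when its debt is covered by the discounted collateral.
    function isHealthy(address account) public view returns (bool) {
        uint256 borrowCapacity = eTokenBalance[account] * COLLATERAL_FACTOR_BPS / 10_000;
        return dTokenBalance[account] <= borrowCapacity;
    }

    function _requireHealthy(address account) internal view {
        if (!isHealthy(account)) revert PositionUnhealthy(account);
    }
}
```

The review question this encodes is simple: list every function that can decrease collateral or increase debt, and confirm each one ends with the health check. A new function added in an upgrade is exactly where that list tends to be out of date.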
A read-only reentrancy weakness enabled the Sentiment attack, in which the attacker stole $1 million from the protocol. Exploiting the reentrancy vulnerability allowed the susceptible contract to overestimate the number of tokens in its pool. As a result, it miscalculated the value of those tokens, allowing the attacker to obtain a loan worth $1 million from the protocol.
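Read-only reentrancy in a constructed pool, as an added example that is not Sentiment’s code or that of any real AMM: the pool’s state-changing functions already carry a reentrancy lock, but its price view is unprotected, so a lender pricing LP tokens during a withdrawal reads inconsistent numbers. The guarded view refuses to answer while the lock is held. The pool design, the 1:1 ETH-to-LP accounting and the `reserves` variable are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed single-asset pool sketch (not Sentiment's or any real pool's code).
// Virtual price = reserves / lpSupply. removeLiquidity sends ETH to the caller
// BEFORE reserves is updated, so a receiving contract runs while lpSupply is
// already lower but reserves is not. Mutators are locked, views are not.
contract ReadOnlyGuardedPool {
    uint256 public lpSupply;
    uint256 public reserves; // ETH the pool believes it holds
    mapping(address => uint256) public lpBalance;

    bool private _locked;

    error Reentrancy();

    modifier nonReentrant() {
        if (_locked) revert Reentrancy();
        _locked = true;
        _;
        _locked = false;
    }

    function addLiquidity() external payable nonReentrant {
        lpSupply += msg.value;          // 1:1 minting, assumed for simplicity
        lpBalance[msg.sender] += msg.value;
        reserves += msg.value;
    }

    function removeLiquidity(uint256 lpAmount) external nonReentrant {
        uint256 ethOut = lpAmount * reserves / lpSupply;
        lpBalance[msg.sender] -= lpAmount;
        lpSupply -= lpAmount;
        // External call happens before `reserves` is updated: the window in
        // which any view reading reserves/lpSupply returns an inflated value.
        (bool ok, ) = payable(msg.sender).call{value: ethOut}("");
        require(ok, "transfer failed");
        reserves -= ethOut;
    }

    // Unguarded view: inside the window above it reports a stale, inflated price.
    function getVirtualPriceUnguarded() external view returns (uint256) {
        return lpSupply == 0 ? 1e18 : reserves * 1e18 / lpSupply;
    }

    // Guarded view: reverts while a state-changing call is in progress, so an
    // integrator that prices LP tokens cannot be fed the inconsistent state.
    function getVirtualPrice() external view returns (uint256) {
        if (_locked) revert Reentrancy();
        return lpSupply == 0 ? 1e18 : reserves * 1e18 / lpSupply;
    }
}
```

Two defensive lessons sit in this block: the pool side should expose a view that checks the lock (or update all state before making the external call), and the integrator side should never price collateral using a view on a pool that can be mid-execution without such a check.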
SushiSwap’s RouteProcessor2 contract had a flaw: it did not validate user-provided input. The attacker took advantage of this vulnerability and stole $3.3 million from the protocol.
The problem was that an attacker could set the previously called pool address, which the contract uses to validate a later callback. By pointing that pool address at a fraudulent pool, the attacker could drain value from users who had existing approvals for the new RouteProcessor2 contract.
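A callback-authorisation pattern for a swap router, as a constructed example that is not SushiSwap’s RouteProcessor code: the router only trusts a pool address after checking it with a factory, records it for the duration of the swap, resets it to a sentinel immediately afterwards, and pulls tokens in the callback only from the payer it encoded itself. The `IFactory.isPool` interface and the `IPool.swap` signature are assumptions made for this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed router sketch (not SushiSwap's code). The swap callback must be
// reachable only by the pool the router itself just invoked, and that pool
// must be one the router recognises, never a value taken from route data.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Assumed factory interface: answers whether an address was deployed by it.
interface IFactory {
    function isPool(address pool) external view returns (bool);
}

// Assumed pool interface: pool calls swapCallback on msg.sender to collect input.
interface IPool {
    function swap(address recipient, uint256 amountIn, bytes calldata data) external;
}

contract CallbackGuardedRouter {
    address private constant NO_POOL = address(1); // sentinel, never a real caller
    IFactory public immutable factory;
    address private lastCalledPool = NO_POOL;

    error UntrustedPool(address pool);
    error UnexpectedCallback(address caller);

    constructor(IFactory _factory) {
        factory = _factory;
    }

    // The user-supplied pool is verified against the factory before it can
    // become the address the callback will trust.
    function swap(address pool, address tokenIn, uint256 amountIn) external {
        if (!factory.isPool(pool)) revert UntrustedPool(pool);
        lastCalledPool = pool;
        // The payer is encoded by the router, not taken from the caller's data.
        IPool(pool).swap(msg.sender, amountIn, abi.encode(msg.sender, tokenIn));
        // Reset at once so a stale value can never authorise a later callback.
        lastCalledPool = NO_POOL;
    }

    // Called by the pool to pull its input tokens. Only the pool recorded in
    // the current swap may call this; outside a swap the sentinel rejects all.
    function swapCallback(uint256 amountOwed, bytes calldata data) external {
        if (msg.sender != lastCalledPool) revert UnexpectedCallback(msg.sender);
        (address payer, address tokenIn) = abi.decode(data, (address, address));
        require(IERC20(tokenIn).transferFrom(payer, msg.sender, amountOwed), "pull failed");
    }
}
```

The check worth auditing in any router with user approvals is the one in `swapCallback`: whoever can make `msg.sender == lastCalledPool` true, while choosing `payer` freely, can spend every allowance granted to the router. Verifying the pool against a factory and never letting the callback read the payer from untrusted data closes both halves of that path.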
Yearn Finance was hacked again in April 2023. In this case, the attacker used a weakness that had been lurking in the protocol’s smart contracts for years. A copy-paste error in an outdated Yearn contract used the address of a Fulcrum USDC contract rather than the intended USDT contract. The attacker used this mismatch to manipulate the value of yUSDT tokens and steal $10 million from the system.
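A deployment-time guard against the kind of wrong-address wiring described above, as an added example that is not Yearn’s code: a vault queries the token it was given for its symbol and decimals and reverts the deployment if they do not match what the deployer expected. The `CheckedAssetVault` contract and its constructor parameters are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not Yearn's code). A contract that binds itself to an
// external token checks, in its constructor, that the address it received is
// the asset it expects, so a copied-in wrong address fails at deployment
// rather than shipping as a silent mismatch.
interface IERC20Metadata {
    function symbol() external view returns (string memory);
    function decimals() external view returns (uint8);
}

contract CheckedAssetVault {
    IERC20Metadata public immutable asset;

    error AssetMismatch(string expectedSymbol, string actualSymbol, uint8 actualDecimals);

    constructor(address asset_, string memory expectedSymbol, uint8 expectedDecimals) {
        IERC20Metadata token = IERC20Metadata(asset_);
        string memory actualSymbol = token.symbol();
        uint8 actualDecimals = token.decimals();
        // String comparison via hash; both sides are short ASCII symbols.
        bool symbolOk = keccak256(bytes(actualSymbol)) == keccak256(bytes(expectedSymbol));
        if (!symbolOk || actualDecimals != expectedDecimals) {
            revert AssetMismatch(expectedSymbol, actualSymbol, actualDecimals);
        }
        asset = token;
    }
}
```

Symbol and decimals are self-reported by the token contract, so this catches an honest wiring mistake, not a malicious token; the address itself should still be pinned in a reviewed deployment configuration and compared against a known-good list before deployment.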
DeFi has transformed how we engage with financial services by providing decentralized and trustless solutions that increase accessibility and transparency. Yet, as DeFi’s popularity has grown, so has the number of DeFi hacks, resulting in considerable losses for numerous protocols and their users.
To prevent DeFi hacks, developers and communities must apply best practices in security, such as smart contract security audits, penetration tests, and bug bounties. Cooperation with outside security specialists can improve the safety of DeFi protocols.
Furthermore, protocols should prioritize identifying and responding to suspicious activity to reduce the impact of any potential hacks. By applying these principles, DeFi protocols can continue to expand and offer revolutionary financial services securely and transparently.