<img src="https://secure.glue1lazy.com/215876.png" style="display:none;">

Stake Suffers $38 million Hack

On the 4th of September 2023, the popular crypto gambling platform Stake suffered a major security breach due to private key leak resulting in the theft of approximately US $38 million.  The preliminary investigation confirms that unauthorized withdrawals were detected from Stake's hot wallets on the Ethereum, Polygon, and Binance Smart Chain networks.

Read More

Hack Track: Investigating Conic Finance Flow of Funds

Conic Finance, a liquidity pool optimization platform designed for the decentralized finance (DeFi) protocol Curve, encountered an exploit on July 21st, 2023 that resulted in a loss exceeding $3.26 million, attributed to a vulnerability within their smart contract. 

Read More

DeFi's Dark Side: Combining Yearly Insights from Annual HackHub Report with the U.S. Treasury's Illicit Finance Risk Assessment of DeFi

This is the first piece in an ongoing series that decodes the U.S. Department of Treasury’s assessment of DeFi Services. In this piece, the Merkle Science team will be breaking down cyber-related vulnerabilities highlighted in the assessment.

To learn more about Blockchain Analytics and how it can help you move forward with safety and security in a decentralized world, watch out for our next piece. 

Earlier today, the U.S. Department of Treasury published an assessment titled “Illicit Finance Risk Assessment of Decentralized Finance”(the assessment). The assessment explores how illicit actors are abusing DeFi services and the vulnerabilities that are unique to such services. 

The assessment finds that illicit actors, including ransomware cybercriminals, thieves, scammers, and Democratic People’s Republic of Korea (DPRK) cyber actors, are using DeFi services in the process of transferring and laundering their illicit proceeds.

Therefore, with the state of crypto crime constantly evolving and illicit actors becoming increasingly sophisticated,  it is important, now more than ever, to remain vigilant in order to protect against emerging threats. Across all the hacks in 2022, attackers majorly targeted DeFi platforms and services. Out of the total amount lost in crypto-related attacks, more than 81% were swindled from DeFi platforms leading to a loss of more than $3.9 billion. 

As noted in Merkle Science’s Hackhub Report across thousands of services in DeFi, the center for the majority of the attacks were cross-chain bridges. Out of the $3.9 billion stolen by illicit actors, more than 60% were swindled from cross-chain bridges alone. 

Breaking Bridges 

Read More

Hack Track: Analysis of Wintermute Attack

On 20 September 2022, crypto market maker Wintermute was hacked for circa $160 million. According to the tweet from Wintermute’s Founder and CEO Evgeny Gaevoy, the amount lost was related to its decentralized finance (DeFi) operations, while its centralized exchange and over-the-counter offerings remain unaffected.

Read More

Hack Track: Analysis of Harmony's Horizon Bridge Exploit

[Update 2022.07.10]

Our previous analysis showed that the exploiter had transferred the stolen crypto assets from the Horizon bridge to an address controlled by him via 9 transactions. Following that, the exploiter started swapping crypto assets such as WETH, SUSHI, AAVE, DAI, etc. into ETH via multiple smart contract calls. The exploiter then broke down 18k+ of the swapped ETH into smaller amounts and dispersed it into multiple wallets. Subsequently, he started moving funds into Tornado Cash.

As of July 10, 2022, the exploiter has moved roughly 85,700 ETH to Tornado. Cash: Router from 14 different addresses which were linked to the Harmony Bridge Exploit

Figure 1: Funds transferred to Tornado Cash by the Hacker

Depositing Stolen Funds into Tornado Cash

According to our analysis, the stolen funds were routed to Tornado Cash’s 100 ETH (T100) contract. We came to this conclusion by examining the spike in daily Deposit and Withdrawal volumes in the T100 contract between June 27 to July 2, 2022. 

Figure 2: Spike in the Daily Deposit and Withdrawl volume in T100 contract

Based on the time lag between each subsequent deposit, it is highly probable that the exploiter used automated scripting to deposit funds.

Figure 3 - Time lag (approx 300-540) seconds between subsequent transactions

Receiving Mixed Funds from Tornado Cash

Using our custom heuristics, the Merkle Science team identified 148 addresses (withdrawal addresses) that the attacker used to receive the mixed stolen funds. Over 84,000 ETH was received by these 148 suspected addresses from the T100 contract addresses. Subsequently, after evaluating the group of 148 addresses, we were able to identify 7 addresses that have had outgoing transactions. 

Of those 7 addresses with outgoing transactions, we have seen chain-hopping from Ethereum blockchain to:

  • Bitcoin  ⇌ Ethereum
  • Binance Smart Chain ⇌ Ethereum
  • Polygon ⇌ Ethereum


The stolen funds were converted into stablecoins and the chain-hopping was done using bridges such as RenVM and Multichain contracts. To hide the trail of funds, the exploiter tried to create many blockchain transactions, which would in turn ensure that the ultimate endpoint is lost in the data — in this process he attempted to throw off any sort of tracking by traditional blockchain analytics companies and law enforcement.

However, we were able to identify several overlapping points on the blockchain that were used in the process of swapping funds among different blockchains. These overlapping points include the repeated use of the same technique and addresses to swap the funds on the aforementioned blockchains.

Once bridged back to Ethereum, the stolen funds were subsequently dispersed into crypto exchanges.

Analyzing transaction time metrics to identify timezone of the hacker

If a user has made enough transactions on the blockchain, analyzing the transaction time metrics can sometimes tell you the timezone a user is operating in. In this case, the 850 transactions were grouped into buckets, and counts of these transactions by the hour of the day (0-23) were examined. According to our analysis, the exploiter lives in:

  • Asia Timezone
  • The time zone can be further isolated into +6GMT and +12GMT with a high confidence


Figure 4: Hour-of-day analysis of withdrawal transactions

What is the Horizon cross-chain bridge?

A cross-chain bridge connects two independent blockchains and enables an exchange of information, cryptocurrency, and NFTs from one blockchain network to another. The Horizon bridge facilitates token transfers from Ethereum (ETH), Binance Smart Chain (BSC), and Bitcoin (BTC) to the Harmony network. Meaning that users are able to send (ETH, ERC20, ERC721) tokens in a set, BNB, BEP20 assets, and Bitcoin to Harmony. In a tweet, Harmony confirmed that the crypto assets were stolen from the Ethereum side of the bridge and the trustless BTC bridge remains unaffected, and based on our analysis both ETH and BSC were exploited.

Read More

Hack Track: Analysis of Beanstalk Flash Loan Attack

On April 17, 2022, Beanstalk Farms, a decentralized credit-focused stablecoin protocol built on Ethereum, suffered an exploit. The attackers exploited Beanstalk’s governance protocol to extract $182 million in collateral, around $80 million of which went to the hacker as profit. Beanstalk enables participants to earn rewards such as Stalk and Seeds by contributing to a central funding pool called the Silo. The participants receive four Seeds for every Bean stablecoin deposited in the Silo, which in turn, earns them 0.004 Stalk every hour. Stalks are ERC-20 standards tokens that bestow governance rights over the protocol to its holders and give holders voting power. Unlike Stalks, Seeds are not liquid and do not give voting rights to their holders. 

Read More