
Hack Track: Analysis of Beanstalk Flash Loan Attack

On April 17, 2022, Beanstalk Farms, a decentralized credit-focused stablecoin protocol built on Ethereum, suffered an exploit. The attackers exploited Beanstalk’s governance protocol to extract $182 million in collateral, around $80 million of which went to the hacker as profit. Beanstalk enables participants to earn rewards such as Stalk and Seeds by contributing to a central funding pool called the Silo. Participants receive four Seeds for every Bean stablecoin deposited in the Silo, which in turn earns them 0.004 Stalk every hour. Stalks are ERC-20 standard tokens that bestow governance rights over the protocol on their holders and give those holders voting power. Unlike Stalks, Seeds are not liquid and do not give voting rights to their holders.


Hack Track: Analysis of Ronin Network Exploit

[Update 2022.04.18]

On April 14, 2022, the U.S. Department of the Treasury tied the North Korea-based hacking group Lazarus to the Ronin Network exploit. The Office of Foreign Assets Control (OFAC) added an Ethereum wallet address (0x098B716B8Aaf21512996dC57EB0615e2383E2f96) associated with Lazarus to its sanctions list. The sanctioned wallet address contains funds stolen in the Ronin security breach. At the time of publication, the wallet holds 138,433.136 ETH, valued at close to $402 million. The Ronin Bridge was exploited for 173,600 ETH and 25.5 million USDC, worth around $568 million at the time of the transaction.

The North Korean state-sponsored Lazarus group has been associated with several major cyberattacks over the years, including a 2014 hack on Sony Pictures and the 2017 WannaCry ransomware attacks. OFAC first imposed sanctions on Lazarus and two of its sub-groups, Bluenoroff and Andariel, in September 2019. In the announcement, the U.S. Department of the Treasury stated that Lazarus and its sub-groups are controlled by North Korea’s primary intelligence agency, the Reconnaissance General Bureau (RGB).

In its official update, the Ronin Network confirmed that the FBI has linked Lazarus to its validator security breach. The Ronin Network also stated that it is “still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk.” The bridge is expected to be deployed by the end of April.


 

Around $568 million worth of crypto has been stolen from the Ronin Network, the blockchain underlying the popular crypto game Axie Infinity. The amount lost is calculated based on the ETH/USD price conversion rate on the date of the transaction, March 23, 2022. On March 29, 2022, Sky Mavis, the creator of both Ronin and Axie Infinity, reported that the Ronin bridge had been exploited for 173,600 Ethereum (ETH) and 25.5 million USDC


Hack Track: Analysis of Wormhole Token Bridge Exploit

On February 2, 2022, the Wormhole Token Bridge suffered an exploit that resulted in the loss of 120,000 Wrapped Ether (wETH) tokens worth over $320 million at the time. Wormhole is a popular cross-chain bridge that links the Ethereum and Solana blockchains.

This is the largest crypto exploit of 2022 so far and the second-largest decentralized finance (DeFi) attack to date. The attack happened amidst a rapid increase in hacking incidents suffered by DeFi platforms. In fact, according to a report by CertiK, which is a leading security-landing platform, the amount of money lost in hacks of DeFi projects more than doubled to $1.3 billion in 2021.

Of late, attacks on bridge platforms have been on the rise. The news of the Wormhole exploit comes shortly after the Qubit Finance attack, wherein the attacker took advantage of a logical error in Qubit’s smart contract to input malicious data to steal $80 million worth of cryptocurrency. Bridges between chains are often more susceptible to exploits as they require more interactions and contract approvals than the other


Hack Track: Analysis on BitMart Hack

On December 4, 2021, crypto exchange BitMart suffered an attack on its Ethereum and Binance Smart Chain hot wallets, resulting in a loss of nearly $200 million USD. Founder and CEO Sheldon Xia confirmed the incident, writing on Twitter: “We have identified a large-scale security breach related to one of our ETH hot wallets and one of our BSC hot wallets.”


Hack Track: Analysis of C.R.E.A.M. Finance Hack

On October 27, 2021, C.R.E.A.M. Finance lending markets were exploited. The attacker stole over $136 million worth of crypto assets from the C.R.E.A.M. v1 lending markets. The majority of the crypto assets stolen are reportedly ERC-20 coins and C.R.E.A.M. Liquidity Protocol tokens. 


Hack Track: Analysis of the Bilaxy Hack

On 29 August 2021, Bilaxy, a Seychelles-based centralized crypto exchange, released a statement on Twitter, informing its users that its hot wallets were hacked. Additionally, Bilaxy advised its users to not deposit any funds into Bilaxy accounts until further notice. All the values in this piece are in US Dollars (USD). This news comes shortly after the Liquid Global Official Hack, wherein the attacker, due to a security breach, stole around $91 million in cryptocurrency from Liquid’s warm wallets.


Hack Track: An Analysis of Poly Network Hack and Latest Related Events

[UPDATE 2021.08.23]

As per the update provided by the Poly Network on 19 August 2021, assets worth approximately $427 million were returned by the hacker. The update further stated that 28,953 ETH and 1,032 WBTC (about $141 million) were still left in the 3/4 multi-signature wallet and that Poly Network is waiting for the hacker to provide his private key authorization.

On 23 August 2021, Poly Network released another update announcing that the hacker has publicly shared the private key needed to regain control of the remaining assets through an on-chain message. The announcement stated that Poly Network has successfully retrieved the remaining $141 million and has fully recovered all the user assets that were transferred out during the attack.

This comes after Poly Network promised the hacker a $500,000 bounty for the restoration of user funds, inviting him to become its “chief security advisor.”

After verifying the private key provided by the hacker, Poly Network regained control of the $610 million (not including the frozen $33 million USDT) in assets that were affected in this attack. With respect to the recovery of the $33 million USDT, Poly Network stated that they have been in close communication with Tether and that “Tether is in the process of confirming the final unfreezing process” with them. Additionally, Poly Network thanked the hacker for his cooperation and stated that they had officially entered the fourth phase of their roadmap, “Asset Recovery.” The Poly Network team is in the process of returning full asset control to their users as swiftly as possible.

According to the panelists of Merkle Science’s “Regulating the DeFi Frontier: Where Consumer Protection & Financial Innovation Collide” webinar, the Poly Network hack is a classic example of a situation where enforcement may arrive before regulation. The panelists noted that collective action by the crypto industry, such as blockchain analytics, blocking certain transactions, and adding individual tokens to blacklists, may have pushed the hackers to return the stolen amount.

On 10 August 2021, the Poly Network was attacked by a hacker, losing over $600 million, the largest crypto hack since the Coincheck hack in 2018, across the Ethereum, Binance Smart Chain, and Polygon blockchains. (The previous record  The hack was initially rumored to be a leak of the private key of a single keeper in the network, but the Poly Network and others in the blockchain community have confirmed that the hacker exploited a smart contract vulnerability between contract calls.
