DeFi platforms

7 DeFi protocol hacks in Feb see $21 million in funds stolen: DefiLlama

DeFi platforms lost over $21 million to hackers throughout February, according to data released by DeFi project aggregator DefiLlama.

Reentrancy, price oracle attacks and exploits across seven protocols caused the decentralized finance (DeFi) space to bleed at least $21 million in crypto in February.

According to DeFi data analytics platform DefiLlama, one of the largest in the month was the flash loan reentrancy attack on Platypus Finance, which led to $8.5 million of funds lost.

DefiLlama highlighted six other noteworthy hacks in the month, the first being the price oracle attack on BonqDAO on Feb 1.

*DeFi platforms suffered seven attacks throughout February. Source: DefiLlama*

BonqDAO: $1.7 million

BonqDAO revealed to its followers in a Feb. 1 post that its Bonq protocol was exposed to an oracle attack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token.

The exploiter increased the ALBT price and minted large amounts of Bonq Euro (BEUR). The BEUR was then swapped for other tokens on Uniswap. Then, the price decreased to almost zero, which triggered the liquidation of ALBT.

Blockchain security firm PeckShield estimated the losses to be around $120 million; however, it was later revealed hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO.

Orion Protocol: $3 million

Just a day later, on Feb. 2, decentralized exchange Orion Protocol suffered a loss of roughly $3 million through a reentrancy attack, where attackers used a malicious smart contract to drain funds from a target with repeated withdrawal orders.

We have been investigating this very sophisticated attack from the minutes it occurred. We will not reopen the Deposit function until we feel confident that the bug has been fixed which will only be after successfully passing new audits from leading audit firms.

— Alexey Koloskov (@alexeykoloskov) February 2, 2023

Orion Protocol CEO Alexey Koloskov confirmed the attack at the time, assuring everyone that “All users’ funds are safe and secure.“

“We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said.

DForce Network: $3.65 million

DeFi protocol dForce network was another February victim of a reentrancy attack resulting in around $3.65 million in losses.

In a Feb. 10 post, dForce confirmed the exploit; however, in a twist, all funds were returned when the attacker came forward as a white hat hacker.

2/5 Shortly after the incident, we entered into conversations with the exploiter, who came forward as a whitehat. We have agreed to offer a bounty and will drop all on-going investigation and law enforcement actions.

— dForce (@dForcenet) February 13, 2023

“On Feb. 13, 2023, the exploited funds were fully returned to our multisig on both Arbitrum and Optimism, a perfect ending for all,” dForce said.

Platypus Finance: $9.1 million

On Feb. 16, DeFi protocol Platypus Finance suffered a flash loan attack resulting in $8.5 million being drained from the protocol.

A post-mortem report from Platypus auditor Omniscia noted that the attack was possible because of code in the wrong order.

On Feb. 23, the team announced that they are seeking to return around 78% of the main pool funds by reminting frozen stablecoins.

Updated compensation page

We have updated our compensation page today! If you have deposited or withdrawn LP tokens from our yield aggregators before the pool pause, your compensation amount will be updated accordingly.
More https://t.co/GfLIn5jmtF

— Platypus (++) (@Platypusdefi) March 3, 2023

The team also confirmed second and third incidents, which led to another $667,000 exploited, bringing total losses to around $9.1 million.

French police arrested two suspects related to the hack and seized around $222,000 worth of crypto assets on Feb. 25.

Hope Finance: $1.86 million

A few days later, on Feb. 20, users of Arbitrum-based algorithmic stablecoin project Hope Finance fell prey to a smart contract exploit, which saw roughly $2 million stolen from users.

#CommunityAlert @hope_fin have announced the community has been scammed for ~$2m making this the largest #exitscam on Arbitrum in 2023.

$1.86m was transferred to @TornadoCash.

Hope_fin have posted steps for user’s to withdraw their staked LPhttps://t.co/hJbFXiKujt

— CertiK Alert (@CertiKAlert) February 21, 2023

Web3 security firm CertiK flagged the incident on Feb. 21, following an announcement from the Hope Finance Twitter account notifying users of the scam.

A member of the CertiK team told Cointelegraph at the time that the scammer had changed the details of the smart contract, which led to funds being drained from Hope Finance genesis protocol:

“It appears that the scammer changed the TradingHelper contract which meant that when 0x4481 calls OpenTrade on the GenesisRewardPool the funds are transferred to the scammer.”

Dexible: $2 million

Multichain exchange aggregator Dexible was hit by an exploit that targeted the app’s selfSwap function, with $2 million worth of cryptocurrency lost due to the Feb. 17 attack.

According to a Feb. 18 post from the exchange, “a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract.“

Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract.

1/5

— Dexible (@DexibleApp) February 17, 2023

After investigating, the Dexible team found the attacker had used the app’s selfSwap function to move over $2 million worth of crypto from users that had previously authorized the app to move their tokens.

After receiving the tokens into their own smart contract, the attacker withdrew the coins through Tornado Cash into unknown BNB (BNB) wallets.

LaunchZone: $700,000

BNB Chain-based DeFi protocol LaunchZone had $700,000 worth of funds drained on Feb. 27.

According to blockchain security firm Immunefi, an attacker leveraged an unverified contract to drain the funds.

“An approval had been made to the unverified contract 473 days ago by the LaunchZone deployer,” Immunefi said.

The February figures are a stark increase from January, according to DefiLlama figures.

The tracker lists only $740,000 in hacks to DeFi platforms in the month across two protocols — Midas Capital and Roe Finance.

In its 2023 Crypto Crime Report, blockchain data firm Chainalysis revealed that hackers stole $3.1 billion from DeFi protocols in 2022, accounting for more than 82% of the total amount stolen in the year.

FBI issues alert over cybercriminal exploits targeting DeFi

Smart contracts governing DeFi platforms identified as a particular cause for concern for the enforcement agency.

The United States Federal Bureau of Investigation (FBI) has issued a fresh warning for investors in decentralized finance (DeFi) platforms, which have been targeted with $1.6 billion in exploits in 2022.

In a Tuesday public service announcement on the FBI’s Internet Crime Complaint Center, the agency said the exploits have caused investors to lose money — advising investors to conduct diligent research about DeFi platforms before using them while also urging platforms to improve monitoring and conduct rigorous code testing.

The law enforcement agency warned that cybercriminals are out in force to take advantage of ”investors’ increased interest in cryptocurrencies,” and ”the complexity of cross-chain functionality and open source nature of Defi platforms.”

The #FBI warns that cyber criminals are increasingly exploiting vulnerabilities in decentralized finance (DeFi) platforms to steal investors cryptocurrency. If you think you are the victim of this, contact your local FBI field office or IC3. Learn more: https://t.co/fboL1N17JN pic.twitter.com/VKdbpbmEU1

— FBI (@FBI) August 29, 2022

The FBI observed cybercriminals exploiting vulnerabilities in smart contracts that govern DeFi platforms in order to steal investors’ cryptocurrency.

In a specific example, the FBI mentioned cases where hackers used a “signature verification vulnerability” to plunder $321 million from the Wormhole token bridge back in February. It also mentioned a flash loan attack that was used to trigger an exploit in the Solana DeFi protocol Nirvana in July.

However, that’s just a drop in a vast ocean. According to an analysis from blockchain security firm CertiK, since the start of the year, over $1.6 billion has been exploited from the DeFi space, surpassing the total amount stolen in 2020 and 2021 combined.

FBI recommends due diligence, testing

While the FBI admitted that “all investment involves some risk,” the agency has recommended that investors research DeFi platforms extensively before use and, when in doubt, seek advice from a licensed financial adviser.

The agency said it was also very important that the platform’s protocols are sound and to ensure they have had one or more code audits performed by independent auditors.

Typically, a code audit involves a review of the platforms underlying code to identify vulnerabilities or weaknesses, which could be exploited.

According to the FBI, any DeFi investment pools with an “extremely limited timeframe to join” or “rapid deployment of smart contracts” should also be approached with extreme caution, especially if they have not conducted a code audit.

Crowdsourced solutions, generating ideas or content by soliciting contributions from a large group of people, were also flagged by the law enforcement agency:

“Open source code repositories allow unfettered access to all individuals, to include those with nefarious intentions.”

The FBI said DeFi platforms can also do their part to increase security by testing their code regularly to identify vulnerabilities, along with real-time analytics and monitoring.

An incident response plan and informing users about possible platform vulnerabilities, hacks, exploits or other suspicious activity are also among the recommendations.

However, failing all that, the FBI urges American investors targeted by hackers to contact them through the Internet Crime Complaint Center or their local FBI field office.

Earlier this year, U.S. Deputy Attorney General Lisa Monaco announced the FBI was stepping up its efforts to address crime in the digital asset space with the formation of the Virtual Asset Exploitation Unit.

The specialized team is dedicated to cryptocurrency and includes experts to help with blockchain analysis as part of a shift in focus toward disruption of international criminal networks, rather than just their prosecution.