2020 has been the year of DeFi, but not all has gone smoothly with the fledgling financial ecosystem.
Unlike in previous years, crypto news in 2020 has not been dominated by major exchange hacks and million dollar Bitcoin thefts. However, there have still been quite a few and most of them have originated from the nascent decentralized finance sector.
DeFi has been one of the main drivers of crypto market momentum in 2020 and it stands to reason that the emerging financial landscape has been a magnet for scammers and hackers. Largely unaudited smart contracts coupled with cloned code have been a recipe for vulnerabilities and exploits, often resulting in millions of dollars in digital assets being pilfered.
A CipherTrace report from November 2020 stated that during the first half of the year, DeFi took up 45% of all thefts and hacks resulting in over $50 million lost. That figure rose to 50% of all thefts and hacks in the second half, according to the report. Speaking to Cointelegraph, CipherTrace CEO Dave Jevans warned of a potential regulatory crackdown: “DeFi hacks now make up more than half of all cryptocurrency hacks in 2020, a trend that is attracting attention from regulators.”
He added that of greater concern to regulators is the lack of Anti-Money Laundering compliance: “Funds stolen in the largest hack of 2020 - the $280 million KuCoin hack - were laundered using DeFi protocols.” Jevans also believes that 2021 is likely to bring clarity from regulators in terms of what actions DeFi protocols are expected to take to avoid the consequences of a failure to comply with AML, Capture the Flag, and possible sanctions.
Exchange hacks in 2020
The KuCoin hack occurred in late September when exchange CEO, Johnny Lyu, confirmed that the incursion affected the firm’s Bitcoin, Ethereum, and ERC-20 hot wallets, after private keys were leaked.
By early October KuCoin said it had identified suspects and had officially involved law enforcement in the investigation. By mid-November the Singapore based exchange declared that it had recovered 84% of the stolen crypto and resumed full services for the majority of its tradable assets.
There were other exchange hacks this year, but KuCoin was the largest. In February Italian exchange Altsbit lost almost all of its funds in a $70,000 hack, and there have been a couple of other minor crypto exchange breaches. In October 2020, as many as 75 centralized crypto exchanges had closed due to various reasons, hacking being onem.
DeFi’s 2020 hacks and exploits
With billions of dollars pouring into DeFi protocols and yield farms, the emerging landscape became a hotbed for hackers. The first major incursion of 2020 happened on DeFi lending platform bZx in February when two flash loan exploits resulted in the loss of nearly $1 million in user funds. A flash loan is when crypto collateral is borrowed and repaid within the same transaction.
bZx froze operations to prevent further loss, but this generated a wave of criticism from industry observers claiming that it was ultimately a centralized platform after all and could be the “death of DeFi.”
Markets crashed in March resulting in a lot of collateral liquidations, especially for Maker’s MKR token, but these were not hacks. The next one of those came the following month when a wrapped version of Bitcoin called imBTC was attacked using something called an ERC-777 token standard reentrancy method. The attacker was able to siphon a Uniswap liquidity pool for all of its value, estimated to be $300,000 at the time.
April also saw Chinese lending platform dForce drained of all its liquidity using the same exploit. The hacker repeatedly increased their ability to borrow other assets and made off with around $25 million in funds.
In June, an exploit was discovered in Bancor’s smart contracts that resulted in the draining of as much as $460,000 in tokens. The DeFi automated market maker stated that they had deployed a new version of the smart contract that had fixed the vulnerability.
Balancer was the next DeFi protocol to get exploited to the tune of $500,000 in wrapped Ether pilfered from its liquidity pools using a well-planned arbitrage attack. A series of flash loans and arbitraged token swaps were carried out in an attack on a vulnerability that the Balancer team apparently already knew about.
Not so much a hack as another exploit, but bZx was in the news again in July with a dubious token sale that was manipulated by bots placing buy orders in the same block that marked the start of the token generation event. Almost half a million dollars in price pump profits was captured by the attackers.
DeFi options protocol Opyn was the next victim in August when hackers exploited its ETH Put contracts making off with more than $370,000. The exploit allowed attackers to “double exercise” Ethereum Put oTokens and steal the collateral. Opyn recovered around 440,000 in USDC from outstanding vaults using a white hat hack, effectively returning them to Put sellers.
Again, not a direct hack but a code flaw in an unaudited Yam Finance smart contract affected the rebasing of the governance token resulting in a price collapse in mid-August. The protocol was forced to appeal to DeFi whales to save it by voting for a restart as version 2.
When the Sushi unrolls
The SushiSwap saga began at the end of August and the terms “vampire mining”’ and “rug pull” were coined. The anonymous protocol cloner and administrator known as “Chef Nomi” sold $8 million worth of SUSHI tokens causing the token price to collapse. A few days later, the protocol was rescued by FTX exchange CEO Sam Bankman-Fried, who was handed control by a consortium of DeFi whales through a multi-signature smart contract. Eventually all the funds were returned to the developer fund.
The rug pulls, or “pump and dumps” as they were termed during the previous altcoin boom in 2017, continued with a number of DeFi clones such as Pizza and Hotdog. Token prices for these food farms surged and collapsed within hours and sometimes even minutes.
In mid-October, hordes of “degenerate farmers,” or degens as they were termed, piled money into an unaudited and unreleased smart contract from DeFi protocol Yearn Finance founder Andre Cronje. The Eminence Finance contract lost $15 million when it was hacked within hours of Cronje posting teasers about the new “gaming multiverse” on twitter. The hacker returned around $8 million but kept the rest, which prompted the disgruntled traders to initiate legal action against the Yearn team over lost funds.
In late October, a sophisticated flash loan arbitrage attack on the Harvest Finance protocol resulted in the loss of $24 million in stablecoins in around seven minutes. The attack sparked debate as to whether these exploitations of the design of the system can be considered as hacks.
November was a particularly painful month for Akropolis which had to “pause the protocol” as hackers made off with $2 million in DAI stablecoin. The Value DeFi protocol lost $6 million in an all too common flash loan exploit, yield generating stablecoin project Origin Dollar was exploited for $7 million, and Pickle Finance suffered a $20 million collateral loss in a sophisticated “‘evil jar" exploit.
One that broke the mold of exploiting the system was a personal attack on an individual in mid-December. Nexus Mutual DeFi protocol founder Hugh Karp lost $8 million from his MetaMask wallet when a hacker managed to infiltrate his computer, spoofing a transaction. These types of attacks are generally less common as they involve some degree of social engineering.
The last reported flash loan attack of the year, so far, was an $8 million incursion on Warp Finance on December 18.
Many retail traders and investors have also fallen foul to phishing attempts and Ledger hardware wallet owners have also been targeted in 2020 after the personal information of some 272,000 Ledger buyers was hacked.
Battle hardening DeFi
The majority of smart contract and flash loan exploits in 2020 will serve to battle-harden the emerging financial ecosystem as it develops. New and smarter DeFi protocols are likely to emerge next year, but, as always, scammers, hackers and cybercriminals will also up their game in an attempt to stay ahead.
A huge dose of vigilance and attention is needed to delve into the current world of DeFi, but it has come a very long way in such a short period of time, and the decentralized financial landscape of the future is constantly evolving.