A tidal wave of mass adoption has finally come to crypto this year thanks to new use cases brought about by Web 3, NFT, DeFi, and metaverse applications, and an even bigger wave is expected next year. It’s not completely surprising, then, that another record number of hacks totaling billions were perpetrated in 2021 by bad actors, scammers and hackers who have found ways to exploit vulnerabilities in ill-implemented or nascent cryptocurrency security measures. Hackers upped their efforts in the last quarter of 2021, and exploit they did.
While there have been huge leaps in security, privacy, and understanding our own individual role in protecting our assets, not all protocols are created equal. Oftentimes, exchanges or protocols will prioritize growth over implementing proper security features. Assets, as well as private information, are easily compromised if modern security features are not implemented fully and appropriately before they are necessary.
Recent security breaches
The crypto market has been cooling off since many all-time highs (ATHs) were reached in October, but this hasn’t disincentivized hackers from attempting to steal coins or tokens from exchanges. Several digital asset hacks have occurred in the past month, some of which are among the highest-valued thefts in crypto history.
BitMart was taken for $225 million
On Dec. 4th, BitMart, a centralized exchange based in the Cayman Islands, had multiple hot wallets compromised, losing over $225 million over the course of an hour. Many altcoins such as Binance Coin (BNB), Safemoon, and Shiba Inu (SHIB) were stolen, marking the largest theft from a centralized exchange (CEX) in 2021.
The hack was first observed by PeckShield, a data analytics and blockchain security company. Several days later, BitMart CEO Sheldon Xia confirmed the hack, stating that two hot wallets had their private keys stolen, one holding Ethereum-based assets and the other containing Binance Smart Chain (BSC) coins.
Assets were quickly laundered through a decentralized finance (DeFi) service, Tornado Cash, making the recovery of any funds unlikely. Nevertheless, BitMart has compensated users at its own expense and resumed deposits and withdrawals several days later on Tuesday, Dec. 7th.
Not only was this the largest CEX hack of 2021, but it was also the 5th largest hack in crypto history, the largest being PolyNetwork earlier this year (though most of PolyNetwork’s funds were recovered).
MonoX Finance has $31 million of liquidity pool assets stolen
According to the MonoX team, on Nov. 30th hackers tricked their protocol’s swap contract into boosting the project’s native MONO token to a ridiculous price, then used the inflated token to purchase assets from the liquidity pool.
Through the exploitation of MonoX Finance’s smart contracts, thieves were able to make off with $31 million worth of Wrapped Ethereum and MATIC tokens. Despite two previous audits, by PeckShield and Halborn, neither smart contract auditor identified the flaw that hackers exploited to drain funds.
While this amount may seem small compared to the value often stolen from exchanges, DeFi protocols aren’t always able to recover when millions of dollars are stolen, as it can tarnish their reputation or require them to liquidate their own assets to pay back investors.
Badger DAO Protocol
Not long after MonoX Finance was breached, another DeFi protocol, Badger DAO, was hacked for $120 million in various cryptocurrencies.
The hack is believed to have come about because of an exploit in the user interface, and not from core protocol contracts. This exploit allowed hackers to spam users with withdrawal requests that asked for additional permissions; by approving them, users effectively signed transactions that withdrew funds to the hacker’s address.
Once the attack was detected, engineers from Badger DAO immediately suspended all smart contracts to prevent withdrawals so Chainalysis analysts could investigate the issue. PeckShield Inc. concluded 2,100 BTC and 151 ETH were stolen as a result of the hack, but data shows that the malicious permission requests may have been used for weeks prior to the attack, meaning this value could be much higher.
Celsius Network funds were stolen via Badger DAO hack
Among the addresses compromised in the Badger DAO hack, one belonged to Celsius Network, which lost around $54 million worth of wrapped Bitcoin, making it the largest victim of the attack.
Celsius Network is a lending protocol with over one million users. While Celsius initially did not comment on the lost funds, they later confirmed the wallet belonged to them, adding that they were working with Badger DAO to recover the funds.
The easiest way for protocols and exchanges to prevent hacks is to prioritize upgrading their security infrastructure. With crypto becoming a market where many investors and institutions are willing to put money into new projects, protocols may soon find that the assets they’re trusted with create a honeypot for bad actors who can breach their incomplete security features.
Trusted, reliable security should be established before assets become a target for thieves and hackers. These bad actors consider themselves modern-day bank robbers who are familiar with common security systems and possess the know-how to breach or exploit them.
The CYBAVO difference
A leader in the cybersecurity industry and a founding member of the MPC Alliance, CYBAVO has become an industry leader in cutting-edge security technology such as multi-party computation (MPC) and secure digital asset operations for institutions and virtual asset custodians.
CYBAVO VAULT offers many tools to help fund managers, blockchain developers, NFT marketplaces, GameFi developers, crypto exchanges, and many other services manage and secure digital assets, enhance operational efficiency, and ensure regulatory compliance.
CYBAVO’s flagship product, the CYBAVO VAULT, is secured through various mechanisms using a defense-in-depth approach, but one of the most important aspects is the correct implementation of MPC to eliminate single points of failure. These single points of failure are often the main contributor to hacks that result from poor private key management or human error.