Year in Review: Top 10 DeFi Hacks of 2022

Posted on Feb 6, 2023 | BLOG

year_in_review_top_defi_hacks_2022_banner

Several hacks and scams in 2022 further blighted an abysmal year for the crypto industry, a year in which the pitfalls of using a centralized exchange (CEX) or custody came under mainstream scrutiny yet again with the collapse of FTX and others like 3 Arrows Capital, BlockFi and Voyager. 

The FTX drama – like the collapse of Terra (LUNA), 3AC, and Celsius before it – has been a body blow for the industry. However, a quieter but steadier crisis is building in the world of decentralized finance (DeFi), where hacks and exploits are continuing to happen regularly. 

Much of the 2021 bull market found its genesis in the 2020 DeFi Summer, in which decentralized protocols like Compound, Uniswap, Aave and others unlocked a plethora of smart contract-powered use cases for cryptocurrencies. 

However, an estimated $3 billion in DeFi funds was stolen in 2022 alone, a significant jump from 2021’s $2 billion, making it an increasingly risky investment for anyone to make. The number could be as high as $4.75 billion, according to a Hacken report. If the industry doesn’t find a way to deal with these DeFi vulnerabilities, a trust collapse even among serious crypto users is possible. 

Let’s count down the Top 10 DeFi hacks of 2022, in ascending order.

10. Qubit Finance ($80M)

In January 2022, a hacker stole more than $80M from Qubit Finance, a protocol on the Binance Smart Chain. The hacker managed this by exploiting a deposit option in Qubit’s QBridge contract.

Security firm CertiK found the hacker used the option to mint 77,162 qXETH, an asset standing in for Ether. They then used that asset to drain all of the BNB from QBridge.

The company tried to convince the hacker to return the funds in an exchange for a smaller sum, which would have been considered a legal bug bounty; however, those efforts failed.

9. BNB Chain ($100M)

In October 2022, an exploit occurred on the cross-chain bridge of Binance’s BNB Chain, resulting in the minting of additional BNB tokens on the network. A BNB Chain developer revealed on Reddit that the attacker had drained between $100M and $110M, far smaller than the outset estimate of $600M.

The developer explained the exploit took place on the BSC Token Hub, which serves as a bridge between the BNB Beacon Chain and the BNB Chain. A bug in the bridge’s smart contract allowed for the forged transactions responsible for the exploit.

8. Horizon Bridge ($100M)

In June 2022, the Lazarus Group, a North Korean hacking group employed by the government, successfully hacked the Horizon Bridge.

The hack resulted in the theft of around $100M worth of cryptocurrency, including Ether, Tether, and wrapped Bitcoin. Blockchain analysts at Elliptic determined the attack’s origin and found that some of the stolen assets were sent through Tornado Cash, a now-sanctioned coin-mixing service.

According to the Elliptic analysts, the Horizon Bridge hackers’ use of automated deposits into Tornado Cash was similar to other hacks attributed to the Lazarus Group, such as the Ronin Bridge hack in March 2022.

7. Maiar Exchange ($113M)

In June 2022, a major security breach occurred on the Maiar Exchange, a decentralized exchange (DEX) platform built on the Elrond blockchain. The attacker exploited a smart-contract vulnerability that allowed them to withdraw an amount of Elrond eGold (EGLD) valued at approximately $113M.

The hacker quickly sold the stolen crypto on the Maiar Exchange, causing the value of EGLD to plummet temporarily by 92%, before they converted it to ETH and sold it on other exchanges.

6. Mango Markets ($114M)

In October 2022, Mango Markets, a Solana-based DeFi platform, lost approximately $114M when an attacker manipulated price oracle data to take out large loans without sufficient collateral.

The attacker deposited $5M on the platform and used it to open a huge long position in MNGO-PERP. This led the price of MNGO to jump, increasing the value of the attacker’s collateral. These funds were then used to take further debt positions on Mango.

Ultimately, the protocol allowed the attacker to return $67M of the stolen tokens and keep the remaining $47M as a bug bounty.

The attacker, later identified as Avraham Eisenberg, defended his actions as “legal” and a “highly profitable trading strategy.”

5.Wintermute ($162M)

In September 2022, the crypto market maker Wintermute lost approximately $162M in a DeFi hack.

Blockchain security firm Certik discovered the hack did not stem from a smart contract vulnerability, but rather a vulnerable private key. The private key may have been leaked or obtained through brute force. Certik also indicated a flaw in the Profanity vanity address generator may have been to blame.

At the time of the hack, Wintermute had around $200M in outstanding DeFi debt to various platforms, with TrueFi being the largest creditor at $92M. Despite the hack, Wintermute was able to pay back its TrueFi loan.

4. Beanstalk Farms ($182M)

In April 2022, an exploit in the governance system of the Ethereum-based stablecoin protocol Beanstalk Farms resulted in the loss of all $182M of its total value locked (TVL).

Blockchain security firm PeckShield found that the attacker used a flash loan to acquire a large amount of Beanstalk’s native governance token, STALK. The size of these holdings then allowed the person to pass proposals regarding donations to Ukraine.

The attacker stole around $80M in multiple cryptos, breaking the BEAN stablecoin’s $1 peg and wiping out Beanstalk Farms' $182M TVL. In the end, the crypto haul was laundered via Tornado Cash.

3. Nomad Bridge ($190M)

In August 2022, the Nomad cross-chain bridge was exploited, resulting in the theft of over $190M from the platform. The attack involved hundreds of addresses and was initiated by a suspicious transaction that drained 100 wrapped Bitcoin tokens.

Subsequent transactions then systematically drained all digital assets from Nomad. The exploit was enabled by a bug in the Replica contract on the bridge. This allowed anyone to locate a transaction, substitute their address, and then broadcast it again.

The attack, which lasted three hours, was facilitated by an update that introduced the vulnerability. Nomad offered a bug bounty and recovered $20M in stolen crypto by promising not to press charges against those who returned funds.

2. Wormhole Bridge ($326M)

In February 2022, the Wormhole bridge experienced a massive security breach that resulted in the loss of 120,000 wrapped Ether (WETH) tokens, worth approximately $325M at the time. 

The hacker managed to get past the bridge’s verification processes and mint the wrapped tokens, which they then exchanged for ETH on the Ethereum network and various altcoins on Solana.

In response to the hack, the Wormhole team offered a $10M bug bounty to get the crypto back, but no one came forward. To prevent disastrous inflation and keep up user confidence in the bridge, Wormhole’s VC backer, Jump Crypto, replenished the missing crypto.

1. Ronin Bridge ($620M)

In March 2022, a hacker stole 173,600 Ether and 25.5M USDC (then altogether worth $625M) from the Ronin Network. The attacker used hacked private keys to quickly siphon away the funds.

Ronin, which supports the Axie Infinity P2E game, is a side chain of the Ethereum network. At the time of the attack, it had nine validators and a majority of signatures were needed to allow withdrawals. However, the attacker managed to access five private keys via a backdoor.

Sky Mavis later announced that it raised $150M with Binance to make users at least partially whole. Meanwhile, US officials tied the North Korean Lazarus group to the crime.

Conclusion

With 2022 behind us, let’s spare a moment for the plight of DeFi, a leading frontier for the future of mass cryptocurrency adoption. After all, crypto is supposed to be about decentralization and transparency, and the stability of the DeFi sector will be essential to realizing that vision.