The spectacular growth of decentralized finance (DeFi) continues to bring both boundless opportunity and financial peril to crypto users. Hundreds of millions of dollars have been lost to hacks, theft, rug pulls and system failures since the sector exploded in popularity last year; about $120 million worth of assets were looted from DeFi platforms in 2020 alone, even as they captured the attention and imagination of the wider crypto industry.
Fewer DeFi attacks have occurred so far in 2021, and the space has matured: security practices have improved and third-party code audits have become common. Even so, we can’t say for certain that this year’s DeFi hacks will end up less devastating than 2020’s, because certain systemic problems remain.
Let’s explore the DeFi hacks and exploits that have so far transpired in the first few months of 2021. We’ll cover the 9 most serious incidents and also discuss the various reasons why they happened.
February 2021 DeFi Hacks
Yearn Finance Flash Loan Attack
After an uneventful January, the first known DeFi attack of the year hit none other than Yearn Finance, one of the top yield aggregators in the space. A smart contract exploit let the attacker siphon about $11 million of user funds from the DAI vault, of which roughly $2.7 million was profit after an exorbitant $8.5 million was spent on fees. Yearn itself does not offer flash loans; the attacker borrowed them from other DeFi platforms and used them to manipulate the pool that the vault depended on.
The attack began with flash loans from dYdX and Aave, which were used as collateral to borrow on Compound. The attacker then pushed those funds into the pool that Yearn’s DAI vault deposits into, skewing its balances and inflating the price of DAI relative to the pool. Finally, they swapped back the Curve tokens they had accumulated, exiting with the inflated DAI.
Alpha Homora Iron Bank Exploit
Alpha Finance lost over $37 million to a series of flash-loan-funded transactions against Alpha Homora V2, its leveraged yield farming and liquidity protocol. The attacker borrowed millions in stablecoins from Cream Finance’s Iron Bank, doubling the size of each successive loan, and lent the proceeds back to Iron Bank, receiving stablecoins in return and manipulating their accounting for profit. Analysts attribute the attack to a smart contract exploit in Alpha Homora rather than to Iron Bank itself.
March 2021 DeFi Hacks
Meerkat Finance Exploit
Meerkat Finance is a yield farming protocol on Binance Smart Chain (BSC) whose smart contract vault was reported attacked within a day of going live in March 2021. The attack resulted in a loss of about 13 million BUSD and 73,000 BNB.
Questions about the attack arose once it emerged that the supposed hacker had modified the vault’s business logic to drain these assets, something that requires privileged access to the contract. Meerkat’s website and Twitter account were both taken down, leaving users suspecting a rug pull or a deliberately planted coding error intended to steal user funds.
What is a DeFi rug pull?
A rug pull in the DeFi space is an event where a protocol token is launched on a DEX like Uniswap and paired with a leading cryptocurrency such as ETH. Retail liquidity providers, known as yield farmers, are then actively courted on social media by a usually anonymous team promising a ridiculously large Annual Percentage Yield (APY).
As soon as enough funds have been locked into the smart contract, the developer (who retains full control over the contract) suddenly withdraws all the funds from the liquidity pool and disappears forever, sending the token’s price to zero. Before providing liquidity, it is worth checking who holds the pool’s LP tokens and whether they are locked, and whether the token contract retains owner-only mint or withdrawal functions.
PAID Network Infinite Mint Attack
Paid Network was compromised in an infinite mint attack that resulted in a nominal loss of around $180 million, with the attacker bagging a total of $3 million in profit. A flaw in the minting logic for PAID tokens let the attacker inflate the supply at will, sending the token’s value down by 85%. There was speculation within the community that the PAID incident was not an exploit but a rug pull. However, given that Paid Network is still thriving today with its Ignition Launchpad and has reimbursed victims, this does not seem to be the case.
EasyFi Hack
EasyFi is a DeFi platform built on top of the Polygon Network, which reported a loss of over $80 million worth of assets due to a hack. The attacker took $75 million worth of assets and siphoned a further $6 million from its liquidity pools. The team decided to conduct a hard fork in order to recover most of the drained funds.
April 2021 DeFi Hacks
ForceDAO Exploit
ForceDAO was targeted by hackers who drained a total of 183 ETH ($367,000 at the time) from its xFORCE protocol. They looted the xFORCE vault by exploiting a smart contract bug in how it handled FORCE, an Aragon MiniMe token, together with the protocol’s liquidity pool.
MiniMe tokens signal a failed transfer by returning false rather than reverting, and the xFORCE vault did not check that return value. The culprits therefore deposited FORCE tokens that they knew would fail to transfer, still received xFORCE tokens for the deposit, and then swapped the xFORCE they had accumulated into ETH for profit.
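The failure pattern described above, modelled in Python as an added example (this is not ForceDAO’s, Aragon’s or any audited contract’s code; the token, vault and account names are constructed). A MiniMe-style token reports a failed transferFrom by returning False, a vault that ignores that value mints shares for tokens it never received, and the hardened deposit both checks the return value and credits only the measured balance change, which also handles fee-on-transfer tokens correctly:

```python
"""Unchecked ERC-20 return value: vulnerable vault beside the hardened one.

Added example, not code from the article or from any project it names.
Token behaviour is modelled in Python; names and balances are constructed.
"""


class RevertingToken:
    """ERC-20 that raises on failure (OpenZeppelin-style semantics)."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def transfer_from(self, src: str, dst: str, amount: int) -> bool:
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return True


class FalseReturningToken(RevertingToken):
    """ERC-20 that signals failure by returning False instead of reverting,
    the MiniMe behaviour that bit ForceDAO."""

    def transfer_from(self, src: str, dst: str, amount: int) -> bool:
        if self.balances.get(src, 0) < amount:
            return False
        return super().transfer_from(src, dst, amount)


class Vault:
    """Mints 1:1 shares for deposited tokens (real vaults scale by total
    assets; 1:1 keeps the bug visible)."""

    ADDRESS = "vault"

    def __init__(self, token: RevertingToken):
        self.token = token
        self.shares: dict = {}

    def deposit_unchecked(self, user: str, amount: int) -> int:
        # BUG: the boolean result is discarded, so with a False-returning
        # token the caller gets shares for tokens that never arrived.
        self.token.transfer_from(user, self.ADDRESS, amount)
        self.shares[user] = self.shares.get(user, 0) + amount
        return self.shares[user]

    def deposit_checked(self, user: str, amount: int) -> int:
        # Hardened: require a True result AND credit only the balance the
        # vault actually gained (covers fee-on-transfer tokens as well).
        before = self.token.balance_of(self.ADDRESS)
        if not self.token.transfer_from(user, self.ADDRESS, amount):
            raise RuntimeError("transferFrom returned false")
        received = self.token.balance_of(self.ADDRESS) - before
        if received <= 0:
            raise RuntimeError("no tokens received")
        self.shares[user] = self.shares.get(user, 0) + received
        return self.shares[user]


def demo() -> dict:
    """Attacker holds no FORCE-like tokens yet deposits 1000 into each vault."""
    vulnerable = Vault(FalseReturningToken({"lp": 5000, "attacker": 0}))
    minted = vulnerable.deposit_unchecked("attacker", 1000)
    held = vulnerable.token.balance_of(Vault.ADDRESS)

    hardened = Vault(FalseReturningToken({"lp": 5000, "attacker": 0}))
    try:
        hardened.deposit_checked("attacker", 1000)
        blocked = False
    except RuntimeError:
        blocked = True
    return {"shares_minted_for_nothing": minted, "tokens_in_vault": held,
            "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())  # shares minted for 0 tokens received; hardened vault refuses
```

In Solidity the equivalent fix is to route every token call through a SafeERC20-style wrapper and to account by balance difference rather than by the requested amount.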
Uranium Finance Migration Exploit
Uranium Finance is an automated market maker protocol on BSC that suffered a total loss of over $50 million in an attack carried out while the protocol was conducting its token migration. The hacker exploited a coding error in the platform’s balance modifier logic. They then routed part of the proceeds through the Ethereum-based mixer Tornado Cash to launder the stolen funds while keeping their identity private.
May 2021 DeFi Hacks
Spartan DeFi Flash Loan Attack
Spartan Protocol is a BSC-based DeFi platform that was recently hit with multiple flash loans, resulting in a total loss of about $30 million. The attacker flash-borrowed wrapped BNB from PancakeSwap and swapped it against Spartan’s native token five times, manipulating the balance of assets held in its liquidity pool. The hacker then moved the stolen funds out through the DEX aggregator 1inch and Nerve Finance.
Rari Capital Exploit
Rari Capital is one of the latest DeFi platforms to be targeted by hackers, who drained its yield vaults and lending pools for a loss of about $11 million. According to the investigation, the hacker manipulated the smart contracts into accepting a hostile contract, which gained unauthorized access to funds kept in the ibETH vault.
Why and How Are DeFi Protocols Still Being Hacked in 2021?
Flash loans appear to be the DeFi feature hackers have most often taken advantage of, directly or indirectly, to steal funds, which raises the question: should flash loans be abolished to avoid such risks? The answer is no.
Flash loans are an important innovation in DeFi: they allow users to borrow without collateral as long as the liquidity is returned to the pool within a single transaction, which gives small-time players a real opportunity to participate in the market. They also enable handy DeFi features such as self-liquidation, arbitrage, collateral swapping, and many more.
Unfortunately, this also makes flash loan attacks easy and cheap to pull off. Since flash loans allow anyone to be a whale, if only for a few seconds, malicious actors face no financial deterrent to attempting them, unlike 51% attacks, which require massive resources.
Flash loan attacks are usually a means to an end: price manipulation. High-volume trades, especially those funded by massive flash loans, can inflate the price an on-chain feed reports for an asset such as a stablecoin within the same transaction, and hackers abuse the inflated price to multiply their holdings.
Oracle manipulation is therefore another huge concern, as decentralized networks have no way of accessing external data without oracles. The fact of the matter is that obtaining price data that is accurate, secure and reliable is difficult. And oracles are even more essential to DeFi than flash loans, which means we can’t get rid of them either.
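The flash loan plus oracle manipulation pattern described above, reduced to a runnable toy. This is an added example, not code from the article or from any protocol it names; the pool reserves, loan size, lender liquidity, loan-to-value ratio and fee rates are constructed numbers. It shows a lender that values collateral from an AMM’s spot price being drained inside one transaction, and the same attack failing (the transaction reverts) when the lender reads a time-weighted average price instead:

```python
"""Toy model of why a flash loan turns a spot-price oracle into an attack surface.

Added example, not code from the article or from any protocol it names.
Reserves, loan size, lender liquidity and fee rates are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Uniswap-v2-style AMM for an ETH/USD pair: reserve_eth * reserve_usd is
    preserved across a swap, less a 0.3 percent fee."""
    reserve_eth: float
    reserve_usd: float
    fee: float = 0.003

    def spot_price(self) -> float:
        """USD per ETH implied by the current reserves."""
        return self.reserve_usd / self.reserve_eth

    def buy_eth(self, usd_in: float) -> float:
        """Swap USD for ETH and return the ETH received. A large buy drains
        ETH from the pool and pushes spot_price() up sharply."""
        usd_eff = usd_in * (1 - self.fee)
        eth_out = self.reserve_eth * usd_eff / (self.reserve_usd + usd_eff)
        self.reserve_usd += usd_in
        self.reserve_eth -= eth_out
        return eth_out


class SpotOracle:
    """Naive oracle: reads the AMM's instantaneous price."""
    def __init__(self, pool: ConstantProductPool):
        self.pool = pool

    def observe(self) -> None:  # nothing to record; the price is read live
        pass

    def price(self) -> float:
        return self.pool.spot_price()


class TwapOracle:
    """Average of the price recorded at the end of the previous `window`
    blocks. A swap inside the current transaction cannot move it."""
    def __init__(self, pool: ConstantProductPool, window: int = 10):
        self.pool = pool
        self.history: deque = deque(maxlen=window)

    def observe(self) -> None:  # called once per block, before any transaction
        self.history.append(self.pool.spot_price())

    def price(self) -> float:
        return sum(self.history) / len(self.history)


class LendingPool:
    """Lends USD against ETH collateral valued by the oracle, up to `ltv`."""
    def __init__(self, oracle, usd_liquidity: float, ltv: float = 0.75):
        self.oracle = oracle
        self.usd_liquidity = usd_liquidity
        self.ltv = ltv

    def borrow_against(self, eth_collateral: float) -> float:
        capacity = eth_collateral * self.oracle.price() * self.ltv
        amount = min(capacity, self.usd_liquidity)
        self.usd_liquidity -= amount
        return amount


def run_attack(oracle_cls, loan: float = 30_000_000.0,
               flash_fee: float = 0.0009) -> dict:
    """One atomic transaction: flash-borrow USD, pump ETH on the AMM, post the
    bought ETH as collateral, borrow against the inflated valuation, repay the
    flash loan from the proceeds and walk away. If the borrow cannot cover the
    loan plus fee, the whole transaction reverts and the attacker only loses gas."""
    pool = ConstantProductPool(reserve_eth=10_000.0, reserve_usd=20_000_000.0)
    oracle = oracle_cls(pool)
    for _ in range(10):          # ten quiet blocks: every observation is 2000 USD/ETH
        oracle.observe()
    fair_price = pool.spot_price()
    lender = LendingPool(oracle, usd_liquidity=45_000_000.0)

    eth = pool.buy_eth(loan)                  # step 1: pump the pool
    borrowed = lender.borrow_against(eth)     # step 2: borrow at the oracle price
    owed = loan * (1 + flash_fee)
    if borrowed < owed:                       # cannot repay: transaction reverts
        return {"reverted": True, "profit": 0.0, "bad_debt": 0.0,
                "oracle_price": oracle.price()}
    # The lender is left holding ETH worth only fair_price each.
    return {"reverted": False, "profit": borrowed - owed,
            "bad_debt": borrowed - eth * fair_price,
            "oracle_price": oracle.price()}


if __name__ == "__main__":
    for cls in (SpotOracle, TwapOracle):
        print(cls.__name__, run_attack(cls))
```

With the constructed numbers the spot-priced lender hands out its whole $45 million against collateral worth about $12 million at the pre-attack price, while the TWAP-priced lender offers under $9 million and the attacker’s transaction reverts. A TWAP is not a cure-all: thin pools can be held skewed across several blocks, so external feeds, borrow caps and deposit-to-borrow delays are the usual complements.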
Smart Contract Vulnerabilities
Smart contract bugs are another primary cause of DeFi exploits. Unfortunately, no matter how extensively a protocol has been audited, its security can never be guaranteed. It is therefore important to remember that providing liquidity and staking will always carry some degree of security risk, which is why we recommend never investing what you can’t afford to lose.
While DeFi protocols have showcased tremendous innovation and undoubtedly hold the potential to permanently disrupt how we offer and gain access to financial services such as the lending and borrowing of assets, it is still a very new industry and as such its smart contract coding and security are far from watertight. Therefore, we recommend you proceed with caution when dealing with DeFi instruments and inform yourself of the associated risks.
For a less risky passive income avenue, check out Cybavo’s staking options for Ethereum 2.0.