Summary: The Decentralized Finance (DeFi) sector has grown remarkably, with over $58 billion locked across key networks like Ethereum, Solana, and Avalanche, including Layer 2s like Arbitrum and Optimism. The vast sums held in smart contracts have attracted bad actors.

We've compiled a list of the top 10 DeFi hacks up to May 2023, with a sobering total exceeding $2.2 billion illegally extracted from these protocols, underscoring the critical need for heightened security.

  1. Ronin Bridge (Axie Infinity): $615,000,000
  2. Poly Network: $600,000,000
  3. Wormhole Bridge: $326,000,000
  4. Nomad Bridge: $200,000,000
  5. Beanstalk (BEAN): $181,000,000
  6. Compound Finance: $150,000,000
  7. Vulcan Forged: $140,000,000
  8. Horizon Bridge: $100,000,000
  9. Rari Capital & Fei Protocol: $80,000,000
  10. Qubit Finance: $80,000,000

1. Ronin Bridge ($615,000,000)

The Ronin Bridge is a cross-chain DeFi protocol for transferring value between Ethereum and Axie Infinity's native Layer 2 blockchain, Ronin. The protocol suffered the largest hack to date on March 29, 2022, when a hacker took control of the private keys that held over $615,000,000 in value and stole the funds. The money was siphoned through Tornado Cash, and the losses totalled over 173,000 ETH and 25.5 million USDC.

The hack was attributed to the Lazarus Group, a hacking group funded by North Korea.

2. Poly Network ($600,000,000)

The Poly Network is a cross-chain protocol that allows for the interoperability between Ethereum and Bitcoin. On August 15, 2020, a hacker took advantage of a flaw in the Multi-Collateral Dai (MCD) contract to drain $600 million from the lending protocol Compound. The money was taken out in the form of Flash Loans from the dYdX protocol and sent to a mix of Ethereum and Bitcoin wallets.

The hack was purported to be done by an unknown entity, as the hacker's wallets have not been linked to any known entities.

3. Wormhole Bridge ($326,000,000)

The Wormhole Bridge (now Portal Token Bridge) is another cross-chain protocol that allows for the transfer of value between Ethereum and Solana. On May 19, 2021, a hacker took advantage of a flaw in the WETH contract to mint over 2 million WETH, which was then used to buy over $326 million worth of cryptocurrency on Solana's leading DEX, Serum. The money was then sent to a mixer via Tornado Cash, and the hacker was able to get away with the funds.

The hack was perpetrated by an unknown entity, as the hacker's wallets have not been linked to any known entities.

4. Nomad Bridge ($200,000,000)

The Nomad Bridge hack is another instance of a cross-chain protocol being exploited for $200,000,000 based on a flawed minting and burning contract. The Nomad Bridge allows users to send value between Ethereum, Avalanche, Evmos, Milkomeda and Moonbeam. In this exploit, the hacker found that they were able to create transactions without requiring Nomad's smart contract to validate the authenticity of the transaction.

This led to over $200 million being drained from the Nomad Bridge by the anonymous hacker. White-hat hackers also exploited the contract but later returned $36 million and were rewarded in tokens for doing so.

5. Beanstalk Protocol ($181,000,000)

The Beanstalk attack was different to the previous exploits, in that it was a governance attack carried out through two malicious Beanstalk governance proposals. The attacker acquired enough tokens to approve Beanstalk Proposals #18 and #19, which allowed them to completely drain the Beanstalk smart contract, which held over $180,000,000 in funds.

They were able to acquire enough tokens through a Flash Loan, which they later paid back. The hackers pocketed a profit of $76 million and had to repay the remaining amount to the bZX protocol for the flash loan.
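The defensive pattern against this kind of attack is to make voting power come from a historical checkpoint rather than a live balance, and to force every passed proposal through a timelock. The contract below is an added example written for this page, not Beanstalk's code: it assumes a checkpointed voting token exposing `getPastVotes(account, blockNumber)` (the same shape as OpenZeppelin's `IVotes`), and the delay, period, threshold and quorum constants are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface for a checkpointed voting token: the same shape as
// OpenZeppelin's IVotes.getPastVotes, returning the voting power an account
// held at the END of a past block.
interface IVotesLike {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
}

contract SnapshotGovernor {
    struct Proposal {
        address target;
        bytes callData;
        uint256 snapshotBlock;    // voting power is read at this block, not live
        uint256 voteEnd;          // last block on which votes are accepted
        uint256 executableAfter;  // timelock: earliest timestamp for execute()
        uint256 forVotes;
        uint256 againstVotes;
        bool executed;
        mapping(address => bool) hasVoted;
    }

    // Illustrative parameters (assumed), in blocks and seconds respectively.
    uint256 public constant VOTING_DELAY_BLOCKS = 7_200;   // ~1 day at 12 s blocks
    uint256 public constant VOTING_PERIOD_BLOCKS = 21_600; // ~3 days
    uint256 public constant TIMELOCK = 2 days;
    uint256 public constant PROPOSAL_THRESHOLD = 1_000e18;
    uint256 public constant QUORUM = 100_000e18;

    IVotesLike public immutable token;
    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    constructor(IVotesLike _token) { token = _token; }

    function propose(address target, bytes calldata callData) external returns (uint256 id) {
        // Threshold is checked against the previous block's checkpoint, so
        // tokens flash-loaned inside this transaction do not count.
        require(token.getPastVotes(msg.sender, block.number - 1) >= PROPOSAL_THRESHOLD, "below threshold");
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        p.target = target;
        p.callData = callData;
        p.snapshotBlock = block.number + VOTING_DELAY_BLOCKS;
        p.voteEnd = p.snapshotBlock + VOTING_PERIOD_BLOCKS;
    }

    function castVote(uint256 id, bool support) external {
        Proposal storage p = proposals[id];
        require(block.number > p.snapshotBlock && block.number <= p.voteEnd, "voting closed");
        require(!p.hasVoted[msg.sender], "already voted");
        p.hasVoted[msg.sender] = true;
        // Weight is frozen at the snapshot; a balance borrowed and repaid within
        // one transaction never appears in an end-of-block checkpoint.
        uint256 weight = token.getPastVotes(msg.sender, p.snapshotBlock);
        require(weight > 0, "no voting power at snapshot");
        if (support) p.forVotes += weight; else p.againstVotes += weight;
    }

    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.number > p.voteEnd, "vote still open");
        require(p.forVotes > p.againstVotes && p.forVotes >= QUORUM, "not passed");
        require(p.executableAfter == 0, "already queued");
        // No supermajority shortcut: every passed proposal waits out the timelock.
        p.executableAfter = block.timestamp + TIMELOCK;
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.executableAfter != 0 && block.timestamp >= p.executableAfter, "timelock active");
        require(!p.executed, "already executed");
        p.executed = true;
        (bool ok, ) = p.target.call(p.callData);
        require(ok, "execution failed");
    }

    function tally(uint256 id) external view returns (uint256 forVotes, uint256 againstVotes) {
        Proposal storage p = proposals[id];
        return (p.forVotes, p.againstVotes);
    }
}
```

Two properties do the work here. A flash loan lives and dies inside one transaction, so it never changes the end-of-block checkpoint that `getPastVotes` reads; and because `queue` offers no emergency path, even a proposal that passes with a supermajority cannot execute in the same block it is voted on, which gives token holders and monitoring time to react.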

6. Compound Finance ($150,000,000)

Compound Finance is a lending protocol that allows users to earn interest on their cryptocurrency holdings. On June 17, 2020, a hacker took advantage of a flaw in Compound's price oracle system to mint over $150 million worth of COMP tokens. The hacker then sent the money to a mixer via Tornado Cash and was able to get away with the funds.

The hack was perpetrated by an unknown entity, as the hacker's wallets have not been linked to any known entities.

7. Vulcan Forged ($140,000,000)

Vulcan Forged was a popular play-to-earn cryptocurrency on the Polygon Network that suffered a brand-destroying exploit of $140 million in December of 2021. According to their developer's post-mortem report, the hacker was able to socially engineer and hack the credentials of user wallets to obtain private keys. The hacker was able to extract 4.5 million Vulcan Forged tokens (PYR) which were valued at more than $140,000,000 at the time.

The hack was perpetrated by an unknown entity, as the hacker's wallets have not been linked to any known entities.

8. Horizon Bridge ($100,000,000)

The Horizon Bridge was the primary bridge that allowed users to transfer tokens between the Harmony One network and Ethereum. The exploit began at around 7:00 am EST and lasted 20 minutes, during which the hacker made 11 transactions bridging various tokens out of the bridge that exceeded $100,000,000 in value. The hacker was able to gain access to these funds by obtaining private key details from the multi-sig signers.

In total, Frax (FRAX), Ethereum (ETH), AAVE (AAVE), SushiSwap (SUSHI) and many other tokens were stolen via the bridge through this exploit. Since then, the Harmony One bridge has been halted and has not come back online.

9. Rari Capital & Fei Protocol ($80,000,000)

Rari Capital and Fei Protocol merged late last year and then suffered an $80,000,000 hack due to a reentrancy vulnerability according to leading auditing team BlockSec. This was the exact same exploit that was used to drain Compound Finance and other forks of the Compound codebase, highlighting vulnerabilities throughout the lending and borrowing space in DeFi.

The Rari and Fei teams tried to get the hacker to return funds by offering a $10 million bounty; however, the anonymous exploiter was able to get away with $80 million by siphoning funds through mixers like Tornado Cash on Ethereum.

10. Qubit Finance ($80,000,000)

Qubit Finance is a Binance Smart Chain-based protocol that allows users to lend and borrow for low fees and has a similar design to Compound Finance and Rari Capital. The hackers were able to take advantage of a smart-contract exploit that enabled them to mint an unlimited amount of xETH, which allowed them to borrow BNB, sell it and bridge the value off-chain.

In a post-mortem analysis, the addresses connected to the attack were able to steal over 206,000 Binance Coins (BNB), which was worth over $80,000,000 at the time of the exploit. A third-party incident report by CertiK stated that the attack used a deposit function to illicitly mint 77,162 qXETH without needing to make a deposit.
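The Qubit description above (a deposit function that minted without a deposit) and the Nomad description earlier (transactions processed without the contract validating them) are two faces of the same failure: a bridge minting or crediting value that it never verified. The contract below is an added example written for this page, not code from Qubit, Nomad or any other project; it assumes a standard ERC-20 collateral token, a hypothetical mintable representation token with a `mint(to, amount)` function, and a single relayer address that publishes Merkle roots after off-chain verification. The deposit side credits only the measured balance delta, and the mint side honours a message only when it is proven against an explicitly accepted, non-zero root.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface used here (standard function signatures).
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Hypothetical mintable representation token; not any real project's token.
interface IMintable {
    function mint(address to, uint256 amount) external;
}

contract GuardedBridge {
    IERC20 public immutable collateral;  // asset locked on this side
    IMintable public immutable wrapped;  // representation minted for proven messages
    address public immutable relayer;    // the only party allowed to publish proven roots

    // Roots accepted by the off-chain proof step. An unset slot reads false,
    // and root zero is rejected on every path, so a message that was never
    // proven (and therefore carries no real root) can never be processed.
    mapping(bytes32 => bool) public acceptedRoot;
    mapping(bytes32 => bool) public processed;
    mapping(address => uint256) public credited;

    constructor(IERC20 _collateral, IMintable _wrapped, address _relayer) {
        collateral = _collateral;
        wrapped = _wrapped;
        relayer = _relayer;
    }

    // Deposit side: credit the caller for what actually arrived, measured as the
    // balance delta, never for the amount they merely claimed to send.
    function deposit(uint256 amount) external returns (uint256 received) {
        require(amount > 0, "zero deposit");
        uint256 before = collateral.balanceOf(address(this));
        require(collateral.transferFrom(msg.sender, address(this), amount), "transfer failed");
        received = collateral.balanceOf(address(this)) - before; // also correct for fee-on-transfer tokens
        require(received > 0, "nothing received");
        credited[msg.sender] += received;
    }

    function acceptRoot(bytes32 root) external {
        require(msg.sender == relayer, "not relayer");
        require(root != bytes32(0), "zero root");
        acceptedRoot[root] = true;
    }

    // Mint side: a message is honoured only if its leaf is proven against a
    // root that was explicitly accepted, and each leaf mints at most once.
    function process(bytes32 root, bytes32[] calldata proof, address to, uint256 amount, uint256 nonce) external {
        require(root != bytes32(0) && acceptedRoot[root], "root not proven");
        bytes32 leaf = keccak256(abi.encode(to, amount, nonce));
        require(!processed[leaf], "already processed");
        require(verify(proof, root, leaf), "invalid proof");
        processed[leaf] = true;
        wrapped.mint(to, amount);
    }

    // Sorted-pair Merkle verification (same scheme as OpenZeppelin's MerkleProof).
    function verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf) public pure returns (bool) {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sibling = proof[i];
            node = node < sibling
                ? keccak256(abi.encodePacked(node, sibling))
                : keccak256(abi.encodePacked(sibling, node));
        }
        return node == root;
    }
}
```

The two explicit `bytes32(0)` checks are the point of the example rather than decoration: a storage mapping's default value is the zero root, so any code path that treats "no root recorded" as equivalent to "root accepted" turns every unproven message into a valid one. A review of a bridge's initialisation should confirm that no default or placeholder root is ever marked accepted, and a review of any deposit or mint path should confirm that the amount credited is derived from an observed transfer rather than from a caller-supplied argument.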

What are Common DeFi Hacks?

DeFi, or decentralized finance, is a rapidly growing sector of the cryptocurrency market that allows for financial transactions to occur on the blockchain without intermediaries. However, the decentralization and lack of regulation also make DeFi vulnerable to various types of hacks.

Here are some common DeFi hacks:

  1. Smart Contract Exploits: Smart contracts are self-executing computer programs that run on the blockchain. Hackers can exploit vulnerabilities in smart contract code to steal funds.
  2. Phishing Scams: Phishing scams involve tricking users into revealing their private keys or seed phrases, which are used to access funds. Hackers create fake websites or social media accounts that look like legitimate DeFi protocols and trick users into giving up their credentials.
  3. Fake DeFi Protocols: There have been instances of hackers creating fake DeFi protocols that look like legitimate ones and tricking users into depositing funds.
  4. Rogue Admin Access to Protocols: In some cases, a rogue admin with access to a DeFi protocol can manipulate it for their own benefit, such as by draining liquidity pools or altering smart contract code.
  5. Liquidity Pool Attacks: Liquidity pools are a key component of DeFi and allow for decentralized trading. However, if a hacker gains control of a significant portion of the liquidity in a pool, they can manipulate the market for their own benefit.
  6. Front-running: Front-running is a type of market manipulation where a trader takes advantage of advanced knowledge of a trade to execute their own trade before the original trade goes through. In DeFi, this can occur if a hacker is able to view trades before they are executed on the blockchain.

It is important to be aware of these common DeFi hacks and to take steps to protect your funds, such as using reputable DeFi protocols, being cautious of phishing scams, and using hardware wallets to store your private keys or seed phrases.

Final Thoughts

In conclusion, as the DeFi sector continues its impressive growth with over $58 billion locked across various networks, security challenges persist. The prevalence of high-profile hacks, with the top 10 as of May 2023 amassing losses exceeding $2.2 billion, emphasizes the need for increased vigilance. From the $615 million loss in the Ronin Bridge to the $80 million theft from Qubit Finance, these incidents underline the potential vulnerabilities in DeFi.

Common hacks, such as smart contract exploits, phishing scams, fake DeFi protocols, rogue admin access, liquidity pool attacks, and front-running, call for proactive security measures. Users are advised to use reputable DeFi platforms, exercise caution to avoid phishing scams, and employ hardware wallets for secure storage of private keys or seed phrases. As DeFi evolves, so too must its security, fostering a safer environment for users to navigate this innovative financial landscape.