10 Largest DeFi Hacks

10 Largest DeFi Hacks

Adrian Graham
Fact Checked
Nov 12, 2022

The Decentralized Finance (DeFi) sector has exploded to over $58 billion in total value locked across protocols on major networks like Ethereum, Solana, Avalanche and prominent Layer 2's like Arbitrum and Optimism. With so much value locked in contracts, it is no surprise that bad actors are drawn to the space in an attempt to steal funds.

To summarise, here is a list on the top 10 DeFi hacks as of November 2022 based on our research. The total amount hacked from the top 10 protocols exceeds $2.2 billion.

  1. Ronin Bridge (Axie Infinity): $615,000,000
  2. Poly Network: $600,000,000
  3. Wormhole Bridge: $326,000,000
  4. Nomad Bridge: $200,000,000
  5. Beanstalk (BEAN): $181,000,000
  6. Compound Finance: $150,000,000
  7. Vulcan Forged: $140,000,000
  8. Horizon Bridge: $100,000,000
  9. Rari Capital & Fei Protocol: $80,000,000
  10. Qubit Finance: $80,000,000

Table of Contents

Platform Highlights

Ronin Bridge ($615,000,000)

The Ronin Bridge is a cross-chain DeFi protocol for transferring value between Ethereum and Axie Infinitity's native blockchain layer 2 ecosystem Ronin. The protocol suffered the largest hack to date on March 29, 2022 when a hacker took control of the private keys that held over $615,000,000 in value and stole the funds. The money was siphoned through Tornado Cash and the losses totalled over 173,000 ETH and 25.5 million USDC.

The hack was purported to be done by Lazarus Group, which is a group of hackers that are funded by North Korea.

Poly Network ($600,000,000)

The Poly Network is a cross-chain protocol that allows for the interoperability between Ethereum and Bitcoin. On August 15, 2020, a hacker took advantage of a flaw in the Multi-Collateral Dai (MCD) contract to drain $600 million from the lending protocol Compound. The money was taken out in the form of Flash Loans from the dYdX protocol and sent to a mix of Ethereum and Bitcoin wallets.

The hack was purported to be done by an unknown entity, as the hacker's wallets have not been linked to any known entities.

Wormhole Bridge ($326,000,000)

The Wormhole Bridge (now Portal Token Bridge) is another cross-chain protocol that allows for the transfer of value between Ethereum and Solana. On May 19, 2021, a hacker took advantage of a flaw in the WETH contract to mint over 2 million WETH, which was then used to buy over $326 million worth of cryptocurrency on the Solana's leading DEX Serum. The money was then sent to a mixer via Tornado Cash and the hacker was able to get away with the funds.

The hack was perpetrated by an unknown entity, as the hacker's wallets have not been linked to any known entities.

Nomad Bridge ($200,000,000)

The Nomad Bridge hack is another instance of a cross-chain protocol being exploited for $200,000,000 based on a flawed minting and burning contract. The Nomad Bridge allows users to send value between Ethereum, Avalanche, Evmos, Milkomeda and Moonbeam. In this exploit, the hacker found that they were able to create transactions without requiring Nomad's smart contract to validate the authenticity of the transaction.

This lead to over $200 million being drained from the Nomad Bridge by the anonymous hacker. White hat hackers also exploited the contract, however later returned $36 million and were rewarded in tokens for returning funds.

Beanstalk Protocol ($181,000,000)

The Beanstalk attack was different to the previous exploits, in that it was a governance attack that was carried out through two malicious Beanstalk governance proposals. The attacker acquired enough tokens to approve Beanstalk Proposals #18 and #19 which allowed them to completely drain the Beanstalk smart contract which held over $180,000,000 in funds.

They were able to acquire enough tokens through a Flash Loan, which they later paid back. The hackers pocketed a profit of $76 million and had to repay the remaining amount to the bZX protocol for the flash loan.

Compound Finance ($150,000,000)

Compound Finance is a lending protocol that allows users to earn interest on their cryptocurrency holdings. On June 17, 2020, a hacker took advantage of a flaw in the Compound's Price oracle system to mint over $150 million worth of COMP tokens. The hacker then sent the money to a mixer via Tornado Cash and was able to get away with the funds.

The hack was perpetrated by an unknown entity, as the hacker's wallets have not been linked to any known entities.

Vulcan Forged ($140,000,000)

Vulcan Forged was a popular play-to-earn cryptocurrency on the Polygon Network that suffered a brand-destroying exploit of $140 million in December of 2021. According to their developer's post-mortem report, the hacker was able to socially engineer and hack the credentials of user wallets to obtain private keys. The hacker was able to extract 4.5 million Vulcan Forged tokens (PYR) which were valued at more than $140,000,000 at the time.

The hack was perpetrated by an unknown entity, as the hacker's wallets have not been linked to any known entities.

Horizon Bridge ($100,000,000)

The Horizon Bridge was the primary bridge that allowed users to transfer tokens between the Harmony One network and Ethereum. The exploit began at around 7:00 am EST and went for 20 minutes where the hacker made 11 transactions bridging various tokens out of the bridge which exceeded $100,000,00 in value. The hacker was able to gain access to these funds by getting private key details from the multi-sig signers.

In total, Frax (FRAX), Ethereum (ETH), AAVE (AAVE), SushiSwap (SUSHI) and many other tokens were stolen via the bridge through this exploit. Since then, the Harmony One bridge has been halted and has not come back online.

Rari Capital & Fei Protocol ($80,000,000)

Rari Capital and Fei Protocol merged late last year and then suffered an $80,000,000 hack due to a reentrancy vulnerability according to leading auditing team BlockSec. This was the exact same exploit that was used to drain Compound Finance and other forks of the Compound codebase, highlighting vulnerabilities throughout the lending and borrowing space in DeFi.

The Rari and Fei teams tried to get the hacker to return funds by offering a $10 million bounty, however, the anonymous exploiter was able to get away with $80m by siphoning funds through mixers like Tornado Cash on Ethereum.

Qubit Finance ($80,000,000)

Qubit Finance is a Binance Smart Chain-based protocol that allows users to lend and borrow for low fees and is a similar design to Compound Finance and Rari Capital. The hackers were able to take advantage a smart-contract exploit which enabled them to mint an unlimited amount of xETH that allowed them to borrow BNB, sell it and bridge the value off-chain.

In a post-mortem analysis, the addresses connected to the attack were able to steal over 206,000 Binance Coins (BNB) which was worth over $80,000,00 at the time of the exploit. A third-party incident report by CertiK stated that the attack used a deposit function to illicitly mint 77,162 qXETH without needing to make a deposit.

Final Thoughts

While Decentralized Finance (DeFi) is one of the highest growth and most exciting aspects of the digital asset ecosystem, it is not without its risks.  The above hacks show that there is still much work to be done in terms of security for protocols in the space. We have seen over $2 billion worth of value drained from various DeFi protocols and this is likely just the tip of the iceberg.

As the space continues to grow, it is important to be aware of the risks involved and to do your own research before investing in any digital asset, or depositing funds into a smart contract.

Adrian Graham

Co-Founder & former banker turned Full-Time DeFi analyst and researcher. Left traditional finance to pursue my interest in digital assets and decentralized finance.

View Posts