The 10 worst crypto hacks of 2022; hackers target DeFi – BeinCrypto

Some critics of decentralized finance call it the “Wild West” of the crypto industry, which might sound hyperbolic from a general perspective. That said, since the start of the year alone, crypto hacks have cost DeFi platforms the equivalent of $2.32 billion. Aren’t these DeFi “critics” right after all?

The concept of decentralized finance originated in 2009, right after the launch of Bitcoin. However, the sector only really took off in 2020 with the introduction of yield farming by Compound Finance.

Today, the market has thousands of decentralized applications (dApps). According to DeFiLlama, the total value locked in DeFi amounts to $53.73 billion, a colossal capitalization that attracts investors, but also hackers.

The sad record of crypto hacks

A fundamental pillar of crypto, DeFi has remained faithful to the principles of decentralization and confidentiality of Bitcoin, completely detaching itself from any government influence. This great freedom is unfortunately a double-edged sword, especially when it is not controlled.

According to blockchain security firm PeckShield, crypto hacks have cost DeFi $2.32 billion since the beginning of this year, nearly double the figure recorded last year.

Over the years, hackers have developed very sophisticated systems to achieve their ends. According to REKT, the most used crypto hack methods are honeypots, exit scams and flash loans. To learn more about hacker methods, we invite you to read our guide to the 10 most common crypto scams in the cryptocurrency world.

Without further ado, here is the list of the worst crypto hacks of the current year, according to PeckShield.

The Ronin Network — $620M

In March, Ronin Network, the Ethereum sidechain that hosts popular crypto game Axie Infinity, lost over $620 million in ETH and USDC. The attackers allegedly “used hacked private keys to make fake withdrawals” through two transactions on the Ronin Bridge.

The attack, which took place on March 23, was only discovered a week later when a user was denied a withdrawal of 5,000 ETH. In total, the hacker group grabbed 173,600 ETH and 25.5 million USDC, or almost $620 million as of the date of the hack.

So far, the attack on the Ronin network constitutes the biggest crypto hack in history, according to PeckShield.

The Wormhole Bridge — $320 million

On February 2, a hacker stole $320 million worth of Wrapped Ethereum (wETH) from the Wormhole Protocol, a popular crypto bridge that connects blockchains like Solana, Ethereum, and Avalanche.

Note that when Wormhole users place their ETH in staking, they receive wETH tokens, a token pegged to Ethereum.

Elliptic, a pioneering blockchain analytics company, revealed that the attack stemmed from a flaw in Wormhole’s “guardian” accounts. The flaw allegedly allowed the attacker to issue 120,000 wETH without depositing ETH. The attacker then exchanged 93,750 wETH for Ethereum and the rest for Solana.

In total, the attack cost Wormhole nearly $320 million, making it one of the biggest crypto hacks in history.

Nomad Bridge — $190 million

On August 2, hackers stole approximately $190 million in crypto from Nomad, a tool that allows users to transfer tokens from one blockchain to another.

The attack is said to be due to an update to Nomad’s code: a section of the smart contract was marked as “valid” each time users made a transaction. This allowed hackers to withdraw more assets than they were depositing on the platform. They then repeated the process until $190 million worth of crypto had been withdrawn from the bridge. By the time Nomad discovered the scheme, it was already too late.

Beanstalk Farms — $182 million

In April, Beanstalk Farms, a DeFi protocol aimed at balancing supply and demand in the crypto market, was stripped of $182 million in cryptocurrencies.

According to PeckShield, the hacker reportedly took out a flash loan to buy the majority of the governance tokens, then cast a vote to send himself $182 million. That said, his actual profit was only $80 million, the company estimates.

Wintermute — $160 million

Wintermute is the latest DeFi protocol to fall victim to hackers so far. According to the CEO of the platform, Evgeny Gaevoy, the hack came from a critical bug in the Ethereum Profanity address generator. In total, the hacker seized $160 million.

Gaevoy said the hacker used the tool to generate a unique address to reduce transaction fees. The attack is believed to be due to human error.

Elrond — $113M

In June, hackers used a flaw in the decentralized exchange Maiar to steal around 1.65 million Elrond (EGLD), the native token of the Elrond blockchain. According to the researchers, the attacker deployed a smart contract and used three wallets to steal approximately $113 million in EGLD.

Then he sold 800,000 tokens for $54 million on the same DEX, before converting the remaining amount into ETH on centralized platforms.

Horizon Bridge — $100 million

On June 23, a few days after the Elrond hack, hackers stole nearly $100 million at the Horizon Bridge. Horizon is a crypto bridge that connects Ethereum, Binance Smart Chain, and Harmony networks.

According to PeckShield, over $98 million was stolen and converted to Ethereum. Over 50,000 user wallets were affected. The hackers then transferred $35 million via Tornado Cash.

Qubit Finance — $80M

On January 28, Qubit Finance’s QBridge was stripped of 206,809 Binance Coins (BNB). As of the date of the hack, the value of the tokens was $80 million.

According to Certik, a company specializing in blockchain security, the attacker exploited a loophole in the QBridge contract to issue 77,162 qXETH (a token used to represent ETH transferred through the Qubit Bridge). Then he made several fake deposits before converting the funds into BNB.

Cashio — $48 million

In March, Cashio, a Solana-based stablecoin, suffered what its developers call “an infinite emission glitch”. In total, hackers stole $48 million from the protocol, causing the stablecoin CASH to collapse.

Cashio allows users to issue the stablecoin CASH after each deposit of LP tokens. The attacker allegedly issued billions of CASH by depositing USDC and UST (Terra Luna’s fallen stablecoin) before withdrawing them via the DEX Saber.

The CASH stablecoin, which derived its value from the US dollar, crashed to $0 after the hack. Finally, the attacker returned the funds stolen from accounts that held less than $100,000 and promised to donate the rest to charity. Since then, the case has fallen into oblivion.

Scream — $38 million

Scream, a Fantom blockchain-based lending platform, may have suffered one of the dumbest DeFi attacks this year. Indeed, just after the stablecoins Fantom USD (fUSD) and DEI lost their parity with the USD, the platform took out a loan of 38 million dollars.

Since the protocol had established a fixed price for the two stablecoins in question, the fall in their prices was not taken into account by Scream. The whales therefore used this loophole to strip the protocol of all other stablecoins by depositing fUSD and DEI.

In total, the protocol lost $38 million in FRAX, USDT, USDC, and MIM. After the incident, Scream replaced its old system with Chainlink oracles that update prices in real time. So far, the whales have not returned the funds to the platform.
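The valuation gap described above, modelled in Python as an added example (not code from Scream or from the article). The collateral factor, staleness limit, deposit size and de-pegged price are constructed assumptions:

```python
from dataclasses import dataclass

# All figures are constructed for illustration; none come from the article.
COLLATERAL_FACTOR = 0.75   # assumed: share of collateral value that may be borrowed
MAX_PRICE_AGE_S = 3600     # assumed: oldest oracle reading the pool will accept


@dataclass
class PriceReading:
    usd: float        # USD price of one token as reported by the feed
    updated_at: int   # unix time of the feed's last update


def borrow_limit_fixed(tokens: float, fixed_usd: float = 1.0) -> float:
    """Weak design: the stablecoin is always valued at a hardcoded price."""
    return tokens * fixed_usd * COLLATERAL_FACTOR


def borrow_limit_oracle(tokens: float, reading: PriceReading, now: int) -> float:
    """Hardened design: value collateral at the feed price, reject bad data."""
    if reading.usd <= 0:
        raise ValueError("invalid price")
    if now - reading.updated_at > MAX_PRICE_AGE_S:
        raise ValueError("stale price: refuse to lend against it")
    return tokens * reading.usd * COLLATERAL_FACTOR


def bad_debt(borrowed_usd: float, tokens: float, market_usd: float) -> float:
    """Shortfall left in the pool if the collateral is sold at market price."""
    return max(0.0, borrowed_usd - tokens * market_usd)


def compare(tokens: float, market_usd: float, now: int) -> dict:
    """Borrow limits and resulting shortfall under both valuation designs."""
    reading = PriceReading(usd=market_usd, updated_at=now - 60)
    fixed = borrow_limit_fixed(tokens)
    live = borrow_limit_oracle(tokens, reading, now)
    return {
        "fixed_limit": fixed,
        "oracle_limit": live,
        "fixed_bad_debt": bad_debt(fixed, tokens, market_usd),
        "oracle_bad_debt": bad_debt(live, tokens, market_usd),
    }


if __name__ == "__main__":
    # Constructed scenario: 1,000,000 stablecoins deposited after a slide to $0.50.
    print(compare(1_000_000, 0.50, now=1_700_000_000))
```

With the hardcoded price the pool lends more than the collateral can be sold for; with a live, freshness-checked price the same deposit stays over-collateralized.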

Where did the stolen billions of dollars go?

Well, they’re probably lost forever.

According to PeckShield, around 50%, or $1.16 billion, of the funds stolen from crypto hacks were laundered through Tornado Cash, the crypto mixer that was sanctioned by the US government last month, a move that remains widely controversial within the crypto sphere.

Concretely, Tornado Cash allows users to hide the history of their financial transactions, which makes them harder to trace. According to the FBI, North Korean hacker group Lazarus used the mixer to launder more than $7 billion worth of crypto since 2019.

The DeFi protocols cited above have made hundreds of attempts to recover their money, but to no avail. In the hope of recovering even a part of their funds, some protocols have even offered colossal sums to their attackers.

Crypto hacks: Victims appeal to hackers’ conscience

For example, Qubit Finance offered $2 million to ethical hackers who would agree to return its funds. For its part, Harmony offered a $1 million bounty to recover the $100 million stolen from the Horizon Bridge and even promised never to press charges against its attackers. But so far, hackers continue to turn a deaf ear.

In August 2021, however, this same strategy worked for the Poly network, which managed to recover the $600 million stolen from it in a hack.

For its part, the Ronin Bridge was able to recover $30 million earlier this month, thanks to the efforts of Chainalysis, the US Treasury and the FBI. Nevertheless, this amount represents only 5% of the 620 million dollars stolen during the hack of the bridge. The FBI estimates that the Lazarus Group, the alleged perpetrator of the attack, laundered $455 million in Tornado Cash.

The Nomad Bridge hackers also returned $9 million to the platform a day after the attack. After the announcement of a 10% bounty on returned funds, ethical hackers returned an additional $32 million to Nomad. In the meantime, the author of the hack has distributed the remaining amount to several addresses.

For its part, Wormhole never recouped its $320 million. After fixing the flaw that caused its hack, the protocol received compensation of 120,000 ETH from Jump Trading Group, one of its main investors.

Clearly, blockchain bridges seem to be the weakest link in DeFi. However, there are means of protection for both users and platforms.

“When developing a project, it is necessary to write clear terms of reference and perform as many tests as possible to avoid logical errors,” Alex Belets, founder of blockchain security firm Smart State, told Be[In]Crypto.

“Use automatic vulnerability scanners. Don’t try to implement things for which there are libraries. Perform audits and protect your private keys. Don’t use third-party apps like Profanity to generate private keys,” he recommends.

