Ronin Network, the Ethereum based sidechain for crypto game Axie Infinity, was in March swindled for over $620 million in ETH and USDC. The attacker “used hacked private keys to forge fake withdrawals” from the Ronin bridge contract in two transactions.
The exploit, which occurred on March 23, was only discovered a week later when one user failed to withdraw 5,000 ether. In total, the hacker made off with 173,600 ETH and 25.5 million USDC, valued at more than $620 million at the time.
On Feb. 2, an attacker siphoned over $320 million in wrapped ETH out of the Wormhole protocol, cross-chain crypto bridge between Solana, Ethereum, Avalanche, and others. Wormhole users are required to stake ethereum to mint wrapped ETH, a type of crypto that is pegged to the price of ethereum.
Analytics firm Elliptic blamed the exploit on Wormhole’s failure to validate “guardian” accounts. allowing the attacker to mint 120,000 wETH with no ethereum backing it. The hacker then exchanged 93,750 wETH for ethereum and exchanged the remainder for Solana. The total value of the loss was over $320 million at the time.
On Aug. 2, hackers drained about $190 million in cryptocurrency from Nomad, a tool that lets users swap tokens from one blockchain to another.
The attack began with an upgrade to Nomad’s code. A section of the smart contract was marked as valid each time users made a transaction. This allowed bad actors to withdraw more assets than were deposited on the platform. Hackers repeated the process until $190 million in crypto was moved out of the bridge. Nomad never found out until it was too late.
In April, an attacker drained $182 million of crypto from Beanstalk Farms, a DeFi protocol aimed at balancing the supply and demand of different crypto assets.
PeckShield said the the attacker exploited Beanstalk’s majority vote governance system, and voted to send themselves $182 million. The attacker used a flash loan to obtain a controlling stake in the protocol, but their actual profit was only in the region of $80 million, said the firm.
Wintermute is the latest DeFi protocol to fall victim to hackers, who made off with $160 million from the platform’s decentralized finance section. CEO, Evgeny Gaevoy said the hack was linked to a critical bug in the Ethereum vanity address-generating tool Profanity.
He said Wintermute used the tool to generate a unique address in order to cut transaction costs, never for “vanity.” Human error seems to be behind this particular attack.
In June, hackers exploited a loophole on decentralized exchange Maiar to steal around 1.65 million of elrond egold (EGLD), the native token of the Elrond blockchain. Researchers said the attacker deployed a smart contract and used three wallets to steal an estimated $113 million worth of EGLD from the exchange.
The hackers immediately sold 800,000 of the token for $54 million on the same DEX, and the remainder was sold on centralized exchanges or swapped for ethereum.
Just days after the Elrond exploit, hackers struck again on June 23, hitting the Horizon bridge for almost $100 million. Horizon is a crosschain interoperability platform between Ethereum, Binance Smart Chain and Harmony blockchain networks.
PeckShield revealed more than $98 million in various tokens was drained off the Harmony-managed platform and exchanged to ether. Over 50,000 user wallets were affected. The hackers later moved $35 million through Tornado Cash.
The DeFi protocol said on Jan. 28 that it had been exploited by an attacker who stole 206,809 binance coin (BNB) from its QBridge protocol. In total, the tokens were valued at $80 million.
According to security company Certik, the attacker leveraged a deposit option in the QBridge contract to mint 77,162 qXETH – some sort of crypto used to represent ethereum bridged via Qubit. The attacker fooled the platform into believing they made a deposit. After repeating the process enough times, they exchanged the assets into BNB and vanished.
Cashio, a stablecoin protocol on Solana, suffered what the team called an “infinite mint glitch” exploit in March. Hackers siphoned $48 million from the protocol, prompting a collapse of Cashio’s CASH stablecoin.
Cashio allows users to mint the CASH stablecoin with all deposits backed by interest-bearing liquidity provider tokens. The attacker minted billions of CASH and swapped them for USDC and UST, itself collapsed, before withdrawing through the DEX Saber.
Dollar-pegged CASH crashed to $0 after the hack. Attacker returnedmoney to accounts that held less than $100,000 and promised to donate the rest to charity. That’s the last we heard ever of it, the Cashio loot. CASH is dead.
Fantom-based lending platform Scream suffered perhaps one of the most careless exploits in DeFi this year, from a protocol security perspective. Scream took on a $38 million debt after stablecoins, Fantom USD (fUSD) and DEI, whose valued it had fixed to $1, lost peg.
Because the protocol had hardcoded the value of the two stablecoins, a decline in value of the assets did not show on Scream. Whales utilized this loophole to drain the protocol of any other valuable stablecoins while depositing the de-pegged fUSD and DEI.
A total of $38 million in the stablecoins FRAX, USDT, USDC, and MIM were whisked away from the network. After the incident, Scream dumped hardcore pricing and switched to Chainlink oracles for real-time pricing data. Whales kept their loot. Good pay day for degens!.