Decentralized finance (DeFi) platforms experienced a rough February, losing over $21 million to hackers. The losses were caused by seven different protocols experiencing reentrancy, price oracle attacks, and other exploits.
The biggest attack was the flash loan reentrancy attack on Platypus Finance, which resulted in $9.1 million being lost, according to data released by a data analytics platform, DefiLlama.
Among the six other significant hacks in February, the initial one involved a price oracle attack on BonqDAO on February 1st, as pointed out by DefiLlama.
BonqDAO: $1.7 million
One of the attacks was a price oracle attack on BonqDAO, resulting in $1.7 million being lost.
The attacker manipulated the price of AllianceBlock (ALBT) token by increasing its price and minting large amounts of BEUR. The BEUR was then swapped for other tokens on Uniswap, after which the price was dropped to almost zero, leading to the liquidation of ALBT troves.
The attack resulted in losses estimated to be around $120 million, but the hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO.
Orion Protocol: $3 million
Another attack was a reentrancy attack on decentralized exchange Orion Protocol, resulting in a loss of roughly $3 million.
The attackers used a malicious smart contract to drain funds from the target with repeated withdrawal orders.
However, the CEO of Orion Protocol, Alexey Koloskov, confirmed that all users’ funds were safe and secure.
We have been investigating this very sophisticated attack from the minutes it occurred. We will not reopen the Deposit function until we feel confident that the bug has been fixed which will only be after successfully passing new audits from leading audit firms.
— Alexey Koloskov (@alexeykoloskov) February 2, 2023
The CEO also stated that they had reasons to believe that the issue did not result from any inadequacies in their core protocol code. Instead, it was likely caused by a vulnerability in one of the smart contracts used by their experimental and private brokers due to mixing third-party libraries.
dForce Network: $3.65 million
The DeFi protocol dForce network also experienced a reentrancy attack, resulting in losses of around $3.65 million. However, in a surprising twist, all funds were returned when the hacker came forward as a white hat hacker.
2/5 Shortly after the incident, we entered into conversations with the exploiter, who came forward as a whitehat. We have agreed to offer a bounty and will drop all on-going investigation and law enforcement actions.
— dForce (@dForcenet) February 13, 2023
Platypus Finance: $9.1 million
Platypus Finance was hit with a flash loan attack that resulted in $8.5 million being drained from the protocol. A post-mortem report from Platypus auditor Omniscia noted that the attack was possible due to code in the wrong order.
The team announced that they are seeking to return around 78% of the main pool funds by reminting frozen stablecoins.
https://twitter.com/Platypusdefi/status/1631573948147306497?
In addition, the team behind Platypus Finance confirmed two more incidents that resulted in an additional $667,000 being exploited, bringing the total losses to around $9.1 million.
Fortunately, on February 25th, French police arrested two suspects related to the hack and seized approximately $222,000 worth of crypto assets.
Hope Finance: $1.86 million
Users of Hope Finance, an Arbitrum-based algorithmic stablecoin project, fell prey to a smart contract exploit that saw roughly $2 million stolen from them.
A member of the CertiK team said that the scammer changed the details of the smart contract, which led to funds being drained from Hope Finance genesis protocol:
“It appears that the scammer changed the TradingHelper contract which meant that when 0x4481 calls OpenTrade on the GenesisRewardPool the funds are transferred to the scammer.”
Web3 security firm CertiK identified the incident on February 21st after an announcement from the Hope Finance Twitter account notifying users of the scam:
https://twitter.com/CertiKAlert/status/1627950776579420163?
Dexible: $2 million
Multichain exchange aggregator Dexible was also hit by an exploit that targeted the app’s selfSwap function, with $2 million worth of cryptocurrency being lost as a result of the attack.
The attacker exploited a vulnerability in the exchange’s newest smart contract, allowing them to steal funds from any wallet that had an unspent spend approval on the contract.
Dear Dexible community, we regret to inform you that in the early hours of February 17th, a hacker exploited a vulnerability in our newest smart contract. This allowed the hacker to steal funds from any wallet that had an unspent spend approval on the contract.
1/5
— Dexible (@DexibleApp) February 17, 2023
Upon investigating the attack on Dexible, the team discovered that the attacker had utilized the app’s selfSwap function to transfer over $2 million worth of cryptocurrency from users who had previously authorized the app to move their tokens.
The attacker then received the tokens into their own smart contract before withdrawing the coins through Tornado Cash into unknown BNB wallets.
LaunchZone: $700,000
Finally, BNB Chain-based DeFi protocol LaunchZone had $700,000 worth of funds drained on Feb. 27.
The attacker leveraged an unverified contract to drain the funds, taking advantage of an approval made to the unverified contract 473 days ago by the LaunchZone deployer.
These figures mark a stark increase from January, which saw only $740,000 in hacks to DeFi platforms across two protocols.
In its 2023 Crypto Crime Report, blockchain data firm Chainalysis revealed that hackers stole $3.1 billion from DeFi protocols in 2022, accounting for more than 82% of the total amount stolen in the year.
As DeFi continues to grow in popularity, attacks on its platforms will likely become more common.
Therefore, it is crucial that DeFi protocols implement robust security measures to prevent such attacks and mitigate their impact if they occur. It is also important for users to exercise caution when using these platforms, keeping a close eye on their funds and not trusting projects that lack proper security measures.