
DeFi Exploits: A Comprehensive List of Types of Attacks from 2020-2023

Mar. 2 2023
By Oleg Ivanov
Sept. 21
List of DeFi (decentralized finance) exploits from 2020 to 2023

Introduction

The DeFi space has exploded in recent years: the total value locked in DeFi protocols surpassed $150 billion in mid-2022 and currently stands at about $50 billion across all chains. With this growth, however, has come an increase in the number of attacks and exploits targeting DeFi protocols. In this article we'll take a look at a comprehensive list of the DeFi exploits and attacks that have occurred from 2020 to 2023, examining the details of each attack, the impact it had, and the steps that were taken to mitigate it.

16 types of attacks grouped into 5 blocks

Outright scams

Mainly rug pulls: long story short, the team walks away with the money. Some of the notable cases are OnceCoin, Thodex Over, AnubisDAO, Uranium Finance, Arbix Finance and several others in recent years.

How does a rug pull work?

A rug pull occurs when a cryptocurrency developer abandons a project and runs away with investor funds. The developer creates a token, lists it on a decentralized exchange (DEX), and pairs it with a major cryptocurrency like Ethereum. The goal is to trick investors into buying the token, causing its price to go up.

How Does a Rug Pull Happen?

The creators of a rug pull token manipulate the market by removing money from the liquidity pool, causing the coin's value to plummet. The creators may even generate buzz on social media platforms like Twitter, Telegram and others, and add liquidity to their pool, making investors believe the token has strong potential. The ease with which tokens can be created on open-source blockchains like Ethereum and listed for free on DEXs has made it easier for malicious actors to take advantage of unsuspecting investors.

HUMAN BEHAVIOUR

Compromised private keys

Private keys can become compromised in several ways, but the most common method is phishing. Phishing is a type of cyber attack in which an attacker poses as a trustworthy entity (such as a bank or email provider) to trick you into handing over your private key or other sensitive information. They may send you an email or direct you to a fake website that looks legitimate and asks you to input your private key.

Always check the website's URL and what you are signing in your wallet. You can also use a browser extension such as Fire, a Chrome extension that sits in your browser and simulates a transaction before you sign it with your wallet, giving you visibility into exactly what you are signing. Extensions of this type do not have access to your private key (and will never ask for it).

Exploitation of infinite approvals

In simple terms, infinite approval is a programming practice that grants smart contracts unlimited access to a user's cryptocurrency funds. Typically, smart contracts are programmed to access a specific amount of funds, but with infinite approval, they can request access to an unlimited number of coins or tokens stored in the user's account.

However, this practice has been met with controversy in the cryptocurrency community. One infamous example of a smart contract employing infinite approval was used by Bancor, a decentralized exchange. When users first used the system, they had to authorize the smart contract to withdraw an unlimited number of tokens from their wallets.

This practice raised serious security concerns, as Bancor's smart contracts also contained a vulnerability that could have allowed hackers to steal all the tokens authorized by the user. Fortunately, Bancor's programmers detected this vulnerability and modified their systems to only request approval for the necessary number of tokens. The developers even preemptively "stole" user funds to return them later to prevent a hack.

Ex: Li Finance protocol exploit using infinite approval
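
To make the mechanics of an unlimited approval concrete, here is a toy ERC-20 allowance model in Python. It is an added example, not code from this post or from Li Finance, Bancor or any real token contract; the Token class, the account names ("alice", "router", "pool", "attacker") and the amounts are constructed for illustration. It runs the same user journey twice, once with an exact approval and once with the "unlimited" value wallets display, and reports how much a spender that is later compromised can pull.

```python
# Toy ERC-20 allowance model (constructed for illustration; not a real token contract).
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1  # the value wallets display as "unlimited" approval


@dataclass
class Token:
    balances: dict = field(default_factory=dict)
    # (owner, spender) -> amount the spender may move on the owner's behalf
    allowances: dict = field(default_factory=dict)

    def approve(self, owner, spender, amount):
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner, spender):
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender, owner, to, amount):
        allowed = self.allowance(owner, spender)
        if allowed < amount:
            raise PermissionError("allowance exceeded")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        # Many tokens deliberately leave a max allowance untouched to save gas,
        # so an unlimited approval is never consumed by use.
        if allowed != UINT256_MAX:
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def exposure(token, owner, spender):
    """Tokens a spender could move right now: min(allowance, owner balance)."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def revoke(token, owner, spender):
    """Revoking an approval is just an approval of zero."""
    token.approve(owner, spender, 0)


def scenario(approval_amount):
    """Alice approves a swap router, swaps 100, later receives 1000 more tokens.
    Then the router is compromised and pulls everything the allowance permits.
    Returns (tokens stolen, Alice's remaining balance)."""
    t = Token()
    t.balances["alice"] = 100
    t.approve("alice", "router", approval_amount)
    t.transfer_from("router", "alice", "pool", 100)   # the legitimate swap
    t.balances["alice"] += 1000                        # Alice's wallet refills later
    stolen = exposure(t, "alice", "router")
    if stolen:
        t.transfer_from("router", "alice", "attacker", stolen)
    return stolen, t.balances["alice"]


def revoked_scenario():
    """Same as scenario(UINT256_MAX), but Alice revokes the allowance after the swap."""
    t = Token()
    t.balances["alice"] = 100
    t.approve("alice", "router", UINT256_MAX)
    t.transfer_from("router", "alice", "pool", 100)
    revoke(t, "alice", "router")
    t.balances["alice"] += 1000
    return exposure(t, "alice", "router"), t.balances["alice"]


if __name__ == "__main__":
    print("exact approval (stolen, left):        ", scenario(100))
    print("unlimited approval (stolen, left):    ", scenario(UINT256_MAX))
    print("unlimited but revoked (exposure, left):", revoked_scenario())
```

The point the model makes is that an exact approval is used up by the swap, so a later compromise of the spender finds nothing to take, while an unlimited approval silently covers every token the wallet receives afterwards. The `exposure` check is the number a wallet or allowance-review tool should surface, and `revoke` shows that cleaning up is a single zero-value approval.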

Re-entrancy attacks

There is an awesome article on re-entrancy attack by Quantstamp.

TLDR: Re-entrancy is when a procedure can be paused and resumed later without errors. In a smart contract this becomes a vulnerability when the contract makes an external call (for example, sending Ether) before updating its own state, because the called contract can call back into the same function and repeat the operation against stale balances. This was the case with the infamous DAO hack in 2016, in which attackers siphoned off $70 million worth of Ether by exploiting a re-entrancy vulnerability. The attack took advantage of Ethereum's default fallback function, which runs when a contract receives Ether and can contain arbitrary code if overridden by developers.
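
The following Python model shows the re-entrant withdraw pattern and the two standard defences side by side. It is an added example, not the DAO's code or anything from the Quantstamp article; Python objects stand in for contracts, `receive` stands in for the fallback function, and a raised exception models a reverted transaction. The `Vault`, `Honest` and `Attacker` classes and the deposit amounts are constructed for illustration.

```python
# Toy model of a vault contract with a re-entrant withdraw (constructed for illustration;
# not the DAO's code). Python stands in for the EVM; an exception models a reverted tx.


class Vault:
    def __init__(self, guarded, checks_effects_interactions):
        self.balances = {}            # depositor -> credited amount
        self.eth = 0                  # Ether actually held by the contract
        self.guarded = guarded        # mutex-style re-entrancy guard on/off
        self.cei = checks_effects_interactions  # update state before the external call?
        self._locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        if self.guarded:
            if self._locked:
                raise RuntimeError("ReentrancyGuard: reentrant call")
            self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                return
            if self.cei:
                self.balances[who] = 0        # effect first ...
                self._send(who, amount)       # ... interaction last
            else:
                self._send(who, amount)       # interaction first: the callee can re-enter here
                self.balances[who] = 0        # effect applied too late
        finally:
            self._locked = False

    def _send(self, who, amount):
        # Models a value transfer; the recipient's fallback code runs inside the call.
        if self.eth < amount:
            raise RuntimeError("transfer failed")
        self.eth -= amount
        who.receive(self, amount)


class Honest:
    def __init__(self):
        self.got = 0

    def receive(self, vault, amount):
        self.got += amount


class Attacker:
    """Fallback re-enters withdraw while the vault can still pay the stake again."""

    def __init__(self, stake):
        self.stake = stake
        self.got = 0

    def receive(self, vault, amount):
        self.got += amount
        if vault.eth >= self.stake:
            vault.withdraw(self)


def run_attack(guarded, checks_effects_interactions, honest_deposit=9, stake=1):
    """Returns (ether the attacker ends up with, ether left in the vault, reverted?)."""
    vault = Vault(guarded, checks_effects_interactions)
    vault.deposit(Honest(), honest_deposit)
    attacker = Attacker(stake)
    vault.deposit(attacker, stake)
    total = vault.eth
    try:
        vault.withdraw(attacker)
    except RuntimeError:
        # On the EVM the whole transaction reverts, so every state change is discarded.
        return 0, total, True
    return attacker.got, vault.eth, False


if __name__ == "__main__":
    print("no guard, call before state update:", run_attack(False, False))
    print("checks-effects-interactions only:  ", run_attack(False, True))
    print("re-entrancy guard only:            ", run_attack(True, False))
```

With neither defence, the attacker's one-Ether stake drains all ten Ether because the credited balance is still intact every time the fallback re-enters. Zeroing the balance before the transfer (checks-effects-interactions) makes the re-entered call a no-op, and a mutex-style guard turns it into a revert; production contracts use both, and the model's revert path is why a guard protects even code that forgets the ordering.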

POOR coding

Smart contract breaches

Smart contract breaches can occur if there are errors or vulnerabilities in the code, or if one party deliberately tries to manipulate the contract.

Ex: MakerDAO Black Thursday

In March 2020, a sudden drop in the value of Ethereum caused the MakerDAO smart contract to become undercollateralized. This led to $8.32 million worth of Ethereum being liquidated, causing significant losses for many users.

Infinite unsolicited mint of tokens

An infinite unsolicited mint of tokens occurs when a smart contract is designed in a way that allows anyone to create an unlimited number of new tokens without the permission or knowledge of the contract's creators. This can happen when the smart contract is not properly coded to restrict the creation of new tokens.

The consequences of an infinite unsolicited mint of tokens can be severe. It can lead to hyperinflation, where the value of the tokens decreases rapidly due to the abundance of supply. It can also undermine the credibility of the token and the project it represents, leading to a loss of trust from investors and users.

Ex: In 2020, attackers exploited a vulnerability in a Cover Protocol smart contract, allowing them to create an unlimited number of COVER tokens. They sold these tokens for over $37 million on decentralized exchanges. The vulnerability was discovered and fixed by security firm PeckShield.

Cross-chain bridge hacks

Cross-chain bridge hacks occur when a hacker exploits vulnerabilities in the code of a bridge that connects two different blockchain networks, allowing them to steal or manipulate funds. These hacks can result in significant financial losses and damage to the credibility of the affected networks.

Cross-chain bridge hacks were the newest headache in 2022, with cross-chain bridges being the victim of 50% of all DeFi exploits. Over the course of two years, $2.5 billion has been stolen by hackers exploiting cross-chain bridge vulnerabilities.

The most notable ones:

Wormhole hack ($325M), Ronin ($540M) and Harmony ($100M).

Frontend and DNS exploits

Front-end exploits occur when attackers exploit vulnerabilities in the user interface of a website or app, allowing them to steal login credentials, private keys, and other sensitive information. DNS exploits involve attackers redirecting users to a fake website, allowing them to steal login credentials and other sensitive information.

Ex: Ledger Data Breach

In 2020, the hardware wallet provider, Ledger, suffered a data breach that exposed the personal information of over 270,000 customers. Attackers used the information to launch targeted phishing attacks, posing as Ledger support staff and tricking users into revealing their seed phrases and private keys.

Bad product architecture - lack of financial knowledge or background

Liquidity pool exploits

Liquidity pool exploits occur when attackers exploit vulnerabilities in decentralized exchange (DEX) liquidity pools, resulting in the loss of funds for users. These exploits can take different forms, such as impermanent losses, manipulating prices or taking advantage of arbitrage opportunities.

Ex: SushiSwap Vampire Attack

In 2021, a hacker executed a "vampire attack" on SushiSwap, a decentralized exchange protocol. The attacker created a fork of SushiSwap that offered better incentives to liquidity providers, causing many users to migrate their funds to the new protocol and draining liquidity from SushiSwap.

Fake token attacks

Fake token attacks occur when attackers create counterfeit versions of legitimate tokens, often with the same name and symbol, and sell them to unsuspecting buyers.

Ex: Unicats mimicking Uniswap token (both being UNI on exchanges)

Flash loan attacks

A flash loan attack is a type of cyber attack in which an attacker takes out a flash loan from a decentralized finance (DeFi) platform and uses it to manipulate the price of a token or carry out other malicious activities. The attacker then repays the loan, leaving no trace of their activity.

Ex: Beanstalk Farms suffered a $182M exploit due to a flash loan attack

In 2022 Beanstalk Farms, a stablecoin protocol on Ethereum, experienced a flash loan attack resulting in a loss of $182M. The attack was possible due to a compromise of its newly implemented governance mechanism, Curve LP Silos. The attacker used flash loans to gain significant voting power and then voted in favor of their own proposal, allowing them to transfer funds to their own wallet address. The attacker then repaid the flash loan using the funds extracted from the protocol.

Oracle attacks

An oracle attack exploits weaknesses in decentralized oracle systems to manipulate the outcome of smart contract executions in DeFi apps and platforms. Oracles are third-party services that provide external data to smart contracts, allowing them to execute based on real-world events. However, if the oracle is not secure, attackers can feed false or manipulated data to the smart contract, leading to incorrect outcomes and possible financial losses.

Ex: BonqDAO Price Oracle Hack in Feb 2023

On February 2nd, 2023, the Polygon DeFi protocol BonqDAO fell victim to a price oracle hack due to an error in a smart contract code. The attacker stole 100 million $BEUR stablecoins and 120 million Wrapped AllianceBlock Token ($WALBT). For more details, read the article above, amazing work from Hacken.
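
The flash loan and oracle sections above describe the same mechanism from two sides: a loan that must be repaid within one transaction supplies the capital, and a price read straight from a pool's reserves is what gets manipulated. The Python model below, an added example that is not the code of Beanstalk, BonqDAO or any real protocol, puts a constant-product pool, a flash loan and a lending market together and prices the same collateral through a spot oracle and through a time-weighted average. The reserve sizes, the ten-block price history and the 50% loan-to-value rule are constructed assumptions.

```python
# Constant-product AMM plus a lending market that prices collateral through an oracle.
# Constructed for illustration; not the code of Beanstalk, BonqDAO or any real protocol.
from statistics import mean


class Pool:
    """x*y = k pool holding reserves of token X and token Y (no fees, for clarity)."""

    def __init__(self, x, y):
        self.x, self.y = x, y

    def spot_price(self):
        """Price of one X in Y, read straight from the reserves (manipulable in-transaction)."""
        return self.y / self.x

    def swap_y_for_x(self, dy):
        k = self.x * self.y
        dx = self.x - k / (self.y + dy)
        self.y += dy
        self.x -= dx
        return dx

    def swap_x_for_y(self, dx):
        k = self.x * self.y
        dy = self.y - k / (self.x + dx)
        self.x += dx
        self.y -= dy
        return dy


def spot_oracle(pool, price_history):
    """Oracle that trusts the current reserves."""
    return pool.spot_price()


def twap_oracle(pool, price_history):
    """Time-weighted average of prices recorded in earlier blocks; a swap in the
    current transaction cannot change it."""
    return mean(price_history)


def flash_loan(amount, body):
    """Lend `amount` of Y for the duration of `body`; revert unless it is repaid."""
    repaid = body(amount)
    if repaid < amount:
        raise RuntimeError("flash loan not repaid: transaction reverts")
    return repaid - amount


def max_borrow(collateral_x, price_x, ltv=0.5):
    """Lending market rule: borrow up to 50% of the oracle value of the collateral."""
    return collateral_x * price_x * ltv


def manipulated_borrow(oracle, pool_x=1000.0, pool_y=1000.0, loan=9000.0, collateral_x=100.0):
    """Borrow Y against X collateral inside one transaction that first pumps X's spot price.
    Returns the amount of Y the lending market lets the borrower take."""
    pool = Pool(pool_x, pool_y)
    history = [pool.spot_price()] * 10     # constructed: ten earlier blocks at the fair price
    result = {}

    def body(borrowed_y):
        bought_x = pool.swap_y_for_x(borrowed_y)       # buying X moves the reserves: X looks expensive
        price = oracle(pool, history)                   # the lending market reads its oracle here
        result["borrowed"] = max_borrow(collateral_x, price)
        recovered_y = pool.swap_x_for_y(bought_x)       # unwind the swap to get Y back
        return recovered_y

    flash_loan(loan, body)
    return result["borrowed"]


if __name__ == "__main__":
    print("borrow allowed with spot-price oracle:", manipulated_borrow(spot_oracle))
    print("borrow allowed with TWAP oracle:      ", manipulated_borrow(twap_oracle))
```

At the fair price the 100 X of collateral is worth 100 Y and supports a 50 Y loan. With the spot oracle, the borrowed 9000 Y temporarily pushes the pool's quote to 100 Y per X, the market lends 5000 Y against the same collateral, the swap is unwound and the loan repaid, and the protocol is left holding a bad debt. The TWAP oracle returns the historical average and still lends 50 Y, which is the property a lending market needs from its price feed; fees and slippage, omitted here, change the numbers but not the outcome.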

Governance token attacks

An attacker gains control of a cryptocurrency platform's governance token and uses it to manipulate the platform's decision-making process, which can include voting on proposals or electing board members. Once in control, the attacker can push through malicious proposals or steal funds from the platform.

Ex: Build Finance DAO Suffers Governance Takeover Attack

In 2022 Build Finance DAO suffered a governance token attack in which an attacker proposed and passed a proposal to gain control of the token contract (the attacker held enough tokens to vote for and pass the proposal). The attacker then minted and sold various tokens, stealing an estimated $470,000.

The Beanstalk Farm example works here as well.
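
The two governance defences that matter most against borrowed voting power are counting votes from a balance snapshot taken before the proposal and delaying execution behind a timelock. The Python model below is an added example, not the code of Beanstalk, Build Finance or any real DAO; the token distribution, the 600,000-token quorum and the flash-loaned 700,000 tokens are constructed assumptions. It runs the same one-transaction takeover against three configurations.

```python
# Toy on-chain governance model showing why voting power must come from a balance
# snapshot and why execution needs a delay. Constructed for illustration; not the
# code of Beanstalk, Build Finance or any real DAO.
from dataclasses import dataclass


@dataclass
class Proposal:
    snapshot_block: int     # block whose balances count as voting power
    votes_for: int = 0
    vote_block: int = 0
    executed: bool = False


class Governance:
    def __init__(self, snapshot_voting, timelock_blocks, quorum):
        self.balances = {}          # holder -> governance tokens right now
        self.history = {}           # block -> balances as finalized at that block
        self.snapshot_voting = snapshot_voting
        self.timelock = timelock_blocks
        self.quorum = quorum
        self.block = 0
        self.treasury = 1_000_000   # funds a malicious proposal tries to move

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def next_block(self):
        self.history[self.block] = dict(self.balances)
        self.block += 1

    def voting_power(self, who, proposal):
        if self.snapshot_voting:
            return self.history.get(proposal.snapshot_block, {}).get(who, 0)
        return self.balances.get(who, 0)   # live balance: borrowed tokens count

    def propose(self):
        return Proposal(snapshot_block=self.block - 1)   # last finalized block

    def vote(self, who, proposal):
        proposal.votes_for += self.voting_power(who, proposal)
        proposal.vote_block = self.block

    def execute(self, proposal):
        if proposal.votes_for < self.quorum:
            raise PermissionError("quorum not reached")
        if self.block < proposal.vote_block + self.timelock:
            raise PermissionError("timelock not elapsed")
        proposal.executed = True
        moved, self.treasury = self.treasury, 0
        return moved


def flash_loan_takeover(snapshot_voting, timelock_blocks, loan=700_000):
    """Attacker holding 1,000 tokens borrows 700,000 for one transaction, votes, and tries
    to execute immediately. Returns (outcome, treasury balance afterwards)."""
    g = Governance(snapshot_voting, timelock_blocks, quorum=600_000)
    g.mint("honest", 900_000)
    g.mint("attacker", 1_000)
    g.next_block()                    # block 1: these balances are now history[0]
    proposal = g.propose()
    # Everything below happens inside one transaction in block 1.
    g.mint("attacker", loan)          # flash loan credited (constructed lending pool)
    g.vote("attacker", proposal)
    try:
        g.execute(proposal)
        outcome = "treasury drained"
    except PermissionError as err:
        outcome = str(err)
    g.balances["attacker"] -= loan    # flash loan repaid before the transaction ends
    return outcome, g.treasury


if __name__ == "__main__":
    print("live balances, no timelock:", flash_loan_takeover(False, 0))
    print("snapshot voting:           ", flash_loan_takeover(True, 0))
    print("timelock of 2 blocks:      ", flash_loan_takeover(False, 2))
```

Counting live balances with immediate execution is the configuration that loses the treasury in a single block. Snapshot voting is the property that stops borrowed tokens from counting at all, since the attacker held only 1,000 tokens in the snapshot block. The timelock on its own only defers execution in this model (the borrowed votes are already recorded), so its value is the window it gives token holders and guardians to react or cancel before a passed proposal can run; real governance contracts combine both.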

Bad money management by users

Liquidations

Crypto liquidations occur when traders borrow funds to invest and the value of the assets they purchased drops significantly. When the value of their investment drops below a certain level, the exchange or lending platform may automatically sell their assets to cover the borrowed funds, resulting in a forced liquidation. This can occur during market collapses, where the overall value of cryptocurrencies decreases rapidly, leading to a wave of forced liquidations across various platforms.

Attacks on leveraged positions

An attack on leveraged positions occurs when a trader or group of traders intentionally manipulates the price of an asset to cause significant losses for investors who are trading that asset with leverage or borrowed funds. Because of the leverage, even small price movements can result in significant profits or losses. Attackers may use tactics such as coordinated buying or selling, spreading false information or other market manipulation to trigger a cascading effect that results in forced liquidations of leveraged positions. Crypto is still early and, with a lack of regulation, such attacks remain possible.

Bank run on tokens

As a result of Ponzi scheme crashes (ex: Luna crash) or market manipulations (ex: the FTX saga).