Games & Play-to-Earn
On-chain Data Suggests Crypto Hacks and DeFi Exploits are on Course to Match Q1 Figures
More than $320 million was lost to bad actors within the crypto space in the first quarter of the year as per data compiled by smart contract security platform CertiK. The figure represented a significant decline from that in the preceding quarter (Q4 2022) and from a similar period in the previous year. The blockchain security firm attributed this decrease to distressing incidents that rocked the industry across the three months.
Notable among them, an upheaval in the stablecoin markets and a banking crisis extending into the digital assets space. These and other unfortunate incidents prompted investors to move their funds to the sidelines while also putting off potential entrants and inflows as a result. Barely halfway into Q2, more exploit incidents have been reported with attributable losses headed to equal the figure reported in Q1.
$103 million was lost to hacks, exploits, and scams in April
In March, about $211 million was stolen in crypto, dominated by a $197 million hack on Euler Finance. The amount siphoned last month was slightly less than half of this, with blockchain security firm Certified Kernel Tech (CertiK) estimating a figure of $103.7 million in losses to exploits, hacks, and scams.
April and March numbers brought the total amount stolen by malicious actors in the first four months to $429.7 million year-to-date. Another major incident in April was the Ethereum Maximal Extractable Value (MEV) bot sandwich attack which resulted in a $25.4 million loss. Bitrue exchange also reportedly had $23 million in Ether and other currencies drained from one of its hot wallets.
Flash loan attacks
Decentralized finance aggregator, Yearn Finance led in flash loan attacks last month, with only users running on an older version of the protocol affected. PeckShield reported on April 13 that a hacker targeted a bug to mint an extremely huge amount of yUSDT – 1.3 quadrillion tokens, worth about $11.6 million from just 10,000 USDT. In a series of swaps that ensued afterward, the attacker was able to obtain 61,000 USDP, 1.5 million TUSD, 1.79 million BUSD, 1.2 million USDT, 2.58 million USDC, and 3 million DAI.
Multi-chain lending pool Hundred Finance lost $7.4 million on April 15 after suffering a security breach involving flash loaning WBTC on Ethereum layer two Optimism. The protocol has since placed a $500,00 bounty on the hacker after efforts to negotiate seemingly bore no fruits. Hundred Finance was previously hit to the tune of $6.5 million in a reentrancy attack in March 2022. The blockchain security firm further showed that total funds lost to exit scams increased to $9.4 million in April, heralded by the decentralized exchange Merlin.
CertiK insists rogue developers stole the $1.8M in Merlin’s attack
zkSync decentralized exchange Merlin’s loss of $1.82 million came on April 25, during the three-day public sale of its MAGE tokens, despite brandishing an audit by CertiK. The DEX, whose popularity stems from the attractive yield offered on deposits, confirmed the attack advising all users to disengage their wallet permissions. CertiK meanwhile termed it a private key management issue.
In a thread addressing the incident, the blockchain security firm later highlighted that it had pointed out centralization risk under ‘Decentralization Efforts’ in its audit report of Merlin. Some, however, question the quality of work done by the firm. Meanwhile, the malicious code that allegedly caused the loss of funds was identified by eZKalibur, a decentralized exchange, and launchpad also built on zkSync. eZKalibur pointed out that the initialize function created a backdoor of sorts, allowing an unlimited amount of tokens to be transferred from the contract’s address to the ‘feeTo address.’
A compensation plan is in the works
CertiK said on April 26 that it was exploring a compensation plan for the affected while still urging the responsible individuals to return 80% of the funds and keep the rest as a white hat bounty. It further said that rather than an attack, Merlin was a victim of rogue developers – which explains why the entity was able to siphon the liquidity pool with such ease. The blockchain security team said the perpetrators are believed to be in Europe and that it is working with law enforcement agencies to bring them to justice should direct negotiations hit a brick wall.
In an update on the situation on Friday, CertiK insisted that all this was a rug pull by Merlin developers who took advantage of their wallet privileges to defraud users. It added that attempts to collaborate with the remaining Merlin team were plagued by challenges as certain core members were unwilling to verify their identities, making validation and eventual assistance of the victims difficult. CertiK has frozen $160,000 of the stolen funds so far and is closely monitoring the remaining amount in hopes of recovery. It is working with law enforcement agencies in the US and UK towards these efforts and also pledged $2 million to help the victims and fight exit scams.
Hackers manipulated a price oracle to steal $2M from Polygon lending protocol 0VIX
A price oracle manipulation hack struck lending protocol 0VIX at the end of April, causing it to lose more than $2 million following an exploit on the vGHST token, a staked token of blockchain gaming initiative inspired by the popular Tamagotchi game. Blockchain security company PeckShield revealed that the hackers behind the 0VIX Protocol attack utilized a flash loan worth $6.12 million in stablecoins to open vGSHT lending positions.
The attacker(s) afterward manipulated the protocol’s price oracle and the vGSHT lending pool in extension – they manufactured a spike in the price of GHST, which made the vGHST lending pool insolvent, enabling them to liquidate the pools and walk away with the collateral from the pools. The protocol’s core team suspended Polygon POS and zkEVM operations (its token lending markets), adding that it had initiated efforts to manage the situation.
In a subsequent update, the 0VIX Protocol Association said it resumed operations on the zkEVM, allowing users of the 0VIX Polygon zkEVM market unrestricted access to their funds. It asked all users to verify their positions and health factor and repay any outstanding debts. The update further clarified that the pause on 0VIX zkEVM had only been a preventive measure, as the exploit did not affect it. The Association, however, didn’t divulge any further details to protect the integrity of ongoing investigations, adding that it, along with its security partners, remained dedicated to recovering the compromised funds.
A bug in Level Finance’s reward mechanism allowed an attacker to siphon $1M in LVL tokens
This week, Level Finance was hacked for $1 million worth of its native LVL token. The BNB Chain-native non-custodial spot and perpetual contracts exchange confirmed on May 1 that the attacker targeted its LevelReferralControllerV2 referral contract that enables repeated claims, making away with more than 214 LVLs which they exchanged for 3,345 BNB.
Blockchain security company PeckShield said that the hack resulted from a bug that allowed repeated referral claims (in the same epoch), which Level Finance confirmed was from a recent update to its incentive mechanism. The platform temporarily halted its referral program to end the attack, though the event did not affect its liquidity pools or linked DAOs.
Deus Finance paused contracts and burned DEI following a $6M hack
In a more recent incident, DeFi protocol Deus Finance confirmed over the weekend that it was the victim of a hack on its BNB Smart Chain and Arbitrum deployments. Though not confirmed yet, the manipulation saw it lose more than $6 million in crypto assets. The attack was front run by a bot according to PeckShield, allowing the hacker to make away with 1,337,375 BUSD from DEI/BUSD pools, and a further $5 million on the ARB/ETH pools. Deus paused all contracts and DEI tokens on-chain burned in response to mitigate against more losses. The protocol team added that it actively evaluating the underlying collateral of the DEI, and will devise a comprehensive recovery and redemption plan depending on pre-burn DEI balances.
Recognizing that some individuals may have taken part in arbitrage endeavors following the breach and gotten stuck while at it, Deus said it was actively assessing to see whether these transactions can be reversed expeditiously to resolve the matter. The DeFi platform pointed out that the Deus v3 system, currently in use, is isolated from DEI and therefore was unaffected by the events. It has also urged the attacker to relinquish 80% of the proceeds and consider the rest a white hat bounty. In a tweet earlier today, the DEI stablecoin issuer Deus Finance said the exploiter(s) had complied and sent back 2,023 ETH to a recovery multi-sig wallet address managed by trusted members of Yearn Finance.