A review of the top 20 hacking cases in the encryption industry in the past two years
Finishing: Cookies, Chain Catchers
Finishing: Cookies, Chain Catchers
At the end of March, the Ronin Network, a sidechain network of the famous chain game Axie Infinity, lost about $620 million in assets in a hacking incident, becoming the most serious DeFi hacking attack so far, further deepening public concerns about the security of the encrypted world.
In the past two years, huge amounts of funds have continued to flow into the encryption industry, but its security is still very fragile. Many code loopholes from centralized exchanges and DeFi projects have been repeatedly attacked by hackers. The number, frequency, and scale of various security incidents, etc. levels are growing rapidly.
According to the professional encryption security website rekt data and other public information, Chaincatcher counts the top 20 hacking incidents according to the amount of money affected in the hacking attacks in the past two years.
secondary title
1. Ronin Network, $624 million
On March 29, 2022, Ronin officially stated that its cross-chain bridge was hacked, and 173,600 ETH and 25.5 million USDC were stolen, with a cumulative value of about 620 million US dollars.
At present, Axie Infinity co-founder Aleksander L. Larsen has tweeted that the Axie Infinity team is working hard to communicate with hackers to recover losses to determine the best compensation plan.
secondary title
2. Poly Network, $611 million
On August 10, 2021, the smart contracts deployed by the cross-chain interoperability protocol Poly Network on Ethereum, BSC, and Polygon were hacked at the same time, and assets worth more than US$610 million were stolen.
After multiple parties communicated with the hacker on the chain, the hacker finally returned all the stolen assets to the project party, and all users did not suffer any actual losses.
secondary title
3. Wormhole, $326 million
On February 3 this year, the cross-chain protocol Wormhole was hacked, and officials confirmed that 120,000 ETH (approximately $326 million) were lost in the attack.
After the incident, the hacker did not respond to the communication from the project party. Jump Crypto, a subsidiary of Jump Trading, the parent company of Wormhole, quickly decided to replenish 120,000 ETH to the smart contract of the cross-chain bridge "at its own expense" to help the Wormhole bridge go online again.
secondary title
4. BitMart, $196 million
On December 5, 2021, approximately US$196 million was stolen from the Ethereum and BSC hot wallets of the encrypted trading platform BitMart, of which approximately US$100 million was stolen on Ethereum and approximately US$96 million was stolen on BSC.
Since then, BitMart founder Sheldon Xia has announced that the platform's funds will be used to compensate affected users, and deposits and withdrawals will be opened soon.
secondary title
On December 13, 2021, the chain game project Vulcan Forged claimed that 148 wallets holding PYR had been hacked, more than 4.5 million PYR had been stolen, and the total value of the loss exceeded 140 million US dollars. Afterwards, the project team decided to compensate affected user wallets with PYR users in the vault.
secondary title
6. Cream Finance, $130 million
On October 27, 2021, the mortgage lending platform Cream Finance suffered a flash loan attack, resulting in a loss of approximately US$130 million.
On November 13, Cream Financ announced the compensation plan for the affected users. It will use the remaining tokens in its treasury and remove all the remaining Cream token allocations of the project team, and issue 1,453,415 Cream tokens to the affected users.
secondary title
7. Badger $120 million
On December 2, 2021, the Badger user interface was hacked and a malicious wallet request was implanted, with a total loss of approximately 2100 BTC and 151 ETH, or approximately $120 million.
Afterwards, Badger announced that it hired cybersecurity firm Mandiant and blockchain analysis firm Chainalysis to investigate the attack, and is working with both companies and authorities in the United States and Canada to recover any possible funds. At the same time, through community voting, the project decided to compensate affected users with part of the treasury assets and part of the agreement income, with a period of about one year.
secondary title
8. Qubit Finance, $80 million
On January 28, 2022, Qubit, the BSC lending project, was suspected of being hacked. The hacker minted a large amount of xETH collateral and stole about $80 million in assets from the fund pool.
Team Mound, the development team of Qubit Finance, decided to reorganize and release a compensation plan after the attack, and will give up all its tokens to compensate the community.
secondary title
9. AscendEX, $77 million
After the incident, the exchange stated that it will conduct a comprehensive security check. If any user's funds are affected by this incident, AscendEX will make 100% compensation.
secondary title
10. EasyFi, $59 million
On April 20, 2021, Ankitt Gaur, founder of the Layer 2 DeFi lending agreement EasyFi, said that the protocol liquidity pool had been transferred 6 million US dollars of stable coins and 2.98 million EASY tokens, with a total loss of about 59 million US dollars.
Afterwards, the project stated that it will compensate 100% of the lender/depositor net balance of each address according to the snapshot, and users will receive funds in two parts, 25% paid in advance, and the remaining 75% paid in EZ, which is issued by the EASY V2 token EZ 1:1 ratio guarantee.
secondary title
11. Uranium Finance, $57 million
On April 28, 2021, Uranium Finance, the AMM protocol on the Binance Smart Chain, tweeted that Uranium was attacked during the migration process, and the loss amounted to approximately US$57 million.
Afterwards, Uranium Finance published a vulnerability analysis article and called on users to remove funds as soon as possible and stop providing liquidity to the contract. Since then, there has been no official update of Uranium Finance, and it is suspected that it has ceased operations.
secondary title
12. bZx, $55 million
It is understood that the accident was not a hacking attack targeting a vulnerability in the protocol itself, but a phishing attack on bZx developers, who received a phishing email with a Word document containing malicious macros attached. Opening this document could result in the theft of the developer's personal wallet keys. The hacker was able to take control of the contract and withdraw it from BZRX.
secondary title
13. Cashio, $48 million
On March 23, 2022, Cashio, the Solana ecological algorithm stablecoin, tweeted to warn users not to mint any tokens and withdraw funds from the pool as soon as possible. There was an infinite minting bug in the protocol, which resulted in a loss of about $48 million.
After the hacker attack, the project party stated that it did not have enough funds to repay the user's losses. If the attacker returns the funds, it is willing to provide 1 million USDC as a bounty. The attacker stated through a message on the chain that he would refund victims who lost less than $100,000.
secondary title
14. Pancake Bunny, $46 million
On May 20, 2021, PancakeBunny, a revenue aggregator on Binance Smart Chain BSC, was suspected of being attacked and lost about $46 million.
The PancakeBunny team released an assessment and compensation plan after being attacked by flash loans. It will issue new tokens pBUNNY and create a compensation pool. The compensation pool will be provided by performance fees (directly contributed by the team), funds recovered from exploits, and QFI token airdrops funds. After 90 days, the original holder will exchange pBUNNY for BUNNY at a discount below the market price.
secondary title
15. Kucoin, $45 million
Since then, Kucoin CEO Johnny Lyu said that $222 million (78%) was recovered through cooperation with exchanges and project parties, and $17.45 million (6%) was recovered through further cooperation with law enforcement and security agencies. In the end KuCoin used the insurance fund to pay for the remaining loss of funds, about $45 million (16%), and no users suffered losses in this incident.
secondary title
16. Secretswap, over $40 million
On September 14, 2021, Secretswap, a DEX project based on the privacy public chain Secret Network, was hacked, and more than $40 million in the liquidity pool was withdrawn by hackers. After the incident, the project suspended the use of the cross-chain bridge between Secretswap and Secret Network , to prevent hackers from transferring assets from the cross-chain bridge to the Ethereum network.
A few days later, Secret Network rolled back the network through a hard fork, returned the stolen assets to the user's liquidity pool, and restored the use of the cross-chain bridge.
secondary title
17. Alpha Finance, $37 million
The Alpha team’s repayment method is: the attacker deposits 1000 ETH in the Alpha Homora V2 deployer contract to pay the arrears; deposits the attacker in the Cream V2 deployer contract 1000 ETH to pay the arrears; the Tornado Cash Foundation will Return the 100 ETH donation paid by the attacker to Alpha Homora to pay the arrears; Alpha will promise to use 20% of the Alpha Homora V1 and V2 reserves to repay the remaining funds, and pay to Cream V2 Iron Bank on a monthly basis until all new debts are fully paid pay off.
secondary title
18. Vee Finance $37 million
On September 21, 2021, the Vee Finance smart contract of the Avalanche ecological lending platform was attacked, resulting in a loss of approximately US$37 million.
Afterwards, Vee.Finance announced a reward of $500,000 to track down the attacker, and will bear all losses, and compensate all lenders and depositors with platform revenue and VEE tokens in reserves, and the team tokens will no longer be released until all are repaid.
secondary title
19. Crypto.com $33 million
On January 18, 2022, some accounts of the cryptocurrency exchange Crypto.com were suspected of being hacked, resulting in a loss of approximately US$33 million.
After the incident, Crypto.com stated that it has compensated all users for their losses and restored the assets in their accounts to their original positions.
secondary title
20. MonoX Finance $31 million
On November 30, 2021, the automatic market maker protocol MonoX was attacked by a flash loan, and about $31 million worth of cryptocurrencies on Ethereum and Polygon were stolen by hackers.
It is understood that the attacker used the swap contract to operate, pushing up the price of MONO to sky-high prices and then using MONO to purchase all other assets in the pool.
Thereafter, the project team stated that it will issue debt token dMONO for all stolen assets and deploy a dMONO vault, will use our revenue to buy back MONO and send MONO to this vault, and any dMONO holder can destroy them at any time by The dMONO comes and acquires MONO to exit the vault, but if the user chooses to withdraw the dMONO before it reaches the value owed, it means that the remaining debt is being forgiven.
Further statistics show that although the cumulative losses of these security incidents reached billions of dollars, most users of the stolen projects were fully compensated for their losses. Among them, the stolen assets of Poly Network and Secretswap were all recovered, and Wormhole and other 8 projects The original currency compensation was paid by the project party, and most of the remaining projects were paid by the project in the form of its own tokens. However, due to the decline in token prices, the actual compensation amount was lower than the loss amount. Only Uranium Finance did not make any compensation to users.
