DeFi Security Vulnerabilities and Exploits 2021

Despite the series of obvious advantages, the DeFi platforms seem to face cyber attacks over and over again.

Although the DeFi was one of the key drivers of the digital currency market traction in the past year, it is still immature in the decentralized finance space. Add that the crypto and DeFi ecosystem is full of large scale scammers and hackers and you have a recipe for disaster. The cybersecurity of distributed exchanges, DEX’s that you can launch in an hour, is still weak and vulnerable to attackers and exploits and is a major harm to venture capitalists and crowdpooling projects. Lack of security audits due to the ability to clone on demand by non-technical anonymous founders creates fertile ground for clever hackers. Here are some of 2021’s hacks and exploits.

• Project: yCredit Finance
  Date: 2021-01-01
  Summary: Minting vulnerability exploited
  Impact: $11M lost
  Type: Hack
  References:
  • Deposit Less, Get More: yCredit Attack Details by BlockSecTeam
  • Exploit PoC by Banteg
• Project: Saddle Finance
  Date: 2021-01-19
  Summary: Price arbitrage due to high slippage.
  Impact: 7.9 BTC ($275K) lost
  Type: Hack
  References:
  • Saddle Finance – REKT by rekt
  • 2021-1 Saddle Finance Arbitrage by Origin Protocol
• Project: SushiSwap
  Date: 2021-01-19
  Summary: Misconfiguration exploited to manipulate DIGG-WETH price.
  Impact: 81 ETH ($100K) attacker profit Type: Hack
  References:
  • SushiSwap was attacked for the second time by SlowMist
  • Badgers DIGG SUSHI by rekt
  • Replaying Ethereum Hacks – Sushiswap BadgerDAO’s Digg by cmichel
• Project: Yearn
  Date: 2021-02-04
  Summary: Yearn V1 yDAI vault exploited.
  Impact: $11M lost Type: Hack
  References:
  • Vulnerability disclosure 2021-02-04 by Yearn Security
  • The yDAI Incident Analysis: Forced Investment by PeckShield
  • A brief analysis of yearn finance being hacked by SlowMist
  • Inside the Yearn v1 yDAI Hack (Feb 2021) by Halborn
  • Yearn – REKT by rekt
  • Yearn Exploit by Origin Protocol
  • Attacker TX on Etherscan
  • Tether Freezes $1.7 Million in Profits From Yearn Finance Hack by Robert Stevens (Decrypt)
• Project: Growth DeFi
  Date: 2021-02-09
  Summary: rAAVE pool exploited by forcing an LP with a fake token.
  Impact: $1.3M (ETH) stolen. Type: Hack
  References:
  • rAAVE Farming Contract Exploit explained by Growth DeFi
  • The Big Combo (Growth DeFi – REKT) by rekt
  • Growth DeFi Exploit by Origin Protocol
• Project: BT Finance
  Date: 2021-02-09
  Summary: Exploit similar to Yearn hack.
  Impact: $1.7M stolen. Type: Hack
  References:
  • BT.Finance Exploit analysis report by BT Finance
  • BT.Finance Exploit by Origin Protocol
• Project: Alpha Homora
  Date: 2021-02-12
  Summary: Smart contract exploited.
  Impact: $38M (USDC, DAI, USDT, WETH) stolen. Type: Hack
  References:
  • Alpha Homora V2 Post Mortem by Alpha Homora
  • Alpha Finance – REKT by rekt
• Project: CryptoPunks
  Date: 2021-02-24
  Summary: Auction was front-run using flash loans.
  Impact: Punk #1737 won for 1 Wei. Type: Hack
  References:
  • Announcement Tweet
• Project: Furucombo
  Date: 2021-02-27
  Summary: Exploited by tricking it to use fake AAVE implementation.
  Impact: $15M stolen. Type: Hack
  References:
  • Furucombo Post-Mortem March 2021 by Furucombo
  • Analysis of the Furucombo Hack by SlowMist
  • Furucombo – REKT by rekt
  • Furucombo exploit internals by Kurt Barry
  • Replaying Ethereum Hacks – Furucombo by Cmichel
  • 2021-2-27 Furucombo Attack by Origin Protocol
• Project: Yield Finance
  Date: 2021-02-27
  Summary: Whitehat hack, $166K DAI lost and later recovered.
  Impact: N/A. Type: Hack
  References:
  • Announcement Tweet
• Project: Zerion
  Date: 2021-03-04 Summary: Tricked into listing a malicious Balancer clone.
  Impact: $30K
  Type: Hack
  References:
  • Post mortem on Zerion’s asset phishing attack by Evgeny Yurtaev
• Project: PAID Network
  Date: 2021-03-05
  Summary: Private keys compromised Impact: $160M (PAID) minted and sold. Type: Hack
  References:
  • PAID Network Attack Postmortem, March 7, 2021 by PAID
  • Analysis of Paid Network’s Hacked Event by SlowMist
• Project: Kava
  Date: 2021-03-05
  Summary: Flaw in accounting logic exploited. Impact: No funds were lost. Type: Hack
  References:
  • Kava 5 Launch Post-Mortem by Kava
• Project: DODO
  Date: 2021-03-09
  Summary: The initialization function was left callable. Impact: $3.8M lost
  Type: Hack
  References:
  • DODO Pool Incident Postmortem: With a Little Help from Our Friends by DODO Breeder
  • DODO – REKT by rekt
• Project: True Seigniorage Dollar
  Date: 2021-03-13
  Summary: Upgrade forced by taking over DAO. Impact: 11.8B TSD minted and sold
  Type: Hack
  References:
  • Announcement Tweet
• Project: Roll
  Date: 2021-03-14
  Summary: Private keys compromised. Impact: $5.7M lost
  Type: Hack
  References:
  • Roll – REKT by rekt
  • A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall by Tim Hakki (Decrypt)
• Project: Cream Finance
  Date: 2021-03-15
  Summary: DApp attacked by hijacking DNS
  Impact: Unknown
  Type: Hack
  References:
  • Announcement Tweet
  • Postmortem Report of DNS Hijacking by CREAM
• Project: PancakeSwap Finance
  Date: 2021-03-15
  Summary: DApp attacked by hijacking DNS
  Impact: Unknown
  Type: Hack
  References:
  • Announcement Tweet
• Project: Nifty Gateway
  Date: 2021-03-15
  Summary: Account hijacking
  Impact: NFTs stolen
  Type: Hack
  References:
  • Announcement Tweet
• Project: Iron Finance
  Date: 2021-03-16
  Summary: vFarm reward misconfiguration
  Impact: 170K SIL lost
  Type: Hack
  References:
  • Iron Finance vFarms incident Post-mortem (16 March 2021) by Iron Finance
• Project: SIL Finance
  Date: 2021-03-18
  Summary: Contract permissions exploited.
  Impact: $12.1M lost and later returned
  Type: Hack
  References:
  • Follow Up on the Service Outage & All Funds Are SAFU by SIL finance
• Project: Uniswap Info
  Date: 2021-03-30
  Summary: Transaction volume spam by Delta Finance.
  Impact: N/A
  Type: Hack
  References:
  • $11 Billion in ‘Fake’ Uniswap Volume Causes DeFi Project and DEX to Clash by Jeff Benson (Decrypt)
  • Exploit analysis by Igor Igamberdiev
• Project: ForceDAO
  Date: 2021-04-04
  Summary: Insufficient validation on the deposit function.
  Impact: $367K stolen. Whitehat saved $9.6M
  Type: Hack
  References:
  • xFORCE Exploit Post Mortem by ForceDAO
  • Exploit analysis by Igor Igamberdiev
• Project: Polkatrain
  Date: 2021-04-04
  Summary: Rebate mechanism exploited.
  Impact: $3M (57K DOT) stolen
  Type: Hack
  References:
  • The response for hacker attack incident from Polkatrain team by Polkatrain
• Project: Uranium Finance
  Date: 2021-04-07
  Summary: Logic bug exploited.
  Impact: $1.5M stolen
  Type: Hack
  References:
  • Uranium : post-mortem, v2, compensations by Uranium Finance
  • Exploit analysis by @ret2jazzy
• Project: PancakeSwap Lottery
  Date: 2021-04-12
  Summary: Lottery exploited by the administrator.
  Impact: $1.8M stolen
  Type: Hack References:
  • $1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool by Crypto Pwnage
  • $1,800,000 was stolen from Binance Smart Chain PancakeSwap Lottery Pool – Part II by Crypto Pwnage
• Project: Uranium Finance
  Date: 2021-04-27
  Summary: Logic bug exploited.
  Impact: $51M stolen
  Type: Hack
  References:
  • Hack announcement
  • Exploit post-mortem by Uranium Finance
  • SlowMist: Analysis of Uranium Finance’s Hacked Event by SlowMist
  • Exploit analysis by @FrankResearcher
  • Uranium Finance – REKT by rekt
• Project: Spartan Protocol
  Date: 2021-05-02
  Summary: Logic bug exploited.
  Impact: $30M stolen
  Type: Hack
  References:
  • The Spartan Incident: Root Cause Analysis by PeckShield
  • Exploit analysis by @FrankResearcher
  • Spartan Pool Hack by Origin Protocol
• Project: Value DeFi
  Date: 2021-05-06
  Summary: Reinitialized pool.
  Impact: $10M stolen
  Type: Hack
  References:
  • Value DeFi – Rekt 2 by rekt
  • Exploit analysis by @FrankResearcher
• Project: Value DeFi
  Date: 2021-05-08
  Summary: Incorrect use of exponents.
  Impact: $11M stolen
  Type: Hack
  References:
  • Value DeFi – Rekt 3 by rekt
  • ValueDeFi Incident: Incorrect Weighted Constant Product Invariant Calculation by PeckShield
  • Exploit analysis by @FrankResearcher
• Project: Meebits
  Date: 2021-05-08
  Summary: Flawed NFT generation.
  Impact: Rare $700K NFT generated
  Type: Hack
  References:
  • Meebits Exploit Analysis and PoC by iphelix
  • Ultra-rare Meebit NFT minted via exploit sells for $765,000 by Liam Frost (Cryptoslate)
• Project: Rari Capital
  Date: 2021-05-08
  Summary: Composability vuln.
  Impact: $10M stolen
  Type: Hack
  References:
  • 5/8/2021: Rari Capital Ethereum Pool — Post-Mortem by Davic Lucid (Rari Capital)
  • (5/8/21) Rari Capital Exploit Timeline & Analysis by Nipun Pitimanaaree (Alpha Finance)
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • Price manipulation attack in reality (again): RariCapital incident by BlockSecTeam
  • Rari Capital – REKT by rekt
  • Hacker mocking Rari Capital by @dudesahn and @bantg
  • Why the Attack Was Possible by @banescusebi and @ridesolo5
  • ETH and BSC attacker addresses.
• Project: xToken Market
  Date: 2021-05-14
  Summary: Incorrect price calculation.
  Impact: $25.5M
  Type: Hack References:
  • Initial Report on xBNTa, xSNXa Exploit by Michael J. Cohen (xToken)
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • xToken – REKT by rekt
• Project: Vault.sx
  Date: 2021-05-14
  Summary: Reentrancy exploit.
  Impact: $13.5M
  Type: Hack References:
  • EOS vaults.sx hack by cmichel
• Project: Bearn Finance
  Date: 2021-05-16
  Summary: Withdrawal logic vulnerability.
  Impact: $11M
  Type: Hack References:
  • bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan by bEarn Fi
  • Bearn.Fi Incident: Inconsistent Asset Denomination Between Vault & Strategy by PeckShield
  • bEarn – REKT by rekt
  • Bearn.Fi Hack by Origin Protocol
• Project: Venus Protocol
  Date: 2021-05-18
  Summary: Price manipulation
  Impact: $200M+ liquidated $100M+ debt
  Type: Hack References:
  • Venus Protocol — Incident Post Mortem by Venus Protocol
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
• Project: Pancake Bunny
  Date: 2021-05-19
  Summary: Minting vulnerability exploited
  Impact: 114,631 BNB ($41.8M), 697,245 BUNNY ($8M); 6.97M BUNNY minted and sold, token price collapsed
  Type: Hack
  References:
  • Official Post Mortem by Pancake Bunny
  • PancakeBunny Incident: Root Cause Analysis by PeckShield
  • BSC attacker address.
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • SlowMist: PancakeBunny Hack Analysis by SlowMist
  • BSC PancakeBunny Exploit Post Mortem by Christoph Michel
  • PancakeBunny – REKT by rekt
  • Knownsec Blockchain Lab｜Binance SmartChain PancakeBunny (BUNNY) Attack Event Analysis by Knownsec Blockchain Lab
  • The PancakeBunny Bunny Performance Fee Minting Incident Analysis by WatchPug
  • Hack Track: Pancake Bunny Hack by Merkle Science
  • Attacker donates to Rekt by rekt
• Project: Bogged Finance
  Date: 2021-05-22
  Summary: Minting vulnerability Impact: $3.6M Type: Hack
  References:
  • BOG Flash Loan Attack: What Happened, and what’s next — Token Migration by Bogged Finance
  • Bogged Finance Incident: Root Cause Analysis by PeckShield
  • Bogged Finance Hack by Origin Protocol
• Project: AutoShark Finance
  Date: 2021-05-24
  Summary: Minting vulnerability exploited
  Impact: $750K (2.2K WBNB) Type: Hack
  References:
  • Autoshark Performance Fee Minting Incident Analysis by WatchPug
  • How AutoShark got economically exploited by AutoShark
  • AutoShark – REKT by rekt
• Project: Merlin
  Date: 2021-05-26
  Summary: Minting vulnerability exploited
  Impact: $680K
  Type: Hack
  References:
  • Our Road Ahead by Merlin Lab
  • Merlin Lab Enhanced Security Measures by Merlin Lab
  • Merlin Labs – REKT by rekt
  • Exploit Analysis by Peckshield
• Project: Merlin
  Date: 2021-05-26
  Summary: Price calculation error
  Impact: $540K
  Type: Hack
  References:
  • Our Road Ahead by Merlin Lab
  • Merlin Labs – REKT 2 by rekt
• Project: BurgerSwap
  Date: 2021-05-27
  Summary: Reentry vulnerability
  Impact: $7.2M
  Type: Hack
  References:
  • BurgerSwap – REKT by rekt
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by Hayden Adams (@haydenzadams)
  • Exploit Analysis by PeckShield
• Project: Wild Credit
  Date: 2021-05-27
  Summary: Contract reinitialized
  Impact: $700K
  Type: Hack
  References:
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by Anish Agnihortri (@_anishagnihotri)
• Project: JulSwap
  Date: 2021-05-27
  Summary: Price manipulation using flashloans
  Impact: $700K
  Type: Hack
  References:
  • Flash Loan Farming / JULb / BNB by JustLiquidity (JulSwap)
  • JulSwap V2 Upgrading Its Oracle Mechanism to Chainlink by JustLiquidity (JulSwap)
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by PeckShield
  • Exploit Analysis by WatchPug
• Project: Belt Finance
  Date: 2021-05-29
  Summary: Price manipulation using flashloans
  Impact: $6.2M
  Type: Hack
  References:
  • May 29 Incident Report by Belt Finance
  • Exploit Analysis by Igor Igamberdiev (@FrankResearcher)
  • Exploit Analysis by PeckShield
  • Exploit Analysis by Mudit Gupta (@Mudit_Gupta)
  • Exploit Analysis by Christoph Michel (@cmichelio)
  • Belt Finance Attack Event Analysis by Knownsec Blockchain Lab
  • Belt – REKT by rekt