
DeFi Security Vulnerabilities and Exploits 2021

Despite their obvious advantages, DeFi platforms seem to face cyber attacks over and over again.

Although DeFi was one of the key drivers of the digital currency market's traction in the past year, the decentralized finance space is still immature. Add that the crypto and DeFi ecosystem is full of large-scale scammers and hackers and you have a recipe for disaster. The cybersecurity of decentralized exchanges (DEXs), which you can launch in an hour, is still weak and vulnerable to attackers and exploits, and it does major harm to venture capitalists and crowdpooling projects. Because non-technical anonymous founders can clone projects on demand, security audits are often lacking, which creates fertile ground for clever hackers. Here are some of 2021’s hacks and exploits.

  • Project: yCredit Finance
    Date: 2021-01-01
    Summary: Minting vulnerability exploited
    Impact: $11M lost
    Type: Hack
    References:
  • Project: Saddle Finance
    Date: 2021-01-19
    Summary: Price arbitrage due to high slippage.
    Impact: 7.9 BTC ($275K) lost
    Type: Hack
    References:
    • Saddle Finance – REKT by rekt
    • 2021-1 Saddle Finance Arbitrage by Origin Protocol
  • Project: SushiSwap
    Date: 2021-01-19
    Summary: Misconfiguration exploited to manipulate DIGG-WETH price.
    Impact: 81 ETH ($100K) attacker profit
    Type: Hack
    References:
    • SushiSwap was attacked for the second time by SlowMist
    • Badgers DIGG SUSHI by rekt
    • Replaying Ethereum Hacks – Sushiswap BadgerDAO’s Digg by cmichel
  • Project: Yearn
    Date: 2021-02-04
    Summary: Yearn V1 yDAI vault exploited.
    Impact: $11M lost
    Type: Hack
    References:
    • Vulnerability disclosure 2021-02-04 by Yearn Security
    • The yDAI Incident Analysis: Forced Investment by PeckShield
    • A brief analysis of yearn finance being hacked by SlowMist
    • Inside the Yearn v1 yDAI Hack (Feb 2021) by Halborn
    • Yearn – REKT by rekt
    • Yearn Exploit by Origin Protocol
    • Attacker TX on Etherscan
    • Tether Freezes $1.7 Million in Profits From Yearn Finance Hack by Robert Stevens (Decrypt)
  • Project: Growth DeFi
    Date: 2021-02-09
    Summary: rAAVE pool exploited by forcing an LP with a fake token.
    Impact: $1.3M (ETH) stolen.
    Type: Hack
    References:
    • rAAVE Farming Contract Exploit explained by Growth DeFi
    • The Big Combo (Growth DeFi – REKT) by rekt
    • Growth DeFi Exploit by Origin Protocol
  • Project: BT Finance
    Date: 2021-02-09
    Summary: Exploit similar to Yearn hack.
    Impact: $1.7M stolen.
    Type: Hack
    References:
    • BT.Finance Exploit analysis report by BT Finance
    • BT.Finance Exploit by Origin Protocol
  • Project: Alpha Homora
    Date: 2021-02-12
    Summary: Smart contract exploited.
    Impact: $38M (USDC, DAI, USDT, WETH) stolen.
    Type: Hack
    References:
    • Alpha Homora V2 Post Mortem by Alpha Homora
    • Alpha Finance – REKT by rekt
  • Project: CryptoPunks
    Date: 2021-02-24
    Summary: Auction was front-run using flash loans.
    Impact: Punk #1737 won for 1 Wei.
    Type: Hack
    References:
    • Announcement Tweet
  • Project: Furucombo
    Date: 2021-02-27
    Summary: Exploited by tricking it into using a fake AAVE implementation.
    Impact: $15M stolen.
    Type: Hack
    References:
    • Furucombo Post-Mortem March 2021 by Furucombo
    • Analysis of the Furucombo Hack by SlowMist
    • Furucombo – REKT by rekt
    • Furucombo exploit internals by Kurt Barry
    • Replaying Ethereum Hacks – Furucombo by Cmichel
    • 2021-2-27 Furucombo Attack by Origin Protocol
  • Project: Yield Finance
    Date: 2021-02-27
    Summary: Whitehat hack, $166K DAI lost and later recovered.
    Impact: N/A.
    Type: Hack
    References:
    • Announcement Tweet
  • Project: Zerion
    Date: 2021-03-04
    Summary: Tricked into listing a malicious Balancer clone.
    Impact: $30K
    Type: Hack
    References:
    • Post mortem on Zerion’s asset phishing attack by Evgeny Yurtaev
  • Project: PAID Network
    Date: 2021-03-05
    Summary: Private keys compromised
    Impact: $160M (PAID) minted and sold.
    Type: Hack
    References:
    • PAID Network Attack Postmortem, March 7, 2021 by PAID
    • Analysis of Paid Network’s Hacked Event by SlowMist
  • Project: Kava
    Date: 2021-03-05
    Summary: Flaw in accounting logic exploited.
    Impact: No funds were lost.
    Type: Hack
    References:
    • Kava 5 Launch Post-Mortem by Kava
  • Project: DODO
    Date: 2021-03-09
    Summary: The initialization function was left callable.
    Impact: $3.8M lost
    Type: Hack
    References:
    • DODO Pool Incident Postmortem: With a Little Help from Our Friends by DODO Breeder
    • DODO – REKT by rekt
  • Project: True Seigniorage Dollar
    Date: 2021-03-13
    Summary: Upgrade forced by taking over DAO.
    Impact: 11.8B TSD minted and sold
    Type: Hack
    References:
    • Announcement Tweet
  • Project: Roll
    Date: 2021-03-14
    Summary: Private keys compromised.
    Impact: $5.7M lost
    Type: Hack
    References:
    • Roll – REKT by rekt
    • A $5.7 Million Crypto Heist Sent Social Tokens into Free Fall by Tim Hakki (Decrypt)
  • Project: Cream Finance
    Date: 2021-03-15
    Summary: DApp attacked by hijacking DNS
    Impact: Unknown
    Type: Hack
    References:
    • Announcement Tweet
    • Postmortem Report of DNS Hijacking by CREAM
  • Project: PancakeSwap Finance
    Date: 2021-03-15
    Summary: DApp attacked by hijacking DNS
    Impact: Unknown
    Type: Hack
    References:
    • Announcement Tweet
  • Project: Nifty Gateway
    Date: 2021-03-15
    Summary: Account hijacking
    Impact: NFTs stolen
    Type: Hack
    References:
    • Announcement Tweet
  • Project: Iron Finance
    Date: 2021-03-16
    Summary: vFarm reward misconfiguration
    Impact: 170K SIL lost
    Type: Hack
    References:
    • Iron Finance vFarms incident Post-mortem (16 March 2021) by Iron Finance
  • Project: SIL Finance
    Date: 2021-03-18
    Summary: Contract permissions exploited.
    Impact: $12.1M lost and later returned
    Type: Hack
    References:
    • Follow Up on the Service Outage & All Funds Are SAFU by SIL finance
  • Project: Uniswap Info
    Date: 2021-03-30
    Summary: Transaction volume spam by Delta Finance.
    Impact: N/A
    Type: Hack
    References:
    • $11 Billion in ‘Fake’ Uniswap Volume Causes DeFi Project and DEX to Clash by Jeff Benson (Decrypt)
    • Exploit analysis by Igor Igamberdiev
  • Project: ForceDAO
    Date: 2021-04-04
    Summary: Insufficient validation on the deposit function.
    Impact: $367K stolen. Whitehat saved $9.6M
    Type: Hack
    References:
    • xFORCE Exploit Post Mortem by ForceDAO
    • Exploit analysis by Igor Igamberdiev
  • Project: Polkatrain
    Date: 2021-04-04
    Summary: Rebate mechanism exploited.
    Impact: $3M (57K DOT) stolen
    Type: Hack
    References:
    • The response for hacker attack incident from Polkatrain team by Polkatrain
  • Project: Uranium Finance
    Date: 2021-04-07
    Summary: Logic bug exploited.
    Impact: $1.5M stolen
    Type: Hack
    References:
    • Uranium : post-mortem, v2, compensations by Uranium Finance
    • Exploit analysis by @ret2jazzy
  • Project: PancakeSwap Lottery
    Date: 2021-04-12
    Summary: Lottery exploited by the administrator.
    Impact: $1.8M stolen
    Type: Hack
    References:
  • Project: Uranium Finance
    Date: 2021-04-27
    Summary: Logic bug exploited.
    Impact: $51M stolen
    Type: Hack
    References:
  • Project: Spartan Protocol
    Date: 2021-05-02
    Summary: Logic bug exploited.
    Impact: $30M stolen
    Type: Hack
    References:
  • Project: Value DeFi
    Date: 2021-05-06
    Summary: Reinitialized pool.
    Impact: $10M stolen
    Type: Hack
    References:
  • Project: Value DeFi
    Date: 2021-05-08
    Summary: Incorrect use of exponents.
    Impact: $11M stolen
    Type: Hack
    References:
  • Project: Meebits
    Date: 2021-05-08
    Summary: Flawed NFT generation.
    Impact: Rare $700K NFT generated
    Type: Hack
    References:
  • Project: Rari Capital
    Date: 2021-05-08
    Summary: Composability vulnerability.
    Impact: $10M stolen
    Type: Hack
    References:
  • Project: xToken Market
    Date: 2021-05-14
    Summary: Incorrect price calculation.
    Impact: $25.5M
    Type: Hack
    References:
  • Project: Vault.sx
    Date: 2021-05-14
    Summary: Reentrancy exploit.
    Impact: $13.5M
    Type: Hack
    References:
  • Project: Bearn Finance
    Date: 2021-05-16
    Summary: Withdrawal logic vulnerability.
    Impact: $11M
    Type: Hack
    References:
  • Project: Venus Protocol
    Date: 2021-05-18
    Summary: Price manipulation
    Impact: $200M+ liquidated, $100M+ debt
    Type: Hack
    References:
  • Project: Pancake Bunny
    Date: 2021-05-19
    Summary: Minting vulnerability exploited
    Impact: 114,631 BNB ($41.8M), 697,245 BUNNY ($8M); 6.97M BUNNY minted and sold, token price collapsed
    Type: Hack
    References:
  • Project: Bogged Finance
    Date: 2021-05-22
    Summary: Minting vulnerability
    Impact: $3.6M
    Type: Hack
    References:
  • Project: AutoShark Finance
    Date: 2021-05-24
    Summary: Minting vulnerability exploited
    Impact: $750K (2.2K WBNB)
    Type: Hack
    References:
  • Project: Merlin
    Date: 2021-05-26
    Summary: Minting vulnerability exploited
    Impact: $680K
    Type: Hack
    References:
  • Project: Merlin
    Date: 2021-05-26
    Summary: Price calculation error
    Impact: $540K
    Type: Hack
    References:
  • Project: BurgerSwap
    Date: 2021-05-27
    Summary: Reentry vulnerability
    Impact: $7.2M
    Type: Hack
    References:
  • Project: Wild Credit
    Date: 2021-05-27
    Summary: Contract reinitialized
    Impact: $700K
    Type: Hack
    References:
  • Project: JulSwap
    Date: 2021-05-27
    Summary: Price manipulation using flashloans
    Impact: $700K
    Type: Hack
    References:
  • Project: Belt Finance
    Date: 2021-05-29
    Summary: Price manipulation using flashloans
    Impact: $6.2M
    Type: Hack
    References:
