The biggest security breaches of 2021 The biggest security breaches of 2021
When the safety of a DeFi protocol is concerned, it is good to use other tried and tested projects’ codebase.
4 min read
Updated: Jan. 21, 2022 at 1:27 pm UTC
Cover art/illustration via CryptoSlate. Image includes combined content which may include AI-generated content.
According to on-chain analytics firm Chainalysis, the volume of criminal cryptocurrency transactions in 2021 peaked at a new all-time high – $14 billion. However, despite the rise in criminal transfer volume, its relative share to the entire cryptocurrency transaction volume of 2021 was the lowest of all time. These statistics show that the expansion of the cryptocurrency sphere is by far outpacing cybercrime associated with cryptocurrencies, it also shows that security in the industry is also catching up with the demand.
The most lucrative cyberattacks of 2021
Even though there was a drop-off in the share of crime-associated transaction volume in the cryptocurrency space in 2021, there were several instances that raised some eyebrows. Here I will go through some of the most eye-catching ones.
1. Poly Network – $611 million
The Poly Network hack happened on 10 August 2021 and resulted in the theft of around $611 million worth of digital assets stolen on three blockchains: Ethereum, BSC and Polygon. The conspicuous detail was that the hacker returned the entire sum he had stolen, explaining his move as an attempt to point out the vulnerabilities in the Poly Network protocol that did not seek profit.
Poly Network is a cross-chain network that allows users to perform cross-blockchain operations in a decentralized way. For example, transferring funds from one blockchain to another. For doing this, a large amount of liquidity is needed to be in the protocol. In Poly Network, this liquidity is controlled by special smart contracts.
The contracts exploited were EthCrossChainManager and EthCrossChainData. EthCrossChainData is owned by EthCrossChainManager and stores a list of public keys who can control this liquidity (keepers).
The attacker exploited a vulnerability in the EthCrossChainManager contract and could trick it to replace the contract’s keepers for the attacker’s ones. Then the attacker cyphoned the liquidity from the Poly Network protocol, having gained full control over the protocol’s operations.
2. Bitmart – $196 million
On 4 December 2021, the centralised cryptocurrency exchange Bitmart got attacked, with $200 million worth of crypto assets being stolen from its hot wallet. The attackers stole the private keys to the exchange’s hot wallets.
The Bitmart exchange claimed that it had lost $150 million, but the blockchain cybersecurity firm Peckshield later came out with a claim that $196 million had been stolen from the Ethereum and Binance Smart Chain blockchains in more than 20 cryptocurrencies and tokens. They also showed the path in graphics that the stolen assets had travelled except for the final destination. First, the attacker swapped the stolen assets for Ether using the DEX aggregator 1inch and then washed the Ether using a privacy mixer Tornado Cash. After that the trace goes blank.
This cyberattack showed once again the vulnerability of storing private keys to multiple addresses with huge sums on a single server. This exposed all of the exchange’s hot wallets at once.
3. Cream Finance – $130 million
In the Cream Finance cyberattack that took place in December 2021, a hacker or two hackers used multiple protocols – MakerDAO, AAVE, Curve, Yearn.finance – to pull off a heist from Cream Finance worth $130 million worth of tokens and cryptocurrencies.
The evidence suggests there might have been two attackers, I am going to assume so. There were two addresses used in the attack: address A and address B. First address A loaned out $500 million worth of DAI from MakerDAO and, having dragged that liquidity through Curve and Year.finance, used them to mint 500 million cryUSD on Cream Finance. At the same time, address A increased the liquidity in Yearn.finance’s yUSD Vault to 511 million yUSDTVault.
Then address B flash borrowed $2 billion in Ether from AAVE, minted $2 billion worth of cEther by depositing the borrowed $2 billion ETH into Cream. Then address B used it to take out 1 billion yUSDVault and redeemed them for 1 billion cryUSD and transferred them to address A. Thus, address A got 1.5 billion cryUSD.
After that address A bought 3 million DUSD from Curve and redeemed them all for yUSDVault, thus obtaining 503 million yUSDVault on its balance. Then address A redeemed 503 million yUSDVault for the underlying yUSD token and brought the total supply of yUSDVault to 8 million.
Then address A transferred 8 million yUSD into the Yearn.finance yUSD vault and doubled the vault’s valuation. This made Cream’s PriceOracleProxy’s double the valuation of cryUSD as it determines the price of cryUSD based on (valuation of yUSD Yearn Vault) / (the total supply of yUSDVault), i.e. $16 million / 8 million yUSDVault. Therefore, Cream perceived that address A had $3 billion in cryUSD.
This mistake eventually cost Cream Finance. The hackers were able to return the flash loan with the excess liquidity they produced and pocket the entire liquidity ($130 million) that was locked in Cream Finance using the $1 billion in cryUSD they got left.
The most popular types of attacks in 2021
Speaking of attacks on smart contracts, the most popular type of attack was the flash loan attack like the one described above. According to The Block Crypto, out of the 70 DeFi attacks in 2021, 34 used flash loans, the December Cream Finance heist being the pinnacle in terms of the stolen amount. The quintessential trait of these attacks is the use of multiple protocols. On their own, they might be secure, but when it comes to using a string of them, vulnerabilities can be found.
Another type of attack on smart contracts that can be classed as a classic DeFi attack is the reentrancy attack. A reentrancy attack can happen if the function that calls an external contract does not update the address balance before it makes another call to that contract. In this case, the external contract can withdraw funds recursively because the address balance in the target contract is not updated after every withdrawal. And these recursive calls can continue until the contract’s balance is depleted.
And the third common type of attacks in 2021 was attacks on centralised exchanges by way of stealing the private key to the hot wallet of exchanges. This is a very old way of cyber attacks in the history of cryptocurrencies, but it does not become too old.
How to protect your funds in the cryptocurrency space?
When it comes to an individual user’s funds, it is good to do due diligence of the platform you want to deposit your funds to: look at the site, look at the socials of the team members, have a look at the White Paper and the technical audit. Also, it will be good to use the functionality in cryptocurrency wallets that allow whitelisting the contracts that the user regularly uses, it exists in the Metamask wallet and in dedicated online services for safe cryptocurrency keeping Unrekt and Debank. If a transfer to an unfamiliar contract has been approved, they will highlight such a contract.
When the safety of a DeFi protocol is concerned, it is good to use other tried and tested projects’ codebase. But the founder should still sanction at least one technical audit of the smart contracts of the project. This is especially important with protocols deployed on multiple blockchains and interacting with other protocols. They require especially rigorous scrutiny during audits.
Posted In: Guest Post, Hacks
