Crypto assets stolen in 2022 are likely to exceed 2021's $3.2 billion in stolen funds, according to the crypto security firm Chainalysis.
Image Source: Chainalysis.
Security breaches and code exploits are the main avenues for attackers trying to steal cryptocurrency, and DeFi protocols have become irresistible targets.
In 2022 in particular, cross-chain bridges have become the newest hack trend, accounting for 64% of the funds stolen this year.
Let's examine what went wrong behind the largest crypto hacks of 2022 and get a taste of how to approach web3 security.
Unfolding 2022's Biggest Hacks
Axie Infinity Ronin Bridge
Stolen Funds: $624,000,000
The Ronin network ran on a Proof-of-Authority model with nine validator nodes, five of which had to approve a transaction for it to pass through the bridge. Four of the validator nodes were run by Sky Mavis's internal team, so only one more signature was needed to validate a transaction.
In the Ronin exploit, the attacker gained access to the fifth validator node by leveraging an RPC node. This gas-free RPC node had been set up a year earlier to reduce costs for users during heavy network traffic.
Having compromised the nodes, the attacker made withdrawals in two transactions from the Ronin bridge contract: 173,600 ETH in the first and 25.5M USDC in the second. The largest fund theft in crypto history was identified only six days after the hack occurred.
BNB Bridge
Stolen Funds: $586,000,000
The BNB bridge connects the old Binance Beacon chain and the Binance Smart chain. The attacker exploited a vulnerability to mint two batches of 1M BNB each, a total of 2M BNB worth around $586M at the time of the hack.
Here's how the attack unfolded.
The attacker presented a forged proof of deposits on the Binance Beacon chain. The bridge relied on a vulnerable IAVL proof verification routine, which accepted the forged proof and let the withdrawal proceed.
The attacker then moved the funds to their own wallet by depositing the BNB as collateral on the Venus protocol, a BSC lending platform, rather than dumping the BNB directly.
Wormhole
Stolen Funds: $326,000,000
Wormhole, the bridge between Ethereum and Solana, lost 120,000 wrapped Ether, worth $321 million at the time, to a code exploit.
The hack took place on Solana: the attacker manipulated the bridge into believing that 120k ETH had been submitted on the Ethereum chain, and could therefore mint the equivalent 120k wETH on Solana.
The attacker used the 'SignatureSet' of a previous transaction to bypass the verification mechanism of the Wormhole bridge and leveraged the 'Verify-signatures' function in the main bridge contract. The discrepancy between 'solana_program::sysvar::instructions' and 'solana_program' was exploited to get an address holding only 0.1 ETH accepted by the verification.
Through this and a subsequent code exploit, the attacker fraudulently minted 120k whETH on Solana.
Nomad Bridge
Stolen Funds: $190,000,000
The Nomad bridge suffered a fatal blow when it became a juicy target that anyone could join in attacking.
During a routine upgrade, the bridge's Replica contract was initialised with a coding flaw that severely impacted the assets: the address 0x00 was set as a trusted root, which meant all messages were treated as valid by default.
The original attacker's exploit transaction failed on the first attempt. However, the transaction was copied by subsequent attackers, who called the process() function directly, since message validity was already marked as 'proved.'
After the upgrade, a 'messages' value of 0 (unproven) was read as the root 0x00 and therefore passed validation as 'proven.' This meant any call to process() was accepted as valid.
So attackers were able to take funds simply by copying and pasting the same process() call and replacing the previous exploiter's address with their own.
This free-for-all drained $190M in liquidity from the bridge.
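The "unproven reads as 0x00" flaw described above is easy to reproduce in a small model. The code below is an added example written for this article, not Nomad's contract: a toy Replica keeps `messages` (message hash to the root it was proven against) and `confirm_at` (root to the time from which it is accepted), mirroring the shape of the logic in the text. Because an unproven message has no entry and reads back as the zero root, marking the zero root as trusted makes every message processable. The hardened variant refuses the zero root at initialisation and treats "proven" as an explicit state rather than the absence of a default. All hashes and timestamps are constructed.

```python
from __future__ import annotations

ZERO_ROOT = "0x" + "00" * 32  # bytes32(0): what an unset mapping slot reads back as


class Replica:
    """Toy model of a message-replica contract (constructed for this example).

    messages   maps a message hash to the Merkle root it was proven against;
               an unproven message has no entry, so it reads back as the zero root.
    confirm_at maps a root to the time from which it is accepted (0 = never).
    """

    def __init__(self, trusted_root: str, now: int) -> None:
        self.now = now
        self.confirm_at: dict[str, int] = {trusted_root: now}
        self.messages: dict[str, str] = {}
        self.processed: set[str] = set()

    def acceptable_root(self, root: str) -> bool:
        confirm = self.confirm_at.get(root, 0)
        return confirm != 0 and confirm <= self.now

    def prove(self, msg_hash: str, root: str) -> None:
        # A real contract verifies a Merkle proof here; the example assumes it passed.
        self.messages[msg_hash] = root

    def process(self, msg_hash: str) -> bool:
        """Buggy check: 'is the root this message was proven against acceptable?'

        For a message that was never proven, messages[msg_hash] is the zero root,
        so if the zero root was ever marked acceptable the message goes through.
        """
        if msg_hash in self.processed:
            return False
        root = self.messages.get(msg_hash, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(msg_hash)
        return True


class HardenedReplica(Replica):
    """Same contract with the two checks that close the hole."""

    def __init__(self, trusted_root: str, now: int) -> None:
        if trusted_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        super().__init__(trusted_root, now)

    def process(self, msg_hash: str) -> bool:
        # 'proven' is an explicit state, not the absence of a default value.
        if self.messages.get(msg_hash, ZERO_ROOT) == ZERO_ROOT:
            return False
        return super().process(msg_hash)


def demo() -> dict[str, bool]:
    good_root = "0x" + "ab" * 32          # constructed root
    unproven = "0x" + "11" * 32           # a message hash nobody ever proved
    results = {}
    sane = Replica(trusted_root=good_root, now=1_000)
    results["sane_rejects_unproven"] = not sane.process(unproven)
    # The upgrade mistake: the trusted root is initialised to bytes32(0).
    broken = Replica(trusted_root=ZERO_ROOT, now=1_000)
    results["broken_accepts_unproven"] = broken.process(unproven)
    results["broken_accepts_copycat"] = broken.process("0x" + "22" * 32)
    return results


if __name__ == "__main__":
    print(demo())
```

The review lesson is that initialisation parameters deserve the same scrutiny as business logic: a zero-value check on every trusted root and an explicit "proven" state would each have stopped the copy-and-paste wave on their own.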
Beanstalk
Stolen Funds: $181,000,000
This was a governance attack that let the attacker walk away with $181M.
The attacker took out a flash loan large enough to carry the vote and push through a malicious proposal.
The attack flow is as follows.
The attacker acquired the voting power with a flash loan and immediately executed a malicious emergency governance proposal. The absence of a delay between a proposal passing and its execution worked in the attacker's favour.
The attacker made two proposals: the first transferred the funds held in the contract to themselves, and the second transferred $250k worth of $BEAN to the Ukraine donation address.
The stolen funds were used to repay the loan, and the remainder was sent to Tornado Cash.
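The flash-loan governance problem comes down to one question: at what moment is a voter's weight measured? The example below is added for this article and is not Beanstalk's code; the DAO names, balances, the two-thirds supermajority and the one-million-unit treasury are all constructed. In the weak setting voting weight is read from live balances and the emergency path executes immediately, so borrowing, proposing, voting, executing and repaying all fit in one transaction. In the hardened setting weight is taken from balances as of the previous block, which a flash loan that must be repaid within the same transaction can never influence.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proposal:
    proposer: str
    votes_for: int = 0
    executed: bool = False


class Governance:
    """Toy token-weighted governance with an emergency-execute path (constructed
    for this example; names and thresholds are assumptions, not any real DAO's)."""

    def __init__(self, balances: dict[str, int], snapshot_votes: bool) -> None:
        self.balances = dict(balances)          # live token balances
        self.prior_balances = dict(balances)    # balances as of the previous block
        self.total_supply = sum(balances.values())
        self.snapshot_votes = snapshot_votes
        self.treasury = 1_000_000
        self.drained_to: Optional[str] = None
        self.proposals: list[Proposal] = []

    def new_block(self) -> None:
        """Advance one block: live balances become the snapshot voters are weighed by."""
        self.prior_balances = dict(self.balances)

    def propose(self, proposer: str) -> int:
        self.proposals.append(Proposal(proposer))
        return len(self.proposals) - 1

    def vote(self, pid: int, voter: str) -> None:
        # Weak setting: weight = live balance, which a flash loan inflates for one tx.
        # Hardened setting: weight = balance at the previous block, so tokens borrowed
        # and repaid within the same transaction never count.
        weights = self.prior_balances if self.snapshot_votes else self.balances
        self.proposals[pid].votes_for += weights.get(voter, 0)

    def emergency_execute(self, pid: int) -> bool:
        """Execute at once when a two-thirds supermajority is reached: no delay."""
        p = self.proposals[pid]
        if p.executed or p.votes_for * 3 < self.total_supply * 2:
            return False
        p.executed = True
        self.drained_to, self.treasury = p.proposer, 0
        return True


def flash_loan_attack(gov: Governance, attacker: str, lender: str, loan: int) -> bool:
    """One transaction: borrow, propose, vote, execute, repay. No block boundary."""
    gov.balances[lender] -= loan
    gov.balances[attacker] = gov.balances.get(attacker, 0) + loan
    pid = gov.propose(attacker)
    gov.vote(pid, attacker)
    drained = gov.emergency_execute(pid)
    gov.balances[attacker] -= loan          # repay before the transaction ends
    gov.balances[lender] += loan
    return drained


if __name__ == "__main__":
    holders = {"lender": 700, "alice": 200, "bob": 100}   # constructed balances
    for snapshot in (False, True):
        gov = Governance(holders, snapshot_votes=snapshot)
        print("snapshot votes:", snapshot, "-> treasury drained:",
              flash_loan_attack(gov, "mallory", "lender", 700))
```

A timelock between passing and execution only helps if the votes are also anchored to a past snapshot (or re-tallied at execution against held balances); a delay on its own with live-balance voting still lets a flash-loaned vote stand once the loan is repaid.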
Wintermute
Stolen Funds: $162,300,000
A hot wallet compromise resulted in a $160M loss for Wintermute.
The Profanity tool used to generate vanity addresses had a vulnerability. Both Wintermute's hot wallet and its DeFi vault contract had vanity addresses. The weakness in Profanity led to the compromise of the hot wallet's private keys, followed by the theft of funds.
Mango Markets
Stolen Funds: $115,000,000
Mango Markets fell to a price manipulation attack, losing nine figures in the process.
How did it happen?
The attacker deposited over $5M into Mango Markets and, from a second account, traded against their own position. This spiked the price of the MNGO token from $0.03 to $0.91.
The attacker then used the inflated position as collateral and drained funds from the liquidity pools. In short, pumping the token price led to the collapse of the protocol.
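The lesson from the Mango incident is about how collateral is valued. The example below is added here and is not Mango's code: it keeps a rolling price history and compares credit extended against the last trade price (which one account trading against itself can set for a moment) with credit extended against a time-weighted average price plus a deviation circuit breaker. The 60-sample window, the 50% loan-to-value ratio, the 20% deviation limit and the one-million-unit collateral position are constructed; the $0.03 and $0.91 prices are the ones the text reports.

```python
from __future__ import annotations
from collections import deque


class PriceFeed:
    """Rolling price history for one market (constructed for this example)."""

    def __init__(self, window: int) -> None:
        self.samples: deque[float] = deque(maxlen=window)

    def push(self, price: float) -> None:
        self.samples.append(price)

    def spot(self) -> float:
        return self.samples[-1]

    def twap(self) -> float:
        """Time-weighted average over the window (equally spaced samples assumed)."""
        return sum(self.samples) / len(self.samples)


def naive_borrow_limit(feed: PriceFeed, collateral_units: float, ltv: float = 0.5) -> float:
    """Weak setting: credit against the last print, whatever produced it."""
    return collateral_units * feed.spot() * ltv


def guarded_borrow_limit(feed: PriceFeed, collateral_units: float,
                         ltv: float = 0.5, max_deviation: float = 0.2) -> float:
    """Hardened setting: value collateral at the TWAP, and refuse new credit while
    the spot price is more than max_deviation away from it (a circuit breaker)."""
    spot, twap = feed.spot(), feed.twap()
    if abs(spot - twap) / twap > max_deviation:
        return 0.0
    return collateral_units * twap * ltv


def demo() -> tuple[float, float, float]:
    """Returns (guarded limit before the spike, naive limit after, guarded limit after)."""
    feed = PriceFeed(window=60)
    for _ in range(59):                 # quiet trading at $0.03 (constructed samples)
        feed.push(0.03)
    calm_limit = guarded_borrow_limit(feed, 1_000_000)
    feed.push(0.91)                     # the self-trade that spikes the last print
    return calm_limit, naive_borrow_limit(feed, 1_000_000), guarded_borrow_limit(feed, 1_000_000)


if __name__ == "__main__":
    print(demo())
```

A TWAP can still be moved by sustained trading, so the circuit breaker matters as much as the average: during the spike the guarded path extends no credit at all instead of a smaller amount.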
Harmony Bridge
Stolen Funds: $100,000,000
The Harmony bridge fell to a private key compromise, followed by a $100M loss. Let's follow the flow of the attack.
The Harmony bridge used a 2-of-5 multisig to pass transactions. The attacker gained control of two of these addresses by compromising their private keys, and with those two addresses was able to execute the transactions that drained $100M.
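Both the Ronin case above (5-of-9 validators, four of them run by one team plus a fifth reachable through an RPC node) and the Harmony case (2-of-5 multisig) share a root cause: the nominal threshold overstated how many independent parties actually had to be compromised. The example below is added for this article and is not either bridge's code. It models a threshold-signed withdrawal (HMAC-SHA256 stands in for the real signature scheme, keys are constructed) and a review helper that computes the fewest operators whose compromise reaches the threshold. The operator labels for the non-Sky-Mavis Ronin keys are placeholders.

```python
from __future__ import annotations
import hashlib
import hmac
from collections import Counter


def sign(key: bytes, withdrawal: bytes) -> bytes:
    """Validator signature; HMAC-SHA256 stands in for the bridge's real scheme."""
    return hmac.new(key, withdrawal, hashlib.sha256).digest()


def bridge_approves(withdrawal: bytes, signatures: dict[str, bytes],
                    validator_keys: dict[str, bytes], threshold: int) -> bool:
    """Release funds once `threshold` distinct registered validators have signed."""
    valid = 0
    for validator, sig in signatures.items():
        key = validator_keys.get(validator)
        if key is not None and hmac.compare_digest(sign(key, withdrawal), sig):
            valid += 1
    return valid >= threshold


def operators_to_compromise(threshold: int, key_operator: dict[str, str]) -> int:
    """Fewest independent operators whose compromise yields `threshold` keys.

    Take the operators holding the most keys first; the result is the number a
    reviewer should compare with the nominal k-of-n figure.
    """
    per_operator = sorted(Counter(key_operator.values()).values(), reverse=True)
    keys, operators = 0, 0
    for count in per_operator:
        keys += count
        operators += 1
        if keys >= threshold:
            return operators
    raise ValueError("threshold exceeds the number of registered keys")


# Constructed layouts (validator -> operator). Ronin per the text: four Sky Mavis
# keys plus a fifth reachable via the RPC node; the other labels are placeholders.
RONIN = {f"sky_mavis_{i}": "sky_mavis" for i in range(4)}
RONIN["rpc_node_validator"] = "rpc_node_operator"
RONIN.update({f"other_{i}": f"operator_{i}" for i in range(4)})
HARMONY = {f"signer_{i}": f"owner_{i}" for i in range(5)}      # 2-of-5 multisig
INDEPENDENT_9 = {f"v_{i}": f"org_{i}" for i in range(9)}        # 5-of-9, no shared operator


def demo_signing() -> tuple[bool, bool]:
    """Four Sky Mavis signatures alone fail the 5-of-9 check; adding the RPC-node
    validator's signature passes it. Keys and payload are constructed."""
    keys = {name: hashlib.sha256(name.encode()).digest() for name in RONIN}
    withdrawal = b"withdraw 1 ETH to 0xRECIPIENT_PLACEHOLDER"
    four = {n: sign(keys[n], withdrawal) for n in list(RONIN)[:4]}
    five = dict(four, rpc_node_validator=sign(keys["rpc_node_validator"], withdrawal))
    return bridge_approves(withdrawal, four, keys, 5), bridge_approves(withdrawal, five, keys, 5)


if __name__ == "__main__":
    print("Ronin 5-of-9 needs operators:", operators_to_compromise(5, RONIN))
    print("Harmony 2-of-5 needs operators:", operators_to_compromise(2, HARMONY))
    print("Independent 5-of-9 needs operators:", operators_to_compromise(5, INDEPENDENT_9))
    print(demo_signing())
```

Under this model both bridges reduce to two compromises, against five for a 5-of-9 set with genuinely independent operators. The same helper applies to any multisig or validator set: run it over the real key-to-operator map and over the systems (RPC nodes, signing services) that can act on a key's behalf.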
Rari Capital
Stolen Funds: $80,000,000
Rari uses a fork of Compound's code that does not follow the checks-effects-interactions pattern. Failing to follow that pattern opens the door to reentrancy attacks.
In this reentrancy, the attacker abused the 'call.value' and 'exitMarket' functions. The attacker took a flash loan to borrow ETH, re-entered through 'call.value', and called 'exitMarket' to withdraw the funds placed as collateral.
The attacker thus kept the funds obtained through the flash loan and also retained the collateral placed for the borrowing.
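The pattern the text names is easiest to see with the vulnerable and the fixed function side by side. The example below is added for this article and is not Rari's or Compound's code: a toy pool models the external ETH transfer as a Python callback (the role 'call.value' plays in Solidity), and the receiver re-enters 'exitMarket' while the first call is still on the stack. The unsafe version sends before zeroing the caller's collateral; the safe version applies the effect first. Balances are constructed.

```python
from __future__ import annotations
from typing import Callable


class LendingPool:
    """Toy pool holding ETH for many depositors (constructed for this example)."""

    def __init__(self, liquidity: int) -> None:
        self.liquidity = liquidity             # ETH actually held by the pool
        self.collateral: dict[str, int] = {}   # per-account collateral balance

    def deposit(self, who: str, amount: int) -> None:
        self.collateral[who] = self.collateral.get(who, 0) + amount
        self.liquidity += amount

    def exit_market_unsafe(self, who: str, receive: Callable[[int], None]) -> None:
        """Interaction before effect: the pool sends ETH (handing control to the
        receiver) while the caller's collateral is still recorded as intact."""
        amount = self.collateral.get(who, 0)          # check
        if amount == 0 or amount > self.liquidity:
            return
        self.liquidity -= amount
        receive(amount)                               # interaction (external call)
        self.collateral[who] = 0                      # effect, too late

    def exit_market_safe(self, who: str, receive: Callable[[int], None]) -> None:
        """Checks-effects-interactions: zero the balance before the external call."""
        amount = self.collateral.get(who, 0)          # check
        if amount == 0 or amount > self.liquidity:
            return
        self.collateral[who] = 0                      # effect first
        self.liquidity -= amount
        receive(amount)                               # interaction last


class Reentrant:
    """Receiver whose payable fallback calls back into the pool while the first
    call is still on the stack (what a Solidity receive() hook can do)."""

    def __init__(self, pool: LendingPool, name: str, safe: bool) -> None:
        self.pool, self.name, self.safe = pool, name, safe
        self.received = 0

    def receive(self, amount: int) -> None:
        self.received += amount
        exit_market = self.pool.exit_market_safe if self.safe else self.pool.exit_market_unsafe
        exit_market(self.name, self.receive)          # re-enter before state is updated


def run(safe: bool) -> tuple[int, int]:
    """Deposit 10 into a pool already holding 90 of other users' ETH, then exit.
    Returns (what the account received, what the pool has left)."""
    pool = LendingPool(liquidity=90)
    acct = Reentrant(pool, "mallory", safe)
    pool.deposit("mallory", 10)
    (pool.exit_market_safe if safe else pool.exit_market_unsafe)("mallory", acct.receive)
    return acct.received, pool.liquidity


if __name__ == "__main__":
    print("unsafe:", run(safe=False))   # the 10-unit depositor walks off with all 100
    print("safe:  ", run(safe=True))    # the re-entrant call finds a zero balance
```

In Solidity the same ordering rule applies, and a reentrancy guard (a mutex modifier on every state-changing entry point) is the usual belt-and-braces addition for forks where the ordering cannot be audited line by line.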
Qubit
Stolen Funds: $80,000,000
Qubit allows users to lock funds on Ethereum and borrow the equivalent on BSC. The contract's 'tokenAddress.safeTransferFrom()' call was exploited in the Qubit hack.
This allowed the attacker to borrow 77,162 qXETH on BSC without making any ETH deposit on Ethereum. Using it as collateral to borrow WETH, BTC-B, USD stablecoins and other assets, the attacker made roughly $80M in profit.
How To Play Smart With Web3 Security?
The TVL in DeFi hit its all-time high of $303M in 2021. But the ever-rising number of exploits in the DeFi space is driving TVL down in 2022, a clear warning to take Web3 security seriously.
The largest thefts from DeFi protocols were due to faulty code. Fortunately, a more rigorous approach to testing code before deployment can curb these types of attacks to a great extent.
With many new projects being built in the web3 space, QuillAudits intends to ensure maximum security for each project and to work in the best interest of securing and strengthening web3 as a whole. In that way, we've successfully secured 700+ Web3 projects and continue to extend the scope of shielding the Web3 space through a broad range of service offerings.