Inventory: Hacker Attacks, Vulnerability Exploits, and Theft Incidents in the Cryptocurrency Sector in 2020

Unlike previous years, the major cryptocurrency news in 2020 was not about large exchanges being hacked and millions of dollars worth of Bitcoin being stolen. However, there were still quite a few hacking incidents, most of which originated from the emerging decentralized finance (DeFi) sector.

DeFi was one of the main driving forces behind the momentum of the crypto market in 2020, and there are good reasons why DeFi has continued to attract scammers and hackers. A large number of unaudited smart contracts combined with cloned code have made it easy for hackers to exploit, often resulting in millions of dollars in digital assets being stolen.

A report from CipherTrace in November stated that all thefts and hacks that occurred in the first half of 2020 resulted in losses of over $50 million, with DeFi accounting for 45% of these incidents. The report noted that this proportion rose to 50% in the second half of the year. In an interview with Cointelegraph, CipherTrace CEO Dave Jevans warned that DeFi could face regulatory crackdowns: "DeFi hacking incidents now account for more than half of all cryptocurrency hacking incidents in 2020, and this trend is attracting the attention of regulators."

He added that regulators are more concerned about the lack of anti-money laundering compliance: "The $280 million stolen from KuCoin was the largest hack of 2020, and the hackers used DeFi protocols to launder the money." Jevans also believes that in 2021, regulators may clearly define what actions DeFi protocols must take to avoid the consequences of failing to comply with anti-money laundering regulations, being attacked, and potential sanctions.

Hacks on Exchanges in 2020

The KuCoin hack occurred at the end of September, when the exchange's CEO Johnny Lyu confirmed that hackers had breached the exchange's Bitcoin, Ethereum, and ERC-20 hot wallets following a private key leak.

KuCoin stated in early October that it had identified the suspects and had officially involved law enforcement in the investigation. By mid-November, the exchange claimed it had recovered 84% of the stolen cryptocurrency and had restored full services for most of the tradable assets.

Other exchanges were also hacked this year, but the KuCoin hack was the largest. In February, the Italian exchange Altsbit lost nearly all its funds in a $70,000 hack, and several other smaller cryptocurrency exchanges also suffered breaches. In October 2020, up to 75 centralized cryptocurrency exchanges closed for various reasons, with hacking being one of them.

Hacks and Exploits in DeFi in 2020

With billions of dollars poured into DeFi protocols and liquidity mining, DeFi became a hotbed for hackers. The first major hacking incident of 2020 occurred on the DeFi lending platform bZx, which suffered two flash loan attacks in February, resulting in nearly $1 million in user funds being lost. A flash loan refers to borrowing and repaying cryptocurrency collateral within the same transaction.

bZx halted operations to prevent further losses, but this sparked a wave of criticism from observers in the crypto industry, who claimed that bZx was ultimately a centralized platform and that it could be the "end of DeFi."

The market crashed in March, leading to mass liquidations of collateral, particularly Maker's MKR token, but these were not hacking incidents. In the following month, a hacker exploited a reentrancy method using the ERC-777 token standard to attack imBTC, which is pegged to Bitcoin. The hacker stole all assets from the Uniswap liquidity pool, estimated at $300,000 at the time.

In April, a hacker exploited the same vulnerability to steal all liquidity from the lending platform dForce. This hacker continuously increased their ability to borrow other assets and escaped with around $25 million.

In June, a vulnerability in Bancor's smart contracts led to the loss of up to $460,000 in tokens. This DeFi automated market maker stated that it had deployed a new version of the smart contract that fixed the vulnerability.

Balancer was the next DeFi protocol to be exploited, with hackers using a carefully orchestrated arbitrage attack to steal $500,000 worth of WETH from its liquidity pool. In an attack on a vulnerability, the hacker executed a series of flash loans and arbitrage token swaps, while the Balancer team was apparently already aware of the vulnerability.

Rather than a hacking incident, it was another vulnerability, but bZx made headlines again in July due to suspicious token sales, which were manipulated by bots placing buy orders in the same block generated by the marked tokens. These hackers stole nearly $500,000 in profits resulting from the token price surge.

In August, the DeFi options protocol Opyn became the next victim, with hackers using its ETH put option contracts to steal over $370,000 in funds. The vulnerability allowed attackers to double-exercise the Ethereum put option oToken and steal the staked ETH. Opyn recovered about 440,000 USDC from the treasury through white-hat hackers and returned them to the put option sellers.

Similarly, it was not a direct hacking incident, but a code flaw in the unaudited Yam Finance smart contract affected the reset of the governance token YFI, leading to a price crash in YFI in mid-August. The Yam Finance protocol was forced to call on DeFi whales to vote to restart version 2 for rescue.

The Rise of SushiSwap

At the end of August, the legend of SushiSwap began, giving rise to "vampire mining" and "rug pulls." The anonymous founder of SushiSwap, "Chef Nomi," sold $8 million worth of SUSHI tokens, causing the price of SUSHI to plummet. A few days later, FTX CEO Sam Bankman-Fried rescued the protocol by taking control through a multi-signature smart contract that was handed over to him by a DeFi whale alliance. Ultimately, all funds were returned to the developer fund of the protocol.

During the altcoin boom in 2017, rug pulls continued to launch a series of DeFi clone coins like Pizza and Hotdog. The prices of these tokens soared and plummeted dramatically within hours, sometimes even minutes.

In mid-October, traders rushed to send funds to an unaudited and unreleased smart contract from Yearn Finance founder Andre Cronje. Just hours after Cronje posted a teaser about a new "game multiverse" on Twitter, the smart contract Eminence Finance was hacked, resulting in a loss of $15 million. The hacker returned about $8 million but kept the remaining funds, prompting disgruntled traders to file a lawsuit against the Yearn team for their lost funds.

At the end of October, a complex flash loan arbitrage attack on the Harvest Finance protocol resulted in a loss of about $24 million in stablecoins within seven minutes. This attack sparked a debate over whether these exploitations of system design could be considered hacking.

November was particularly painful for Akropolis, as hackers stole $2 million worth of DAI stablecoins, forcing Akropolis to "pause the protocol." The Value DeFi protocol lost $6 million in a common flash loan attack, the stablecoin project Origin Dollar lost $7 million, and Pickle Finance lost $20 million worth of DAI in a complex exploit.

A personal attack in mid-December broke the pattern of exploiting protocol system vulnerabilities. Hugh Karp, the founder of the DeFi insurance protocol Nexus Mutual, lost $8 million from his MetaMask wallet when a hacker successfully compromised his computer and forged a transaction. These types of attacks are usually less common as they involve some degree of social engineering.

So far, the last reported flash loan attack this year occurred on December 18, when Warp Finance was hacked, resulting in a loss of $8 million.

Many retail traders and investors also fell victim to phishing scams, and in 2020, around 272,000 Ledger buyers had their personal information compromised after a hack, making Ledger hardware wallet owners targets as well.

Resistance to DeFi Development

In 2020, most smart contract and flash loan vulnerabilities will suppress the development of DeFi. Newer, smarter DeFi protocols may emerge next year, but as always, scammers, hackers, and cybercriminals will also enhance their attack capabilities.

A deep dive into the current DeFi world requires a great deal of vigilance and attention, but it has come a long way in such a short time, and the future landscape of decentralized finance is continuously evolving.