At least 14 DeFi projects have been attacked by hackers this month, with total losses exceeding $250 million
This article is an original piece by Chain Catcher, authored by Gu Yu and Alyson.
Since the beginning of this year, the DeFi industry has developed rapidly, with a large number of DeFi projects emerging, and the total locked amount reaching nearly $90 billion. However, due to reasons such as lax code audits for many projects, they have also become targets for numerous hackers. Particularly in May, the frequency of DeFi security incidents surged significantly.
According to statistics from Chain Catcher, a total of 27 DeFi projects have been attacked by hackers this year. At least 14 of those attacks took place this month alone, roughly one DeFi project every two days, with total losses of at least $250 million, making May the month with the highest attack frequency and the largest losses in DeFi history.
Specifically, the DeFi projects that suffered hacker attacks this month include BurgerSwap, Julswap, Merlin, AutoShark Finance, Bogged Finance, Pancake Bunny, Venus, FinNexus, bEarn Fi, EOS Nation, xToken, Rari Capital, Value DeFi, and Spartan.
Among them, flash loans were the primary method of attack, with at least 7 projects being attacked as a result; BSC was the most active platform for hackers, with at least 11 attacks occurring on the BSC public chain; the amounts involved in the attacks were generally large, with at least 7 projects suffering losses exceeding $10 million, the highest being Venus with losses exceeding $100 million.
Below is a detailed summary by Chain Catcher of the 14 DeFi project attack incidents this month:
1. BurgerSwap
Loss Amount: Approximately $7 million
Summary: On May 28, the BSC-based AMM project BurgerSwap was attacked via a flash loan, with over 432,874 BURGER stolen.
2. Julswap
Loss Amount: Unknown
Summary: On February 28, the BSC-based AMM project Julswap was attacked via a flash loan, with the token price dropping by as much as 90%.
3. Merlin
Loss Amount: Approximately $680,000
Summary: On May 26, the BSC ecosystem automatic yield aggregator Merlin was attacked by hackers. Due to a vulnerability in the getReward code, a large number of CAKE tokens were manually transferred to the Vault contract, resulting in approximately 59,000 MERL being minted and 240 ETH being obtained through sales.
Solution: The team will airdrop compensation tokens cMERL to users, and holders of this token will be able to receive BNB rewards from the compensation pool. Additionally, extra funds from the development team will be used for burning and buyback activities to restore the token price.
4. AutoShark Finance
Loss Amount: Approximately $820,000
Summary: On May 25, the BSC-based fixed-rate protocol AutoShark Finance was attacked via a flash loan. Due to incorrect LP value and fee acquisition calculations, the SharkMinter contract calculated a very large value when computing the attacker’s contribution, resulting in the minting of a large number of SHARK tokens for the attacker, causing the token price to crash from $1.2 to $0.01, with the attacker profiting approximately $820,000.
Solution: The official statement indicated that a new token JAWS will be issued to compensate affected users.
5. Bogged Finance
Loss Amount: $3 million
Summary: On May 23, the BSC-based aggregation trading platform Bogged Finance officially stated that hackers exploited a vulnerability in the BOG token contract's staking function through a flash loan attack. The hackers used Pancake Pair Swap code to extract staking rewards before contract verification was completed, resulting in the minting of over 15 million BOG tokens, most of which were originally intended for BOG stakers.
Solution: A new token will be issued, and the stolen BOG tokens will be returned to staking users.
6. Pancake Bunny
Loss Amount: Approximately $42 million
Summary: On May 20, the BSC-based DeFi yield aggregator PancakeBunny suffered a flash loan attack, losing 114,631 BNB and 697,245 BUNNY, the latter of which was heavily minted and sold off, causing the price to crash from $240 to below $2. According to an investigation by the CertiK security team, the attack was successful because PancakeBunny used PancakeSwap AMM for asset price calculations, allowing the hacker to maliciously manipulate the AMM pool price using flash loans and exploit issues in the token minting calculations.
Solution: PancakeBunny will issue a new token pBUNNY and create a compensation pool to compensate original BUNNY holders for their losses due to the price drop.
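To illustrate the pattern CertiK describes above (a vault pricing rewards from an AMM's spot reserves, which a single flash-loan-sized swap can move within one block), here is an added Python model written for this article; it is not PancakeBunny's or PancakeSwap's code. It pairs a constant-product pool with a TWAP sanity check that a minting or settlement contract can use to refuse a price that diverges from the recent average. Pool sizes, the swap size and the 5% tolerance are assumed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class ConstantProductPool:
    """Toy x*y=k pair (constructed model of a PancakeSwap-style pool, not the real contract)."""
    reserve_token: float          # reward token, e.g. a BUNNY-like asset
    reserve_bnb: float
    fee: float = 0.0025           # 0.25% swap fee stays in the pool

    def spot_price(self) -> float:
        """BNB per TOKEN read straight from reserves: what a naive on-chain oracle sees."""
        return self.reserve_bnb / self.reserve_token

    def swap_bnb_for_token(self, bnb_in: float) -> float:
        """Sell BNB into the pool; a large trade moves the spot price within the same block."""
        bnb_eff = bnb_in * (1 - self.fee)
        token_out = self.reserve_token * bnb_eff / (self.reserve_bnb + bnb_eff)
        self.reserve_bnb += bnb_in
        self.reserve_token -= token_out
        return token_out

@dataclass
class TwapOracle:
    """Average of prices observed in earlier blocks; one block's swap cannot move it."""
    history: List[float] = field(default_factory=list)

    def record(self, price: float) -> None:
        self.history.append(price)

    def twap(self, window: int = 10) -> float:
        recent = self.history[-window:]
        return sum(recent) / len(recent)

def guarded_price(pool: ConstantProductPool, oracle: TwapOracle, max_dev: float = 0.05) -> Optional[float]:
    """Accept the spot price only if it is within max_dev of the TWAP; None means refuse to mint."""
    spot, ref = pool.spot_price(), oracle.twap()
    return spot if abs(spot - ref) / ref <= max_dev else None

def run_scenario(flash_loan_bnb: float = 50_000) -> dict:
    """Constructed scenario: ten quiet blocks, then one block with a flash-loan-sized swap."""
    pool = ConstantProductPool(reserve_token=1_000_000, reserve_bnb=10_000)
    oracle = TwapOracle()
    for _ in range(10):                        # quiet blocks at 0.01 BNB/TOKEN
        oracle.record(pool.spot_price())
    before = pool.spot_price()
    pool.swap_bnb_for_token(flash_loan_bnb)    # same-block price manipulation
    return {"spot_before": before, "spot_after": pool.spot_price(),
            "twap": oracle.twap(), "guarded": guarded_price(pool, oracle)}
```

In the constructed scenario the spot price jumps from 0.01 to roughly 0.36 BNB per token while the TWAP stays at 0.01, so a vault that mints against `spot_price()` overpays by more than thirtyfold, whereas `guarded_price()` returns None and the mint is refused.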
7. Venus
Loss Amount: Over $100 million
Summary: On the evening of May 18, the DeFi lending platform Venus on BSC saw its token XVS manipulated by a whale, causing it to double in price. Subsequently, using XVS as collateral, over $100 million worth of BTC and ETH was borrowed and transferred out. Afterward, the collateral asset XVS price plummeted and faced liquidation, but due to insufficient market liquidity, the system failed to liquidate in time, resulting in Venus facing a massive loss of over $100 million.
Solution: Venus will sell some XVS tokens to external institutions to cover platform losses.
8. FinNexus
Loss Amount: $7 million
Summary: On May 17, the on-chain options protocol FinNexus was attacked by hackers who obtained the private key of the FNX token contract's manager account, minted over 323 million FNX, and sold them on centralized and decentralized exchanges, causing a price crash.
Solution: The FinNexus team stated that they will issue a new token and compensate all users holding FNX before the hack on a 1:1 basis; liquidity providers on DEX who suffered greater losses will receive additional compensation.
9. bEarn Fi
Loss Amount: Approximately $10.86 million
Summary: On May 16, the cross-chain DeFi protocol bEarn Fi's BUSD-Alpaca strategy in its bVaults suffered a flash loan attack, depleting nearly 10.86 million BUSD from the pool.
Solution: bEarn Fi stated that they will create a compensation fund consisting of remaining savings, development funds, DAO funds, and a portion of fees generated by the protocol, and will take a snapshot of the balance to deploy a compensation contract.
10. EOS Nation
Loss Amount: $15 million
Summary: On May 14, the EOS Nation flash loan smart contract suffered a reentrancy attack, resulting in approximately 1.2 million EOS and 462,000 USDT being stolen.
Solution: flash.sx stated that all lost funds are under the security control of eosio.prods, and a proposal has been initiated to change the hacker's EOS account permissions, which will allow funds to be returned to users once approved.
11. xToken
Loss Amount: Approximately $25 million
Summary: On May 13, the DeFi staking and liquidity strategy platform xToken was attacked via a flash loan, with liquidity in the xBNTa Bancor pool and xSNXa Balancer pool being immediately depleted, resulting in approximately $25 million in losses.
Solution: The xToken team stated that they plan to use 2% of the total supply of XTK to compensate for the stolen losses.
12. Rari Capital
Loss Amount: $14 million
Summary: On May 8, the DeFi smart advisory protocol Rari Capital experienced a vulnerability in its ETH funding pool due to the integration of the Alpha Finance Lab protocol. The attacker manipulated the price of ibETH tokens by deploying a helper contract, leading to Rari suffering a massive loss of $14 million.
Solution: Rari Capital will return 2 million reserved RGT tokens intended for team expansion to the DAO to compensate affected users and reward contributors.
13. Value DeFi
Loss Amount: A total of $15 million from two attacks
Summary: The DeFi protocol Value DeFi on Ethereum and BSC suffered two attacks, on May 5 and May 7 respectively. The first stemmed from a code vulnerability in Value DeFi's ProfitSharingRewardPool contract, affecting its vStake pool and resulting in losses of over 200,000 BUSD and 8,790 BNB; the second was due to a code vulnerability in Value DeFi's vSwap contract, affecting some of its pools and products from IRON Finance.
Solution: The team will use 8,530 VALUE from the insurance fund and 122,463 VALUE from the multi-signature wallet, totaling 130,994 VALUE, for compensation, while the remaining 251,702 VALUE will be compensated from the team's own VALUE holdings.
14. Spartan
Loss Amount: $30 million
Summary: On May 2, the BSC-based synthetic asset protocol Spartan Pools V1 was attacked. Due to a vulnerability in liquidity share calculations, the attacker transferred approximately $30 million from the funding pool.
Solution: A new SPARTA token will be issued, and the previously unissued 20 million tokens will be used to compensate the liquidity providers who suffered losses due to the attack.