A review of the top 20 hacking incidents in the cryptocurrency industry over the past two years: most have been fully compensated, with only 2 cases recovered

ChainCatcher Selection
2022-04-01 16:09:19
Despite the cumulative losses from these security incidents reaching billions of dollars, the vast majority of users of the affected projects have been compensated.

Compiled by: Cookies, Chain Catcher

At the end of March, the well-known blockchain game Axie Infinity's sidechain network Ronin Network suffered a hacker attack, resulting in a loss of approximately $620 million in assets, making it the most severe DeFi hacking incident to date and further deepening public concerns about the security of the crypto world.

In the past two years, massive funds have continuously flowed into the crypto industry, but its security remains very fragile. Numerous code vulnerabilities from centralized exchanges and DeFi projects have repeatedly been targeted by hackers, with the number, frequency, and scale of various security incidents rapidly increasing.

According to SlowMist statistics, blockchain security incidents in 2021 resulted in cumulative losses exceeding $9.8 billion, involving 231 security incidents. Although a significant portion of the losses was recovered or compensated by project parties, it still left the crypto industry deeply wounded.

Based on data from the professional crypto security website Rekt and other public information, Chain Catcher has compiled the top 20 hacking incidents in the past two years according to the amount affected.

1. Ronin Network, $624 million

On March 29, 2022, Ronin officials announced that their cross-chain bridge had been hacked, with 173,600 ETH and 25.5 million USDC stolen, totaling approximately $620 million.

The officials stated that the theft was due to the compromise of five validator private keys. Last November, Sky Mavis and Axie DAO established a gas-free RPC node to reduce user costs, which required Axie DAO to become a Sky Mavis validator. Although this RPC node lasted only a month, the whitelist access was never revoked, allowing attackers to steal Axie DAO signatures, gather consensus from five validators, and forge withdrawals using the private keys.

Currently, Axie Infinity co-founder Aleksander L. Larsen has tweeted that the Axie Infinity team is working hard to communicate with the hackers to recover losses and determine the best compensation plan.

2. Poly Network, $611 million

On August 10, 2021, the cross-chain interoperability protocol Poly Network was attacked simultaneously on smart contracts deployed on Ethereum, BSC, and Polygon, resulting in over $611 million in stolen assets.

According to analysis by the SlowMist team, the attackers exploited specific functions by inputting carefully crafted data to modify the EthCrossChainData contract's keeper. After replacing the keeper's address, they could freely construct transactions and extract any amount of funds from the contract.

After extensive on-chain communication with the hackers, they ultimately returned all stolen assets to the project party, and all users incurred no actual losses.

3. Wormhole, $326 million

On February 3 of this year, the cross-chain protocol Wormhole was hacked, with officials confirming a loss of 120,000 ETH (approximately $326 million) in this attack.

Investigations revealed that the vulnerability was due to an error in the signature verification code of the core Wormhole contract on the Solana side, allowing attackers to forge messages from "guardians" to mint whETH. The attackers minted an equivalent of whETH (Wormhole ETH) on Solana and then transferred 120,000 real ETH to Ethereum via Wormhole.

After the incident, the hackers did not respond to the project's communications. Jump Trading, the parent company of Wormhole, quickly decided to "dig into their pockets" and supplemented the cross-chain bridge's smart contract with 120,000 ETH to help Wormhole bridge go back online.

4. BitMart, $196 million

On December 5, 2021, the Ethereum and BSC hot wallets of the crypto trading platform BitMart were hacked, resulting in a loss of approximately $196 million, including about $100 million on Ethereum and about $96 million on BSC.

It is understood that the attackers transferred BitMart's funds from the hot wallet to their own wallet and exchanged most of the tokens for ETH and BNB through 1inch, then mixed the coins through TornadoCash, ultimately escaping unscathed.

Subsequently, BitMart founder Sheldon Xia announced that the platform would use its funds to compensate affected users and quickly opened deposits and withdrawals.

5. Vulcan Forged, $140 million

On December 13, 2021, the blockchain game project Vulcan Forged reported that 148 wallets holding PYR were hacked, with over 4.5 million PYR stolen, totaling a loss of over $140 million. Afterward, the project team decided to compensate affected user wallets with PYR from the treasury.

6. Cream Finance, $130 million

On October 27, 2021, the lending platform Cream Finance suffered a flash loan attack, resulting in a loss of approximately $130 million.

It is understood that this attack combined economic and oracle attacks, with the attackers borrowing DAI from MakerDAO's flash loan to create a large number of yUSD tokens while manipulating multi-asset liquidity pools and using price oracles to calculate the yUSD price. After the yUSD price increased, the attackers' yUSD positions grew, creating enough borrowing limits to offset Cream's Ethereum v1 market liquidity.

On November 13, Cream Finance announced a compensation plan for affected users, utilizing the remaining tokens in its treasury and removing all remaining Cream token allocations from the project team to distribute 1,453,415 Cream tokens to affected users.

7. Badger, $120 million

On December 2, 2021, the Badger user interface was hacked, and malicious wallet requests were injected, resulting in total losses of approximately 2,100 BTC and 151 ETH, totaling about $120 million.

This incident was a phishing attack caused by a "malicious injection snippet" running on Cloudflare, the application platform used by Badger's cloud network. The hackers exploited a compromised API key that had been created without the knowledge or authorization of Badger engineers, periodically injecting malicious code to obtain unlimited authorization over user wallets.

Afterward, Badger announced it had hired cybersecurity firm Mandiant and blockchain analysis company Chainalysis to investigate the attack and was cooperating with both companies and authorities in the U.S. and Canada to recover any possible funds. Meanwhile, the project decided through community voting to use part of the treasury assets and some protocol income to compensate affected users over a period of about a year.

8. Qubit Finance, $80 million

On January 28, 2022, the BSC lending project Qubit was suspected to have been hacked, with hackers minting a large amount of xETH collateral and stealing approximately $80 million in assets from the liquidity pool.

The main reason for this attack was that, when deposits of ordinary tokens and native tokens were implemented separately, there was no re-check on whether a whitelisted token being transferred was the zero address, allowing operations that should have gone through the native deposit function to successfully follow the ordinary token deposit logic.

Team Mound, the development team of Qubit Finance, decided to reorganize and release a compensation plan after the attack, abandoning all their tokens to compensate the community.

9. AscendEX, $77 million

On December 12, 2021, the cryptocurrency exchange AscendEX had its Ethereum, BSC, and Polygon hot wallets hacked, resulting in a total theft of over $77 million in assets.

After the incident, the exchange stated it would conduct a comprehensive security check and would provide 100% compensation if any user's funds were affected by this incident.

10. EasyFi, $59 million

On April 20, 2021, EasyFi founder Ankitt Gaur stated that the protocol's liquidity pool had been drained of $6 million in stablecoins and 2.98 million EASY tokens, totaling approximately $59 million.

It is understood that the project was hacked because the administrator's MetaMask mnemonic phrase was compromised in a remote attack; EasyFi's smart contract itself was not hacked. EasyFi contacted the Binance and AscendEx teams, and the hackers did not transfer the tokens out of the wallet and could not sell them on DEX due to liquidity constraints.

Afterward, the project stated it would compensate each address's net balance of lenders/depositors at 100% based on a snapshot, with users receiving funds in two parts: an initial payment of 25% and the remaining 75% paid in EZ, guaranteed by the EASY V2 token EZ at a 1:1 ratio.

11. Uranium Finance, $57 million

On April 28, 2021, the AMM protocol Uranium Finance on the Binance Smart Chain tweeted that it had been attacked during the migration process, resulting in a loss of approximately $57 million.

It is understood that the issue occurred on the Uranium project's pair contract, where the swap function partially referenced PancakeSwap's logic, allowing users to borrow funds through flash loans. However, this function had a precision handling error when checking the contract balance according to the constant product formula, resulting in the calculated balance being 100 times larger than the actual balance. In this case, if the attacker used a flash loan to borrow, they only needed to repay 1% of the borrowed amount to pass the check and steal the remaining 99% of the balance, leading to project losses.
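The scale mismatch described above can be modelled in a few lines. This is an added example, not code from the article or from Uranium Finance: the fee, the scale constants and the pool sizes are assumptions chosen to reproduce the 100x discrepancy the paragraph describes, with the inconsistent check shown beside a consistent one.

```python
# Added illustration: simplified model of a constant-product pair's
# post-swap invariant check. Constants are assumptions, not article data.
SCALE = 10_000   # assumed: balances are multiplied by this before the check
FEE = 16         # assumed: fee charged on input, in units of 1/SCALE


def k_check(reserves, balances, amounts_in, reserve_scale):
    """Return True if fee-adjusted balances still satisfy x * y >= k."""
    (r0, r1), (b0, b1), (in0, in1) = reserves, balances, amounts_in
    adj0 = b0 * SCALE - in0 * FEE
    adj1 = b1 * SCALE - in1 * FEE
    return adj0 * adj1 >= r0 * r1 * reserve_scale


def flawed_check(reserves, balances, amounts_in):
    # Reserves scaled by 1000**2 while balances use 10_000 per side:
    # the left-hand product is inflated 100x relative to the right.
    return k_check(reserves, balances, amounts_in, 1000 ** 2)


def fixed_check(reserves, balances, amounts_in):
    # Both sides of the inequality use the same scale factor.
    return k_check(reserves, balances, amounts_in, SCALE ** 2)


def swap(reserves, amounts_in, amounts_out, check):
    """Apply a swap and return the new reserves, or raise if K is violated."""
    balances = tuple(r + i - o for r, i, o in zip(reserves, amounts_in, amounts_out))
    if min(balances) <= 0:
        raise ValueError("insufficient liquidity")
    if not check(reserves, balances, amounts_in):
        raise ValueError("K invariant violated")
    return balances


if __name__ == "__main__":
    pool = (1_000_000, 1_000_000)          # constructed sample reserves
    drain = dict(amounts_in=(1, 0), amounts_out=(0, 990_000))  # 99% of one side
    print("flawed check accepts:", swap(pool, check=flawed_check, **drain))
    try:
        swap(pool, check=fixed_check, **drain)
    except ValueError as err:
        print("fixed check rejects:", err)
    print("fair swap still works:", swap(pool, (1000, 0), (0, 997), fixed_check))
```

A review or test suite that asserts both sides of the invariant use the same scale factor catches this class of error before deployment.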

Afterward, Uranium Finance published a vulnerability analysis article and urged users to remove funds as soon as possible and not to provide liquidity to the contract. Since then, there have been no further updates from Uranium Finance's official channels, and it is suspected to have ceased operations.

12. bZx, $55 million

On November 6, 2021, the decentralized lending protocol bZx suffered a loss of over $55 million in assets on the Polygon and BSC chains due to a private key leak.

It is understood that this incident was not a hacker attack targeting the protocol's vulnerabilities but rather a phishing attack against bZx developers. The developers received a phishing email containing a Word document with malicious macros. Opening this document resulted in the theft of the developers' personal wallet keys. The hackers were able to control the contract and extract it from BZRX.

13. Cashio, $48 million

On March 23, 2022, the Solana-based algorithmic stablecoin Cashio warned users not to mint any tokens and to withdraw funds from the pool as soon as possible. The protocol had an infinite minting vulnerability, resulting in a loss of approximately $48 million.

Cashio Dollar is an algorithmic stablecoin backed by USDT-USDC LP tokens. The hackers illegally minted 2 billion CASH tokens by bypassing an unverified account and converted the CASH tokens into UST, USDC, and USDT-USDC LP through multiple applications, profiting a total value of approximately $48 million.

After the hacking incident, the project stated it did not have enough funds to repay user losses and was willing to offer $1 million USDC as a bounty if the attackers returned the funds. The attackers indicated through on-chain messages that they would refund victims with losses below $100,000.

14. PancakeBunny, $46 million

On May 20, 2021, the yield aggregator PancakeBunny on the Binance Smart Chain was suspected to have been attacked, resulting in a loss of approximately $46 million.

This was a typical flash loan attack, with the key point being that the price calculation of the WBNB-BUNNY LP had defects. The number of BUNNY tokens minted by the BunnyMinterV2 contract relied on this flawed LP price calculation, ultimately leading the attackers to manipulate the WBNB-BUNNY pool using flash loans, thereby inflating the LP price and causing the BunnyMinterV2 contract to mint a large number of BUNNY tokens for the attackers.

After suffering the flash loan attack, the PancakeBunny team released an assessment and compensation plan, which would involve issuing a new token, pBUNNY, and creating a compensation pool funded by performance fees (direct contributions from the team), funds recovered from the exploit, and QFI token airdrops. After 90 days, original holders would be able to exchange pBUNNY for BUNNY at a discount below market price.

15. Kucoin, $45 million

On September 20, 2020, Kucoin's hot wallet was attacked, resulting in losses exceeding $280 million.

Afterward, Kucoin CEO Johnny Lyu stated that they had recovered $222 million (78%) through cooperation with exchanges and project parties and recovered $17.45 million (6%) through further cooperation with law enforcement and security agencies. Finally, KuCoin used its insurance fund to cover the remaining losses, approximately $45 million (16%), and no users suffered losses in this incident.

16. Secretswap, over $40 million

On September 14, 2021, the DEX project Secretswap based on the privacy public chain Secret Network was hacked, with over $40 million in funds withdrawn from the liquidity pool. After the incident, the project suspended the use of the Secretswap and Secret Network cross-chain bridge to prevent hackers from transferring assets to the Ethereum network.

Subsequent investigations revealed that the vulnerability involved a single LP contract related to SecretSwap reward staking, and no stolen funds left the network, nor were any bridge/token contracts attacked, and the network itself was not compromised.

Days later, Secret Network rolled back the network through a hard fork, returning the stolen assets to users' liquidity pools and restoring the use of the cross-chain bridge.

17. Alpha Finance, $37 million

On February 13, 2021, Alpha Finance Lab announced on its official Twitter that hackers exploited a vulnerability in Alpha Homora V2 to borrow assets such as ETH, DAI, and USDC from Iron Bank (Cream V2), resulting in a debt relationship between Alpha Homora v2 and Cream v2, with losses of approximately $37 million.

The Alpha team's repayment method was to use the 1,000 ETH deposited by the attacker in the Alpha Homora V2 deployer contract to pay off the debt; to use the 1,000 ETH deposited by the attacker in the Cream V2 deployer contract to pay off the debt; and the Tornado Cash Foundation would return the 100 ETH donation made by the attacker to Alpha Homora to pay off the debt. Alpha committed to using 20% of the reserves from Alpha Homora V1 and V2 to repay the remaining funds, making monthly payments to Cream V2 Iron Bank until all new debts were cleared.

18. Vee Finance, $37 million

On September 21, 2021, the lending platform Vee Finance on the Avalanche ecosystem was attacked, resulting in losses of approximately $37 million.

It is understood that the main reason for the vulnerability was that, during the process of creating leveraged trading orders, the oracle used only the price from the Pangolin pool as its price feed source, and the oracle refreshed the price whenever that pool's price fluctuated by more than 3%, allowing the attackers to manipulate the price of the Pangolin pool. Additionally, the pricing of the Vee Finance oracle and the acquisition of oracle prices did not handle decimals, so the expected slippage check before the swap did not function.

Subsequently, Vee.Finance announced a $500,000 bounty to track down the attackers and would bear all losses, compensating all lenders and depositors with platform revenue and reserves of VEE tokens. The team tokens would not be released until all debts were repaid.

19. Crypto.com, $33 million

On January 18, 2022, some accounts of the cryptocurrency exchange Crypto.com were suspected to have been hacked, resulting in losses of approximately $33 million.

It is understood that the hackers bypassed existing 2FA verification to become part of the withdrawal whitelist, compromising a total of 483 accounts and stealing 4,836 ETH and 444 bitcoins, with the ETH sent to Tornado Cash for mixing.

After the incident, Crypto.com stated that it had compensated all users for their losses and restored the assets in the accounts to their original state.

20. MonoX Finance, $31 million

On November 30, 2021, the automated market maker protocol MonoX was attacked via a flash loan, with approximately $31 million worth of cryptocurrencies stolen from Ethereum and Polygon.

It is understood that the attackers manipulated the swap contract to push the price of MONO to an exorbitant level and then used MONO to purchase all other assets in the pool.

Afterward, the project team stated that they would issue debt tokens dMONO for all stolen assets and deploy a dMONO vault, using their revenue to buy back MONO and send it to this vault. Any dMONO holders could redeem MONO from the vault at any time by burning their dMONO, but if users chose to withdraw it before dMONO reached the owed value, it would mean waiving the remaining debt.

Further statistics reveal that although the cumulative losses from these security incidents reached billions of dollars, most users of the hacked projects received full compensation. Among them, the stolen assets of Poly Network and Secretswap were fully recovered, while eight projects, including Wormhole, compensated users with the original tokens. Most of the remaining projects compensated users in the form of their own tokens, but often the actual compensation amount was lower than the loss amount due to token price declines, with only Uranium Finance not providing any compensation to users.

This indicates that hacker attacks are not as terrifying as imagined; what matters is the project party's resource background and sense of responsibility towards users. Crypto users should remain cautious with any financial operations while prioritizing participation in projects and platforms with strong capabilities, and invest and mine within their own risk tolerance to ensure the safety of their funds.
