Over $1 Billion in DeFi Hacks in 2021
Blackhat actors find increasing success tapping into a growing DeFi ecosystem - Insured Finance Research Report
Quick take;
CipherTrace reports highlight that 76% of crypto hacks this year have been in the DeFi space.
The token price for some affected projects has declined by over 80% from all-time highs.
DeFi protocols have stepped up bounty offerings for whitehackers.
Decentralized finance (DeFi) facilitates permissionless access to financial products and services without the need for intermediaries. However, the industry is still growing and bad actors have continued to target vulnerable DeFi projects with those allocating capital to such projects suffering the brunt of losses.
Blockchain analytics company CipherTrace recently published its August 2021 report. One of the major takeaways from the report is the fact that DeFi hacks and rug pulls now make up the majority of hacks in the crypto ecosystem.
In the first half of the year alone, the total value lost to DeFi incidents reached $471 million. This figure has now surpassed $1 billion given recent attacks such as the $600 million exploit on the Poly Network. Smaller exploits like $25 million on Popsicle Finance and $1.6 million on GeoDB have further pushed this number up.
DeFi has continued to attract increasing amounts of capital and value, making it a more attractive target for blackhat actors. In 2020, the total value of locked assets in the Ethereum DeFi was just above $20 billion at year-end.
At the time, Ethereum-based projects represented the majority of the DeFi ecosystem. There has since been tremendous growth across several chains, bringing the TVL across the entire DeFi ecosystem to close to $160 billion.
(Source: DeFiLlama)
However, hackers have found increasing success in their attempts to tap into this value. The over $1 billion lost this year represents over 0.5% of the TVL in the ecosystem. For the remainder of the article, we consider some of the major attacks that have taken place and their impact on the ecosystem and respective projects.
Pancake Bunny $45 million contract drain
Pancake Bunny (BUNNY), a yield farming aggregator on Binance Smart Chain, suffered a flashloan exploit on May 19th that drained $45 million from its smart contracts. The news caused the project’s TVL to drop from $10 billion to under $1 billion in the space of a few hours. The project’s token which had peaked at a price of $552 quickly dropped to $30, and is trading at $7 at the time of writing (a 98% decrease from its ATH).
(BUNNY price chart, Source:CoinMarketCap)
The team suffered another breach roughly two months later when it launched a fork of the protocol on the Polygon chain, causing the price of PolyBUNNY (pBUNNY) to drop 80% within a few hours. Although there was a compensation plan, users were unable to recover up to 5% of what was lost.
Popsicle Finance loses $25 million to widespread DeFi bug
Earlier this month, Popsicle Finance suffered a $25m hack involving an exploit that a bug hunter claims also exists in dozens of other DeFi protocols. Following the attack, the price of Popsicle’s native token ICE crashed by more than 50% in the space of two days.
ICE is currently more than 80% off its ATH of $9.72, trading $1.72. Trading volume has also dropped from $14 million to less than $1 million in recent days.
(Source: Nansen.ai)
As with Pancake Bunny, Popsicle didn’t go offline following the incident and price crash. The project, which is live on Ethereum, Binance Smart Chain, and Factom network, still has roughly $242 million in TVL.
EasyFi loses $81 million after attacker gains access to Metamask
EasyFi is a Polygon Network-based DeFi project that lost $81 million after hackers allegedly gained access to the admin Metamask account. CEO and founder Ankitt Gaur noted that the hackers made away with 2.98 million EASY (EZ) tokens worth $75 million at the time and also removed $6 million worth of liquidity from the project’s stablecoin pools.
(Source: Nansen.ai)
As you can already guess, the price of EZ tanked following the news and is still 85% off its all-time high. From a $37 peak in April, the token trades around $6.41 at the time of writing while it’s market cap is only $16 million.
It is worth noting that this section only reviews projects that are still active within the DeFi ecosystem. There are many long-dead DeFi projects which went offline following a security incident and token prices crashing by over 99% including Iron Titan, Merlin Labs, Whalefarm, etc.
Bug bounties and insurance options
It is fair to say that there have been vital lessons learned from the security incidents within the DeFi ecosystem over the past year. The need for higher bounties and insurance options rank chiefly among these lessons.
Given the complex nature of smart contracts, it is not surprising that even the most experienced developers and auditors can miss a bug. There is no better example than the $350 million bug recently found in Sushiswap’s MIDO platform which has been live for several months.
White hackers are always on the hunt to find and disclose such bug. However, the value at risk (VAR) is often magnitudes higher than what the project is offering via its bug bounty. The attacker in Poly Network’s $600m exploit noted in a message that a 10% VAR risk could have prevented them from revealing the exploit publicly. In other words, if they were to receive 10% of the funds that were at risk, then nothing would be stolen.
DeFi projects have indeed been upping their bounty offers. Immunefi, a service that helps fund the white hat hackers, has $34 million worth of bounties at this time. Popsicle Finance and Pancake Bunny currently have $250k and $100k in bug bounties listed on Immunefi.
Higher bug bounties is certainly giving rise to a safer DeFi ecosystem. However, users still need to protect themselves as exploits will continue to occur as DeFi continues to grow and evolve. Digital asset insurance options allow DeFi users to do so.
Polygon-based Insured Finance is an emerging two-sided marketplace that allows users to secure tailored insurance for their digital assets. Such solutions allow DeFi users to protect against the various risks that can occur in a rapidly evolving DeFi industry.
For a more secure DeFi ecosystem, both projects and users need to play their part. Projects can put in place higher bug bounties while users can mitigate their exposure by securing digital asset insurance.