The Worst Hacks of 2022
DeFi

The Worst Hacks of 2022

18 Minuten
2 years ago

This year's many hacks have damaged the industry's reputation — and left big questions about the safety of cross-chain bridges needed for a multi-chain crypto ecosystem.

The Worst Hacks of 2022

Inhaltsverzeichnis

Listen to the CoinMarketRecap podcast on Apple Podcasts, Spotify and Google Podcasts

As of August, cryptocurrency users had been robbed of $1.6 billion. By the end of November, that number had grown past $3.5 billion.

The worst month was October — dubbed "Hacktober" — with more than 44 exploits bringing thieves more than $760 million.

What were the 50 biggest crypto stories of 2022? You decide!

DeFi was by far the biggest victim, with cross-chain bridges proving the most vulnerable and valuable to hackers. Bridges make it easy to borrow tokens usable on one chain by locking in those of another, and then retrieving the collateral when the borrowed tokens are returned — essentially making payments and moving value across blockchains without the time and expense of going through an exchange.

Often set up rapidly to support specific blockchains or projects, many have proved to have very exploitable code. But here's the problem: they are key to a multi-chain industry succeeding. Chainalysis head of research Kim Grauer was quoted by Pymnts as saying:

"The reputational risk is huge. I can't emphasize that enough. Having a hack happen every day makes it so that every trader, everyone involved in DeFi has an awareness that they could be the victim of a hack. And that's not healthy for sustainable long-term growth. That's not healthy for the industry. That is, in fact, a major reason why people are likely not getting into DeFi, not testing the waters."

Of course, that was before Sam Bankman-Fried showed how untrustworthy centralized exchanges could be by having his Alameda Research trading firm allegedly borrow and lose some $10 billion of his FTX exchange customers' funds without permission.

For all that, 2022 is notable in that far more hacked funds were recovered than were stolen. In just two cases, the Department of Justice seized almost $7 billion in Bitcoin: $3.36 billion stolen in 2012 from the Silk Road dark web marketplace, and $3.6 billion stolen in 2016 from the Bitfinex exchange. Years after these crimes, detectives are catching up.

January

Crypto.com, $30 million

It took four days, but Crypto.com finally admitted that the Jan. 16 "incident" it reported was actually a hack that saw 483 customers lose about $32 million in Bitcoin and Ether from their exchange wallets. CEO Kris Marszalek said in a tweet that "no customer funds were lost" — which was true in the sense that they were reimbursed.

The exchange halted withdrawals for about 14 hours while it "hardened the infrastructure in response to the incident."

What happened, it turned out, is that a hacker found an exploit that let them bypass the exchange's two-factor authentication requirements. This left accounts protected only by a password, which were apparently compromised externally.

In response, Crypto.com on Jan. 20 announced it was moving from 2FA to multi-factor authentication. It also instituted a 24-hour delay on adding new fund withdrawal addresses, and launched a Worldwide Account Protection Program that provides up to $250,000 of protection if certain security protocols have been followed and a police report has been filed.

Qubit Finance, $80 million

DeFi crypto lending/borrowing protocol Qubit Finance was the target of the first cross-chain bridge exploit hacks of 2022, losing $80 million in BNB to someone who figured out how to mint "unlimited" xETH tokens without depositing any collateral on its QBridge.

They then traded it for the 206,809 BNB tokens available. A "bug bounty" was offered for its return, to no avail.

It was reportedly run through the since sanctioned Tornado Cash mixing service and made untraceable.

February

Wormhole, $326 million

The next bridge exploit came less than a week later — and at more than $320 million, was four times as large. Alas, while the bug bounty offered for the return of the funds was 40 times as large at $10 million, nothing was recovered.

Jump Trading's Wormhole serves as a bridge between Solana and Ethereum. In this case, a flaw in the code allowed the hacker to mint 120,000 Wrapped Ether (wETH) — usable on the Solana blockchain — without depositing any Ether. Those wETH were then traded in for real ETH.

None of the other Wormhole clients who'd locked ETH into the bridge lost anything, however, as Jump Trading — which was flush as it also executes cryptocurrency trades for Robinhood — replaced the whole 120,000 ETH loss out of its own pocket.

This was a comfort to the many Wormhole users who saw their life savings disappear for several days. One wrote:

"I lost $100,000 in your attack. I am a nurse. These are all my savings. I hope you can return it to me. Everyone will get sick. Think of the nurses who care for you when you are sick. I wish you always healthy and enjoy the happiness of the world. GOD BLESS YOU."

That's the thing about bridge hacks — they tend to have a huge number of victims as the funds stored in the bridge as collateral belong to individual users. So, it's like robbing individual wallets on a centralized exchange insteading of targeting funds belonging to the exchange itself. The main difference being that decentralized bridge programs don't use offline cold wallets like centralized exchanges do.

IRA Financial Trust, $37 million

The least clear part of the IRA FInancial Trust hack, in which $21 million of Bitcoin and $15 million in Ether were drained from Roth IRA accounts held in custody by the Gemini exchange, is who was to blame.

What is clear is that, on Feb. 8, someone using an account under the name Benjamin Chloe began withdrawing BTC, ETH and cash from other accounts that were protected by a wide range of security features including 2FA and whitelisted withdrawal addresses, CoinDesk reported.

At the time, Gemini told victims that the "transfer requests were made by utilizing properly authenticated accounts controlled by IRA Financial Group, which were used to execute asset transfers to another account."

Saying that these requests were in line with the IRA Financial approval process, Gemini said they looked legitimate, adding:

"To date, our investigation has found no indication of any unauthorized access to your account resulting from any security failure or breach of Gemini systems."

It told Bloomberg: "While IRA Financial's accounts are serviced on the Gemini platform, Gemini does not manage the security of IRA Financial's systems."

In June, IRA Financial denied it was to blame, accusing Gemini in a lawsuit of failing to protect accounts by giving the company a master account with a "master key" that allowed the user to bypass individual account security features, creating  "a single point of failure." It added:

"Critically, Gemini never informed IRA about the power of this master key. To the contrary, Gemini itself handled IRA's master key as if it was a mundane piece of information, repeatedly exchanging unsecured, unencrypted emails with IRA containing the master key."

Like the Qubit hack, the IRA Financial funds were run through Tornado Cash to hide their whereabouts.

DoJ Seizes Funds Stolen in Bitfinex Hack, $3.6 billion

The hacking news wasn't all bad in February. On the same day IRA Financial was hacked, the U.S. Department of Justice revealed that it had arrested a New York couple in connection with the 2016 hack of the Bitfinex exchange. Allegedly stolen Bitcoin worth $3.6 billion was seized — representing 80% of the nearly 120,000 BTC taken in the hack.
Ilya Lichtenstein and his wife Heather Morgan — who's alter ego is (or was) the cringe-inducing rapper Razzlekhan, the self-proclaimed "Crocodile of Wall Street" — are each facing 25 years in prison. She is free on $8 million bail, while Lichtenstein remains in custody.

The arrests and seizure came after a $500 Walmart gift card allegedly bought with stolen funds was traced to purchases made via Morgan's mobile, according to reports.

March

Cashio, $52 million

Several months before the $48 billion collapse of the UST algorithmic stablecoin, a far smaller stablecoin crashed and burned. The Solana blockchain-native Cashio algorithmic stablecoin lost its dollar peg to fall far below one penny after faulty code allowed a hacker to exploit an "infinite mint glitch" to make off with $52 million.

The way Cashio worked was anyone could mint CASH stablecoins by depositing USDC and USDT stablecoins into a liquidity pool. The problem was that the DeFi project's smart contracts failed to verify that the user's collateral was real, allowing the thief to mint real CASH tokens with fake collateral.

While the project was killed, the hacker later claimed to have returned the funds of anyone whose account held less than $100,000.

"The intention was only to take money from those who do not need it, not from those who do," the hacker wrote, according to Vice. That said, there were a lot of "prove it"-style requirements attached ranging from proof of ownership to providing justification of why victims deserved their own money back.

"an explanation of the source of this money and why you need it back. more detail is better. money will not be refund [SIC] to rich american [SIC] and european [SIC] that don't need it."

A number of victims tried, many calling the thief "Robinhood." One such request from someone claiming to be a victim read:

"Robinhood, I have tried my luck in crypto but ended up with massive losses, debt, and PTSD. My life is in disarray. 3 ETH will put me back in a slightly better position to turn my life around. Please."

It's not clear if funds were returned.

Ronin Network, $625 million

The Ronin Network was used to turn ETH into RON tokens, enabling users to take part in the play-to-earn game Axie Infinity — and was also targeted in March.

It's difficult to know what was more shocking when the hack emerged: that a staggering $625 million worth of ETH and USDC had been stolen, or that the theft hadn't been noticed for six days.

This really is quite a long time not to notice that you're missing more than a half billion dollars.

Unlike most hacks, particularly of DeFi bridges, the Ronin Network thieves didn't exploit any coding flaws. Instead, they highlighted a potential security problem with Proof-of-Stake consensus mechanisms that use too few validators.
With just nine validators, the elite hackers — more on that in a minute — simply obtained the passwords of five and started approving withdrawals, Axie Infinity developer Sky Mavis said in a postmortem. They made off with 173,000 ETH and $25.5 million in USDC. The number of validators was quickly increased.
Surprisingly given the size of the theft, Sky Mavis was able to make whole all customers who lost funds after a $150 million funding round in April. But that's not the only way the hack hurt the company. Although the bear market may have played a role here, Axie Infinity's user numbers plunged dramatically in 2022 — going from almost 2.8 million in January to 700,000 in October.
The fallout didn't end there. The theft was traced to the Lazarus Group, a very successful North Korean government-sponsored hacking organization whose proceeds are used to fund the rogue nation's nuclear weapons program.
Five months later, on Aug. 8, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced that $455 million of the Ronin Network funds had been laundered through Tornado Cash, a mixing service used to anonymize cryptocurrency, making it nearly impossible to trace along the blockchain. Along with more than $100 million taken in two other crypto hacks, that made it enough of a threat to impose sanctions on Tornado Cash similar to those placed upon Russian oligarchs and their companies following the invasion of Ukraine.
While it wasn't the first sanction of a crypto mixer — blender.io was hit on May 6 — the Tornado Cash sanction was groundbreaking. As a fully DAO-controlled DeFi project, there is no person or legal person (a company) to sanction. (Although an original developer of the project has been arrested in The Netherlands.) First Amendment advocates including the Electronic Frontier Foundation (EFF) accused the government of sanctioning computer code, which has long been seen as protected speech by the courts. Coinbase is funding a crypto industry lawsuit challenging the sanctions designation.

April

Beanstalk, $182 million

Another algorithmic stablecoin, Beanstalk's BEAN was chopped down by a hacker who used an enormous flash loan to briefly take control of the project's governance with a two-thirds supermajority that enabled the passage of new rules that sent about $182 million worth of the assets backing it to an address of their choosing.

In all, almost 25,000 ETH and 36 million BEAN tokens were looted — although given that BEAN depegged and lost most of its value in minutes, they weren't worth much. The attack required an Aave flash loan of almost $1 billion to buy 79% governance power for a few seconds, and in the end, the thief netted about $77 million — as well as a $250,000 "donation" sent directly to Ukraine's crypto donation address.

It started with a pair of malicious governance proposals — one draining the tokens, the other sending them — which weren't noticed in the 24-hour waiting period required by the smart contract. The supermajority allowed the hacker to pass them under an emergency no-waiting-period provision.

Flash loan attacks are becoming more common. The DeFi lending products allow a user to borrow funds, use them, and return them in a single transaction.

While BEAN's value dropped to almost nothing, developer Beanstalk Farms revived it on Aug. 6. While it regained its peg, the market cap is presently only about one third of what it was before the hack.

Fei Rari, $80 million

The newly and very briefly merged DeFi lending protocols Rari Capital and Fei Protocol were hit with an $80 million loss following a re-entrancy attack — the same technique behind the infamous $60 million The DAO hack that threatened to kill off Ethereum. Rari's Fuse lending protocol had the weakness, and despite a $10 million bug bounty offer by Fei, no return was forthcoming.
But the damage didn't end there. Despite promises that victims would be made whole, the DeFi protocol's decision making was a mess. A preliminary "snapshot" vote — essentially an opinion poll — on Fei's Tribe DAO was in favor of covering the losses, but the real vote in June was for only partial repayment and winding down Tribe. This was followed by a firestorm and another pair of votes in September, which approved of the full repayment.
Whether the hack would have been survivable is debatable, but the long repayment fight was not. Both Fei and Rari died. And they weren't alone. Asset management platform Babylon Finance lost $3.4 million in the Rari exploit, which "was the domino that kickstarted a series of unfortunate events" that saw more than 95% of its total value locked withdrawn, project founder Ramon Recuero wrote in a Medium post on Aug. 31.

May

NFT hacks, $458,000

A pair of NFT-based hacks this month displayed the risks of trusting official outlets too much.

On May 6, top NFT marketplace OpenSea's Discord channel was hacked. A post announced a fake YouTube partnership designed to "to bring their community into the NFT space" and offered free minting passes, warning that only 100 were available. A link then promised to bring users to the minting, piling on pressure with an "80% gone" counter. More than a dozen wallets were compromised, with at least $18,000 worth of NFTs taken.
Then on May 23, top NFT artist Mike "Beeple" Winkelmann — he of the $69 million NFT sale — saw his Twitter account hacked. But instead of launching a giveaway scam, the crooks announced an unscheduled mint with a link that pulled one ETH from their wallets. Another tweet posted later that morning promised a free NFT mint to the first 200 users. Winkelmann later tweeted:
"Stay safe out there, anything too good to be true IS A F****** SCAM. And as a side note, there will never be a SURPRISE MINT I mention one time in one place starting at 6am Sunday morning."

At least one victim — who recognized that they'd clicked without thinking — said they'd lost their life savings.

June

Elrond's Maiar Exchange, $113 million

The Maiar Exchange, a decentralized exchange on the Elrond Network blockchain, was hacked for $113 million worth of Elrond eGold.

Elrond developer Andrei Marinica explained that a new virtual machine function was found to have an exploitable flaw.

While it was discovered and a patch was created, adding to the code is a process that takes several days. There's a good reason for that — look back at the Beanstalk hack in April — but the downside is that the patch wouldn't go live until June 8. Unfortunately, with the patch in place and waiting to go live, a bigger and more dangerous flaw was found. That's when security went off the rails. He said:

"Bafflingly, these discoveries are discussed quite nonchalantly on the public Elrond Developers channel during the weekend, without raising any security or safety concerns. Since a patch is known to come to the network in two days, there is little attention to responsible disclosure and immediate action."

The hacker moved fast. The developers took Maiar Exchange offline but the damage was done. Maiar's native token dropped 90% and Elrond's 7%.

Horizon Bridge, $100 million

The Harmony blockchain's Horizon Bridge connects it to both Ethereum and BNB Chain (then known as Binance Smart Chain) — with ETH, USDC, USDT, DAI, BNB and a number of other assets including NFTs able to be moved onto Harmony.

Like the Ronin Network hack, the culprit in this attack again appears to be too few multisig validators: just two of five were able to validate transactions. This meant just two passwords had to be compromised — a weakness that had been pointed out in early April. Phishing and trojans were apparently both used, and about $100 million was stolen from 65,000 wallets.
And also like the Ronin hack, the U.S. Department of Justice blamed the attacks on North Korea's Lazarus Group, and OFAC cited Horizon in its decision to sanction the Tornado Cash mixing service.
Making the victims whole was also a struggle, with the community shouting down a July proposal to mint five billion more ONE tokens to do it. In September, the Harmony developers decided to deploy the project's treasury instead.

August

Nomad Bridge, $190 million

It's not entirely accurate to call the $190 million Nomad Bridge attack "a hack." Free-for-all is more like it.

The basics are pretty simple. An update on the Moonbeam-Ethereum cross-chain bridge was not sufficiently scrutinized and had a hole that allowed a small amount of Wrapped Bitcoin sent from Moonbeam to unlock a much larger amount on Ethereum.

Essentially, attackers could "bypass the message verification process and drain the tokens from the bridge contract," blockchain security firm Certik said.

The problem was that the hack was so easy that once someone exploited it, hundreds of other people were able to essentially cut-and-paste the exploit. Which at least 40 people did, Elliptic said, emptying Nomad Bridge's wallets of all but a few hundred dollars. About 14,000 users were cleaned out in the process.

"This is why the hack was so chaotic — you didn't need to know about Solidity or Merkle Trees or anything like that. All you had to do was find a transaction that worked, find/replace the other person's address with yours, and then re-broadcast it," explained Sam Sun, a researcher for Web3 investment firm Paradigm, in a Twitter thread.

Not all were black hats, however, and some exploiters began sending funds back even before Nomad announced a 10% bug bounty. About 20% was recovered, and Nomad announced on Dec. 9 that it was relaunching and would offer a partial refund to users on a pro-rata basis.

September

Wintermute, $160 million

Witntermute, an automated market maker, had a hot wallet hacked for $160 million spread across 90 different cryptocurrencies, with no more than $2.5 million of any one token taken. The problem appeared to be a flaw in the hot wallet's security rather than Wintermute.

While the number is large, founder and CEO Evgeny Gaevoy said that its over-the-counter (OTC) and centralized finance operations are unaffected and that the firm is "solvent with twice over that amount in equity left."

Three weeks later, the firm was able to pay off a $96 million, uncollateralized loan a day before it came due. The firm offered a bug bounty, but apparently hasn't heard from the thief.

October

Binance Bridge, $586 million

While "Hacktober" was the worst month in a year chock full of DeFi hacks, the vast majority of the more than $760 million stolen came from a hack of the Binance's cross-chain bridge for its BNB Chain, the fourth-largest blockchain with a market cap of $57 billion.

A flaw in the chain's Binance Bridge allowed a hacker to create two million BNB tokens, worth $570 million, out of thin air. Because of that, no individual bridge user was injured.

And, a lot less was lost as Binance was able to shut down the BNB Smart Chain (BSC) before the attacker could move more than $100 million worth of stolen tokens off the chain. CoinMarketCap is owned by Binance.

Binance's chief communications officer Patrick Hillmann told CoinDesk on Oct. 10 that as the number of attacks on cross-chain bridges grows, "the communities that rally around these blockchains are getting much better at shutting them down quickly, updating their systems and being able to prevent a worst case scenario from happening."

But, he added, if attackers become better organized they could do more damage.

Two weeks later, Binance CEO Changpeng "CZ" Zhao told CNBC that thanks to some information from law enforcement agencies, the company is getting closer to identifying the culprit.

Mango Markets, $114 million

The second big exploit that month targeted Mango Markets, a DeFi trading platform on the Solana blockchain. Except, it was really an exploit but a market manipulation — and a legal one according to Avraham Eisenberg, a trader who outed himself as part of "a team that operated a highly profitable trading strategy."

The attack and/or trading strategy worked like this, CoinDesk explained: use $5 million in USDC stablecoins to buy up MNGO tokens and short the token, buy another $5 million worth to hedge, then use other funds to buy up the thinly traded MNGO token, which low liquidity, on the spot market, driving the price from $0.02 to $0.91 in 10 minutes. The second $5 million account was then worth $420 million, and Eisenberg cleaned out MNGO's $116 million liquidity.

Its native Mango token was down 40% on the day of the attack. Eisenberg said:

"I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are."

As this led the Mango Markets exchange into insolvency, and left its insurance fund unable to cover liquidations, he said:

"To remedy the situation, I helped negotiate a settlement agreement with the insurance fund with the goal of making all users whole as soon as possible as well as recapitalizing the exchange."

This entailed giving back $67 million (and getting a promise not to pursue criminal charges or freeze tokens.) Which got him little thanks in the Mango community. However, there was a great deal of gloating when an attack on Aave's CURV token failed, leaving him $17 million in the red.

November

Derebit, $28 million

Crypto derivatives exchange Derebit was hacked to the tune of $28 million by someone who got into its hot wallets. Chief commercial officer Luuk Strijers said that only 1% of its holdings are kept in hot wallets, and that the loss will be covered by the exchange, which temporarily halted trading.

DoJ Seizes Silk Road Hack Funds, $3.36 billion

The Department of Justice announced its second $3 billion-plus seizure of stolen Bitcoin in November. The 50,676 BTC was found in the home of James Zhong, who has pleaded guilty to robbing it from the Silk Road darknet market in 2012.

The action actually took place in Nov. 2021 — which would have been a much better time to sell it — and Zhong faces up to 20 years in prison for wire fraud, according to U.S. Attorney for the Southern DIstrict of New York Damian Williams. He said:

"Thanks to state-of-the-art cryptocurrency tracing and good old-fashioned police work, law enforcement located and recovered this impressive cache of crime proceeds.  This case shows that we won't stop following the money, no matter how expertly hidden, even to a circuit board in the bottom of a popcorn tin."

FTX, $477 million

It's hard to think of a better use of the phrase "adding insult to injury" than to describe the $477 million hack of FTX exchange funds just as CEO Sam Bankman-Fried's crypto empire was collapsing into bankruptcy.

The attack, which several experts and even Bankman-Fried himself has suggested was an inside job, occurred on Friday, Nov. 11, the day FTX filed for bankruptcy.

Some $280 million has been converted to ETH, and another $74 million to BTC via the RenBridge cross-chain bridge as on Nov. 21, Elliptic CEO Tom Robinson told CNBC.

"This is a common tactic in the laundering of crypto thefts," Robinson said, adding that RenBridge has been used to launder hundreds of millions of dollars in crypto his firm believes came from ransomware and hacking. To make matters even worse, RenBridge is owned by Alameda.

2 people liked this article