Report: over $160 Million Lost in DeFi Exploits and Scams in September
Cryptocurrencies have experienced a significant amount of turbulence this year. Ever since they hit their peak in late 2021, big players within the sector like Ethereum and Bitcoin have witnessed substantial reductions in prices.
Such reductions produced a chain reaction in other parts of the cryptocurrency market, where numerous crypto platforms ultimately went bankrupt. In other words, it was a crash that wiped out the value of some major cryptocurrencies.
With that, September, which has historically been Bitcoin’s (BTC) worst month, also saw a continual decline for the cryptocurrency market. Meanwhile, Ethereum (ETH) finished its long-awaited shift to the proof-of-stake consensus mechanism (PoS).
Ethereum investors had anticipated a more positive spark following the shift, but it did not materialize.
Beyond the price action, we also observe that September was a particularly profitable month for exploiters. The top exploit of the month in terms of dollars lost was Wintermute, at $160m.
An Overview of Losses
Through DeFiYield’s own Rekt Database, which has also been mentioned by large news outlets like Yahoo Finance and Investing.com, one can look up every scam, hack, or exploit in the cryptocurrency space.
The database lists the details surrounding each of these events. By looking at the data it provides, we can find the total funds lost so far this year, which is a staggering figure of more than $40 billion.
Much of that loss was due to the collapse in value of TerraUSD, an algorithmic stablecoin that was supposed to behave similarly to cash.
Although TerraUSD’s system was designed to keep it closely pegged to the dollar, the peg failed, which caused panic selling and the simultaneous fall of LUNA, another well-known coin that was connected to TerraUSD. Consequently, both the tokens have lost a tremendous amount of their former value or market capitalization.
Another notable incident that shook the world of digital assets was the downfall of a cryptocurrency hedge firm known as Three Arrows Capital (3AC).
This then had a domino effect in which several other cryptocurrency trading platforms that were counterparties to 3AC were forced to freeze client withdrawals.
Among the projects that recently lost funds to exploits or other means, the top 3 in September were Wintermute, Boy X Highspeed, and New Free DAO, all of which lost millions of dollars.
Largest Incidents This Month
1. Wintermute (September 20th, $160 million)
Wintermute is an algorithmic market maker that provides liquidity across CeFi and DeFi exchanges as well as over-the-counter deals. According to the company’s CEO, its DeFi operations were hacked, and the incident appeared to be a private key compromise achieved by brute force. The company used Profanity’s services for generating vanity addresses, whose private keys were known to be more vulnerable to brute-force attacks.
The attacker gained control over Wintermute’s wallet and repeatedly used a privileged function to transfer funds from the Wintermute wallet to his malicious smart contracts. These then transferred the funds to the attacker’s externally owned address.
2. Boy X Highspeed (September 20th, $2.6 million)
This was the second time that Boy X Highspeed was involved in an exploit, the previous occasion being in 2021. This time round, the exploit was carried out using privileged access: 1865 $ETH was stolen and transferred using Tornado Cash.
Boy X Highspeed’s staking pool contract on the Binance and the AVAX chain was exploited for various assets worth a total of 2,584,890 $USD. All funds were withdrawn from the staking contract using a privileged function.
3. New Free DAO (September 8th, $1.3 million)
The New Free DAO project was subjected to a flash loan attack, suffering losses of $1.25M. The attackers took 250 WBNB via flash loan and swapped the loaned funds for NFD tokens. They then created multiple contracts to claim airdrop rewards from the targeted victim contracts.
The attacker returned the flash loan and swapped all the NFD for WBNB, before cashing out the WBNB into USDT.
Key Rekt Stats this Month
Year-on-year, we saw an increase in funds lost by $36m. Fortunately, however, for September 2022, a total of $79.7m was recovered, bringing down net losses below that of last year.
September’s loss figure was also down month-on-month. This is an empty victory, however, because the amount of funds lost from January to September this year is more than 5 times greater than that for the same period last year, at $42b.
The top type of exploit in September 2022 was the Private Key exploit. As can be seen in the yearly summary below, this has been a recurring theme in several high-profile exploits this year, including Wintermute, Harmony One Bridge and Ronin Bridge.
This once again highlights the various ways in which a private key may be stolen. This month, it was in the form of a vulnerability in a vanity address generated by Profanity. We would advise users to avoid using such addresses, especially if they are investing large sums of money.
Are some chains more risky than others?
This month, we saw most of the losses being concentrated in Ethereum, where the Wintermute exploit took place.
Losses have been tallied by chain as follows:
If we exclude the exceptional case of Wintermute where $160m was lost, however, we see that the chain with the highest losses is instead BNB Chain.
We have analysed the differences in risk as compared to total value locked on our security YouTube channel.
Other Exploits this Month
The data mentioned below includes the rest of the top 10 incidents that took place this month, with all of them gathered from DeFiYield’s Rekt Database, based on the total amount of funds compromised. To read more details on each exploit, check out our Rekt Database.
4. Profanity Wallet (September 18th, $977k)
Profanity-generated wallet addresses suffered an exploit due to a known vulnerability in the private key generation process. 732 $ETH was stolen from the wallet generated by the Profanity tool.
The hacker compromised the private key and transferred funds to Tornado Cash.
5. TIGER (September 23rd, $784k)
TIGER, a BEP-20 token listed on PancakeSwap, was rugpulled by an externally-owned address selling a large amount of tokens.
The token’s price dropped by over 90%, netting the attacker a profit of ~$784,106.
6. DAO_Officials (September 4th, $581k)
DAO_Officials, a project on the BNB Chain, was exploited in a flash loan attack. The attacker created a contract that called the mock function, a script that executed a flash loan for a large amount of $USDT tokens.
In the same transaction, the hacker exchanged $DAO for $USDT, then repeated this process in order to receive a reward from the contract, and then repaid the flash loan. The hacker was able to profit by $581k.
7. Arbitrage Robot (September 8th, $472k)
Arbitrage Robot Token is a platform that provides arbitrage opportunities. The project’s Staking contract was hacked a week after deployment by an attacker, who drained all native $RBTR tokens from the staking contract and cashed out for $472k.
The $RBTR token price dumped by 96% as a result of the large sell.
8. Dollar (September 26th, $383k)
The Dollar token, a token on the BNB Chain, was rug-pulled. The token deployer removed liquidity and profited by $383k.
9. Cauldron (September 6th, $370k)
This was the biggest flash loan attack on Avalanche in 2022. The attacker was able to profit by $370k after interacting with several assets across Cauldron, Curve, Aave and Joeswap.
Vulnerable contract: CauldronV2.
10. ShadowFi (September 2nd, $303k)
ShadowFi is a project on the BNB Chain, focused on anonymous payments, NFTs and passive income.
The ShadowFi project was exploited by a hacker who took advantage of a vulnerability in the $SDF token, making a profit of 1078 $BNB, equivalent at the time to $303k.
As always, stay safe and DYOR!