In September the volume of DeFi hacks slowed relative to the previous months. After monthly figures rose above $200M for two consecutive months, the volume of digital assets lost to hackers in September dropped below $180M. A single incident, the hack of prominent Automated Market Maker (AMM) Wintermute, accounted for 90% of the losses recorded in September.
Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of September 2022.
Hacks in September:
1. Wintermute
September 20, 2022: Wintermute, a prominent London-based AMM, was reported to have had digital assets worth around $160 million stolen from its crypto trading arm. CEO Evgeny Gaevoy confirmed the hack in a series of tweets in which he offered the hackers a 10% white-hat bounty. The firm, which provides liquidity across major crypto exchanges and trading platforms, remains solvent after the hack.
Root cause: Smart Contract Vulnerability
Loss: approx. $160M
Reference: Twitter Statement by CEO
Claimable event: Yes (Smart Contract Cover)
2. ShadowFi
September 2, 2022: An attacker exploited a vulnerability in the SDF token through ShadowFi’s liquidity pool contract, draining its funds. The stolen funds were transferred to Tornado Cash.
Root cause: Smart Contract Vulnerability
Loss: $301K
Reference: Twitter Announcement from PeckShieldAlert
Claimable event: Yes (Smart Contract Cover)
3. Kyber Network
September 2, 2022: KyberSwap, a decentralised exchange, was hacked for a total of $265K through a front-end exploit involving “malicious code” injected via its Google Tag Manager. Whale wallets were targeted and funds were drained to various addresses.
Root cause: Front-end hack
Loss: approx. $1.6M
Reference: Twitter Announcement
Claimable event: No
4. Bill Murray
September 3, 2022: Actor Bill Murray’s wallet was compromised, and a hacker stole $185K worth of funds shortly after the close of his NFT auction, the proceeds of which were destined for charity.
Root cause: Wallet Compromise
Loss: approx. $185k
Reference: Online News
Claimable event: No
5. DaoSwap
September 5, 2022: The attacker set the inviter’s address to their own and profited because the mining rewards paid out were larger than the fees charged during the swap process.
Root cause: Smart Contract Vulnerability
Loss: $580K
Reference: Online News by BlockSec
Claimable event: Yes (Smart Contract Cover)
6. Rug Pull Finder
September 5, 2022: Rug Pull Finder’s NFT contract was exploited due to a flaw in its smart contract, allowing two people to mint 450 NFTs instead of the intended one per wallet.
Root cause: Smart Contract Vulnerability
Loss: 450 NFTs
Reference: Official Twitter Announcement
Claimable event: Yes (Smart Contract Cover)
7. Nereus
September 6, 2022: Avalanche-based lending protocol Nereus Finance was exploited by a user who deployed a custom smart contract that used a $51M flash loan to manipulate the AVAX/USDC Trader Joe LP pool price. The user was then able to mint 998,000 NXUSD against ~$508K worth of collateral. According to Nereus, the exploit resulted from a “missed step” in the price calculation.
Root cause: Smart Contract Vulnerability
Loss: approx. $371K
Reference: Official Post-mortem
Claimable event: Yes (Smart Contract Cover)
8. GERA
September 7, 2022: According to the official announcement by the GERA team, the GERA token’s security was compromised due to a private key leak, which allowed hackers to transfer ownership of the GERA token’s smart contract deployer to another address.
Root cause: Private Key Compromise
Loss: $1.48M
Reference: Twitter Announcement
Claimable event: No
9. New Free DAO
September 8, 2022: The New Free DAO project on the BSC chain suffered a flash loan attack in which the attacker took advantage of weak reward-calculation code to drain 4,481 WBNB, worth approximately $1.25 million, from the contract.
Root cause: Smart Contract Vulnerability
Loss: 4,481 WBNB
Reference: Twitter Announcement by SlowMist
Claimable event: Yes (Smart Contract Cover)
10. Ragnarok Online Invasion
September 8, 2022: Ragnarok Online Invasion ($ROI) was attacked through an access control vulnerability in its ownership transfer function. Around 158 BNB (44,222.5 BUSD) was stolen by the hackers.
Root cause: Smart Contract Vulnerability
Loss: 158 BNB
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
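The vulnerability class named above, an ownership transfer function without access control, illustrated in a minimal Solidity example written for this post (it is not the $ROI contract and does not reproduce its code): `WeakOwnable` lets any caller take ownership, while `HardenedOwnable` restricts nomination to the current owner and requires the nominee to accept. The contract, event and function names are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not the $ROI contract): the "weak" contract shows the
// defect class described above; the "hardened" one restricts ownership
// transfer to the current owner and uses a two-step handover so a mistyped
// address cannot permanently lock the contract.

contract WeakOwnable {
    address public owner;
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    constructor() { owner = msg.sender; }

    // Defect: no access check, so any caller can make itself the owner and
    // then call every owner-only function (e.g. withdraw the balance).
    function transferOwnership(address newOwner) external {
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }
}

contract HardenedOwnable {
    address public owner;
    address public pendingOwner;
    event OwnershipTransferStarted(address indexed currentOwner, address indexed pendingOwner);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error Unauthorized(address caller);
    error ZeroAddress();

    modifier onlyOwner() {
        if (msg.sender != owner) revert Unauthorized(msg.sender);
        _;
    }

    constructor() { owner = msg.sender; }

    // Step 1: only the current owner may nominate a successor.
    function transferOwnership(address newOwner) external onlyOwner {
        if (newOwner == address(0)) revert ZeroAddress();
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    // Step 2: the nominee proves control of the address by accepting.
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert Unauthorized(msg.sender);
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender;
        pendingOwner = address(0);
    }
}
```

For monitoring deployed contracts, an `OwnershipTransferred` event emitted by a transaction whose sender is neither the previous owner nor a previously nominated pending owner is a simple rule that flags this class of bug being exercised.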
10. Sandbox
September 8, 2022: The Instagram account of Sandbox Game was compromised and used in an attempt to rent out Bored Ape Yacht Club non-fungible tokens (NFTs).
Root cause: Social Engineering Attack
Loss: NA
Reference: Online News
Claimable event: No
11. Dogechain
September 11, 2022: Hackers minted 9.7M DOGE and transferred 316K worth through the cross-chain bridge Anyswap.
Root cause: Smart Contract Vulnerability
Loss: approx. $600K
Reference: Twitter Announcement
Claimable event: No (Exclusions under Smart Contract Cover)
12. Binance
September 15, 2022: Binance misallocated roughly $20 million of Helium’s HNT token to its users due to an accounting bug, leading to a windfall in HNT.
Root cause: Operations Failure
Loss: NA
Reference: Online News
Claimable event: No
13. ETHPoW
September 16, 2022: ETHPoW suffered a bridge replay exploit in which a hacker obtained 200 WETH from the Ethereum PoW chain. The root cause was that the Omni bridge on the PoW chain uses the old chainId and does not correctly verify the actual chainId of the cross-chain message. The hacker used this to send 200 WETH across the Omnibridge of the Gnosis chain, then replayed the identical transaction on the PoW chain to obtain 200 more ETHW.
Root cause: Smart Contract Vulnerability
Loss: 200 ETHW
Reference: Online News
Claimable event: No (Exclusions under Smart Contract Cover)
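The chainId defect described above, modelled in a minimal Solidity bridge written for this post (an added example, not the Omni bridge’s code): `WeakBridge` pins the expected chain id at deployment, so after a fork it still accepts messages addressed to the original chain, while `HardenedBridge` compares the message against `block.chainid` at execution time and rejects messages it has already executed. The contract and struct names, the message layout, and the omission of validator signature checks are assumptions of the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration (not the Omni bridge). A chain fork copies the
// contract's code and storage, so a chain id frozen at deployment stays
// equal to the original chain's id on the fork. Messages built for the
// original chain therefore still pass the weak check on the fork, and
// because the two chains' 'executed' maps diverge after the fork, a message
// executed on the original chain is still "fresh" on the forked one.

library MessageLib {
    struct Message {
        uint256 sourceChainId;       // chain the tokens leave
        uint256 destinationChainId;  // chain the tokens should be released on
        address recipient;
        uint256 amount;
        uint256 nonce;
    }

    function id(Message calldata m) internal pure returns (bytes32) {
        return keccak256(
            abi.encode(m.sourceChainId, m.destinationChainId, m.recipient, m.amount, m.nonce)
        );
    }
}

contract WeakBridge {
    using MessageLib for MessageLib.Message;

    uint256 public immutable expectedChainId; // frozen at deployment
    mapping(bytes32 => bool) public executed;

    constructor() { expectedChainId = block.chainid; }

    // Defect: after a fork block.chainid changes but expectedChainId does not,
    // so a message with destinationChainId == original chain id is accepted
    // here even though this contract now runs on a different chain.
    function execute(MessageLib.Message calldata m) external {
        require(m.destinationChainId == expectedChainId, "wrong chain");
        bytes32 h = m.id();
        require(!executed[h], "replayed");
        executed[h] = true;
        // validator signature check and token release omitted in this model
    }
}

contract HardenedBridge {
    using MessageLib for MessageLib.Message;

    mapping(bytes32 => bool) public executed;

    error WrongChain(uint256 expected, uint256 actual);
    error AlreadyExecuted(bytes32 id);

    // The chain id is read at execution time, so it differs on a fork and a
    // message addressed to the original chain is rejected there.
    function execute(MessageLib.Message calldata m) external {
        if (m.destinationChainId != block.chainid) {
            revert WrongChain(block.chainid, m.destinationChainId);
        }
        bytes32 h = m.id();
        if (executed[h]) revert AlreadyExecuted(h);
        executed[h] = true;
        // validator signature check and token release omitted in this model
    }
}
```

The same principle applies to the signed payload: the destination chain id belongs inside the data the validators sign, so that a signature produced for one chain cannot be presented on another. Operators of a forked deployment can additionally alert on any cross-chain execution whose message chain id does not match the chain the contract actually runs on.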
14. GMX
September 18, 2022: Decentralized exchange (DEX) GMX suffered a price manipulation exploit in which the attacker made off with around $565,000 from the Avalanche (AVAX)/USD market.
Root cause: Economic Attack
Loss: $565,000
Reference: Official Twitter Announcement
Claimable event: No
15. CoinDCX
September 20, 2022: The official Twitter account of India-based crypto exchange CoinDCX was hacked and used to post fake Ripple (XRP) promotions containing phishing links.
Root cause: Social Engineering Attack
Loss: NA
Reference: Online News
Claimable event: No
16. Wintermute
September 20, 2022: Crypto market maker Wintermute Protocol was hacked due to a private key compromise linked to a bug in Profanity, a vanity-address generator. The vulnerability in Profanity allowed the hacker to recover the private key of Wintermute’s Externally Owned Account (EOA).
Root cause: Private Key Compromise
Loss: approx. $160M
Reference: Article by QuillAudits
Claimable event: No
17. BXH
September 21, 2022: The private key of the original owner of BXH VaultPool was suspected to have been stolen. The funds in the contract were transferred to the hackers’ address by calling the inCaseTokensGetStuck function. Since then, the hacker has transferred all stolen funds to Tornado Cash.
Root cause: Private Key Compromise
Loss: $2.5M
Reference: Online News
Claimable event: No
18. MEV Bots
September 28, 2022: A user tried to swap $1.85M of Compound cUSDC for USDC on Uniswap but received only $500 due to a lack of liquidity. The MEV bot 0xbad back-ran the trade and made $1.02M, but a hacker then exploited the bot’s arbitrage contract code and stole a total of 1,101 ETH from 0xbad’s wallet.
Root cause: Smart Contract Vulnerability
Loss: approx. $1.5M
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
19. BXH
September 28, 2022: BXH’s TokenStakingPoolDelegate contract was exploited through a flash loan attack. The hacker made a net profit of 31,794 after stealing 40,085 USDT.
Root cause: Smart Contract Vulnerability
Loss: Approx. 40,085 USDT
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
20. Gnosis Guild
September 28, 2022: The Gnosis Guild Reality Module (DAO Module) suffered an attack whose main cause was malicious proposals that the attacker submitted and then pushed through to execution.
Root cause: Governance Attack
Loss: 7.5 ETH
Reference: Online News
Claimable event: No
The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, and all users should raise their own security awareness to avoid serious losses.
InsurAce.io currently offers insurance protection for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked and the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.
For details on the coverage and exclusions for each cover, kindly read Cover Wording here.
Get your investment funds protected with InsurAce.io: Buy Cover