The volume of DeFi hacks climbed sharply in October 2022. According to data compiled by DefiLlama, crypto holders and investors lost another $700 million to hacks and exploits, a 430% jump from the $165 million recorded in September.
There were a series of hacks worth over $100m, but the $570 million BNB Chain exploit was by far the most high-profile, both for the sophistication of the attack and for the timely response of the Changpeng Zhao-led Binance security team.
Here is InsurAce’s expert overview of the high-profile hacks that occurred in the global DeFi space during the month of October 2022.
1. Transit Swap
October 2, 2022: Transit Swap, a decentralized cross-chain exchange, suffered a bug that allowed an attacker to drain the wallets of users who had approved the protocol’s swap contracts. The root cause was a lack of input validation for critical parameters in the contract’s claimTokens function.
Root cause: Smart Contract Vulnerability
Loss: approx. $21m
Reference: SlowMist Analysis on Medium
Claimable event: Yes (Smart Contract Cover)
2. Sovryn
October 5, 2022: Bitcoin-based decentralized finance protocol Sovryn was exploited through two legacy lending pools. The attacker took advantage of an unsafe external call in the _callTokensToSend function to execute their attack contract.
Root cause: Smart Contract Vulnerability
Loss: $554K
Reference: Analysis by Halborn
Claimable event: Yes (Smart Contract Cover)
3. Sex DAO
October 5, 2022: Sex DAO, a Web3 social platform, is suspected to have been rug pulled. Its official website and Twitter account have become inaccessible, and its original white paper has been deleted.
Root cause: Rug Pull
Loss: approx. 220,000 USDT
Reference: News
Claimable event: No
4. Binance Bridge
October 6, 2022: The BNB Chain cross-chain bridge was attacked and more than US$500 million was lost. The hacker minted two batches of 1M BNB each by forging proofs of deposit. The bug in the bridge allowed attackers to forge arbitrary messages.
Root cause: Smart Contract Vulnerability
Loss: approx. 2,000,000 BNB
Reference: Twitter Announcement by SlowMist
Claimable event: No (Exclusion under Smart Contract Cover)
5. BNBHACKINU
October 7, 2022: After the initial hack on BNB Chain, a malicious actor created fake tokens based on popular dog-themed memecoins. He used a function to create an arbitrary number of tokens and then transferred them between token holders without any permission.
Root cause: Rug Pull
Loss: approx. $100K worth of Ethereum
Reference: Analysis by QuillAudits
Claimable event: No
6. Xave Finance
October 9, 2022: Ancilia, Inc., a cybersecurity partner for Web3, identified suspicious activity on Xave Finance. A user was able to mint over 100 trillion RNBW and swap it in a Uniswap pool. Fortunately, the pools were built in a way that prevents owners from withdrawing funds on behalf of users, leaving user funds unaffected.
Root cause: Smart Contract Vulnerability
Loss: Nil
Reference: Post Mortem by Xave Finance
Claimable event: Yes (Smart Contract Cover)
7. Jumpn Finance
October 9, 2022: Jumpn Finance was rug pulled when the attacker called the 0xe156 contract’s 0x6b1d9018() function to withdraw user assets and transfer them to his own address.
Root cause: Rug Pull
Loss: $1.15M
Reference: Analysis by QuillAudits
Claimable event: No
8. TempleDAO
October 11, 2022: The TempleDAO project was hacked for approximately $2.36 million worth of LP tokens. A function of the StaxLPStaking contract had insufficient access control, allowing the hacker to supply a self-created contract as the oldStaking parameter and specify an address to which the funds could be sent.
Root cause: Smart Contract Vulnerability
Loss: approx. $2.36M
Reference: Twitter Announcement by SlowMist
Claimable event: Yes (Smart Contract Cover)
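The TempleDAO entry describes a migration function that trusted a caller-supplied oldStaking contract. The Solidity below is an added illustration of the defensive pattern, not TempleDAO’s StaxLPStaking code: the contract name, the IOldStaking interface, migrateWithdraw, trustedOldStaking and the function shapes are all assumptions made for the example. The weak form is shown in a comment for contrast; the live function allow-lists the migration source, credits only the LP tokens that actually arrived, and never accepts a caller-chosen recipient.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed minimal ERC-20 surface (balance check and payout only).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Assumed shape of a legacy staking contract: it pushes `amount` LP tokens to `to`.
interface IOldStaking {
    function migrateWithdraw(address to, uint256 amount) external;
}

contract StakingWithGuardedMigration {
    IERC20 public immutable lpToken;
    address public immutable owner;

    // Allow-list of legacy staking contracts permitted to act as a migration source.
    mapping(address => bool) public trustedOldStaking;
    mapping(address => uint256) public balances;

    event Migrated(address indexed staker, address indexed source, uint256 credited);

    constructor(IERC20 _lpToken) {
        lpToken = _lpToken;
        owner = msg.sender;
    }

    function setTrustedOldStaking(address source, bool trusted) external {
        require(msg.sender == owner, "not owner");
        trustedOldStaking[source] = trusted;
    }

    // Weak form, shown only for contrast (hypothetical, not deployed here):
    //
    //   function migrateStake(address oldStaking, uint256 amount) external {
    //       IOldStaking(oldStaking).migrateWithdraw(address(this), amount);
    //       balances[msg.sender] += amount;
    //   }
    //
    // Two defects: `oldStaking` is whatever the caller passes, so a caller-deployed
    // contract satisfies the call without sending any tokens; and the credited
    // `amount` comes from the caller's argument rather than from tokens received.
    // A fictitious credit can then be withdrawn against real LP tokens held here.

    function migrateStake(address oldStaking, uint256 amount) external returns (uint256 credited) {
        // Check 1: the migration source must be one the owner explicitly trusts.
        require(trustedOldStaking[oldStaking], "untrusted migration source");

        // Check 2: credit only what actually arrived, measured by balance delta,
        // so even a misbehaving source cannot inflate the caller's stake.
        uint256 before = lpToken.balanceOf(address(this));
        IOldStaking(oldStaking).migrateWithdraw(address(this), amount);
        credited = lpToken.balanceOf(address(this)) - before;
        require(credited == amount, "received amount mismatch");

        // Check 3: stake is always credited to msg.sender; no caller-chosen recipient.
        balances[msg.sender] += credited;
        emit Migrated(msg.sender, oldStaking, credited);
    }

    // Withdrawals pay out only against stake that was actually received.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient stake");
        balances[msg.sender] -= amount;
        require(lpToken.transfer(msg.sender, amount), "transfer failed");
    }
}
```

The allow-list alone closes the fake-source path; the balance-delta check is kept as a second, independent control so that a trusted source that later misbehaves still cannot mint stake out of thin air.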
9. Rabby
October 11, 2022: DeBank’s plug-in wallet Rabby was attacked through its token exchange function. The function could be called directly from outside the contract, and the parameters passed in by users were not checked. Hackers were able to transfer funds through this flaw.
Root cause: Smart Contract Vulnerability
Loss: $190K
Reference: Twitter Announcement by SlowMist
Claimable event: Yes (Smart Contract Cover)
10. QANplatform
October 11, 2022: The quantum-resistant Layer 1 blockchain QANplatform was exploited when the QANX Bridge smart contract deployer wallet was compromised through the Profanity address vulnerability, resulting in the loss of $2 million in tokens.
Root cause: Private Key Leakage
Loss: $2M
Reference: Analysis by QANplatform
Claimable event: No
11. The Micro Elements
October 11, 2022: The Micro Elements project was rug pulled and approximately $548,600 was stolen.
Root cause: Rug Pull
Loss: $548K
Reference: Twitter Announcement by Certik
Claimable event: No
12. ATK
October 12, 2022: The Journey of Awakening (ATK) project was hacked through a flash loan attack. The hacker obtained a large quantity of ATK tokens from the project’s contract and exchanged them for BNB, which was then transferred to Tornado Cash.
Root cause: Unknown
Loss: approx. $120,000
Reference: Online News
Claimable event: No
13. Mango Markets
October 12, 2022: Mango Markets, a decentralized finance (DeFi) trading platform on the Solana blockchain, was hacked, with attackers stealing $117 million from the platform. According to a tweet from Mango Markets, the hack was carried out through price manipulation of the native MNGO token.
Root cause: Economic Attack/Price Manipulation
Loss: $117M
Reference: Post Mortem Tweet by Mango
Claimable event: No
14. FTX
October 13, 2022: Crypto exchange FTX lost 81 ETH to a gas theft vulnerability. The hacker minted over 100 million XEN tokens, which were then converted into ETH, at zero cost. FTX’s mode of operation allowed the hack to happen, as it placed no restriction on the gas limit of withdrawal transactions, so the hacker was able to steal at zero cost.
Root cause: Gas Theft Vulnerability
Loss: 81 ETH
Reference: Online News
Claimable event: No
15. Earning.farm
October 13, 2022: Yield platform Earning.farm was hit by a flash loan attack. The contract did not verify whether flash loan callbacks were initiated by the protocol itself, allowing the attacker to exploit this flaw and drain large amounts of funds.
Root cause: Smart Contract Vulnerability
Loss: 750 ETH
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
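The Earning.farm entry turns on a flash loan callback that did not check who initiated the loan. The Solidity below is an added example of the guarded pattern, written for this overview and not taken from Earning.farm or its lender; it assumes an ERC-3156-style lender (the standard flashLoan/onFlashLoan shape) and the contract, function and variable names are illustrative. The unsafe form is shown in a comment for contrast; the live callback checks the caller, the ERC-3156 initiator, and a local flag set only for the duration of a loan the contract itself started.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Assumed minimal ERC-20 surface.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function approve(address spender, uint256 amount) external returns (bool);
}

// Standard ERC-3156 lender entry point (the page does not name the actual lender used).
interface IERC3156FlashLender {
    function flashLoan(address receiver, address token, uint256 amount, bytes calldata data)
        external returns (bool);
}

contract GuardedFlashBorrower {
    bytes32 private constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    IERC3156FlashLender public immutable lender;
    address public immutable owner;
    bool private expectingCallback; // true only while a loan this contract started is in flight

    constructor(IERC3156FlashLender _lender) {
        lender = _lender;
        owner = msg.sender;
    }

    // Only the owner may start a loan; we record that exactly one callback is now expected.
    function startLoan(address token, uint256 amount, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        expectingCallback = true;
        require(lender.flashLoan(address(this), token, amount, data), "flash loan failed");
        expectingCallback = false;
    }

    // Unsafe form, shown only for contrast (hypothetical, not deployed here):
    //
    //   function onFlashLoan(address, address token, uint256 amount, uint256 fee, bytes calldata data)
    //       external returns (bytes32)
    //   {
    //       _useBorrowedFunds(token, amount, data);   // runs for ANY caller, with ANY token/amount
    //       IERC20(token).approve(msg.sender, amount + fee);
    //       return CALLBACK_SUCCESS;
    //   }
    //
    // Nothing ties the call to a loan the protocol requested, so a direct external call drives
    // the strategy logic and the approval with attacker-chosen arguments.

    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32)
    {
        // Check 1: the callback must come from the lender we configured, not an arbitrary caller.
        require(msg.sender == address(lender), "untrusted lender");
        // Check 2: the loan must have been initiated by this contract (ERC-3156 `initiator`).
        require(initiator == address(this), "untrusted initiator");
        // Check 3: independent of the lender's bookkeeping, we must be inside our own startLoan.
        require(expectingCallback, "unexpected callback");

        _useBorrowedFunds(token, amount, data);

        // Approve repayment; the lender pulls amount + fee after this function returns.
        require(IERC20(token).approve(msg.sender, amount + fee), "approve failed");
        return CALLBACK_SUCCESS;
    }

    // Placeholder for strategy logic; here it only confirms the borrowed funds actually arrived.
    function _useBorrowedFunds(address token, uint256 amount, bytes calldata) internal view {
        require(IERC20(token).balanceOf(address(this)) >= amount, "funds not received");
    }
}
```

The three checks are deliberately redundant: a lender that mishandles `initiator` is caught by the `msg.sender` check and the local flag, and the flag also catches the case where a trusted lender is itself tricked into calling back outside a loan this contract requested.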
16. MTDAO
October 17, 2022: Metaverse DAO was exploited through a flash loan attack. Both MT and ULM tokens were affected through functions in an unopened contract that allowed MT and ULM token contracts to profit.
Root cause: Unknown
Loss: 1930 BNB
Reference: Online News
Claimable event: No
17. LiveArtX
October 17, 2022: NFT platform LiveArtX’s wallet was compromised and several NFTs were sold. The attacker transferred 7.3 ETH and 22.30 WETH to BitKeep before exchanging them for USDT. The price of the collection fell from 1 ETH to 0.1 ETH.
Root cause: Wallet Compromise
Loss: $39K
Reference: Online News
Claimable event: No
18. BitKeep Swap
October 18, 2022: BitKeep crypto wallet’s Swap feature was hacked and used to drain approximately $1 million from the wallet. Affected users were compensated by the project in full.
Root cause: Smart Contract Vulnerability
Loss: approx. $1.1M
Reference: Official Twitter Announcement by BitKeep
Claimable event: Yes (Smart Contract Cover)
19. PLTD
October 18, 2022: The PLTD project was exploited due to loopholes in the PLTD contract. The attacker used two flash loans to borrow 666,000 BUSD, which was exchanged for 1.57 million PLTD tokens.
Root cause: Smart Contract Vulnerability
Loss: approx. 24,497 BUSD
Reference: Analysis by QuillAudits
Claimable event: Yes (Smart Contract Cover)
20. BitBTC
October 19, 2022: A security researcher on Twitter reported a vulnerability in the BitBTC bridge to the Ethereum layer-2 network Optimism. Following the tweet, an attacker generated 200 billion BitBTC coins to test the theory, and claimed that it was just a test.
Root cause: Smart Contract Vulnerability
Loss: NIL
Reference: Online News
Claimable event: No (Exclusions under Smart Contract Cover)
21. Dataverse
October 19, 2022: Metaverse data platform Dataverse detected a hack on their GEO BSC contract. Users were advised not to buy any GEO on BSC, and any tokens bought from October 19th to 22nd are invalid.
Root cause: Unknown
Loss: NIL
Reference: Twitter Announcement by Dataverse
Claimable event: No
22. Moola Market
October 19, 2022: Lending protocol Moola Market was exploited through price manipulation, like Mango Markets. Starting with 243K CELO, the attacker used 60K CELO to borrow 1.8M MOO and the remaining CELO to buy MOO, inflating the value of their collateral. The attacker then drained the protocol of its remaining assets.
Root cause: Economic Attack/Price Manipulation
Loss: $8.4M
Reference: Post Mortem Tweet by Moola Market
Claimable event: No
23. Ethereum Alarm Clock
October 20, 2022: The Ethereum Alarm Clock had a smart contract bug that was exploited to profit from gas fees returned on cancelled transactions. The bug refunded attackers more in gas fees than they had initially paid, allowing them to profit from the difference.
Root cause: Smart Contract Vulnerability
Loss: $260K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
24. Mango INU
October 20, 2022: The Mango INU project rug pulled, and the price of MNGO dropped by more than 80%. The attackers behind the project leveraged the Mango Markets hack.
Root cause: Rug Pull
Loss: $48.5K
Reference: Twitter Announcement by CertiK
Claimable event: No
25. Petra
October 20, 2022: Aptos Labs discovered an error related to account creation in the Petra Wallet. The error occurs when creating an account in an existing wallet and results in an inaccurate mnemonic being displayed on the page.
Root cause: Mnemonic Inconsistency
Loss: NIL
Reference: Twitter Announcement by Petra
Claimable event: No
26. OlympusDAO
October 21, 2022: OlympusDAO suffered an exploit in which the attacker was able to withdraw 30K OHM-related tokens due to a loophole in the project’s “BondFixedExpiryTeller” smart contract. The attacker has since returned all the tokens.
Root cause: Smart Contract Vulnerability
Loss: $292K
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
27. Gate.io
October 22, 2022: Hackers impersonated Gate.io and created a fake website. After taking over Gate.io’s official Twitter account, they replaced the original link with the fake website, which promoted a fake giveaway of 500,000 USDT. When a user connected their wallet to the fake website, the hackers were able to drain their assets.
Root cause: Phishing Attack
Loss: NIL
Reference: Online News
Claimable event: No
28. Vivity
October 22, 2022: According to CertiK, Vivity’s Discord server was hacked. Users were warned not to click on any links, mint, or approve any transactions.
Root cause: Discord Server Hack
Loss: NIL
Reference: Online News
Claimable event: No
29. Blur
October 22, 2022: A fake phishing account impersonating the Blur NFT platform was discovered on Twitter. The account tweeted that the BLUR token query was open and that users could access it through a URL. Users were warned not to click on any of its links.
Root cause: Phishing Attack
Loss: NIL
Reference: Online News
Claimable event: No
30. FTX & 3Commas
October 23, 2022: Automated crypto trading provider 3Commas discovered that some API keys associated with 3Commas accounts had not been obtained from 3Commas. Fake websites posing as 3Commas were used to phish API keys as users linked their FTX accounts. These keys were then used to perform unauthorised DMG trades.
Root cause: Phishing Attack
Loss: approximately $4M
Reference: Online News
Claimable event: No
31. Freeway
October 23, 2022: Crypto investment platform Freeway reportedly halted withdrawals on assets worth more than $100 million. The names of all platform team members were erased from the website, and a $100 million rug pull is suspected to have occurred.
Root cause: Rug Pull (Suspected)
Loss: $100M
Reference: Online News
Claimable event: No
32. Layer2DAO
October 23, 2022: Investment DAO Layer2DAO was exploited through a multisig hack on Optimism that drained 49 million L2DAO tokens. Layer2DAO has since repurchased 31 million tokens from the hackers through its treasury funds. The project announced it will be rolling out support for the token price in the coming days.
Root cause: Operations Failure
Loss: 49,950,000 L2DAO
Reference: Twitter Announcement by Layer2DAO
Claimable event: No
33. Quickswap
October 24, 2022: The Market XYZ lending market on Quickswap was compromised for $220,000 due to a vulnerability with the Curve Oracle, which Market XYZ was using.
Root cause: Oracle Failure/Attack
Loss: $220,000
Reference: Online News
Claimable event: No
34. Melody
October 25, 2022: Melody was compromised due to a vulnerability involving an off-chain frontend module which allowed the hacker to bypass the access control.
Root cause: Front-end Attack
Loss: 992,450 SGS
Reference: Online News
Claimable event: No
35. UvToken
October 27, 2022: The UvTokenWallet’s Eco Staking project was hacked due to lack of properly authenticated input data in its staking contract.
Root cause: Smart Contract Vulnerability
Loss: $1.5M
Reference: Twitter Announcement by UvToken
Claimable event: Yes (Smart Contract Cover)
36. Team Finance
October 27, 2022: Team Finance, a crypto liquidity provider, lost $14.5 million due to a smart contract bug in its migration function. The attacker transferred liquidity from Uniswap V2 to an attacker-controlled V3 pair with skewed pricing.
Root cause: Smart Contract Vulnerability
Loss: $14.5M
Reference: Twitter Announcement by Team Finance
Claimable event: Yes (Smart Contract Cover)
37. VTF Token
October 27, 2022: VTF Token on BSC was compromised due to a bug in the VTF contract used to receive holding rewards.
Root cause: Smart Contract Vulnerability
Loss: $58,000
Reference: Twitter Alert by Beosin
Claimable event: Yes (Smart Contract Cover)
38. THORChain
October 28, 2022: Cross-chain exchange and proof-of-bond network THORChain was halted on Oct. 27 due to a coding bug that caused “non-determinism between individual nodes.” The network is now fully operational after an outage of approximately 20.5 hours.
Root cause: Off-chain Coding Bug
Loss: NIL
Reference: Online News
Claimable event: No
39. FriesDAO
October 28, 2022: FriesDAO was hacked, with the attacker stealing $2.3 million in FRIES tokens after taking control of the team’s deployer wallet.
Root cause: Wallet Compromise
Loss: $2.3M
Reference: Online News
Claimable event: No
The crypto industry has generated a lot of excitement; however, it carries a lot of risk. Security incidents occur from time to time, and all users should enhance their own security awareness to avoid serious losses.
InsurAce.io currently offers insurance protection for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price.
For details on the coverage and exclusions for each cover, kindly read Cover Wording here.
Get your investment funds protected with InsurAce.io: Buy Cover