Rob Behnke
March 3rd, 2023
While February 2023 was quieter than many months, there were still a few significant DeFi hacks. In general, these DeFi attackers exploited common and avoidable vulnerabilities and security errors.
In February 2023, BonqDAO was the victim of a price oracle manipulation attack. By taking advantage of the protocol’s price update mechanisms, the attacker was able to drain approximately $120 million from the protocol.
The root cause of the incident was the fact that BonqDAO allows users to request updates to price information that are immediately applied. By strategically increasing and decreasing the perceived value of a token, the attacker was able to inflate the amount of value that they could redeem deposited tokens for and then liquidate other users’ deposits for a profit.
The February 2023 dForce hack exploited a known reentrancy vulnerability in the protocol’s Curve Finance vaults. By targeting certain vaults on the Arbitrum and Optimism blockchains, the attacker was able to steal about $3.6 million from the protocol.
The reentrancy vulnerability was exploited via a classic flashloan attack. The attacker used the vulnerability to drive down the perceived price of an asset, enabling them to liquidate the positions of other users. In the end, the stolen $3.6 million was returned to the protocol.
The LianGoPay attack was made possible by compromised private keys. The attacker deployed fake contracts and tricked users into deposits that allowed them to steal $1.6 million from the protocol.
This hack was obviously performed by someone with access to the project’s private keys because the attacker was able to create fake pledge pools using malicious contracts with similar addresses to real ones. These contracts were created at nearly the same time as a legitimate one and used deception to fool users into depositing funds into the wrong ones.
Like dForce, Orion was the victim of a reentrancy attack. The attacker exploited the reentrancy vulnerability to steal about $3 million from the project.
The Orion attacker created a fake ATK token and performed a swap using it within the Orion smart contract. The call to the token contract to make the transfer allowed the attacker to exploit the reentrancy vulnerability and inflate the balance of their account within the Orion contract. Then, the attacker could simply withdraw this balance to steal $3 million from the protocol.
The biggest DeFi hacks of February 2023 weren’t very sophisticated. Reentrancy is a well-known vulnerability, price oracle manipulation is common, and protecting private keys is fundamental to blockchain security. However, attackers were able to steal millions from DeFi projects by exploiting these flaws.
A common thread among these and other victims of DeFi hacks is that the protocols were unaudited or the attack targeted vulnerabilities outside the scope of the audit. To learn more about protecting your project from these and other common attacks, reach out to Halborn’s smart contract auditors here.