Biggest DeFi Hacks in March 2023


Rob Behnke

April 4th, 2023


In March 2023, the biggest news in the financial sector was the collapse of Silicon Valley Bank (SVB) and Signature Bank. These incidents — caused by a combination of lax regulation, under-diversification, and rising interest rates — threatened bank runs across the sector.

The impact of these incidents on DeFi was minimal, as only a few organizations had holdings in these banks and the US Fed elected to guarantee all deposits. However, the DeFi industry had a few major security incidents of its own this month.

March 2023 DeFi Hacks Recap

SafeMoon

In March 2023, SafeMoon was exploited via a vulnerability introduced in the latest upgrade to the protocol. This upgrade created a publicly accessible burn function that was used to drain approximately $8.9 million in value from the project’s SFM/BNB pool.

The vulnerability was so basic that some suggested it may have been the result of compromised private keys and a malicious update. In the end, the attacker claimed to be a whitehat MEV operator and discussed returning some funds to the protocol.

Euler Finance

The March 2023 hack of Euler Finance was one of the largest to date, draining approximately $197 million from the protocol. The attack was made possible by a vulnerability in an update to the protocol’s smart contracts made in July 2022.

The updated code was missing checks to verify the health of a user’s position when donating eTokens to the project’s reserves. By creating bad debt on one contract, donating its collateral, and liquidating it at a discount with another, the attacker was able to drain value from the protocol, affecting both it and other projects that had integrated with it.
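The missing invariant can be shown with a small accounting model. This is an added example, not Euler's contract code: the `Pool` class, the 90% collateral factor, and all balances are assumptions constructed for illustration. It runs the same donation against a pool that skips the health check and one that enforces it.

```python
from dataclasses import dataclass

class Unhealthy(Exception):
    """Raised when an operation would leave a position under-collateralised."""

@dataclass
class Position:
    collateral: int  # value of the deposit (eToken-like) balance, constructed units
    debt: int        # value of the borrowed balance, same units

class Pool:
    COLLATERAL_FACTOR_PCT = 90  # assumed parameter for this model

    def __init__(self, check_health_on_donate):
        self.check_health_on_donate = check_health_on_donate
        self.reserves = 0
        self.positions = {}

    def is_healthy(self, p):
        # Risk-adjusted collateral must cover outstanding debt.
        return p.collateral * self.COLLATERAL_FACTOR_PCT >= p.debt * 100

    def open_position(self, owner, collateral, debt):
        p = Position(collateral, debt)
        if not self.is_healthy(p):
            raise Unhealthy("borrow exceeds collateral limit")
        self.positions[owner] = p

    def donate_to_reserves(self, owner, amount):
        p = self.positions[owner]
        if not 0 < amount <= p.collateral:
            raise ValueError("invalid donation amount")
        after = Position(p.collateral - amount, p.debt)
        # A donation removes collateral, so it needs the same health
        # validation as a withdrawal. This is the check that was missing.
        if self.check_health_on_donate and not self.is_healthy(after):
            raise Unhealthy("donation would leave position unhealthy")
        p.collateral = after.collateral
        self.reserves += amount

    def bad_debt(self, owner):
        p = self.positions[owner]
        return max(0, p.debt - p.collateral)

def demo(check):
    """Return (position healthy?, bad debt) after an attempted donation."""
    pool = Pool(check_health_on_donate=check)
    pool.open_position("acct", collateral=1000, debt=800)  # constructed values
    try:
        pool.donate_to_reserves("acct", 500)
    except Unhealthy:
        pass  # hardened pool rejects the donation and state is unchanged
    return pool.is_healthy(pool.positions["acct"]), pool.bad_debt("acct")
```

Without the check, the position ends up holding debt that its collateral no longer covers; with it, the donation is rejected before any state changes.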

Swerve Finance

Technically, Swerve Finance wasn’t hacked in March 2023. However, the defunct project easily could have been to the tune of $1.3 million.

Swerve Finance uses a decentralized governance structure that allows users to make proposals and vote on them. A failed attack on the protocol in March 2023 tried to claim $120K in admin fees and $1.3 million in locked value using a malicious proposal. However, the attacker failed to muster the votes needed to carry out the attack successfully.

Lessons Learned in March 2023

In March 2023, the biggest DeFi hacks exploited a variety of different vulnerabilities including unprotected burn functions and incomplete validation. Protecting against these types of attacks requires a comprehensive analysis of smart contracts’ code and business logic. For more information, reach out to our Web3 security experts.