June 2nd, 2023
May 2023 saw a relatively high number of large-scale DeFi hacks and rug pulls. This included high-profile hacks — such as an exploit of Tornado Cash’s decentralized governance mechanism — as well as some exploits of smart contract vulnerabilities and several high-value rug pulls.
Several of the biggest DeFi hacks of May 2023 involved smart contract vulnerabilities. Some major exploits include:
Deus DAO: The Deus DAO smart contract’s burnFrom function had an error in the ordering of its arguments. An attacker was able to create allowances for their address on other users’ accounts, allowing them to drain about $6.5 million from users’ wallets.
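As an added illustration of the bug class described above (not the Deus DAO contract; contract and function names are constructed for this post), the following Solidity shows an ERC-20 `burnFrom` whose allowance lookup has its `owner` and `spender` arguments swapped, next to the corrected form. The audit check is mechanical: every `allowance()` read and `_approve()` write in a `burnFrom`/`transferFrom` path must use `(owner = account, spender = msg.sender)`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 allowance bookkeeping, just enough to show the bug class.
// Illustrative code written for this post, not any deployed token.
abstract contract AllowanceBase {
    mapping(address => uint256) internal _balances;
    mapping(address => mapping(address => uint256)) internal _allowances;

    function allowance(address owner, address spender) public view returns (uint256) {
        return _allowances[owner][spender];
    }

    function _approve(address owner, address spender, uint256 amount) internal {
        _allowances[owner][spender] = amount;
    }

    function _burn(address account, uint256 amount) internal {
        require(_balances[account] >= amount, "burn exceeds balance");
        _balances[account] -= amount;
    }
}

// VULNERABLE: the allowance read has owner and spender swapped. It reads
// allowance(caller -> account), a value the caller sets themselves, and then
// writes the remainder into allowance(account -> caller), an allowance the
// account holder never granted. With amount == 0 the account's balance is
// untouched but its allowance to the caller is overwritten.
contract BurnFromSwappedArgs is AllowanceBase {
    function burnFrom(address account, uint256 amount) public {
        uint256 current = allowance(msg.sender, account);   // WRONG order
        require(current >= amount, "burn amount exceeds allowance");
        _approve(account, msg.sender, current - amount);
        _burn(account, amount);
    }
}

// FIXED: read and write both use (owner = account, spender = caller), so only
// an allowance the token holder actually granted can be consumed.
contract BurnFromFixed is AllowanceBase {
    function burnFrom(address account, uint256 amount) public {
        uint256 current = allowance(account, msg.sender);   // owner, spender
        require(current >= amount, "burn amount exceeds allowance");
        _approve(account, msg.sender, current - amount);
        _burn(account, amount);
    }
}
```

In practice the safest fix is to route all allowance consumption through one helper (OpenZeppelin's `_spendAllowance(owner, spender, amount)` is the standard one), so the argument order is written once and reviewed once rather than repeated in every function that spends an allowance.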
Jimbos Protocol: The Jimbos protocol suffered a flashloan attack enabled by a lack of slippage protections. By creating an imbalance in a trading pair, an attacker was able to steal an estimated $7.5 million via highly profitable swaps.
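The missing control in the Jimbos incident is the standard slippage guard. As an added example (not the Jimbos Protocol code; `IPool` and the contract below are constructed interfaces), this Solidity shows a protocol-owned rebalancing function without a minimum-output check beside a hardened version that requires `minAmountOut` and a deadline, so a swap that would execute against temporarily skewed reserves reverts instead of completing at a distorted price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical AMM pool interface constructed for this example. It is assumed
// to return the exact output amount credited to the caller.
interface IPool {
    function swap(address tokenIn, address tokenOut, uint256 amountIn)
        external
        returns (uint256 amountOut);
}

contract RebalancerGuarded {
    IPool public immutable pool;
    address public immutable owner;

    constructor(IPool _pool) {
        pool = _pool;
        owner = msg.sender;
    }

    // WEAK: accepts whatever the pool returns. If the pool's reserves have been
    // skewed earlier in the same transaction, this swap executes at the skewed
    // price and the protocol absorbs the loss.
    function rebalanceUnguarded(address tokenIn, address tokenOut, uint256 amountIn) external {
        require(msg.sender == owner, "not owner");
        pool.swap(tokenIn, tokenOut, amountIn);
    }

    // Helper: turn an off-chain reference quote into a minimum acceptable output.
    // toleranceBps = 50 means "accept at most 0.5% less than expected".
    function minOutWithTolerance(uint256 expectedOut, uint256 toleranceBps)
        public
        pure
        returns (uint256)
    {
        require(toleranceBps <= 10_000, "tolerance > 100%");
        return (expectedOut * (10_000 - toleranceBps)) / 10_000;
    }

    // HARDENED: the caller commits to a minimum output and a deadline before the
    // swap happens. Any execution at a worse price reverts, so a one-block
    // reserve imbalance cannot be monetised against this contract.
    function rebalanceGuarded(
        address tokenIn,
        address tokenOut,
        uint256 amountIn,
        uint256 minAmountOut,
        uint256 deadline
    ) external returns (uint256 amountOut) {
        require(msg.sender == owner, "not owner");
        require(block.timestamp <= deadline, "transaction expired");
        require(minAmountOut > 0, "minAmountOut must be set");
        amountOut = pool.swap(tokenIn, tokenOut, amountIn);
        require(amountOut >= minAmountOut, "slippage exceeded");
    }
}
```

The reference quote that feeds `minOutWithTolerance` must come from somewhere the attacker cannot move inside the same block (an off-chain price, a TWAP, or an external oracle); reading the pool's own spot price immediately before the swap defeats the purpose of the check.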
Level Finance: The Level Finance project suffered a $1.1 million hack in May 2023. The reward claiming code was missing a check that validated that referral rewards were only claimed once per epoch, allowing the attacker to drain value from the protocol.
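The Level Finance bug is a missing idempotency check on reward claims. The following Solidity, added here as an example and not taken from Level Finance, shows a referral-reward contract that records each `(epoch, referrer)` payout in a `claimed` mapping and enforces it in both the single and the batch claim path, so a repeated epoch in the batch array reverts rather than paying twice. The `accrued` bookkeeping and the token interface are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

interface IERC20Minimal {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Referral rewards claimable at most once per (epoch, referrer).
// Constructed for this post; not Level Finance's code.
contract EpochReferralRewards {
    IERC20Minimal public immutable rewardToken;
    uint256 public immutable epochLength; // seconds
    uint256 public immutable genesis;     // timestamp at which epoch 0 began

    // Rewards accrued per epoch per referrer. Written by the protocol's fee
    // logic, which is out of scope here.
    mapping(uint256 => mapping(address => uint256)) public accrued;

    // The guard that was missing in the incident: which (epoch, referrer)
    // pairs have already been paid out.
    mapping(uint256 => mapping(address => bool)) public claimed;

    event RewardClaimed(address indexed referrer, uint256 indexed epoch, uint256 amount);

    constructor(IERC20Minimal _rewardToken, uint256 _epochLength) {
        require(_epochLength > 0, "epoch length");
        rewardToken = _rewardToken;
        epochLength = _epochLength;
        genesis = block.timestamp;
    }

    function currentEpoch() public view returns (uint256) {
        return (block.timestamp - genesis) / epochLength;
    }

    function claim(uint256 epoch) external {
        require(epoch < currentEpoch(), "epoch not finalised");
        require(!claimed[epoch][msg.sender], "already claimed");
        uint256 amount = accrued[epoch][msg.sender];
        require(amount > 0, "nothing to claim");

        claimed[epoch][msg.sender] = true; // state change before the external call
        emit RewardClaimed(msg.sender, epoch, amount);
        require(rewardToken.transfer(msg.sender, amount), "transfer failed");
    }

    // Batch variant. The per-epoch guard is applied inside the loop, so an
    // array such as [3, 3, 3] pays epoch 3 once and then reverts.
    function claimMany(uint256[] calldata epochs) external {
        uint256 latest = currentEpoch();
        uint256 total;
        for (uint256 i = 0; i < epochs.length; i++) {
            uint256 e = epochs[i];
            require(e < latest, "epoch not finalised");
            require(!claimed[e][msg.sender], "already claimed");
            uint256 amount = accrued[e][msg.sender];
            claimed[e][msg.sender] = true;
            if (amount == 0) continue;
            total += amount;
            emit RewardClaimed(msg.sender, e, amount);
        }
        require(total > 0, "nothing to claim");
        require(rewardToken.transfer(msg.sender, total), "transfer failed");
    }
}
```

The point to carry into an audit is that a batch entry point needs exactly the same guards as the single-item one; a check that exists only in `claim` and not in `claimMany` protects nothing.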
Swap-LP: The Swap-LP exploiter took advantage of an exposed low-level function in the project’s smart contract that allowed all WDZD tokens in a trading pair to be transferred to the factory address. This unbalanced the trading pair, enabling the attacker to steal approximately $1 million from the protocol.
In May 2023, an attacker exploited Tornado Cash’s governance system via a malicious proposal to steal about $2,173,500 from governance vaults. The proposal had a self-destruct function that allowed the attacker to replace benign code with malicious functionality that issued them enough governance tokens to completely control the system. This control allowed them to drain tokens from governance vaults and to perform a denial-of-service (DoS) attack against the Tornado router.
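The defensive counterpart to "replace benign code with malicious functionality" is to pin the proposal contract's code at proposal time. As an added example (constructed for this post, not Tornado Cash governance code; the `executeProposal()` interface and `passed()` hook are assumptions), this Solidity stores `EXTCODEHASH` of the proposal target when it is proposed and refuses to execute if the hash has changed, which is exactly what happens when a contract is self-destructed and redeployed with different bytecode between voting and execution.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Governance executor that pins the bytecode of each proposal contract.
// Vote tallying is left to a derived contract via passed(); this contract only
// shows the code-integrity check.
abstract contract CodehashPinnedGovernance {
    struct Proposal {
        address target;     // proposal contract, delegate-called on execution
        bytes32 codehash;   // EXTCODEHASH of target at proposal time
        uint256 votingEnds;
        bool executed;
    }

    uint256 public constant VOTING_PERIOD = 3 days;
    Proposal[] public proposals;

    event Proposed(uint256 indexed id, address target, bytes32 codehash);
    event Executed(uint256 indexed id);

    // Implemented by the concrete governance contract (token-weighted voting,
    // quorum, etc.). Assumed interface for this example.
    function passed(uint256 id) internal view virtual returns (bool);

    function propose(address target) external returns (uint256 id) {
        bytes32 hash = target.codehash;
        // 0x0 means no account; keccak256("") means an account with empty code.
        require(hash != bytes32(0) && hash != keccak256(""), "target has no code");
        proposals.push(Proposal(target, hash, block.timestamp + VOTING_PERIOD, false));
        id = proposals.length - 1;
        emit Proposed(id, target, hash);
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.timestamp >= p.votingEnds, "voting still open");
        require(!p.executed, "already executed");
        require(passed(id), "proposal did not pass");

        // Core check: voters approved a specific bytecode. If the target was
        // self-destructed and redeployed with other code, or destroyed and not
        // redeployed, its codehash no longer matches and execution reverts.
        require(p.target.codehash == p.codehash, "proposal code changed");

        p.executed = true; // mark before the external call
        (bool ok, ) = p.target.delegatecall(abi.encodeWithSignature("executeProposal()"));
        require(ok, "proposal execution failed");
        emit Executed(id);
    }
}
```

Codehash pinning closes the specific pattern of swapping bytecode after the vote. It does not substitute for reviewing the proposal's source: a proposal whose behaviour depends on external state it reads at execution time has the same codehash before and after the vote, so reviewers should still treat `SELFDESTRUCT`, `DELEGATECALL` and unverified source in a proposal contract as findings in their own right.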
May 2023 also saw several high-value rug pulls and exit scams, with the Arbitrum blockchain especially targeted. The highest-value rug pulls include:
Fintoch: The BSC-based Fintoch blockchain financial platform was a Ponzi scheme that resulted in a $31.6 million rug pull after user funds were locked in the protocol.
Swaprum: Swaprum’s founders used a backdoor add() function in its smart contract to steal deposited liquidity pool tokens, which allowed them to drain about $3 million from the project.
XIRTAM: The Arbitrum-based XIRTAM project performed a rug pull for about $3.5 million, draining value collected during a recent fundraising round.
With the exception of the Tornado Cash governance hack, most of the major DeFi hacks in May 2023 were preventable. Several involved the exploitation of smart contract vulnerabilities, and the rest were rug pulls that used backdoor functions built into the protocol’s smart contracts.
While rug pull backdoors are intentional features, both they and the vulnerabilities exploited in these hacks could have been detected and remediated as part of a smart contract audit. To learn more about protecting your Web3 project against a major hack, get in touch with Halborn.