Compared to the first three months of the year, April 2023 suffered a greater number of large-scale ($1M+) DeFi hacks. This month, several protocols were hacked, major rug pulls were carried out, and even MEV operators suffered significant losses.
April 2023 DeFi Hacks Recap
Sentiment
The Sentiment hack was enabled by a read-only reentrancy vulnerability. By exploiting this error, the attacker was able to steal $1 million from the protocol.
In this case, exploiting the reentrancy vulnerability caused the vulnerable contract to miscalculate the number of tokens in its pool. This caused it to miscalculate the value of those tokens, allowing the attacker to take out a loan that stole $1 million from the protocol.
SushiSwap
A vulnerability in SushiSwap’s RouteProcessor2 contract was exploited by an attacker only a few days after launch. The attacker took advantage of a failure to validate user-provided input to steal about $3.3 million from the protocol.
The issue was that an attacker could manipulate the previous pool address, which is used to validate a future request. By pointing the pool address to a malicious pool, the attacker was able to drain value from users with existing approvals for the new RouteProcessor2 contract.
Yearn Finance
In April 2023, Yearn Finance suffered another major hack. In this case, the attacker exploited a vulnerability that lurked in the protocol’s smart contracts for years.
A copy-paste error in an old Yearn contract used the address of a Fulcrum USDC contract rather than the intended USDT contract. An attacker exploited this mismatch to manipulate the value of yUSDT tokens and steal approximately $10 million from the protocol.
Hundred Finance
In April 2023, Hundred Finance suffered a $7.4 million hack. The attacker exploited the fact that two, duplicate WTC hToken contracts were set up by the protocol.
The attacker donated value to the unused contract, changing the WTC/hWTC exchange rate. This allowed the attacker to drain value from the contract, an issue exacerbated by a rounding error in the value calculation.
MEV Bots
Frontrunning bots usually steal value from others, but a vulnerability in mev-boost-relay allowed a malicious validator to turn the tables. In this case, the issue cost bot operators approximately $25 million.
Normally, a block proposer for a MEV relay only sees the block’s contents after it has signed the block header. In this case, a proposer who was also a validator sent an invalid block to the relay. The block contents were sent to the validator but not submitted to the network, allowing the validator to perform a sandwich attack and claim $25 million that the exploited bots planned to claim.
Ordinals Finance
In April 2023, Ordinals Finance performed a $1 million rug pull. The contract had built-in functions that allowed the owner to drain the value deposited in it.
Merlin DEX
In April 2023, Merlin DEX was the victim of a $1.8 million hack. The new protocol was undergoing a Liquidity Generation Event when an attacker exploited the protocol’s centralized permissions.
The Feeto address used to launch the protocol had full access, allowing it to drain liquidity being deposited into the project. The potential rug pull exploited issues marked as resolved in a security audit but never actually fixed.
Lessons Learned in April 2023
April 2023 saw DeFi hacks exploiting a wide range of security issues. In some cases, smart contracts contained exploitable vulnerabilities. In others, deployment errors placed funds at risk. Finally, rug pulls exploited centralized control over smart contract functionality.
In most cases, these issues could and should have been identified and fixed as part of a smart contract audit. To learn more about securing your smart contracts, contact us.