Rob Behnke
January 3rd, 2023
In the last month of 2022, DeFi hackers closed out the year with a bang with multiple major hacks. This month’s top hacks used a range of techniques, including compromised private keys, phishing attacks, data breaches, and flashloan exploits.
As usual, December 2022 saw tens of millions of dollars stolen from DeFi projects. Below is a recap of some of the biggest and most novel crypto attacks that occurred in December 2022:
In December 2022, the private key governing Ankr contracts on BNB Chain was leaked in the midst of an update. With access to this key, the attacker was able to perform a malicious update to the contract that made the mint function publicly accessible. The attacker then minted 60 trillion aBNBc tokens with a total value of over $5 million. This and copycat attacks crashed the value of the token.
A follow-on attack against Helio exploited this vulnerability and a delayed price oracle used by the Helio smart contracts. An attacker minted 183,000 aBNB tokens and deposited them into Helio before taking out a loan for $16 million in HAY stablecoin.
The Lodestar protocol suffered a $7 million hack in December 2022. The attacker exploited a vulnerability in how the project tracked token prices. The smart contract allowed token values to be updated within a single block via donations, making it vulnerable to flashloan attacks.
After taking out an initial flashloan, the attacker began a cycle of depositing tokens into the platform and taking out loans against these deposits. This allowed the attacker to accumulate a large supply of lplsGLP. After manipulating the perceived value via donations, the attacker was able to cash out at a high profit, draining approximately $7 million from the protocol.
Raydium is another example of a major DeFi hack in December 2022 that exploited a compromised private key. In this case, a Trojan attack against the project pool manager was used to access the private key.
Access to this key allowed the attacker to manipulate how the platform managed fees. Manipulating the parameters of this function allowed the attacker to increase fees and drain over $4,395,000 from nine vulnerable pools.
The December attack against the DeFrost protocol was actually two different attacks. The first was a flashloan attack exploiting a lack of reentrancy protections in one version of the protocol. By manipulating the price of LSWUSDC used by the project, the attacker stole about $173,000.
The other attack involved a compromised private key for the protocol’s contracts. With this key, the attacker was able to add a fake collateral token and a malicious price oracle. This combination allowed the attacker to mint 100 million H20 tokens and liquidate users to drain about $12 million from the project.
The BitKeep attack is a lesson in doing your own research before trusting a site. Attackers used phishing sites to deliver malicious versions of the BitKeep Android app. Users who downloaded the malicious apps had value drained from their blockchain accounts via unauthorized transactions after they provided their private key or mnemonic seed to the malicious app.
The 3Commas hack demonstrates the risks of trusting centralized institutions with private keys and other data that controls blockchain accounts. The 3Commas platform suffered a data leak of API keys that allowed attackers to transfer approximately $20 million in tokens from users’ accounts on exchanges that they linked to the platform.
In December 2022, the biggest threat to DeFi smart contracts appeared to be private key security. Multiple attacks exploited compromised private keys, underscoring the importance of using multi-signature wallets for critical accounts. Additionally, multiple projects were exploited via flashloan attacks due to reentrancy and price manipulation vulnerabilities.
Many of these major DeFi hacks could have been prevented by a security audit that found and fixed these issues before deployment. To learn more about securing your blockchain project’s smart contracts, reach out to our Web3 security experts at halborn@protonmail.com.