Rob Behnke
August 2nd, 2023
July 2023 stood out from recent months with its large number of high-value hacks. Over $200 million in tokens were stolen from various projects, exploiting everything from zero-day vulnerabilities to compromised private keys.
Easily, the most significant and expensive hack of July 2023 was an exploit of a zero-day vulnerability in certain versions of the Vyper compiler. This attack exploited Curve pools, including those belonging to Alchemix, JPEG’d, and Metronome. The total theft was an estimated $70 million, but $18 million of this was stolen by whitehats and later returned.
This vulnerability was in reentrancy locks for smart contracts written in Vyper. Smart contracts relying on these protections were vulnerable to reentrancy attacks, leading to these high-value attacks.
In addition to the protocols impacted by the exploitation of Curve pools, multiple other DeFi projects suffered hacks in July 2023.
Some of the most significant include:
Alphapo: The private keys governing Alphapo’s smart contracts were exposed, allowing the attackers to steal an estimated $23 million from the payment platform’s contracts.
Conic Finance: Conic Finance — a liquidity pool balancing platform associated with Curve — experienced a read-only reentrancy exploit where the attacker drained $3.26 million from the project.
EraLend: EraLend is a zkSync-based decentralized lending protocol. A read-only reentrancy vulnerability allowed attackers to steal about $3.4 million.
Multichain: In July 2023, about $126 million in assets were removed from Multichain wallets, and, a while later, the project shut down entirely.
Poly Network: Poly Network suffered another major hack in July 2023. The attacker stole about $10 million in liquidity from the project after exploiting a vulnerability that allowed them to mint $43 billion in tokens.
July 2023 continued a trend of frequent rug pulls in recent months. The largest rug pulls of July 2023 included:
DeFiLabs: The team behind the decentralized finance platform withdrew an estimated $1.4 million from its smart contracts.
Encryption AI: Blaming a gambling addiction, the Encryption AI rug pull creator stole an estimated $2 million from the project.
GMETA: GMETA was a BNB Chain-based project where the creator dumped a large volume of previously-minted tokens, stealing $2.36 million and taking the project’s value by 96%.
Kannagi Finance: In July 2023, Kannagi Finance rugged, stealing about $2.13 million before deleting its social media, website, and GitHub repos.
One of the key takeaways of July 2023 is that rug pulls are still a major threat. Four major rug pulls netted their malicious teams over $7 million in assets stolen from users.
Other attacks in July 2023 mainly focused on reentrancy attacks, including exploits of read-only reentrancy vulnerabilities and zero-day vulnerabilities that eliminated reentrancy protections. For help in defending your smart contracts against reentrancy and other vulnerabilities, reach out to Halborn.