The 10 Biggest DeFi Hacks of 2021: A Recap

On May 19, 2021, PancakeBunny, a yield management platform operating on BSC and Polygon, became a victim of yet another flash loan attack. The attacker borrowed a large amount of BNB on PancakeSwap; proceeded to manipulate the price of the platform’s native token, BUNNY, in the BUNNY/BNB pool; and dumped massive amount of BUNNY in the market, causing the price of the token to plunge. The attacker then paid the borrowed BNB back on PancakeSwap. The hack affected the platform’s BSC operations, sparing its Polygon-based pools. The entire manipulation resulted in $45 million of value lost.

Read Halborn’s in-depth analysis of the PancakeBunny hack here.

Uranium Finance is a decentralized exchange (DEX) on Binance Smart Chain (BSC). In late April 2021, the platform suffered a loss of $50 million during its token migration process. The hacker stole funds from the platform in an array of cryptocurrencies – mostly in BNB and BUSD, but also in USDT, BTC, ETH, DOT, ADA, and U92, Uranium’s native crypto.

Given the nature of the exploit, a smart contract hack at the upgrade stage, allegations of the hack’s internal nature were rife online in the aftermath of the incident. Uranium posted a detailed outline of the hack on their Medium page.

Despite appealing to BSC’s security team for help in identifying the attacker or preventing the funds from leaving the chain, the stolen amount has since not been recovered.

Read Halborn’s in-depth analysis of the Uranium Finance hack here.

Exactly one month after the attack on Uranium Finance, another BSC-based DEX, Belt Finance, suffered a hack that resulted in a loss of $50 million. The incident was a result of a flash loan attack. 

The attacker used the PancakeSwap platform to manipulate flash loans. Most of the damage was inflicted on the BeltBUSD pool. While the overall loss amounted to around $50 million, the hacker themselves pocketed approximately $6.2 million.

Just as in the case with Uranium Finance, the hacker has not been identified, nor have they returned the stolen funds.

Read Halborn’s in-depth analysis of the Belt Finance hack here.

bZx, a margin trading decentralized protocol on the BSC and Polygon chains is no newcomer to the painful world of DeFi hacks, with three such incidents suffered by the platform in the year 2020 alone.

bZx had been operating largely without any major security issues until November 2021. On November 5, the protocol was hacked when its private key was compromised, allowing the attacker to steal $55 million. Both chains used by bZx, BSC and Polygon, were affected by the hack.

Three days after the attack, bZx announced that it was cooperating with cryptocurrency exchanges to recover the stolen funds. So far, there has been no update on the success of the recovery efforts.

Meanwhile, in more recent news, bZx and Ooki, another protocol for margin trading, have reportedly joined forces, with bZx’s BZRX token migrating to the Ooki platform. The move is likely the end of bZx as a stand-alone protocol of its own.

Read Halborn’s in-depth analysis of the bZx hack here.

EasyFi, a multi-chain Layer 2 lending protocol, lost around $80 million in April when the private key to the MetaMask wallet operated by the platform’s CEO, Ankitt Gaur, was compromised.

The hacker stole the funds from EasyFi’s official wallet, and the losses included around $6 million siphoned off the stablecoin pools on the platform and $53 million in the platform’s native EASY tokens. Four days after the incident, EasyFi retired EASY and introduced the new EZ token to replace it as part of the platform’s hard fork.

The hack affected EasyFi’s pools linked to all three chains it operates on –  Polygon, BSC, and Ethereum. Similar to the hacks listed above, the attacker was not identified, nor were the funds recovered.

Read Halborn’s in-depth analysis of the EasyFi hack here.

Badger, a lending protocol that uses Bitcoin collaterals and operates on Ethereum, lost $120 million in early December 2021 due to an attack that targeted its user interface functionality. The attack affected a few dozens of users, and it seems unlikely that these users will be reimbursed.

Badger does have an insurance policy from crypto insurer Nexus Mutual which covers some potential hacks, however, the policy only covers smart contract hacks, not user interface breaches. Nexus has already stated that this attack was classified as “front-end”, and therefore no compensation under the policy will be paid.

Read Halborn’s in-depth analysis of the BadgerDAO hack here.

Paid Network, a decentralized app (DApp) on Ethereum providing smart contract-based agreement services to businesses, was hit by one of the biggest hacks in DeFi history, with an attacker using a previously compromised private key.

Using the key, the attacker replaced the original smart contract on the platform with a modified version. This allowed them to burn the existing PAID tokens and mint a large supply of new ones. Some of the newly minted tokens were swapped to ETH on Uniswap before the breach was identified and the PAID/ETH swap pair was blocked.

Read Halborn’s in-depth analysis of the Paid Network hack here.

In late October, Cream Finance, a multi-chain lending protocol, suffered a flash loan attack that wiped out an estimated $130 million from its Ethereum-based liquidity pools. It is not reported whether funds held at other chains, BSC, Fantom, Polygon, and Avalanche, are affected.

However, given that the official statement from the platform mentioned only Ethereum pools, it is likely that the attack targeted only the pools held at the world’s largest DeFi chain. 

This was the third hack involving Cream Finance this year, as just two months before the $130 million breach, the platform had been hit with a $19 million hack, also involving a flash loan attack.

Read Halborn’s in-depth analysis of the Cream Finance hack here.

Compound Finance, an Ethereum-based lending and borrowing protocol, is among the biggest DeFi projects out there, with a total value locked (TVL) of around $10 billion as of the time of writing. 

On September 30, 2021, the protocol erroneously paid out vast sums in its native cryptocurrency COMP to some users who provided only miniscule levels of collateral in ETH, USDC, and DAI. An error in the protocol’s smart contract was suspected as the cause of the malfunction.

It is still unclear whether the erroneous distribution of the COMP tokens was a planned attack or an honest mistake by the protocol’s developers. Compound’s CEO, Robert Leshner, did not deliberate on it too long, though. 

Within hours of the incident, he went on Twitter, asking recipients of the funds to return them. Leshner promised 10% of the amounts as a reward for returning, and, in the same tweet, threatened to report non-responders to the IRS. It is unknown precisely how much of the total lost amount has been recovered thanks to Leshner’s online arm-twisting, but it remains to be seen.

The DeFi industry’s largest hack ever occurred on August 10, 2021, and involved a cross-chain crypto swap provider, Poly Network. The attacker hacked a smart contract on the platform and transferred a total of $610 million to their addresses on Ethereum and BSC.

Funds were drained from all three chains used by Poly Network: Ethereum, BSC, and Polygon. The losses on Ethereum amounted to $273 million, while the BSC and Polygon operations of the platform lost $253 million and $85 million, respectively.

Poly Network appealed to the hacker to return the funds. The next day after the incident, on August 11, the hacker returned around $260 million.

On August 12, the hacker engaged in an online conversation with Poly Network, introducing themselves as “Mr. Whitehat.” A day later, Mr. Whitehat assured the platform that he would return all the remaining funds, justifying that his actions were the result of demonstrating the vulnerability of crypto platforms.

By August 23, Mr. Whitehat had returned all the hacked funds. In the course of his online public conversation with Poly Network, the hacker was first offered $500,000 and then a position of a Chief Security Advisor (CSA) on the platform. Both of the offers were turned down by the mysterious author of the largest DeFi hack in history.

Read Halborn’s in-depth analysis of the Poly Network hack here.

The year’s top 10 DeFi hacks amounted to over $1.5 billion of total stolen value. This figure includes the funds returned to the platform, as was the case with the Poly Network hack, and represents the lion’s share of the nearly $2 billion lost to hackers on DeFi platforms in 2021.

While the year 2020 produced only 16 DeFi hacks where any monetary losses were suffered, there were 55 such hacks in 2021.

The average size of a DeFi hack in 2021 also increased substantially compared to the 2020 figure. While in 2020, a DeFi hack resulted in an average loss of $8.3 million, the respective figure for 2021 is nearly $36 million.

The year 2021 has seen a massive increase in DeFi hacks compared to 2020. In 2021, we witnessed the largest DeFi hack on record so far, with those funds fortunately being returned. Unfortunately, however, most of the other top hacks did not have kind enough hackers, and the funds were not recovered. This is all a stark reminder to any DeFi user, developer, or operator that crypto cybercriminals are always on the lookout for platform vulnerabilities to exploit.

So if you want to ensure that your project, digital assets and sensitive information are as secure as possible, be sure to reach out to our blockchain cybersecurity experts at halborn@protonmail.com to inquire about smart contract security audits, and a number of other ways to protect your organization and stakeholders.