Year in Review

The Biggest DeFi Hacks of 2022


Rob Behnke

January 4th, 2023

The year 2022 was a big one for DeFi hacks, filling most of the top slots in the Rekt leaderboard. As DeFi projects grow in value but lag in security, high-value hacks will remain common.

The biggest DeFi event in 2022 was the meltdown of the FTX exchange. The company’s failure to maintain sufficient reserves resulted in a bank run against the exchange and drove the organization into bankruptcy. While assets were being relocated in preparation for bankruptcy proceedings, $338 million in tokens were moved via “unauthorized transactions” from the company’s wallets.

In addition to the FTX hack, DeFi attackers used a diverse set of techniques to exploit Web3 projects. However, many of the most significant and expensive hacks of 2022 can be classified into just three different categories: broken bridges, compromised keys, and flash loan exploits. In this article, we’ll recap the biggest crypto hacks of 2022 by the category of hack they belonged to. 

Broken Bridges

Cross-chain bridges link the blockchain ecosystem together. By allowing exchanges across multiple blockchains, they interconnect DeFi projects and expand what users can do with their cryptocurrency.

However, 2022 demonstrated that vulnerabilities in cross-chain bridges can result in large-scale, expensive hacks. Some of the most expensive DeFi hacks of 2022 targeted these bridges, including the following:

  • Ronin Network: The most expensive DeFi hack to date, an attack against the Ronin Network in March 2022 netted the attacker approximately $624 million after they exploited weaknesses in the bridge’s consensus scheme.
  • BSC Beacon: An attack against the BSC Beacon cross-chain bridge in October 2022 had a price tag of approximately $566 million and exploited a vulnerability in the validation of Merkle proofs.
  • Wormhole: The February 2022 hack of the Wormhole bridge included losses of approximately $326 million and exploited errors in the validation of digital signatures.
  • Nomad Bridge: An error in updating the Nomad smart contract code created a vulnerability exploited by multiple parties for over $190 million in losses.
  • Harmony Bridge: The June 2022 hack of the Harmony Horizon cross-chain bridge for $100 million was caused by compromised private keys.
  • Qubit Finance: The use of insecure, custom versions of token transfer functions lost Qubit Finance approximately $80 million in January 2022.

While these are some of the most expensive and visible cross-chain bridge hacks of 2022, this is not a complete list. Cross-chain bridges are often valuable, visible, and unaudited, making them an ideal target for attackers.

Compromised Keys

Private keys generate the digital signatures that are used to approve blockchain transactions. Control over a blockchain account’s private keys equates to control over that account.

In 2022, numerous DeFi hacks were made possible by compromised private keys. Some of the most significant include the following:

  • Wintermute: In September 2022, a Wintermute contract private key — likely generated using Profanity — was compromised, leading to $160 million in losses.
  • Ankr and Helio: A compromised private key of an Ankr deployment address allowed a malicious update and an unauthorized mint that resulted in $5 million in losses. A follow-on attack built on the Ankr vulnerability to steal $19 million from Helio.

Private key security is essential to blockchain security. Using a multi-signature wallet to secure critical addresses — such as those used to control smart contracts — is a fundamental blockchain security best practice.
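The multi-signature control the paragraph above recommends can be illustrated with a small k-of-n approval flow. This is an added example written for this article, not Halborn's code or any production wallet; the owner addresses, the 2-of-3 threshold and the `upgradeTo(...)` calldata are constructed. It shows the property that matters in the Wintermute and Ankr scenarios: a single compromised owner key can propose or approve a privileged action, but cannot execute it alone, and approving twice with the same key does not count twice.

```python
"""Toy k-of-n multi-signature wallet (added example; constructed data)."""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    target: str
    calldata: str
    approvals: set = field(default_factory=set)  # distinct owner addresses
    executed: bool = False


class MultiSigWallet:
    """Privileged actions need `threshold` approvals from distinct owners."""

    def __init__(self, owners, threshold):
        owners = set(owners)  # duplicates in the owner list do not add votes
        if not 1 <= threshold <= len(owners):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners = owners
        self.threshold = threshold
        self.proposals = {}
        self.executed_log = []

    def _require_owner(self, owner):
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")

    def propose(self, owner, target, calldata):
        self._require_owner(owner)
        pid = len(self.proposals)
        proposal = Proposal(target, calldata)
        proposal.approvals.add(owner)  # the proposer implicitly approves
        self.proposals[pid] = proposal
        return pid

    def approve(self, owner, pid):
        self._require_owner(owner)
        proposal = self.proposals[pid]
        if proposal.executed:
            raise PermissionError("proposal already executed")
        proposal.approvals.add(owner)  # a set: re-approving adds nothing
        return len(proposal.approvals)

    def execute(self, owner, pid):
        self._require_owner(owner)
        proposal = self.proposals[pid]
        if proposal.executed:
            raise PermissionError("proposal already executed")
        if len(proposal.approvals) < self.threshold:
            raise PermissionError(
                f"{len(proposal.approvals)}/{self.threshold} approvals")
        proposal.executed = True  # set before acting, so a replay is rejected
        self.executed_log.append((proposal.target, proposal.calldata))
        return True


def demo_single_key_compromise():
    """One owner key alone (the compromised-key case) cannot push an upgrade."""
    wallet = MultiSigWallet(["0xA", "0xB", "0xC"], threshold=2)
    pid = wallet.propose("0xA", "ProxyAdmin", "upgradeTo(0xNEW_IMPL)")
    wallet.approve("0xA", pid)  # same key again: still only one approval
    try:
        wallet.execute("0xA", pid)
        return "executed"
    except PermissionError as err:
        return f"blocked: {err}"


def demo_quorum():
    """Two distinct owners approve: the action executes exactly once."""
    wallet = MultiSigWallet(["0xA", "0xB", "0xC"], threshold=2)
    pid = wallet.propose("0xA", "ProxyAdmin", "upgradeTo(0xNEW_IMPL)")
    wallet.approve("0xB", pid)
    executed = wallet.execute("0xC", pid)  # any owner may submit once quorum is met
    try:
        wallet.execute("0xC", pid)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    return executed, len(wallet.executed_log), replay_rejected


if __name__ == "__main__":
    print(demo_single_key_compromise())  # blocked: 1/2 approvals
    print(demo_quorum())                 # (True, 1, True)
```

The same logic is what on-chain multisig contracts enforce; the point of the example is that the security boundary moves from "one private key" to "k independently held keys", so a leaked or weakly generated key is a recoverable incident rather than a total loss.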

Flash Loan Exploits

Flash loans allow a blockchain account to take out a massive loan without collateral. The only requirement is that the loan is repaid within the same transaction that it was taken out.

While flash loans have legitimate applications, they are also a common tool in DeFi hacks. Some of the major DeFi attacks in 2022 that leveraged flash loans include the following:

  • Beanstalk: In April, an attacker used a flash loan to gain the votes needed to push through a malicious governance proposal on Beanstalk that allowed them to steal $181 million from the protocol.
  • Mango Markets: An October 2022 attack against Mango Markets drained $100 million from the protocol by using a flash loan to manipulate spot prices for profit.

Flash loans are a useful tool that is unlikely to go away any time soon. Reducing the risk of flash loan attacks requires auditing smart contract code for price manipulation vulnerabilities and other security flaws that can be exploited via flash loans.
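Two things in this section are easy to state and worth seeing in code: the atomicity rule that defines a flash loan (repay within the same transaction or everything reverts), and the price manipulation class of bug that auditors look for, where a protocol reads a pool's spot price in the same transaction that a large, temporarily funded swap has moved it. The example below is added here and is not Halborn's code or any real protocol; the constant-product pool, its reserves, the 0.09% fee and the 10-block TWAP window are all constructed. It shows why a spot price is not a safe oracle and why a time-weighted average recorded at block boundaries cannot be moved by a single transaction.

```python
"""Flash-loan atomicity and spot-price vs TWAP oracles (added example; constructed data)."""
import copy


class ConstantProductPool:
    """x * y = k pool holding TOKEN (x) and USD (y); no trading fee, for clarity."""

    def __init__(self, token_reserve, usd_reserve):
        self.x = float(token_reserve)
        self.y = float(usd_reserve)

    def spot_price(self):
        """USD per TOKEN implied by the current reserves."""
        return self.y / self.x

    def swap_usd_for_token(self, usd_in):
        """Sell usd_in into the pool; reserves move along the x*y=k curve."""
        k = self.x * self.y
        new_y = self.y + usd_in
        new_x = k / new_y
        token_out = self.x - new_x
        self.x, self.y = new_x, new_y
        return token_out


class World:
    """On-chain state touched inside one transaction (constructed values)."""

    def __init__(self):
        self.pool = ConstantProductPool(1_000_000, 1_000_000)  # spot = 1.00 USD/TOKEN
        # Hypothetical TWAP oracle: prices recorded at the end of the last 10 blocks.
        # It is only updated at block boundaries, never mid-transaction.
        self.block_end_prices = [1.0] * 10
        self.lender_liquidity = 50_000_000.0

    def twap(self):
        return sum(self.block_end_prices) / len(self.block_end_prices)


FEE_BPS = 9  # 0.09% flash-loan fee (constructed)


def flash_loan(world, amount, callback):
    """Lend `amount`, run `callback(world, amount) -> repaid`, enforce repayment.

    If principal plus fee is not returned before the transaction ends, every
    side effect of the callback is rolled back, so the lender is never exposed.
    Returns True on success, False when the transaction reverted.
    """
    if amount > world.lender_liquidity:
        raise ValueError("insufficient liquidity")
    snapshot = copy.deepcopy(world)  # state at the start of the transaction
    world.lender_liquidity -= amount
    repaid = callback(world, amount)
    owed = amount * (1 + FEE_BPS / 10_000)
    if repaid + 1e-9 < owed:
        world.__dict__.update(snapshot.__dict__)  # revert: discard all side effects
        return False
    world.lender_liquidity += repaid
    return True


def honest_borrower(world, amount):
    """Does nothing with the funds and repays principal plus fee."""
    return amount * (1 + FEE_BPS / 10_000)


def defaulting_borrower(world, amount):
    """Moves the pool, then repays only the principal: the transaction must revert."""
    world.pool.swap_usd_for_token(amount)
    return amount


def oracle_readings_during_manipulation(usd_in=9_000_000):
    """Prices a protocol would see if it valued collateral mid-transaction.

    Returns (spot before, spot during the swap, TWAP during the swap).
    """
    world = World()
    before = world.pool.spot_price()
    world.pool.swap_usd_for_token(usd_in)  # one large swap in the same transaction
    return before, world.pool.spot_price(), world.twap()


def demo():
    world = World()
    ok = flash_loan(world, 10_000_000, honest_borrower)
    reverted = not flash_loan(world, 10_000_000, defaulting_borrower)
    untouched = world.pool.spot_price() == 1.0  # the failed swap was rolled back
    return ok, reverted, untouched


if __name__ == "__main__":
    print(demo())                                 # (True, True, True)
    print(oracle_readings_during_manipulation())  # (1.0, 100.0, 1.0)
```

With the constructed reserves, a 9 million USD swap moves the pool's spot price from 1.0 to 100.0 inside the transaction while the TWAP still reads 1.0; a protocol that priced collateral or settled trades off the spot figure would be off by two orders of magnitude for the duration of that transaction. In an audit, every external price read is traced to its source, and any that resolves to a pool's instantaneous reserves is flagged.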

Making 2023 a Better Year For Blockchain Security

DeFi has significant promise, but regular, high-value attacks undermine its credibility. As long as expensive hacks and embarrassing incidents — such as the FTX meltdown — remain commonplace, the credibility of the industry will suffer.

One of the common threads among hacked DeFi protocols is a lack of security audits. Of the top 25 hacked DeFi projects, only 1 had undergone an external audit whose scope included the exploited vulnerability. Performing comprehensive security audits before launching code to the blockchain is essential to reducing DeFi hacks in 2023.

Get in touch with our Web3 security experts to learn more about our smart contract auditing and security advisory services.