
Year in Review: The Biggest DeFi Hacks of 2023


Rob Behnke

January 8th, 2024

2023 paled in comparison to 2022 in terms of the size and number of high-value DeFi hacks. Total losses were also significantly lower, at nearly half those of the previous year.

However, 2023 still had several hacks with major price tags. These included six hacks with losses that exceeded $100 million.

Top DeFi Hacks

2023 included dozens of hacks with seven- or eight-figure price tags. However, only six incidents cost a project or its users more than $100 million.

Mixin Network ($200M)

The biggest DeFi hack of 2023 occurred in September of that year. This attack took advantage of a third-party vulnerability to steal an estimated $200 million.

The Mixin Network hack was made possible by a hack of the project’s cloud service provider. Information in that provider’s database gave the attackers the ability to access the project’s hot wallets and drain them of crypto.

Euler Finance ($197M)

In March 2023, Euler Finance suffered the second-largest DeFi hack of 2023. This incident resulted in the loss of approximately $197 million by the protocol.

The Euler Finance attackers exploited a vulnerability included in a July 2022 update to the project’s smart contracts. This update was missing vital checks regarding the health of a user’s current position when performing donations to the project’s reserves.
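The class of flaw described above can be shown with a small model. This is an added example, not Euler Finance's contract code: a donation path that skips the position health check, beside a hardened one that re-checks health and reverts. The `Pool` and `Position` classes, the 80% collateral factor and the account names are assumptions made for illustration.

```python
from dataclasses import dataclass

class HealthCheckFailed(Exception):
    """Raised when an operation would leave a position undercollateralized."""

@dataclass
class Position:
    collateral: int  # value of deposited collateral, in a common unit
    debt: int        # value of outstanding borrow, in the same unit

    def is_healthy(self, collateral_factor_bps: int = 8000) -> bool:
        # Healthy when risk-adjusted collateral still covers the debt.
        # The 80% factor is an assumed value for this model.
        return self.collateral * collateral_factor_bps >= self.debt * 10_000

class Pool:
    def __init__(self) -> None:
        self.reserves = 0
        self.positions = {}  # account name -> Position

    def _move_to_reserves(self, user: str, amount: int) -> Position:
        pos = self.positions[user]
        if amount <= 0 or amount > pos.collateral:
            raise ValueError("invalid donation amount")
        pos.collateral -= amount
        self.reserves += amount
        return pos

    def donate_unchecked(self, user: str, amount: int) -> None:
        # Flawed pattern: collateral leaves the position, health is never re-evaluated.
        self._move_to_reserves(user, amount)

    def donate_checked(self, user: str, amount: int) -> None:
        # Hardened pattern: apply the change, then require a healthy position,
        # rolling back otherwise (the equivalent of an on-chain revert).
        pos = self._move_to_reserves(user, amount)
        if not pos.is_healthy():
            pos.collateral += amount
            self.reserves -= amount
            raise HealthCheckFailed(f"{user} would be undercollateralized")

def demo():
    # Constructed sample accounts: both start healthy (1000 * 0.8 >= 700).
    pool = Pool()
    pool.positions["alice"] = Position(collateral=1000, debt=700)
    pool.positions["bob"] = Position(collateral=1000, debt=700)
    pool.donate_unchecked("alice", 400)   # accepted; position is now unhealthy
    try:
        pool.donate_checked("bob", 400)   # rejected and rolled back
    except HealthCheckFailed:
        pass
    return pool.positions["alice"].is_healthy(), pool.positions["bob"].is_healthy(), pool.reserves
```

An audit or invariant test can assert the same property for every state-changing function: no call may leave the caller's position in a worse-than-healthy state.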

Multichain ($126.3M)

Multichain — previously Anyswap — was exploited for about $126 million in July 2023. This was the project’s second major hack since the rebrand (and third total).

The Multichain attacker gained access to the project’s wallets, allowing them to perform unauthorized transactions. This was likely due to a compromised private key, since multiple bridges were affected.

Poloniex ($126M)

In November 2023, the Poloniex cryptocurrency exchange suffered losses of about $126 million. The source of this hack was the compromise of private keys for the project’s hot wallets.

Like many similar hacks, the Poloniex exchange hack was attributed to the Lazarus Group. This North Korean hacking group excels at social engineering and theft of private keys, enabling them to perform many of the biggest hacks in the DeFi space.

BonqDAO ($120M)

In February 2023, BonqDAO suffered a price oracle manipulation attack. This exploit caused an estimated $120 million in losses to the protocol.

The BonqDAO hack was made possible by the project’s instantaneous price updates. The attacker was able to request a price update for a token, inflating its value, and then use that inflated value to drain value from the protocol.

Atomic Wallet ($100M)

The June 2023 hack of Atomic Wallet was the final hack of 2023 to break the $100 million threshold. Like the Poloniex hack, this incident has been attributed to the Lazarus Group.

The exact cause of the Atomic Wallet hack remains unknown. However, the incident may be tied to previously reported vulnerabilities that the project left unaddressed after an audit.

Lessons Learned from the Attacks

Often, the focus in DeFi security is on smart contract security. Exploitation of high-impact vulnerabilities can make for great stories and result in millions in losses.

However, a closer look at the biggest DeFi hacks of 2023 reveals that only two of the six — Euler Finance and BonqDAO — were caused by exploitation of smart contract vulnerabilities. 

The other four took advantage of other security weaknesses, such as insecure storage of the private keys used to manage the projects’ wallets.

This underscores the importance of a comprehensive security audit for smart contract platforms. Instead of solely focusing on vulnerability detection, a security audit should also look at business logic and the security practices of a project as a whole. 
