Review of the Eight Major Security Incidents in DeFi in 2022: Losses Exceed $4.3 Billion


2022 DeFi Security Incident Review

Author: a certain security expert

Recently, a seasoned security expert shared a lesson on DeFi security for community members. He reviewed the significant security incidents that the Web3 industry has encountered over the past year, discussed the causes and preventive measures of these incidents, summarized common security vulnerabilities in smart contracts, and provided some security recommendations. This article organizes his shared content as follows for the reference of DeFi enthusiasts.

According to statistics, over 300 blockchain security incidents occurred in 2022, with a total amount involved reaching 4.3 billion USD.

Cobo Decentralized Finance Security Course (Part 1): Review of Major DeFi Security Events in 2022

The following is a detailed analysis of 8 typical cases, most of which have losses exceeding 100 million dollars.

Ronin Bridge

Event Review:

  • On March 23, 2022, the Axie Infinity sidechain Ronin Network was hacked, resulting in the theft of 173,600 ETH and 25.5 million USD, worth approximately 590 million USD in total.
  • The U.S. Treasury Department linked the North Korean hacking group Lazarus to this incident.
  • According to reports, the hackers contacted and tricked an employee of Sky Mavis through LinkedIn to gain system access.

This attack is a typical APT (advanced persistent threat). The hacker group first took control of a computer inside the target organization through methods such as social engineering, used it as a springboard for further infiltration, and ultimately achieved its attack objective.

The incident exposed the weak security awareness of the company's employees and issues within the internal security system.

Wormhole

Event Review:

  • The signature verification code of Wormhole's core contract on Solana contained an error that allowed attackers to forge "guardian" messages and mint Wormhole-wrapped ETH, resulting in a loss of approximately 120,000 ETH.
  • Jump Crypto invested 120,000 ETH to cover losses.

The Wormhole problem was at the code level: the contract relied on deprecated functions. Developers are advised to use the latest versions of their dependencies to avoid similar problems.

Nomad Bridge

Event Review:

  • The trusted root was set to 0x0 when the Nomad bridge replica contract was initialized, and the old root was not invalidated in time, which allowed attackers to construct arbitrary messages and steal funds, resulting in a loss of over $190 million.
  • Multiple addresses participated in the attack, including MEV bots, hackers, and white hat hackers.

This is a typical case: a flaw in the initialization settings allowed valid transactions to be executed multiple times. Once this was discovered, MEV bots and others broadcast attack transactions in large numbers, turning the exploit into a free-for-all.

The open-source nature of the smart contract ecosystem makes it easier for hackers to analyze and discover vulnerabilities. Once a project has a vulnerability, it is basically declared a failure.
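To make the Nomad initialization flaw concrete, here is a simplified Python model of a message replica, written for this article rather than taken from Nomad's contracts. Names (`Replica`, `confirm_at`, `leaf_hash`) are invented, and Merkle-proof checking is omitted; the point is that an unproven message "maps" to the zero root, so trusting 0x0 makes every unproven message look proven, while refusing the zero root restores the check.

```python
# Toy model of a cross-chain message replica (not Nomad's code).
# An unproven leaf has no recorded root and therefore defaults to 0x0;
# if 0x0 is an accepted root, any fabricated message passes the proof check.
import hashlib

ZERO_ROOT = bytes(32)


def leaf_hash(message: bytes) -> bytes:
    return hashlib.sha256(message).digest()   # stand-in for keccak256


class Replica:
    def __init__(self, trusted_root: bytes, reject_zero_root: bool):
        # Hardened variant: never accept 0x0 as a trusted root at initialization.
        if reject_zero_root and trusted_root == ZERO_ROOT:
            raise ValueError("refusing to trust the zero root")
        self.reject_zero_root = reject_zero_root
        self.confirm_at = {trusted_root: 1}   # root -> time from which it is acceptable
        self.messages = {}                    # leaf -> root it was proven against
        self.processed = set()                # leaves already executed (replay guard)

    def prove(self, message: bytes, root: bytes) -> None:
        # Merkle-proof verification omitted: assume the proof against `root` checked out.
        self.messages[leaf_hash(message)] = root

    def acceptable_root(self, root: bytes, now: int) -> bool:
        if self.reject_zero_root and root == ZERO_ROOT:
            return False                      # an unproven message can never be acceptable
        t = self.confirm_at.get(root, 0)
        return t != 0 and t <= now

    def process(self, message: bytes, now: int) -> bool:
        leaf = leaf_hash(message)
        # The bug: a leaf that was never proven falls back to ZERO_ROOT here.
        root = self.messages.get(leaf, ZERO_ROOT)
        if not self.acceptable_root(root, now):
            raise PermissionError("!proven")
        if leaf in self.processed:
            raise PermissionError("!replay")
        self.processed.add(leaf)
        return True                           # message would now be executed
```

With `reject_zero_root=False` and a trusted root of 0x0, a never-proven message is executed; each attacker only had to change the recipient to get a fresh leaf past the replay guard.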

Beanstalk

Event Review:

  • Beanstalk Farms suffered a flash loan attack, resulting in a loss of approximately $182 million.
  • The attacker profited over $80 million, including approximately 24,830 ETH and 36 million BEAN.
  • The attack was possible because there was no time gap between proposal voting and execution, so the attacker could execute a malicious proposal immediately.

Attack Process:

  1. Purchase tokens in advance to qualify for making proposals, and create the malicious proposal contract.
  2. Acquire a large amount of voting tokens through a flash loan.
  3. Execute the malicious contract directly, completing the arbitrage.

This case exposes the risks of a purely on-chain, token-weighted governance mechanism. Projects are advised to implement security measures such as proposal review mechanisms, voting thresholds, and time locks.
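The following Python model, added for this article and not Beanstalk's code, replays the three-step pattern above against a toy governance contract and shows which of the recommended controls stop it. It assumes invented names (`Governance`, `flash_loan_attack`), a 2/3 supermajority threshold, an execution delay measured in blocks, and, as an extra assumption beyond the list above, the option of weighting votes by balances snapshotted at proposal time.

```python
# Toy on-chain governance (not Beanstalk's code). A flash loan must be repaid
# inside the same transaction, so borrowed tokens only grant voting power
# if voting and execution can happen in that one transaction.

class Governance:
    def __init__(self, total_supply, delay_blocks, threshold=2 / 3, snapshot_votes=False):
        self.total_supply = total_supply
        self.delay_blocks = delay_blocks        # time lock between last vote and execution
        self.threshold = threshold              # supermajority needed to execute
        self.snapshot_votes = snapshot_votes    # weight votes by balance at proposal block
        self.balances = {}
        self.proposals = {}

    def balance(self, who):
        return self.balances.get(who, 0)

    def propose(self, proposer, block):
        pid = len(self.proposals)
        self.proposals[pid] = {"snapshot": dict(self.balances), "votes": {},
                               "last_vote": block, "executed": False}
        return pid

    def vote(self, pid, voter, block):
        p = self.proposals[pid]
        source = p["snapshot"] if self.snapshot_votes else self.balances
        p["votes"][voter] = source.get(voter, 0)
        p["last_vote"] = block

    def execute(self, pid, block):
        p = self.proposals[pid]
        if block < p["last_vote"] + self.delay_blocks:
            raise PermissionError("time lock: execution too soon after voting")
        if sum(p["votes"].values()) < self.threshold * self.total_supply:
            raise PermissionError("voting threshold not reached")
        p["executed"] = True
        return True


def flash_loan_attack(gov, attacker, lender, amount, propose_block, attack_block):
    """Steps 1-3 from the article in one transaction; returns True if it succeeds."""
    pid = gov.propose(attacker, propose_block)            # step 1: small stake held earlier
    gov.balances[lender] -= amount                        # step 2: borrow voting tokens
    gov.balances[attacker] = gov.balance(attacker) + amount
    try:
        gov.vote(pid, attacker, attack_block)
        ok = gov.execute(pid, attack_block)               # step 3: execute in the same block
    except PermissionError:
        ok = False
    gov.balances[attacker] -= amount                      # repay before the transaction ends
    gov.balances[lender] += amount
    return ok
```

A non-zero delay forces execution into a later block, after the loan is repaid, so the attacker no longer controls the borrowed weight at execution; snapshotting removes the borrowed weight from the tally altogether.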

Wintermute

Event Review:

On September 21, 2022, Wintermute confirmed that it had been hacked. It had used the Profanity tool to generate vanity wallet addresses in order to optimize transaction fees. Although it accelerated the retirement of the old keys after learning of the vulnerability in Profanity, an internal error meant that the signing permissions of the affected addresses were not completely revoked, leading to the theft of funds.

When using open-source tools, security risks should be fully assessed. Tools related to key management require even more caution.

Harmony Bridge

Event Review:

  • The Horizon cross-chain bridge lost over $100 million, including more than 13,000 ETH and 5,000 BNB.
  • The founder of Harmony stated that the attack was caused by a private key leak.
  • Blockchain analysis firms believe that the North Korean hacker group Lazarus Group may have been behind it.

If it is indeed the work of North Korean hacker groups, the attack method may be similar to the Ronin Bridge incident. In recent years, North Korean hacker groups have been very active in targeting the cryptocurrency industry.

Ankr

Event Review:

  • After the Ankr contract was upgraded, the attacker used the mint function to create 100 trillion aBNBc out of thin air.
  • The attacker exchanged part of the aBNBc for 5 million USDC, causing the price of aBNBc to plummet.
  • Arbitrageurs exploited the price-update delay of the lending protocol Helio to profit over 17 million dollars.
  • Ankr promised to compensate $15 million.

Subsequent investigations revealed that the incident was caused by a malicious act of a former employee. The exposed issues include:

  • Key contracts were controlled by EOA accounts rather than a multi-signature wallet.
  • Core employees could control the Deployer private key.
  • Internal security management had flaws.


Mango

Event Review:

  • The attacker used 10 million USDT to open long and short positions on the Mango platform while simultaneously pumping the MNGO price on other platforms.
  • The price of MNGO surged from $0.0382 to $0.91, giving the attacker a paper profit of $420 million.
  • The attacker ultimately borrowed nearly $115 million in assets against that position.
  • The attacker proposed using treasury funds to repay the protocol's bad debt, on the condition that no criminal investigation would be conducted.
  • In December 2022, the self-proclaimed attacker Avraham Eisenberg was arrested in Puerto Rico.

This can be seen both as a security incident and as arbitrage. The main issue lies in the business model: the prices of small-cap coins are easily manipulated, which makes position management on the platform difficult.

Project teams should fully consider various extreme scenarios for testing. Users participating in the project should also comprehensively assess risks and not focus solely on returns.
