It’s no exaggeration to say that the DeFi industry is still in its infancy. So far in 2022, over $1.57B has been lost to hacks, already more than in all of 2021. Of this, $409.2M was lost last month alone, in April.
Fortunately, ReFi did not lose any money in any of these.
Of course, there is an element of luck to this. However, we do keep constant surveillance of the developments in the space and would like to reassure our investors of the due diligence and research we do before entering new trades.
In this article, we also outline some of the lessons learnt.
Here’s a breakdown of the major hacks from last month:
- Beanstalk Farms
- Saddle Finance
- Jewel unlocks
1. Beanstalk: $182M protocol loss, $76M gains for the exploiter.
Type of Hack: Governance Attack
Beanstalk’s governance is decentralized. Part of the governance contract is an emergencyCommit function that, when approved by ⅔ of the vote, can move funds out of the contract. The idea was that if something catastrophic was about to happen, the community could come together and, with a supermajority vote, safely store the funds elsewhere. What actually happened was that the exploiter created two Beanstalk proposals (#18 and #19). After 24 hours, the attacker used a flash loan to deposit millions of dollars into Beanstalk’s Diamond contract. This gave them control of almost 80% of all governance votes, well above the 67% needed to invoke the emergencyCommit function. With this power, they siphoned away the funds and closed the flash loan. What’s crazy is that the entire governance hack took place in one block; anything more and the flash loan would have failed.
An in-depth summary of the exploit can be read here: https://medium.com/@nvy_0x/the-beanstalk-bean-exploit-b038f4d324ea
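To make the vote-weighting problem concrete, here is a toy Python model added for this write-up (it is not Beanstalk's code). The ledger, the `use_snapshot` switch and all balances are constructed assumptions; only the ⅔ threshold comes from the description above. It compares counting voting power at execution time with counting only stake that existed before the proposal was created.

```python
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # emergency threshold described in the article

@dataclass
class Governance:
    use_snapshot: bool                          # hypothetical hardening switch
    block: int = 0
    ledger: list = field(default_factory=list)  # (block, holder, delta)

    def move(self, holder, delta):
        self.ledger.append((self.block, holder, delta))

    def power(self, holder, at_block):
        return sum(d for b, h, d in self.ledger if h == holder and b <= at_block)

    def total(self, at_block):
        return sum(d for b, _, d in self.ledger if b <= at_block)

    def can_emergency_commit(self, proposal_block, voters):
        # Live weighting counts deposits made in the current block;
        # snapshot weighting counts only stake held before the proposal.
        at = proposal_block - 1 if self.use_snapshot else self.block
        total = self.total(at)
        if total <= 0:
            return False
        share = sum(self.power(v, at) for v in voters) / total
        return share >= SUPERMAJORITY

def same_block_vote(use_snapshot):
    gov = Governance(use_snapshot)
    gov.move("long_term_holders", 100)   # constructed balances
    gov.block = 1
    proposal_block = gov.block           # proposal is created here
    gov.block = 2                        # waiting period has passed
    gov.move("borrower", 400)            # borrowed stake arrives...
    approved = gov.can_emergency_commit(proposal_block, ["borrower"])
    gov.move("borrower", -400)           # ...and leaves in the same block
    return approved
```

With live weighting the borrowed deposit holds 80% of the vote for the length of one block and the check passes; with snapshot weighting the same deposit carries no votes.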
2. DEUS/DEI: 13.4M loss.
Type of Hack: Flash Loan & Flash Swap
Deus Finance was also hacked earlier, in March, for a few million dollars. The team responded very well, refunding everyone that was impacted.
March exploit post mortem: https://lafayettetabor.medium.com/deus-post-mortem-3c65df12927f
Last week’s exploit was a flash loan attack that manipulated the price oracle that reads from the StableV1 AMM USDC/DEI pair. The manipulation drastically increased the price of DEI, and the borrow pool was subsequently drained. Further research by the Deus team found that the exploit also included a flash swap used to manipulate the VWAP of its Muon oracles, and another flash swap in the same tx used to change the on-chain price. All in all, this attack happened over multiple txs and minutes.
The flash loan happened here: https://ftmscan.com/tx/0x39825ff84b44d9c9983b4cff464d4746d1ae5432977b9a65a92ab47edac9c9b5
3. Saddle Finance: ~10M loss.
Type of Hack: LP Manipulation
Saddle Finance, a Curve fork, was exploited due to a bug in an old version of the MetaSwapUtils library, which doesn’t use a VirtualPrice to calculate the value of the LP token during swaps within the metapool. The issue has since been fixed, but the outdated version allowed the hacker to make a series of swaps within the sUSD/saddleUSD-V2 metapool that manipulated the price of the LP token, which could then be swapped back for sUSD at a profit.
Rekt article detailing exploit: https://twitter.com/rekthq/status/1520816682155094016?s=21&t=tUslMbUKC0mzWPuWqpkHSA
4. FEI Protocol: $80M loss on RariCapital pools.
Type of Hack: Reentrancy
Old Compound pools are subject to reentrancy hacks, and many current forks on EVM chains have yet to correct this issue. Reentrancy attacks happen when a smart contract makes a call to an external smart contract, and the external contract responds with a call back into the original contract that seeks to exploit a vulnerability in the initial call’s code. Rari developer Jack Longarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, and 156) which they have temporarily paused. The team has also offered a $10mm reward if the hacker returns the funds. The image below highlights the stages a reentrancy hack targets.
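The ordering problem behind reentrancy can be shown with a small Python model, added here as an illustration (it is not Compound's or Rari's code; the `Pool` class, account names and balances are constructed). The vulnerable mode pays out before updating the balance; the hardened mode updates the balance first and refuses nested entry.

```python
class Reentered(Exception):
    """Raised by the guard when withdraw() is entered while still running."""

class Pool:
    def __init__(self, hardened):
        self.hardened = hardened
        self.cash = 0
        self.balances = {}
        self.locked = False

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.cash += amount

    def withdraw(self, account, on_receive):
        if self.hardened and self.locked:
            raise Reentered(account)           # reentrancy guard
        self.locked = True
        try:
            amount = min(self.balances.get(account, 0), self.cash)
            if amount == 0:
                return
            if self.hardened:
                self.balances[account] -= amount   # effect before interaction
            self.cash -= amount
            on_receive(amount)                 # external call: control leaves the pool
            if not self.hardened:
                self.balances[account] = 0     # balance updated after the call: too late
        finally:
            self.locked = False

def run(hardened):
    pool = Pool(hardened)
    pool.deposit("other_users", 90)            # constructed balances
    pool.deposit("caller", 10)
    received = []

    def on_receive(amount):
        received.append(amount)
        try:
            pool.withdraw("caller", on_receive)    # call back in before the first call returns
        except Reentered:
            pass

    pool.withdraw("caller", on_receive)
    return sum(received), pool.cash
```

In the vulnerable mode a 10-unit depositor walks away with all 100 units because every nested call still sees the old balance; in the hardened mode the same caller receives only its own 10.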
5. DefiKingdoms: 20% market cap drop.
Type of Hack: Unlock exploit
One of the largest P2E games, DFK, recently found a glitch that allowed users to rapidly unlock locked $jewel. Although only 12k $jewel were unfairly unlocked, this sent the daily price down 20% to cap off a 90% decline since January highs. This exploit was made possible by transferring all locked $jewel between multiple accounts, and then allowing more heroes than intended to mine these $jewel at the same time. The mining quest was temporarily paused while a fix was being implemented.
If you’ve been in crypto for a while now, you have most likely fallen victim to an exploit or rug. It’s a horrible feeling and oftentimes easily preventable. Everyone always says please don’t invest more than you’re willing to lose, and these past few months have put up a strong argument for that statement. We urge everyone to re-evaluate their risk tolerances and to reposition accordingly.
Here at ReFi, our farming teams regularly hold lengthy discussions on the risk-reward of entering different pools. Some of the due diligence that goes on behind the scenes includes reviewing audits, following up with community members, getting involved in Discords, setting up private calls with developers and founders, and internal code reviews when appropriate.
To conclude, we wish everyone the best in the treacherous DeFi landscape and would love to thank everyone again for their continued trust and support of ReFi!