Decentralized finance () refers to blockchain applications that cut out middlemen from financial products and services like loans, savings, and swaps. While DeFi comes with high rewards, it also carries plenty of risks.
Since just about anyone can spin up a DeFi protocol and write some , flaws in the code are common. And in DeFi, there are many unscrupulous actors ready and able to exploit those flaws. When that happens, millions of dollars are put on the line, often with no recourse for users.
DeFi users lost $10.5 billion to theft in 2021, according to a November report by Elliptic. But as our list of the largest DeFi exploits shows, that figure has since grown by millions. (All figures below are in the values of the funds at the time of the incident.)
Often dApps take thematic inspiration from the blockchains on which they’re built. As a result, the Avalanche ecosystem is chock-full of snow references, like Snowtrace, Blizz, and Defrost. Meanwhile, the Fantom ecosystem feels like an on-chain Halloween party. That adds a darker spin when things go wrong, as was the case with Grim Finance, a yield optimizer protocol.
In December 2021, the protocol suffered a reentrancy attack, a type of exploit where an attacker fakes additional deposits into a vault while a previous transaction has yet to be settled. Eventually, the attack tricked the smart contract into releasing $30 million in Fantom tokens.
DeFi protocols normally use reentrancy guards—pieces of code that prevent such attacks. Grim Finance’s audit report from Solidity Finance incorrectly stated that the protocol had reentrancy guards in place—a reminder that audits are no guarantee that exploits won’t happen.
Sometimes it doesn’t take long for a DeFi protocol to suffer its first exploit. Binance Smart Chain-based lending protocol Meerkat Finance lost $31 million in user funds just a day after it launched in March 2021.
The attacker called a function in the contract that made their address become the vault owner, draining the project of $13.96 million in Binance’s BUSD, and a further 73,000 BNB (Binance’s native token). The BNB heist was worth about $17.4 million at the time.
Many users argued it was an insider job: a rug-pull by the protocol’s developers. Meerkat denied the allegations.
Summer 2021 saw a boost in activity on Avalanche, which also attracted those hungry to exploit the blockchain network’s fledgling ecosystem.
In September 2021, only a week after lending platform Vee Finance celebrated a milestone of $300 million in total value of assets locked, it suffered what remains the biggest exploit on the Avalanche network.
The attack was possible largely because Vee Finance’s leveraged trading feature relied on token prices provided by Avalanche’s main liquidity protocol, Pangolin. To abuse that, the attacker created seven trading pairs on Pangolin, provided liquidity, and finally placed leveraged trades on Vee. That allowed them to drain $35 million in cryptocurrencies out of the protocol.
In a tweet addressed to “dear Mr/Ms 0x**95BA,” the protocol demanded that the attacker return the funds as part of a bounty program, which would let the attacker keep a portion. But the Vee hacker showed no desire to return the funds.
Crypto often goes through brief-but-intense fads. And in spring 2021, Binance Smart Chain (BSC) (now just BNB Chain) was the hottest DeFi trend, especially for retail users, due to its low network fees.
But BSC was also host to lots of scams and hacks, the largest of which was a May 2021 exploit that targeted yield-farming protocol PancakeBunny.
A hacker manipulated PancakeBunny’s pricing algorithm through a series of eight flash loan attacks, jacking up the price of the protocol’s native token, $BUNNY. The hacker made off with $45 million by buying $BUNNY cheap at market rates and selling it at artificially inflated highs.
Multi-chain lending protocol bZx was hacked in November 2021 after a “private key” was compromised. The protocol lost a total of $55 million deployed on Binance Smart Chain and Polygon.
But bZx had already been through similar pain twice before.
Although flash loan attacks are a common DeFi exploit tactic these days, bZx is an “OG” in that regard. It became subject to flash loan attacks in February 2020, which targeted its margin-trading platform Fulcrum. The hacker made off with 1,300 wrapped ETH, worth $366,000 at the time.
In another attack in September 2020, bZx lost 30% of the funds locked into its vaults, then worth $8 million. However, users with open margin positions didn’t suffer losses because, as the protocol later said in a report, those funds were debited against bZx’s insurance fund.
It’s not always a smart contract vulnerability that evaporates millions from a DeFi project.
In December 2021, Bitcoin-to-DeFi bridge Badger DAO suffered a $120 million loss after scammers conned Badger DAO members into approving malicious transactions, which let them control users’ vault funds and move funds.
Blockchain security firm PeckShield told Decrypt that the protocol’s contracts were safe from the exploit, and only the user interface was impacted.
Lending protocol Cream Finance lost $130 million in a flash loan attack in October 2021—marking the third attack suffered by the protocol.
Flash loans allow you to take out instant loans, provided you pay them back in the same transaction. Though useful for arbitrage plays, they’re widely deployed by malicious actors to exploit vulnerabilities in DeFi protocols. In the case of Cream Finance, the flash-loan hacker was able to exploit a pricing vulnerability by repeatedly taking out flash loans across different Ethereum addresses.
Cream had seen it all before. In August 2021, a hacker stole around $25 million in another flash loan attack primarily targeting Flexa Network’s native token, AMP. And in a February 2021 flash loan attack, hackers siphoned $37.5 million out of the protocol’s pool.
Play-to-earn is one of the newest trends in crypto, but it isn’t free from old-school tricks and traps—especially those that exploit centralized features. Vulcan Forged, a play-to-earn platform on Polygon, learned that lesson the hard way in December 2021 when its users lost $140 million.
According to a post-mortem report, a hacker obtained the credentials of the platform’s centralized user wallets—Venly—to get hold of the private keys to 96 crypto wallets. Later, the hacker used it to obtain the private keys in the platform’s asset portfolio feature—MyForge—and eventually made off with 4.5 million of Vulcan Forged native PYR tokens.
In his address to the community, Vulcan Forged CEO Jamie Thomson said, “Going forward, of course, we’re going to be using nothing but decentralized wallets so we never have to encounter this problem again.”
Like most DeFi protocols, lending protocol Compound has a governance token, COMP. The protocol distributes tokens to users under specific conditions.
It emerged in October 2021 that Compound had a bug—“the best-kept secret in DeFi”—that let borrowers claim more than their intended share of COMP. The bug involved two of its vaults, or pools of funds on the smart contract. Users would call a specific function—drip()—on the Reservoir vault, which would refill another vault, Comptroller. That vault would automatically distribute large amounts of COMP to wrong addresses. The leaky tap was the result of an error introduced in a previous protocol update.
After $80 million in COMP was sent to the wrong people, the team rushed to patch a fix. But before any fix could be implemented, the protocol required a governance proposal to pass. It was created on October 2 and finally accepted on October 9. While the community debated, the vaults lost a further $68.8 million.
How did Compound’s founder, Robert Leshner, try and get the money back? By tweeting, “Anyone who returns COMP to the community is an alien giga-chad; and if a squad of alien giga-chads ever summon me, I will appear.” Almost half of the funds were returned.
Doh. Flash loans—so useful yet so dangerous. Just two days after celebrating that $150 million in assets had been locked into its protocol, Ethereum-based Beanstalk discovered that $182 million had gone missing in a flash loan attack. The hacker(s) managed to launder $80 million in Ethereum via Tornado Cash. Beanstalk is known for its algorithmic stablecoin, BEAN, which is supposed to be worth $1. While it managed to hold its peg in the immediate aftermath of the attack, the exploit demonstrated that algorithmic stablecoins are only as stable as the contracts that underpin them.
As there are more and more layer-1 blockchains with DeFi built atop them, there’s a greater desire for users to transfer funds between chains. Cross-chain bridges address that need, but they also bring up new vulnerabilities. The most damaging cross-chain incident occured in January 2022, when Wormhole, a popular bridge, lost $320 million in Wrapped Ethereum (wETH). WETH is a cryptocurrency pegged to the price of Ethereum on a 1:1 basis.
The hacker targeted the bridge’s leg on Solana, where users must first lock Ethereum into a smart contract to get an equivalent amount in Wrapped Ethereum. The hacker managed to find a way around this by minting WETH without locking up ETH in Wormhole.
Jump Trading Group, a stakeholder in Wormhole’s development, took the initiative to replenish Wormhole’s Ethereum coffers and make it whole again.
NFT-powered play-to-earn gameis one of the biggest crypto success stories of the last year. On March 23, 2022, it became the victim of one of the biggest hacks in crypto, with an estimated $552 million in cryptocurrency drained from the bridge to its Ronin sidechain using “hacked private keys”.
By the time the exploit was disclosed by Axie Infinity developer Sky Mavis a week later, the value of the funds stolen had risen to $622 million.
According to a report from Sky Mavis, the attacker used “a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator.”
Explaining that in November 2021, Sky Mavis turned to the Axie DAO to distribute free transactions due to high user load, the report added that, “The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.”
Using the exploit, the attacker was then able to sign transactions from five of the nine validator nodes on the Ronin network, including AxieDAO’s node and four of Sky Mavis’ own nodes. This, in turn, let the attacker forge transactions and claim 173,600 WETH (Wrapped Ethereum) and 25.5 million USDC, totaling around $622 million.
Calling it, “one of the bigger hacks in history,” Axie Infinity co-founder Jeff Zirlin noted that “there’s a chance that [the hacker] can be identified and brought to justice.”
The Poly Network hack remains the largest in crypto—not just DeFi. Fortunately though, the saga that began on August 10, 2021 ended happily three days later following a series of strange twists.
The heist began when a hacker exploited a vulnerability in Poly Network’s “contract calls”—pieces of code that power the protocol. The hacker swiftly made off with $611 million in various cryptocurrencies, leading Poly to publish a letter of despair with the salutation “Dear Hacker.”
That communication attempt, and subsequent outreach efforts, eventually worked. The protocol offered a bounty of half a million dollars and the opportunity for the hacker to become its chief security adviser. But in an on-chain Q&A session, the hacker explained that the exploit was only meant to teach Poly Network a lesson. Returning the stolen funds was “always the plan,” they said.
Cryptocurrency security firm SlowMist said it identified the attacker’s identity markers and that the exploit was “likely to be a long-planned, organized and prepared attack.”
“Now everyone smells a sense of conspiracy,” the hacker said, denying they’re an insider. “But who knows?”