Rob Behnke
October 13th, 2022
On October 11, 2022, Rabby Swap, Temple DAO’s Stax, and Mango Markets were all hacked on the same day for a total of over $104 million. An alleged fourth hack of ParaSwap was discovered to be a false positive. Let’s break down the latest string of DeFi hacks…
Rabby Swap is a relatively new function in the Rabby cryptocurrency wallet. This function was discovered to contain a vulnerability that an attacker exploited to steal approximately $200,000 in tokens from the wallet’s users.
This hack took advantage of approvals that the wallet’s users had created. These approvals allowed value to be extracted from the user’s accounts without explicit consent from them, enabling the attacker to drain their wallets.
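The mechanism behind that sentence is the ERC-20 allowance: once a user has approved a spender, the spender can move tokens with transferFrom up to the approved amount without the user signing anything further. The model below is an added example, not Rabby's code or the token contracts involved; the balances, addresses and amounts are constructed, and the spender name is hypothetical. It shows how much an outstanding approval exposes under an unlimited approval, a bounded one, and after revocation.

```python
"""ERC-20 style allowances: what an outstanding approval lets a spender move.

Added example, not Rabby's code. Balances and addresses are constructed.
"""

UNLIMITED = 2**256 - 1   # the common "infinite approval" value


class Token:
    """Minimal ERC-20-like ledger with approve / allowance / transferFrom."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowances = {}   # (owner, spender) -> remaining allowance

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def allowance(self, owner: str, spender: str) -> int:
        return self.allowances.get((owner, spender), 0)

    def transfer_from(self, spender: str, owner: str, to: str, amount: int) -> None:
        """The spender moves the owner's tokens; only the allowance and the
        owner's balance are checked, the owner is not consulted again."""
        allowed = self.allowance(owner, spender)
        if amount > allowed or amount > self.balances.get(owner, 0):
            raise ValueError("allowance or balance exceeded")
        # Real tokens commonly skip this decrement for the unlimited value;
        # this model always decrements, which is the conservative reading.
        self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def drainable(token: Token, owner: str, spender: str) -> int:
    """How much the spender could move right now without the owner acting."""
    return min(token.allowance(owner, spender), token.balances.get(owner, 0))


def demo() -> tuple:
    """Exposure of one user under three approval policies (constructed data)."""
    token = Token({"user": 5_000})
    token.approve("user", "swap_contract", UNLIMITED)   # unlimited approval
    unlimited = drainable(token, "user", "swap_contract")
    token.approve("user", "swap_contract", 100)         # approve only what the swap needs
    bounded = drainable(token, "user", "swap_contract")
    token.approve("user", "swap_contract", 0)           # revoke when done
    revoked = drainable(token, "user", "swap_contract")
    return unlimited, bounded, revoked


if __name__ == "__main__":
    print(demo())
```

The defensive point for wallet users is the middle and last lines of `demo()`: approving only the amount a swap needs, and setting the allowance back to zero afterwards, bounds what a compromised or buggy spender contract can take.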
The Temple DAO Stax contract was exploited for approximately $2.3 million in tokens. The attackers took advantage of a couple of vulnerabilities in the contract’s migrateStake function, including:
This combination meant that an attacker could call the contract with a fake old address and stake value. The Stax contract would then mint tokens to the attacker’s indicated address, allowing them to drain value from the contract.
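To make the pattern concrete, here is an added model of a stake-migration function, not Temple DAO's code: the real migrateStake internals are not reproduced, and the class names, accounts and balances are constructed. The vulnerable version takes the old contract address and the stake amount from the caller; the hardened version accepts only the known legacy contract and mints exactly what that contract releases for the authenticated caller.

```python
"""Stake migration that trusts caller input versus one that reads the
legacy contract's own state.

Added illustration, not Temple DAO's code. Accounts and balances are constructed.
"""


class LegacyStaking:
    """Stand-in for the genuine legacy staking contract (constructed)."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)

    def migrate_withdraw(self, account: str) -> int:
        """Release and return the account's stake, zeroing it."""
        return self.balances.pop(account, 0)


class FakeLegacyStaking:
    """A contract with the same interface that holds no real stake.
    In the vulnerable flow its return value is never used anyway."""

    def migrate_withdraw(self, account: str) -> int:
        return 0


class StaxVulnerable:
    """Accepts whatever old contract and amount the caller passes."""

    def __init__(self):
        self.minted = {}

    def migrate_stake(self, old_staking, amount: int, recipient: str) -> int:
        old_staking.migrate_withdraw(recipient)              # result ignored
        self.minted[recipient] = self.minted.get(recipient, 0) + amount  # caller-chosen amount
        return amount


class StaxHardened:
    """Only the known legacy contract counts, and the minted amount is what
    that contract actually releases for the authenticated caller."""

    def __init__(self, trusted_legacy: LegacyStaking):
        self.trusted_legacy = trusted_legacy
        self.minted = {}

    def migrate_stake(self, old_staking, caller: str, recipient: str) -> int:
        if old_staking is not self.trusted_legacy:
            raise ValueError("unknown legacy staking contract")
        amount = old_staking.migrate_withdraw(caller)        # amount from legacy state
        if amount == 0:
            raise ValueError("nothing to migrate")
        self.minted[recipient] = self.minted.get(recipient, 0) + amount
        return amount


if __name__ == "__main__":
    legacy = LegacyStaking({"alice": 100})
    print(StaxVulnerable().migrate_stake(FakeLegacyStaking(), 1_000_000, "attacker"))
    print(StaxHardened(legacy).migrate_stake(legacy, "alice", "alice"))
```

The two checks in `StaxHardened.migrate_stake` are the whole fix: the migration source is pinned to one trusted address, and the amount is read from that source rather than from the call arguments, so a second migration of the same stake yields nothing.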
Mango Markets was the victim of a $100 million exploit. In this case, the attacker exploited errors in how the contract tracked collateral values.
The attacker was able to dramatically increase the value of the collateral that they had deposited within the contract. With this increased collateral, they took out a massive loan from the project. Since this loan was far more valuable than the deposited collateral, they abandoned the collateral for a profit of about $100 million.
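The borrow-then-abandon arithmetic above only pays off when the pool values collateral higher than the market will later honour. The simulation below is an added example, not Mango Markets' code; it assumes a generic pool whose borrow limit comes from a price feed (the page does not say how Mango tracked collateral values, so this is a model of the general class, not of that exploit), and the prices, deposit size and loan-to-value ratio are constructed. It compares a spot-price valuation with a time-weighted one and reports whether abandoning the collateral would be profitable under each.

```python
"""Collateral valuation with a spot price versus a time-weighted price.

Added example, not Mango Markets' code. Models a generic lending pool
whose borrow limit is derived from a price feed (an assumption).
Prices, deposits and the LTV ratio are constructed.
"""
from collections import deque


class LendingPool:
    """Minimal lending pool: deposit collateral, borrow against it."""

    def __init__(self, ltv: float, twap_window: int, liquidity: float):
        self.ltv = ltv                          # maximum loan-to-value ratio
        self.prices = deque(maxlen=twap_window)  # recent price-feed updates
        self.collateral = {}                    # account -> collateral units
        self.debt = {}                          # account -> borrowed amount
        self.liquidity = liquidity              # lendable funds in the pool

    def observe_price(self, price: float) -> None:
        self.prices.append(price)

    def spot_price(self) -> float:
        """Latest update only: one manipulated update moves it fully."""
        return self.prices[-1]

    def twap_price(self) -> float:
        """Average over the window: one outlier update is diluted."""
        return sum(self.prices) / len(self.prices)

    def deposit(self, account: str, units: float) -> None:
        self.collateral[account] = self.collateral.get(account, 0.0) + units

    def borrow_limit(self, account: str, resistant: bool) -> float:
        price = self.twap_price() if resistant else self.spot_price()
        value = self.collateral.get(account, 0.0) * price
        return value * self.ltv - self.debt.get(account, 0.0)

    def borrow(self, account: str, amount: float, resistant: bool) -> None:
        if amount > self.borrow_limit(account, resistant):
            raise ValueError("insufficient collateral")
        if amount > self.liquidity:
            raise ValueError("insufficient pool liquidity")
        self.debt[account] = self.debt.get(account, 0.0) + amount
        self.liquidity -= amount


def simulate(resistant: bool) -> dict:
    """Deposit at a fair price, push one inflated price update, borrow the
    maximum, then measure the profit of abandoning the collateral at the
    fair price. All figures are constructed."""
    fair_price, inflated_price, units = 1.0, 20.0, 1000.0
    pool = LendingPool(ltv=0.8, twap_window=100, liquidity=100_000.0)
    for _ in range(99):
        pool.observe_price(fair_price)
    pool.deposit("attacker", units)
    pool.observe_price(inflated_price)      # the single manipulated update
    loan = pool.borrow_limit("attacker", resistant)
    pool.borrow("attacker", loan, resistant)
    true_collateral_value = units * fair_price
    return {"loan": loan, "profit_if_abandoned": loan - true_collateral_value}


if __name__ == "__main__":
    print("spot valuation:", simulate(resistant=False))
    print("twap valuation:", simulate(resistant=True))
```

With the spot valuation the loan is worth far more than the collateral at its fair price, so walking away from the collateral is the rational move; with the time-weighted valuation the same single inflated update barely moves the limit and the loan stays below the collateral's fair value. Valuation that resists short-lived price moves, together with borrow caps relative to pool liquidity, is what removes the incentive.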
The same day, a fourth potential hack was reported regarding the ParaSwap project. The deployer addresses for this project’s contracts were reportedly created using Profanity, which was found to generate weak private keys that could be guessed by an attacker.
However, this hack was a false positive as pointed out by the ParaSwap and Curve Finance teams. The address in question was a throwaway deployment address that is used once and then holds no further power or authority over the project’s contracts. As a result, an attacker who used the Profanity exploit to gain knowledge of the account’s private key could do nothing with it.
The hacks of Rabby Swap, Temple DAO Stax, and Mango Markets demonstrate the scale and diversity of DeFi hacks today. Each attack took advantage of a different mechanism to steal a total of over $104 million in tokens from the three DeFi projects.
However, the reports of the ParaSwap hack underscore the importance of properly researching an incident before calling it a hack. While the fact that the deployer addresses were vulnerable to the Profanity hack isn’t ideal, the compromised private key posed no risk to the project.

Protecting DeFi projects against the types of hacks reported on October 11, 2022 requires an in-depth security audit. To learn how to secure your project, reach out to our Web3 security experts at halborn@protonmail.com.