Rob Behnke
November 3rd, 2022
October 2022 was unusual for the sheer volume of DeFi hacks that occurred. On October 11th, a “hat trick” of hacks — and one false positive — resulted in over $104 million being stolen. The week before, a BNB Chain hack took third place on the Rekt Leaderboard with $586 million in losses. In this article, part of our new Month in Review series, we’ll break down the biggest DeFi hacks of the month.
Dozens of DeFi projects were targeted by attackers in October 2022. These are some of the largest and most novel attacks that we observed that month.
Transit Swap is a cross-chain DEX aggregator that suffered a $21 million hack in October 2022. The attacker took advantage of a lack of input validation in the claimTokens function when transferring tokens: because the caller could specify the address of the token contracts, the attacker was able to extract tokens from the accounts of users who had existing DeFi approvals.
The BSC Beacon cross-chain bridge suffered a $586 million hack in October 2022, placing it in the top three DeFi hacks to date. The attacker was able to fake transfers on the chain and perform two withdrawals of 1 million BNB. After the hack was discovered, BNB Chain validators halted operations, freezing the bulk of the stolen funds on-chain.
An attack on Rabby Swap was one of three hacks performed on October 11, 2022. The attacker took advantage of a vulnerability in the Rabby Swap function to drain value from users of the Rabby cryptocurrency wallet who had created DeFi approvals. In total, approximately $200,000 in tokens was stolen.
The Temple DAO Stax attacker took advantage of the fact that the contract’s migrateStake function was publicly accessible and lacked input validation. On October 11, the attacker was able to transfer stake from a fake old address, enabling them to drain about $2.3 million from the protocol.
Mango Markets was the third hack to occur on October 11, 2022. In this case, the attacker took advantage of flaws in how the contract tracked the value of collateral. By artificially amplifying the perceived value of collateral invested in the contract, the attacker was able to take out large loans for about $100 million in profit.
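The collateral-valuation flaw described above is a class of bug rather than a single line of code. The following Solidity is an added illustration of that class written for this article; it is not Mango Markets' code, and the contract names, the `IPool`/`ITwapOracle` interfaces and the 80% loan-to-value figure are assumptions chosen for the example. The vulnerable lender values collateral at whatever price an AMM pool reports at that instant, so a large trade in the same transaction raises the caller's borrowing power; the hardened lender takes the lower of spot and a time-weighted price, refuses to lend while the two disagree, and caps the market's total debt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of collateral mis-valuation. Generic to the bug class,
// not Mango Markets code; all names and parameters here are hypothetical.

interface IPool {
    // AMM-style reserves of the collateral token and the loan token.
    function reserves() external view returns (uint256 collateralReserve, uint256 loanReserve);
}

interface ITwapOracle {
    // Time-weighted price of one collateral unit in loan-token units, 1e18 scaled.
    function twapPrice() external view returns (uint256);
}

// VULNERABLE: collateral is valued at the pool's instantaneous spot price.
// A large trade against the pool earlier in the same transaction inflates that
// price, and with it the caller's borrowing limit.
contract VulnerableLender {
    IPool public immutable pool;
    uint256 public constant LTV_BPS = 8_000; // borrow up to 80% of collateral value
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(IPool _pool) {
        pool = _pool;
    }

    function collateralValue(address user) public view returns (uint256) {
        (uint256 cRes, uint256 lRes) = pool.reserves();
        uint256 spot = lRes * 1e18 / cRes;
        return collateral[user] * spot / 1e18;
    }

    function borrow(uint256 amount) external {
        uint256 limit = collateralValue(msg.sender) * LTV_BPS / 10_000;
        require(debt[msg.sender] + amount <= limit, "undercollateralized");
        debt[msg.sender] += amount;
    }
}

// HARDENED: value collateral at the lower of spot and TWAP, refuse to lend while
// the two disagree by more than a tolerance, and cap total borrowing per market.
contract HardenedLender {
    IPool public immutable pool;
    ITwapOracle public immutable oracle;
    uint256 public constant LTV_BPS = 8_000;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5% spot/TWAP tolerance
    uint256 public immutable borrowCap;
    uint256 public totalDebt;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;

    constructor(IPool _pool, ITwapOracle _oracle, uint256 _borrowCap) {
        pool = _pool;
        oracle = _oracle;
        borrowCap = _borrowCap;
    }

    function collateralValue(address user) public view returns (uint256) {
        (uint256 cRes, uint256 lRes) = pool.reserves();
        uint256 spot = lRes * 1e18 / cRes;
        uint256 twap = oracle.twapPrice();
        // A price that has just been pushed by a big trade is not borrowable against.
        uint256 diff = spot > twap ? spot - twap : twap - spot;
        require(diff * 10_000 <= twap * MAX_DEVIATION_BPS, "spot/TWAP deviation too large");
        // Using the lower price means a transient spike can never raise borrowing power.
        uint256 px = spot < twap ? spot : twap;
        return collateral[user] * px / 1e18;
    }

    function borrow(uint256 amount) external {
        uint256 limit = collateralValue(msg.sender) * LTV_BPS / 10_000;
        require(debt[msg.sender] + amount <= limit, "undercollateralized");
        // A per-market cap bounds the damage even if the valuation is somehow wrong.
        require(totalDebt + amount <= borrowCap, "market borrow cap reached");
        debt[msg.sender] += amount;
        totalDebt += amount;
    }
}
```

Token transfers for deposits and loan payouts are left out so the valuation logic stays in focus. The borrow cap is the cheapest of the three controls and the one most often missing: even a perfect oracle does not help if a single market can borrow the protocol's entire treasury against thinly traded collateral.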
Sovryn, a Rootstock-based project, was exploited for approximately $1 million in October. A flashloan attack exploited an unsafe external call by the Sovryn contract. This unsafe call to the attacker’s contract allowed the attacker to mint tokens and take advantage of a price manipulation vulnerability to burn them for more tokens than were used to create them.
The October 2022 hack of BitKeep took advantage of DeFi approvals created by the project’s users. An attacker managed to take over the BitKeep swap/router and used these approvals to drain approximately $1 million in tokens from users’ accounts.
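The Transit Swap, Temple DAO and BitKeep incidents above share one root cause: a contract that trusts an address supplied by the caller (a token contract, an account to pull from, or an "old" staking contract) and acts on it with privileges users have delegated to the contract. The Solidity below is an added example written for this article, not code from any of those projects; `VulnerableRouter`, `VulnerableMigrator` and their hardened counterparts, and the function names, are hypothetical. Each vulnerable contract is paired with a version that fixes the trusted address at deployment or restricts the action to the caller's own funds.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration of the root cause shared by the Transit Swap, Temple DAO
// and BitKeep incidents discussed above. Contract and function names are hypothetical;
// this is not any of those projects' code.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IStaking {
    function balanceOf(address account) external view returns (uint256);
}

// VULNERABLE: the caller names the token contract and the account to pull from.
// Any user who ever approved this router can be drained up to their allowance by
// anyone who calls claimTokens with that user's address as `from`.
contract VulnerableRouter {
    function claimTokens(address token, address from, address to, uint256 amount) external {
        IERC20(token).transferFrom(from, to, amount);
    }
}

// VULNERABLE: the "old" staking contract is chosen by the caller, so a contract the
// caller controls can report any balance it likes and be credited as stake.
contract VulnerableMigrator {
    mapping(address => uint256) public stake;

    function migrateStake(address oldStaking, address account) external {
        stake[account] += IStaking(oldStaking).balanceOf(account);
    }
}

// HARDENED router: only allow-listed tokens, and funds only ever leave msg.sender.
contract HardenedRouter {
    address public immutable owner;
    mapping(address => bool) public allowedToken;

    event TokensClaimed(address indexed token, address indexed from, address indexed to, uint256 amount);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setAllowedToken(address token, bool allowed) external onlyOwner {
        require(token.code.length > 0, "token is not a contract");
        allowedToken[token] = allowed;
    }

    function claimTokens(address token, address to, uint256 amount) external {
        require(allowedToken[token], "token not allowed");
        require(to != address(0), "zero recipient");
        require(amount > 0, "zero amount");
        // The router spends only the caller's own allowance, never a third party's.
        require(IERC20(token).transferFrom(msg.sender, to, amount), "transferFrom failed");
        emit TokensClaimed(token, msg.sender, to, amount);
    }
}

// HARDENED migrator: the source contract is fixed at deployment, each account
// migrates its own stake, and it can do so only once.
contract HardenedMigrator {
    IStaking public immutable oldStaking;
    mapping(address => uint256) public stake;
    mapping(address => bool) public migrated;

    event StakeMigrated(address indexed account, uint256 amount);

    constructor(IStaking _oldStaking) {
        require(address(_oldStaking).code.length > 0, "old staking is not a contract");
        oldStaking = _oldStaking;
    }

    function migrateStake() external {
        require(!migrated[msg.sender], "already migrated");
        migrated[msg.sender] = true;
        uint256 amount = oldStaking.balanceOf(msg.sender);
        require(amount > 0, "nothing to migrate");
        stake[msg.sender] += amount;
        emit StakeMigrated(msg.sender, amount);
    }
}
```

In production the raw `transferFrom` call should go through a wrapper such as OpenZeppelin's SafeERC20, since some widely used tokens do not return a bool. The events are not decoration: an approvals-draining attack shows up as a burst of `TokensClaimed` events whose `from` differs from the transaction sender, which is exactly the condition the hardened router makes impossible and which monitoring can alert on for any router that still accepts a caller-supplied `from`.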
OlympusDAO was piloting its new OHM Bonds project when the Bond protocol controls used for the pilot were exploited by an attacker. An input validation error in the contract’s redeem function allowed the attacker to steal $292,000 in tokens. Since this was a limited pilot, the damage was limited and, ironically, lower than the bug bounty payout on Immunefi would have been.
In October 2022, the DeFi space experienced a high volume of hacks as well as some high-impact ones, such as the hack of the BNB Chain. These hacks were made possible by a variety of factors; however, poor input validation and exploitation of DeFi approvals showed up in multiple examples.
In many cases, the vulnerabilities that enabled these attacks could have been identified and resolved via a smart contract audit before launch. To learn more about enhancing the security of your DeFi contracts, reach out to our blockchain security experts at halborn@protonmail.com.