Rob Behnke
July 3rd, 2023
June 2023 had a relatively low number of large DeFi hacks compared to other months this year. The DeFi hacks totaling over $1 million in June 2023 included two rug pulls, a wallet hack, and a governance exploit.
Rug pulls are thefts where the team behind a blockchain project steals funds from users. In June 2023, there were two rug pulls totaling over $1 million, including:
USEA: The team behind the USEA token stole an estimated $1.1 million from users of the BNB Chain-based protocol. This rug pull involved an unauthorized mint in which 700 million USEA tokens were minted to drain the value from the protocol.
Chibi Finance: The Chibi Finance rug pull involved the deployment of a malicious smart contract to drain funds from the project. In total, the attackers were able to steal 555 ETH worth an estimated $1 million.
In June 2023, Atlantis Loans suffered a governance exploit. The project, hosted on BNB Chain, was abandoned by its creators a few months earlier.
However, the protocol had a decentralized governance system in which users could create and vote on proposals. The attackers created a malicious proposal granting them control over the project and pushed it through. Once the proposal passed, the attackers were able to drain value from the wallets of anyone who had active approvals for the contract, allowing them to steal an estimated $1 million from former users.
Atomic Wallet suffered a hack in early June 2023 that resulted in over $35 million in losses by the wallet’s users. The protocol performed a multi-week investigation of the attack, but no report has been made regarding the root cause of the incident.
June 2023 demonstrated the ongoing threat of rug pull attacks. The teams behind crypto projects continue to steal from their users, often netting massive returns.
The other incidents in June 2023 were more unusual. The Atomic Wallet hack exploited unknown vulnerabilities, and Atlantis Loans demonstrated the potential risks of decentralized governance protocols, especially if a protocol is abandoned by its creators.