Rob Behnke
August 14th, 2024
Halborn recently completed and released a comprehensive analysis of the most expensive DeFi hacks from 2016 to 2023. By analyzing the top 100 DeFi hacks through 2023, Halborn was able to identify various trends and extract key lessons learned that can be used to guide and prioritize security efforts in the future.
This article explores some of the key findings and trends from the crypto hack report. For a more in-depth analysis, download the full report.
Halborn’s analysis focused on the most significant attacks against DeFi protocols, ranked by the amount of crypto stolen during the attacks. Looking across all attacks performed against DeFi protocols between 2016 and 2023, Halborn identified the 100 with the greatest total losses.
Diving into this dataset, Halborn analysts looked for trends, such as commonly exploited vulnerabilities or factors that seem to increase or decrease a protocol’s probability of suffering an expensive hack.
Some of the most significant findings identified during Halborn’s hack analysis include the following:
Incident Severity Dropped in 2023: DeFi hacks were unfortunately commonplace, even in 2023. However, among the top 100 hacks, there was a 6% decrease in incidents compared to 2023, and the total crypto stolen decreased by $43 million.
Top Chains Aren’t Always Most Targeted: Ethereum and Binance Smart Chain (BSC) are in the top three DeFi chains for TVL, number of protocols, number of hacks, and value lost. However, Polygon, a much smaller chain, scored third for attack volume and fourth for total losses, edging out larger chains.
Not All Risks are On-Chain: While on-chain threats, such as smart contract vulnerabilities and price manipulation, are often top-of-mind, off-chain threats are growing. 29% of attacks and 34.6% of losses were associated with off-chain threats, such as compromised private keys. In 2023, this threat dominated the space, accounting for over half of attacks and losses.
Comprehensive Audits are Vital: Most smart contract hacks are of unaudited protocols, and these attacks are often more substantial than those of audited protocols. Of the top 100 DeFi hacks, audited protocols accounted for 20% of hacks but only 14.3% of losses.
Poor Wallet Security is a Common Problem: Of the protocols included in the study, only 21.1% used multi-sig or MPC wallets, and only 5.3% stored private keys in cold wallets. These failures in security hygiene likely contributed to the growth of hacks involving compromised private keys.
Poor Input Validation Enables Smart Contract Hacks: Failing to validate untrusted input is the leading cause of smart contract hacks. It also leads as the main vulnerability by number of hacks and total losses.
Reentrancy is an Ongoing and Growing Problem: Reentrancy vulnerabilities have been a well-known smart contract vulnerability since the DAO hack in 2016. However, protocols continue to fall to this attack years later, and, in 2023, reentrancy exploits even increased to account for 16.7% of the year’s incidents.
Proof Verification is Vital: Cross-chain bridges commonly use proofs to demonstrate that a transfer is valid; however, these and other protocols don’t always perform proper validation of a proof before trusting it. These errors are especially costly, accounting for 4.3% of attacks but 25.7% of total losses.
Logic Errors a Leading 2023 Vulnerability: In 2023, nearly two-thirds of hacks exploiting smart contracts exploited logical errors in the contract code. Additionally, these incidents tended to be more expensive for impacted protocols, accounting for three-quarters of losses for attacks targeting smart contract vulnerabilities.
Flawed Oracles Enable Price Manipulation: Price manipulation attacks trick smart contracts into using incorrect data regarding token prices, enabling the attacker to drain value from the contract. In the majority of these attacks, flawed price oracles were crucial to the attacker’s ability to perform these attacks.
Flashloans Support Certain Attacks: While most DeFi hacks don’t involve flashloans, they’re a common feature in certain exploits, such as price manipulation and governance attacks. The malicious use of flashloans is also on the rise, accounting for 62.5% of attacks in 2023, compared to 26.3% in 2022.
Lending Protocols, Bridges, and CEXs are Most Insecure: Lending protocols were the most commonly attacked protocol among the top 100, while bridges and CEXs took the top two slots by the amount of value stolen. Bridges and CEXs are also disproportionately represented in the top 100, with many more hacks than would be expected by the number of these protocols in existence.
Decentralization Reduces Losses: Decentralized protocols account for a little under half (44%) of the top 100 hacked protocols. However, they make up only a bit over a quarter (28.2%) of losses, indicating that decentralization seems to have security benefits for DeFi protocols.
Certain Functions are Prime Targets: Withdraw and deposit functions are common targets of DeFi hacks, and exploits targeting functions for proof verification and smart contract ownership transfers racked up the highest losses. These functions deserve special attention when performing security audits of DeFi protocols.
Unfortunately, DeFi hacks are commonplace even today, and next year’s report will include multiple high-value attacks that occurred in 2024. This Halborn report explored the biggest DeFi hacks through 2023, identifying important trends, such as the top types of attacks and the most commonly exploited vulnerabilities in DeFi smart contracts. To dive deeper into the data and learn more about its findings, download the report here.
One of the most significant takeaways from this report — and any analysis of blockchain and DeFi hacks — is the importance of comprehensive security audits for on-chain projects. Unaudited protocols dominate the results in both volume and value stolen, and many of these security incidents were made possible by vulnerabilities that could easily have been detected and prevented by a holistic security audit and implementing security best practices.
Halborn has extensive experience in helping on-chain protocols to secure their smart contracts and operations. For help in protecting your project from making the mistakes detailed in this report, get in touch with Halborn.