A review of hacks, exploits and thefts in the crypto sector
A review of hacks, exploits and thefts in the crypto sector in 2020
Unlike previous years, crypto-related news in 2020 was not dominated by hacks against large exchanges or multi-million dollar Bitcoin thefts. However, there was no shortage of such incidents, and most involved the nascent decentralised finance sector.
DeFi has been a major driver of momentum in the crypto market during the 2020s, but also a magnet for fraudsters and hackers. Largely unverified smart contracts coupled with cloned code have been an ideal recipe Ethereum Code for vulnerabilities and exploits, often resulting in millions of dollars worth of digital assets being stolen.
A CipherTrace report published in November 2020 reported that, in the first half of the year, DeFi suffered 45% of all hacks and thefts, resulting in a loss of more than $50 million. According to the report, in the second half this share rose to 50% of all hacks and thefts. Speaking to Cointelegraph, CipherTrace CEO Dave Jevans warned of potential regulatory action:
„Hacks in DeFi make up more than half of all hacks in the crypto industry during 2020, a trend that is attracting the attention of regulators.“
Continuing, he added that lack of compliance with anti-money laundering measures is the biggest concern for regulators:
„The funds stolen in the biggest hack of 2020, the $280 million theft from KuCoin, were laundered using DeFi protocols.“
In addition, Jevans believes that in 2021 authorities will likely shed light on the steps DeFi protocols will need to take to avoid the consequences of non-compliance with AML, Capture the Flag and possible penalties.
Exchange hacks in 2020
The cyber-attack against KuCoin occurred in late September, when the exchange’s CEO Johnny Lyu confirmed that the breach had affected the platform’s Bitcoin, Ethereum and ERC-20 hot wallets, after private keys were disclosed.
In early October, KuCoin announced that it had identified the suspects and officially involved law enforcement in the investigation. In mid-November, the Singapore-based exchange said it had recovered 84% of the stolen crypto, and restored services for most of the assets on the platform.
2020 saw other hacks against exchanges, but KuCoin was the biggest. In February, Italian exchange Altsbit lost almost all of its funds in a $70,000 hack, and other smaller platforms suffered breaches. From the beginning of the year to October 2020, up to 75 centralised cryptocurrency exchanges shut down for various reasons, including cyber attacks.
Hacks and exploits in DeFi during 2020
With billions of dollars poured into protocols and yield farming, the emerging DeFi sector has become a hotbed for hackers. The first major breach of 2020 occurred in February on DeFi’s lending platform bZx, when two flash loan exploits resulted in the loss of nearly $1 million in user funds. A flash loan is a particular service in which crypto collateral is borrowed and repaid within the same transaction.
bZx froze operations to prevent further losses, however, generating a wave of criticism from industry commentators who called the project a centralised platform destined to be the „bane of DeFi.“
The market crash in March triggered large liquidations of collateral, especially for Maker’s MKR token, but these events do not qualify as hacks. Another incident occurred the following month, when a tokenized version of Bitcoin called imBTC suffered an attack via the so-called ‚indentation method‘ of the ERC-777 standard. The perpetrator managed to drain all the value from a pool of liquidity on the Uniswap exchange, estimated at $300,000 at the time.
In April, the Chinese lending platform dForce also saw all of its liquidity drained using the same exploit. The hacker repeatedly increased his ability to borrow other assets and disappeared with around $25 million in funds.
In June, an exploit was discovered in Bancor’s smart contracts that resulted in the theft of $460,000 in tokens. Automated market maker DeFi said it had implemented a new version of the smart contract to fix the vulnerability.
The next DeFi protocol targeted was Balancer, which lost $500,000 in Ether tokens from its liquidity pools due to a well-planned arbitrage attack. A series of flash loans and token swaps were executed to exploit a vulnerability that Balancer’s team was allegedly already aware of.
Another exploit brought bZx back into the spotlight in July, with a dubious token sale manipulated by bots that placed buy orders in the same block that marked the start of the token generation event. The perpetrators embezzled nearly half a million dollars.