Here at DeFi Rate, we’ve been pretty vocal about the booming DeFi ecosystem. Whether it takes the form of volume, users, or new money legos, 2020 has been quite an exciting year for DeFi at large.

However, this does not go to say it hasn’t been without hiccups This page will be used to provide context on the larger DeFi attacks which have resulted in millions of dollars being drained, siphoned or auction in unintended ways.

The reason for this page is not to belittle those who were affected, rather to inform new users to come on the mistakes of the past and what we as a community can do better to learn from these mistakes.

If there is a vulnerability, exploit or attack you believe should be added to this list, please give us a shout!

DeFi Attacks in 2020

dForce Lending Platform LendF.me

Estimated Funds Lost: ~$25M

Date: April 19th, 2020

TLDR: The Chinese lending platform lendf.me was drained of all its liquidity using an ERC777 token standard reentrancy attack. This attack came less than 48 hours after the imBTC hack which used a similar attack vector. Following the attack, other DeFi protocols were able to identify the attacker, will all funds subsequently being returned. Many have acknowledged that this hack was due in large part to dForce supposedly copying Compound Finances v1 contracts which did not safeguard from the specific attack.

Read our full story on the dForce hack.

imBTC Uniswap Pool

Estimated Funds Lost: ~$300k

Date: April 18th, 2020

TLDR: imBTC – a wrapped version of Bitcoin on Ethereum – was attacked using an ERC777 token standard reentrancy attack. The attacker was able to siphon the Uniswap liquidity pool for all of its volume by using “hooks” to request more funds before external balances could be updated. Uniswap had publicly shared their V1 contracts did not support the ERC777 standard, as published in this audit. It’s important to note that the Bitcoin backing the imBTC was never affected and that the main victims of this attack were those providing liquidity to the Uniswap pool.

Read our full story on the imBTC Uniswap hack.

Maker Black Thursday

Estimated Funds Lost: ~$9M

Date: March 12, 2020

TLDR: In light of the COVID-19, the entirely of the cryptocurrency market suffered a deep price crash of ~50% across the board. Amidst Ether quickly tanking from $200 to roughly $80 in a matter of hours, a vast majority of Maker Vault were liquidated. However, rather than the auctions resulting in owners taking a haircut, Keeper bots were able to leverage the liquidity crunch to buy the vast majority of liquidated collateral (roughly $9M in value) for pennies. While no code was exploited, the larger story here is that many Vault owners lost 100% of their collateral – resulting in both a class action lawsuit against the Maker Foundation and an executive poll to compensate victims.

Read our full story on the Black Thursday situation.

Read our full story on the Poll to compensate Vault Victims

Read our full story on the DSR dropping to 0% as a result of Black Thursday and the additional of USDC collateral.

bZx Flash Attack

Estimated Funds Lost: ~$1M

Date: February 15th, 2020

TLDR: bZx – a lending and margin trading protocol behind Fulcrum – was the victim of two attacks in which users were able to leverage Flash Loans and oracle manipulation to siphon funds on two separate occasions. The liquidity providers most largely affected were WBTC holders – all of which were compensated by bZx out of pocket following the attack.

Read our full story on the first bZx attack.

Read more about the second bZx attack.

Sythetix sETH Exploit

Estimated Funds Lost: $0

Date: June 30th, 2019

TLDR: Upon Synthteix price oracles reporting a wrong value, a bot was able to take instantly take advantage and inflate their sKRW balance. This was used to then purchase sETH with house money. No funds were lost in this exploit and the Synthetix team compensated the hacker in the form of a bug bounty with all funds being returned back to normal.

Read more about the Synthetix sETH Exploit

DeFi’s Black Swan

Prior to the large majority of these exploits and mishaps occurring, our lead analysts predicted that DeFi was likely to suffer from a Black Swan in the near future.

Using historical cryptocurrency exits, scams and smart contract vulnerabilities as historical evidence, it was obvious that similar exploits were sure to plague DeFi. The key takeaway here is that users should be aware that DeFi is highly experimental and that there is always a slight degree of risk, regardless of how big or how established any given DeFi project may be.

Over time, these events have battle hardened both DeFi and the projects involved – ultimately creating a strong foundation by the day.

For more news on all things DeFi, be sure to stay up with us right here at DeFi Rate.

Sign up for This Week in DeFi