However, this is not to say it has been without hiccups. This page provides context on the larger DeFi attacks which have resulted in millions of dollars being drained, siphoned or auctioned in unintended ways.
The reason for this page is not to belittle those who were affected, but rather to inform new users of the mistakes of the past and of what we as a community can do better to learn from them.
If there is a vulnerability, exploit or attack you believe should be added to this list, please give us a shout!
DeFi Attacks in 2020
dForce Lending Platform LendF.me
Estimated Funds Lost: ~$25M
Date: April 19th, 2020
TLDR: The Chinese lending platform lendf.me was drained of all its liquidity using an ERC777 token standard reentrancy attack. This attack came less than 48 hours after the imBTC hack which used a similar attack vector. Following the attack, other DeFi protocols were able to identify the attacker, with all funds subsequently being returned. Many have acknowledged that this hack was due in large part to dForce supposedly copying Compound Finance’s v1 contracts, which did not safeguard against this specific attack.
imBTC Uniswap Pool
Estimated Funds Lost: ~$300k
Date: April 18th, 2020
TLDR: imBTC – a wrapped version of Bitcoin on Ethereum – was attacked using an ERC777 token standard reentrancy attack. The attacker was able to siphon the Uniswap liquidity pool for all of its volume by using “hooks” to request more funds before external balances could be updated. Uniswap had publicly shared that their V1 contracts did not support the ERC777 standard, as published in this audit. It’s important to note that the Bitcoin backing the imBTC was never affected and that the main victims of this attack were those providing liquidity to the Uniswap pool.
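The reentrancy pattern behind the imBTC and lendf.me incidents above, as an added example that is not code from either project or from this page: a simplified Python model in which a token's sender hook runs before balances move, so a pool that prices from its reserves can be re-entered while that state is stale, next to the same pool with a reentrancy lock. The class names, the fee-free constant-product pricing and the 1000/1000 reserves are assumptions made for illustration.

```python
class Reentered(Exception):
    """Raised when the lock rejects a nested call (a revert on-chain)."""

class HookToken:
    """Toy ERC777-style token: the sender's hook runs before balances move."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # holder -> callback, stands in for the sender hook

    def transfer_from(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src]()  # external call while balances are still stale
        if self.balances[src] < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] += amount

class Pool:
    """Fee-free constant-product pool that pays ETH for tokens (assumed model)."""
    def __init__(self, token, eth, guarded):
        self.token, self.eth = token, eth
        self.guarded, self.locked = guarded, False

    def sell_tokens(self, seller, amount):
        if self.guarded and self.locked:
            raise Reentered("nested call rejected")
        self.locked = True
        try:
            reserve = self.token.balances["pool"]  # read before tokens arrive
            eth_out = self.eth * amount // (reserve + amount)
            self.eth -= eth_out
            self.token.transfer_from(seller, "pool", amount)  # hook fires here
            return eth_out
        finally:
            self.locked = False

def simulate(guarded, reenter):
    """Total ETH paid for 200 tokens; reserves of 1000/1000 are constructed."""
    token = HookToken({"seller": 200, "pool": 1000})
    pool = Pool(token, eth=1000, guarded=guarded)
    paid, entered = [], []
    def hook():  # sells a second lot from inside the first transfer, once
        if reenter and not entered:
            entered.append(True)
            paid.append(pool.sell_tokens("seller", 100))
    token.hooks["seller"] = hook
    paid.append(pool.sell_tokens("seller", 100 if reenter else 200))
    return sum(paid)
```

With these constructed numbers, one honest sale of 200 tokens pays 166, the re-entrant path is paid 172 by the unguarded pool for the same 200 tokens, and the guarded pool raises `Reentered` instead of paying.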
Maker Black Thursday
Estimated Funds Lost: ~$9M
Date: March 12, 2020
TLDR: In light of COVID-19, the entirety of the cryptocurrency market suffered a deep price crash of ~50% across the board. Amidst Ether quickly tanking from $200 to roughly $80 in a matter of hours, a vast majority of Maker Vaults were liquidated. However, rather than the auctions resulting in owners taking a haircut, Keeper bots were able to leverage the liquidity crunch to buy the vast majority of liquidated collateral (roughly $9M in value) for pennies. While no code was exploited, the larger story here is that many Vault owners lost 100% of their collateral – resulting in both a class action lawsuit against the Maker Foundation and an executive poll to compensate victims.
bZx Flash Attack
Estimated Funds Lost: ~$1M
Date: February 15th, 2020
TLDR: bZx – a lending and margin trading protocol behind Fulcrum – was the victim of two attacks in which users were able to leverage Flash Loans and oracle manipulation to siphon funds on two separate occasions. The liquidity providers most affected were WBTC holders – all of whom were compensated by bZx out of pocket following the attack.
Synthetix sETH Exploit
Estimated Funds Lost: $0
Date: June 30th, 2019
TLDR: Upon Synthetix’s price oracles reporting a wrong value, a bot was able to instantly take advantage and inflate its sKRW balance. This was then used to purchase sETH with house money. No funds were lost in this exploit and the Synthetix team compensated the hacker in the form of a bug bounty with all funds being returned back to normal.
DeFi’s Black Swan
Prior to the large majority of these exploits and mishaps occurring, our lead analysts predicted that DeFi was likely to suffer from a Black Swan in the near future.
Using past cryptocurrency exits, scams and smart contract vulnerabilities as historical evidence, it was obvious that similar exploits were sure to plague DeFi. The key takeaway here is that users should be aware that DeFi is highly experimental and that there is always a slight degree of risk, regardless of how big or how established any given DeFi project may be.
Over time, these events have battle-hardened both DeFi and the projects involved – ultimately creating a stronger foundation by the day.
For more news on all things DeFi, be sure to keep up with us right here at DeFi Rate.