The 10 largest crypto hacks and exploits in 2022 saw $2.1B stolen

December 30, 2022 Coin Telegraph

The 10 largest crypto hacks and exploits in 2022 saw .1B stolen

billions

Just the top 10 major cryptocurrency exploits garnered over $2 billion for malicious actors in a year that was marred with bankruptcies and collapses.

It's been a turbulent year for the cryptocurrency industry — market prices have taken a huge dip, crypto giants have collapsed and billions have been stolen in crypto exploits and hacks.

It was not even halfway through October when Chainalysis declared 2022 to be the “biggest year ever for hacking activity.”

As of Dec. 29, the 10 largest exploits of 2022 have seen $2.1 billion stolen from crypto protocols. Below are those exploits and hacks, ranked from smallest to largest.

10: Beanstalk Farms exploit — $76M

Stablecoin protocol Beanstalk Farms suffered a $76 million exploit on April 18 from an attacker using a flash loan to buy governance tokens. This was used to pass two proposals that inserted malicious smart contracts.

The exploit was initially thought to have cost around $182 million as Beanstalk was drained of all its collateral but in the end, the attacker only managed to get away with less than half that.

9: Qubit Finance bridge exploit — $80M

Qubit Finance, a decentralized finance (DeFi) protocol on BNB Smart Chain, had over $80 million worth of BNB (BNB) stolen on Jan. 28 in a bridge exploit.

The attacker duped the protocol's smart contract into believing they had deposited collateral that allowed them to mint an asset representing bridged Ether (ETH).

They repeated this multiple times and borrowed multiple cryptocurrencies against the unbacked bridged ETH, draining the protocol’s funds.

8: Rari Fuse exploit — $79.3M

Another DeFi protocol called Rari Capital was exploited on April 30 for the sum of roughly $79.3 million.

The attacker exploited a reentrancy vulnerability in the protocol’s Rar Fuse liquidity pool smart contracts, making them call a function to a malicious contract to drain the pools of all crypto.

In September, Tribe DAO, which includes Rari Capital and other DeFi protocols, voted to reimburse affected users from the hack.

7: Harmony bridge hack — $100M

In yet another bridge hack, the Horizon Bridge that links Ethereum, Bitcoin (BTC), and BNB Chain to Harmony’s layer-1 blockchain was drained of around $100 million in multiple cryptocurrencies.

Blockchain forensics firm Elliptic pinned the hack on North Korean cybercriminal syndicate Lazarus Group, as the funds were laundered in a similar way to other known Lazarus attacks.

Lazarus is understood to have targeted Harmony employee login credentials, breaching the platform’s security system and gaining control of the protocol before deploying automated laundering programs to move their ill-gotten gains.

6: BNB Chain bridge exploit — $100M

The BNB Chain was paused on Oct. 6 due to “irregular activity” on the network, which later was revealed as an exploit that drained around $100 million from its cross-chain bridge, the BSC Token Hub.

Initially, it was thought the attacker was able to take around $600 million due to a vulnerability that allowed the creation of roughly two million BNB, the chain’s native token.

Unfortunately for the attacker, they had roughly over $400 million worth of digital assets frozen on the blockchain and more was possibly stuck in cross-chain bridges on the BNB blockchain side.

5: Wintermute hack — $160M

United Kingdom based crypto market-maker Wintermute suffered from a compromised hot wallet that saw approximately $160 million across 70 tokens transferred out of the wallet.

Analysis from blockchain cybersecurity firm CertiK claimed a vulnerable private key was attacked that was likely generated by Profanity — an app that allows users to generate vanity crypto addresses, that has a known exploit.

According to CertiK, this allowed the attacker to use a function with the private key that allowed the hacker to change the platform’s swap contract to the hacker’s own.

Conspiracy theories alleging the hack was an “inside job” due to how it was carried out were debunked by blockchain security firm BlockSec, who said the allegations were “not convincing enough.”

4: Nomad token bridge exploit — 190M

On Aug. 2, the Nomad token bridge, which allows users to swap cryptocurrencies across multiple blockchains, was drained by multiple attackers to the tune of $190 million.

A smart contract vulnerability that failed to properly validate transaction inputs was the cause of the exploit.

Multiple users, seemingly both malicious and benevolent, were able to copy the original attacker’s moves to funnel funds to themselves. Around 88% of addresses taking part in the exploit were identified as “copycats” in a report.

Only around $32.6 million worth of funds were able to be intercepted and returned to the protocol by white hat hackers.

3: Wormhole bridge exploit — $321M

The Wormhole token bridge suffered an exploit on Feb. 2 that resulted in the loss of 120,000 Wrapped Ether (wETH) tokens worth $321 million.

Wormhole allows users to send and receive crypto between multiple blockchains. An attacker found a vulnerability in the protocol’s smart contract and was able to mint 120,000 wETH on Solana (SOL) unbacked by collateral and was then able to swap this for ETH.

At the time it was marked as the largest exploit in 2022 and is the third-largest protocol loss overall for the year.

2: FTX wallet hack — $477 million

During the start of FTX’s bankruptcy proceedings on Nov. 11 and 12, a series of unauthorized transactions took place at the exchange, with Elliptic suggesting that around $477 million worth of crypto was stolen.

Sam Bankman-Fried said in a Nov. 16 interview that he believed it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer” and had narrowed the perpetrator down to eight people before he was shut out of the company’s systems.

According to reports, on Dec. 27 the United States Department of Justice launched an investigation into the whereabouts of around $372 million of the missing crypto.

1: Ronin bridge hack — $612M

The largest exploit to take place in 2022 happened on March 23, when the Ronin bridge was exploited for around $612 million — 173,600 ETH and 25.5 million USD Coin (USDC).

Ronin is an Ethereum sidechain built for Axie Infinity, a play-to-earn nonfungible token (NFT) game. Sky Mavis, Axie Infinity’s developers, said the hackers gained access to private keys, compromised validator nodes and approved transactions that drained funds from the bridge.

The U.S. Treasury Department updated its Specially Designated Nationals and Blocked Persons (SDN) list on April 14 to reflect the possibility that Lazarus Group was behind the bridge’s exploit.

The Ronin bridge hack is the largest cryptocurrency exploit to ever take place.

White hat finds huge vulnerability in ETH to Arbitrum bridge: Wen max bounty?

September 21, 2022 Coin Telegraph

Arbitrum

The ethical exploiter thanked Arbitrium for the 400 ETH payday, but said such a find should be eligible for the max bounty of nearly 1,500 ETH, or $2 million.

A self-described white hat hacker has uncovered a “multi-million dollar vulnerability” in the bridge linking Ethereum and Arbitrum Nitro and received a 400 Ether (ETH) bounty for their find.

Known as riptide on Twitter, the hacker described the exploit as the use of an initializing function to set their own bridge address, which would hijack all incoming ETH deposits from those trying to bridge funds from Ethereum to Arbitrum Nitro.

Riptide explained the exploit in a Medium post on Sept. 20:

“We could either selectively target large ETH deposits to remain undetected for a longer period of time, siphon up every single deposit that comes through the bridge, or wait and just front-run the next massive ETH deposit.”

The hack could have potentially netted tens or even hundreds of millions worth of ETH, as the largest deposit riptide recorded in the inbox was 168,000 ETH worth over $225 million, and typical deposits ranged from 1000 to 5000 ETH in a 24-hour period, worth between $1.34 to $6.7 million.

Despite the earning potential from the ill-gotten gains, riptide was thankful that the “extremely based Arbitrum team” provided a 400 ETH bounty, worth over $536,500, however they added later on Twitter that such a find “should be eligible for a max bounty,” which is worth $2 million.

No big deal just bridging a cool $470mm through the same Inbox contract

Definitely should be eligible for a max bounty

https://t.co/w7S58QNQZu
— riptide (@0xriptide) September 20, 2022

Neither Arbitrum nor its creator company OffChain Labs have publicly commented on the exploit, Cointelegraph contacted OffChain Labs for comment but did not immediately hear back.

Arbitrum is a layer-2 Optimistic Rollup solution for Ethereum, clustering batches of transactions before submitting it to the Ethereum network in an effort to minimize network congestion and save on fees. Arbitrum Nitro launched on Aug. 31st, an upgrade aimed to simplify communication between Arbitrum and Ethereum as well as increasing its transaction throughput at lower fees.

Similar style bridge hacks have been successful for exploiters this year, notably the $100 million stolen from the Horizon Bridge in June and the recent Nomad token bridge incident in August which saw $190 million drained by the original and “copycat” hackers repeating the exploit.

Maiar decentralized crypto exchange goes offline after bug discovery

June 7, 2022 Coin Telegraph

Coin Telegraph

The DEX has been taken offline due to the discovery of the bug, and the team has implemented an “emergency fix” and update.

The Maiar Exchange, a decentralized exchange (DEX) native to the Elrond blockchain, has been temporarily taken offline after an attacker utilized an exploit and made off with roughly $113 million worth of Elrond eGold (EGLD).

Minutes before 12:00 am UTC on Monday, the co-founder and CEO of Elrond, Beniamin Mincu, tweeted that he and his team were “investigating a set of suspicious activities” on the Maiar decentralized cryptocurrency exchange.

Soon after, the DEX was taken offline, with Mincu reporting that the issue had been identified and an “emergency fix” was being implemented.

In a Twitter thread posted almost 24 hours later at around 11:00 pm UTC on Monday, Mincu said a potentially critical bug was identified that opened “an exploit area that we simply had to address and mitigate immediately.”

The suspicious activities have been possibly identified and explained in a Twitter thread by pseudonymous on-chain analyst Foudres, who revealed that the potential attacker deployed a smart contract that somehow allowed them to withdraw over 1.65 million EGLD.

Three wallets were able to mysteriously withdraw 800,000, 400,000 and 450,000 EGLD, respectively, which at current prices is worth nearly $113 million in total.

The attackers were able to sell around 800,000 EGLD, worth around $54 million, which caused the price of EGLD on Maiar to plummet from $76 down to around $5. The rest of the crypto is either still held in various wallets, has been bridged to USD Coin (USDC) and Ether (ETH), or was sold on centralized exchanges.

The price of EGLD dropped 9.5% from around $74 down to a 24-hour low of $65.50 but has since slightly recovered, now trading near $68.

Mincu stated in his update that an upgrade was implemented to fix the bug and a technical explanation would be provided after clarification that the implemented solutions are tested and working.

He claimed that all funds are safe and will be available when the DEX restarts, which is scheduled for Tuesday, saying most exploited funds have been either recovered in full or will be covered by the Elrond Foundation.

As previously reported by Cointelegraph, approximately $1.6 billion in cryptocurrency has been stolen from decentralized finance (DeFi) platforms in the first quarter of 2022, and over 90% of all stolen crypto is from hacked decentralized finance (DeFi) protocols such as DEXs.

crypto bridge