ImmuneFi has published a new report stating that DeFi protocols collectively lost more than $670 million in 50 exploits over the last quarter. While the frequency of attacks increased versus...
Over $200 million worth of users' funds could have been at risk if the whitehat chose to exploit the vulnerability for personal gain instead of reporting it to developers.
On Tuesday, Ethereum (ETH) bridging and scaling solution Aurora announced it had paid out a $6 million bounty to ethical security hacker pwning.eth, who discovered a critical vulnerability in the Aurora Engine. The exploit allegedly placed over $200 million worth of capital at risk. The sum was paid in collaboration with Immunefi, a leading platform for Web 3.0 bug bounties, with $145+ million bounties available and $45+ million bounties paid out.
On April 26, Immunefi received a report from pwning.eth about a critical flaw in the Aurora Engine that would have enabled the infinite minting of ETH in the Aurora Ethereum Virtual Machine, allowing an attacker to drain the corresponding nested ETH (nETH) pool on NEAR. At the time of discovery, the pool contained more than 70,000 ETH, worth at least $200 million.
Mitchell Amador, founder and CEO at Immunefi, said: "Hats off to Aurora and pwning.eth for the flawless overall processing of the report. The bug was quickly patched, with no user funds lost." Aurora had launched a bug bounty program with Immunefi just one week before discovering the security vulnerability. Meanwhile, Frank Braun, head of security at Aurora Labs, commented: "We look at the bug bounty program as the last step in a layered defense approach and will use this bug as a learning opportunity to improve earlier steps, like internal reviews and external audits."
Though arguably innovative, cross-chain communication protocols have been a prime target of hackers as of late. In February, one of the largest decentralized finance hacks occurred when the Wormhole token bridge was drained of over $321 million in digital assets after hackers exploited an infinite minting glitch between its wrapped ETH and ETH pool.
Immunefi’s largest bug bounty to date aims to help MakerDAO pinpoint potential vulnerabilities in its smart contracts and apps to prevent monetary losses.
MakerDAO has announced that it will begin offering a maximum of $10 million bounty to white hat hackers and cybersecurity specialists who point out legitimate security threats in its smart contracts.
Maker’s (MAKER) plan to front-run attacks on its smart contracts is the largest ever on the bug bounty platform Immunefi. In fact, if someone claimed the lot, it would equal the total of $10 million that Immunefi has paid out to date across active and inactive programs. Its website claims the bugs found have averted up to $20 billion in damages from hacks.
Whitehat hackers stand to gain payouts ranging from $1,000 for low-level vulnerabilities through to a maximum of $10 million for critical issues found in Maker’s smart contracts and apps. The payouts will be made in DAI stablecoins. The next largest bug bounty on Immunefi is a $3.3 million bounty from Olympus DAO.
MakerDAO is the community that governs how DAI is collateralized and spent from Maker’s treasury. DAI is currently the fifth largest stablecoin with a $9.7 billion market cap according to CoinGecko.
The Maker Foundation had previously controlled aspects of governance on Maker before its CEO and founder Rune Christensen announced the dissolution of the foundation in July 2021, making the DAO “fully self-sufficient”.
Immunefi co-founder Travin Keith said in a Feb. 11 statement,
“We’re glad to announce one of the key pillars of our mandate, which is to launch and maintain a bug bounty program that will help MakerDAO ensure its safety.”
This new bug bounty comes at a time when smart contract exploits appear to be on the increase with hundreds of millions of dollars in losses over the past two weeks alone. Yesterday, hackers withdrew over $10 million from Dego Finance through a smart contract exploit.
On Feb. 7, token bridge Meter.io’s smart contracts were hacked, causing $4.4 million in losses. On Feb. 2, the Wormhole token bridge’s smart contracts on Solana (SOL) were exploited to the tune of $321 million, which is the largest single loss in a hack so far this year.
The research reveals that crypto losses from exploits and rug-pulls saw a 137% rise in comparison to the figure calculated for 2020.
Decentralized finance, or DeFi, security platform and bug bounty service ImmuneFi published an official report on Thursday calculating the total volume of losses in the cryptocurrency markets in 2021. According to the report, losses resulting from hacks, scams and other malicious activities exceeded $10.2 billion over the past year.
Responsible for protecting over $100 billion worth of assets for a number of well-established DeFi protocols, including Synthetix, Chainlink, SushiSwap and PancakeSwap, among others, ImmuneFi has regularly facilitated seven-figure pay-outs to whitehat hackers and other good-willed entities for preventing protocol compromises.
According to the report, across 2021, there were 120 instances of crypto exploits or fraudulent rug-pulls, the highest-valued hack being Poly Network at $613 million, followed by Venus and BitMart with $200 million and $150 million, respectively.
Other notable entries on the list were Alpha Finance and Cream Finance, which were both hacked for $37.5 million, Yearn.finance’s $11 million loss, Furucombo’s $14 million evil-contract exploit, and the infamous Alchemix reverse rug, in which the platform’s users claimed a welcome windfall of $6.5 million after a withdrawal issue arose in one of the platform’s smart contracts for the synthetic asset alETH.
The year 2021 saw a stark rise in both the frequency and volume of security breaches in comparison to the previous year, which recorded 123 incidents totaling $4.38 billion; the 2021 figure represents a 137% increase.
We've just released our report for 2021 on crypto losses stemming from hacks and scams.
In total, the DeFi ecosystem saw a loss of $10,210,188,549
Read more facts and figures here: https://t.co/gCWiOqjhhZ
— Immunefi (@immunefi) January 7, 2022
In conversation with Cointelegraph, CEO and founder of Immunefi, Mitchell Amador, spoke of his optimism for the future of on-chain security, despite what he described as a “year of dramatic losses” for the industry.
“Despite the appearance of entirely new vulnerabilities in the onchain economy, the community is adapting rapidly. At Immunefi alone, we saved double the amount lost to exploitation this year, and security best practices are circulating throughout the community.”
Amador cited ImmuneFi’s role in facilitating Polygon’s (MATIC) recent $3.47 million pay-out to two whitehat hackers for their instrumental role in averting what was described as a “critical” vulnerability in the network’s proof-of-stake Genesis contract, placing almost all of the MATIC token supply of $10 billion at risk.
In September last year, ImmuneFi facilitated what was reported at the time as the largest bounty in the history of DeFi, paid to renowned white hat programmer Alexander Schlindwein for averting a potential $10-million bug crisis in automated market maker, or AMM, protocol Belt Finance.
Schlindwein received a compensation of $1.05 million in total, $1 million of which was granted by Belt Finance with ImmuneFi acting as the middleman, and the remaining $50,000 offered by Binance Smart Chain’s Priority One program.
In October, ImmuneFi announced a $5.5 million capital raise from a number of institutional investors, including Blueprint Forest and Electric Capital, with the intention of expanding its security services across the DeFi industry in a concerted effort to lower the prevalence and financial impact of security exploits in the space.
The platform has paid out more than $7.5 million in bug bounties since inception in December 2020.
DeFi security platform Immunefi has announced a $5.5 million funding round from a panoply of eleven institutional investors, including Blueprint Forest, Electric Capital, Framework Ventures and Bitscale Capital, in addition to a series of private individuals.
Immunefi will utilize the funds to advance its services in DeFi security, providing asset protection to smart contract protocols, as well as implementing financial incentives to benevolent hackers.
The service is reportedly responsible for protecting more than $50 billion in protocol assets from projects such as Synthetix, Chainlink, SushiSwap and PancakeSwap. It has paid out $7.5 million in bug bounties throughout its history.
According to analytical data from REKT Database, the DeFi space has experienced malicious hacks totaling more than $1.74 billion in its entire lifespan, a vast proportion of which has been witnessed in the months since July 2021.
The $609 million hack of cross-chain protocol Poly Network in early August this year bears the undesirable crown for the industry's largest-ever hack. However, in a welcome and unusual turn, the attacker, who came to be known as Mr. White Hat, returned all of the available funds; the remaining balance, $33 million in USDT tokens, had been frozen at the outset.
Over the past year, the prevalence and severity of financial breaches within the DeFi space have established a surging demand for security services such as Immunefi.
Founder and CEO of Immunefi, Mitchell Amador, spoke of the importance of offering DeFi protective measures:
“DeFi is unique because vulnerabilities in code represent a possibility of a direct loss of users’ money. Bug bounty programs are open invitations to security researchers to find those vulnerabilities in exchange for a reward, and have proved one of the most effective ways to deal with critical security holes.”
In late September, a $1.05 million bug bounty fee was paid to renowned white hat programmer Alexander Schlindwein in the aftermath of the Belt Finance saga, for his instrumental role in preventing a potential $10 million downfall for the protocol. The claim was facilitated through Immunefi’s specialist bounty program.
More recently, white-hat hacker Gerhard Wagner pocketed a cool $2 million for diligently advising a solution to a “double-spend” flaw on the Polygon network, preventing a potentially catastrophic $850 million loss; the $2 million payout now stands as an industry record.
Immunefi’s Amador also commented on the potential impact a service such as Immunefi could have on the wider technology landscape:
"We believe that by helping launch such programs on Immunefi, we contribute not only to protecting DeFi projects for today, but also to shaping the tech industry for the future.”
DYdX volume tops Coinbase for the day, Cardano enables a new stablecoin, and a DeFi bounty hunter is highly rewarded — all coming to you this week in Finance Redefined.
Welcome to the latest edition of Cointelegraph’s decentralized finance (DeFi) newsletter.
DYdX surpassed Coinbase in daily trading volume for the first time this week. Read on to discover why this was a seminal moment for the project’s founder.
Decentralized derivatives exchange dYdX has risen to prominence through 2021 as an alternative to the hegemony and governmental transparency of centralized exchanges. It was revealed that dYdX surpassed the daily trading volume of crypto exchange stalwart Coinbase for the first time in its history.
Analytical data from CoinGecko revealed that dYdX facilitated in excess of $4.3 billion in trading activity on Sept. 26, eclipsing Coinbase’s output of $3.7 billion by almost 15%.
This marks a full-circle moment for dYdX founder Antonio Juliano, who previously plied his trade at Coinbase. He recalled the time he first spoke to CEO Brian Armstrong about his ambitions to launch a company in the future, receiving the response, “That’s awesome, let’s see how we can help you do that.”
Juliano celebrated the landmark in a series of tweets last Sunday:
5 years ago I left @coinbase and eventually founded dYdX
Today, for the first time, @dydxprotocol is doing more trade volume than Coinbase
— Antonio | dYdX (@AntonioMJuliano) September 26, 2021
It was announced this week that Cardano’s payment gateway provider, Coti, is expected to issue a new stablecoin called Djed to support the ecosystem’s ambitions in ensuring price stability and increasing the transparency of gas fees on the network.
According to Djed’s research paper released in August, its stablecoin protocol will behave like an “autonomous bank that buys and sells stablecoins for a price in a range that is pegged to a target price.” The stablecoin will operate by maintaining a reserve of base coins while minting and burning various other stable assets and reserve coins.
Cardano founder Charles Hoskinson believes that the Djed stablecoin could be revolutionary for the crypto space, as it appeals to an “entirely new audience at a time when the industry is already experiencing astronomical growth.”
Automated market maker protocol Belt Finance offered the largest reported bounty in the history of DeFi this week to a white hat hacker responsible for discovering a bug that, if exploited, could have exposed $10 million in assets.
For his good-willed efforts, industry programmer Alexander Schlindwein received a generous compensation of $1.05 million, $1 million of which was granted by software security platform Immunefi, while the additional $50,000 was offered by Binance Smart Chain’s Priority One program upon which Belt Finance is built.
Cointelegraph spoke to Schlindwein for an exclusive insight into the timeline of events, as well as the wider implications of bounty programs on DeFi’s security landscape:
“I am strongly convinced of the importance of bug bounties and initiatives such as bounty funds. Bug bounties are the last line of defense should an issue slip through the overlying layers with the potential to prevent a devastating hack while instead seriously fixing the issue and compensating the finder.”
Schlindwein concluded, “It’s great to see hundreds of projects launching their bug bounty nowadays, which will certainly bring DeFi security forward in the long run.”
Analytical data reveals that DeFi’s total value locked has increased 15.34% across the week to a figure of $121.41 billion.
Analytical data on Cointelegraph Markets and TradingView reveals that DeFi’s top 50 tokens by market capitalization largely struggled across the last seven days, with a handful of prominent exceptions.
DYDX secured the podium’s top spot with an impressive 82.39%. UNI came a respectable second with 23.88%, while PERP bagged third with 21.45%. Fourth and fifth place were claimed by FTM and XTZ with 11.62% and 8.67%, respectively.
Thanks for reading our summary of this week's most impactful DeFi developments. Join us again next Friday for more stories, insights and education in this dynamically evolving ecosystem.
Cointelegraph spoke to the hacker for insights on the timeline of events, as well as the wider implications of bounty programs on DeFi’s security landscape.
Belt Finance, an automated market maker (AMM) protocol operating a yield optimization strategy on Binance Smart Chain (BSC), claims to have paid the largest bounty in the history of decentralized finance (DeFi) to a white hat hacker who averted a $10-million bug crisis.
Industry white hat programmer Alexander Schlindwein discovered the vulnerability in Belt Finance’s protocol this week and reported the news to the team. For his efforts, Schlindwein received a generous compensation of $1.05 million, the majority of which ($1 million) was granted by Immunefi, with the additional $50,000 offered by Binance Smart Chain’s Priority One program.
Immunefi is one of the market leaders in software security for cryptocurrency projects. Since its inception, the platform has reportedly paid out in excess of $3 million to white hat hackers who have successfully identified technical infrastructure flaws in smart contracts and crypto platforms.
Priority One is a BSC initiative launched in July to enhance the security of decentralized applications (DApp) within the platform’s native ecosystem. Mirroring the structure of Immunefi, the service provides a $10-million incentive fund to blockchain bounty hunters who successfully contribute to the avoidance of security breaches across 100 DApps.
Schlindwein told Cointelegraph about how he discovered the vulnerability:
“I went through the list of bug bounties on Immunefi and picked Belt Finance as the next one to work on. While I was studying their smart contracts, I noticed a potential bug in the internal bookkeeping, which keeps track of each user’s deposited funds. Playing the attack through with pen and paper gave me more confidence in the existence of the bug. I continued by producing a proper proof-of-concept [PoC] which undoubtedly confirmed its validity and economic damage.”
“The next step was to create an official report on Immunefi including the PoC and an extensive description of the exploit,” Schlindwein said, adding, “Immunefi reacted immediately to the critical report, and within three minutes after submission, it was escalated to the Belt team. Shortly after, Belt confirmed the validity of the report and began implementing a fix, which then patched the vulnerability.”
Although DeFi’s security breaches remain a prevalent concern, some have argued that the nascent ecosystem will benefit from such incidents in the long term, as areas of weakness are starkly highlighted.
Cointelegraph asked Schlindwein his perspective on the importance of bounty programs in supporting DeFi’s antifragile ambitions:
“I am strongly convinced of the importance of bug bounties and initiatives such as bounty funds. DeFi security consists of multiple layers, starting with peer review and unit testing to external audits and formal verification. Bug bounties are the last line of defense should an issue slip through the overlying layers with the potential to prevent a devastating hack while instead seriously fixing the issue and compensating the finder.”
“Bug bounties in DeFi have been a rare sight before Immunefi existed, only offered by the ‘Crème de la Crème’ of projects. It’s great to see hundreds of projects launching their bug bounty nowadays, which will certainly bring DeFi security forward in the long run,” Schlindwein concluded.