$232M lost due to hacks in DeFi alone

I didn’t want to write another post like this, but at 10:36:20 AM UTC on May 16, 2021, Bearn.fi was exploited and $11M of funds were stolen from the pool. As PeckShield reports:

The incident was due to a bug in its internal withdraw logic in inconsistently reading the same input amount but with different asset denominations between BvaultsBank and the associated strategy BvaultsStrategy.

I won’t dive into the technical details of the exploit, as a post-mortem is already available on the project site.

bVaults’ BUSD Alpaca Strategy Exploit Post-Mortem and bEarn’s Compensation Plan
Firstly, we must say that we deeply regret this incident and that we are sorry for any economic loss endured by our community members. We hope that the actions detailed within this article will help…
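The denomination mismatch PeckShield describes, modelled as an added example (my own toy code written for this post, not bEarn’s contracts, and in Python rather than Solidity): a bank that tracks depositor balances in the underlying asset, a strategy that holds interest-bearing shares worth more than one unit each, and a withdraw path that hands the underlying amount straight to a function that expects a share count. The names, the 1.25 share price and the two-depositor scenario are constructed; the point is that the buggy path pays out more than the withdrawer is owed and leaves the other depositor under-collateralised, while the fixed path converts units before calling the strategy.

```python
from dataclasses import dataclass, field
from typing import Tuple

# 18-decimal fixed-point scale for the share price (constructed, not bEarn's value).
WAD = 10**18


def ceil_div(a: int, b: int) -> int:
    """Integer division rounding up."""
    return -(-a // b)


@dataclass
class Strategy:
    """Models an interest-bearing position (ibBUSD-like): the strategy holds
    shares, and each share redeems for price_per_share / WAD units of the
    underlying asset (BUSD-like). All amounts are integers in base units."""
    price_per_share: int   # underlying per share, WAD-scaled
    shares: int = 0        # shares held on behalf of the bank

    def deposit(self, underlying: int) -> int:
        """Convert underlying into shares at the current price."""
        minted = underlying * WAD // self.price_per_share
        self.shares += minted
        return minted

    def redeem(self, shares: int) -> int:
        """Burn `shares` and return the underlying they are worth.
        The parameter is denominated in SHARES, not underlying."""
        if shares > self.shares:
            raise ValueError("insufficient shares")
        self.shares -= shares
        return shares * self.price_per_share // WAD


@dataclass
class Bank:
    """Tracks each depositor's balance in underlying units and forwards
    funds to the strategy (hypothetical stand-in for a vault contract)."""
    strategy: Strategy
    balances: dict = field(default_factory=dict)

    def deposit(self, user: str, underlying: int) -> None:
        self.strategy.deposit(underlying)
        self.balances[user] = self.balances.get(user, 0) + underlying

    def withdraw_buggy(self, user: str, underlying: int) -> int:
        """Denomination mismatch: the underlying amount is passed unchanged
        to a function whose argument is a share count."""
        if underlying > self.balances[user]:
            raise ValueError("insufficient balance")
        self.balances[user] -= underlying
        return self.strategy.redeem(underlying)  # wrong unit: underlying used as shares

    def withdraw_fixed(self, user: str, underlying: int) -> int:
        """Convert to the strategy's unit first; bound the payout by the
        amount requested so rounding dust stays in the pool."""
        if underlying > self.balances[user]:
            raise ValueError("insufficient balance")
        self.balances[user] -= underlying
        shares = ceil_div(underlying * WAD, self.strategy.price_per_share)
        shares = min(shares, self.strategy.shares)
        paid = self.strategy.redeem(shares)
        return min(paid, underlying)


def scenario(buggy: bool) -> Tuple[int, int]:
    """Two depositors put in 1000 units each at a share price of 1.25, then
    alice withdraws 1000. Returns (paid_to_alice, underlying_left_backing_bob)."""
    strat = Strategy(price_per_share=WAD * 5 // 4)  # 1.25 underlying per share
    bank = Bank(strat)
    bank.deposit("alice", 1000)  # 800 shares
    bank.deposit("bob", 1000)    # 800 shares, 1600 total
    if buggy:
        paid = bank.withdraw_buggy("alice", 1000)  # burns 1000 shares -> 1250 paid
    else:
        paid = bank.withdraw_fixed("alice", 1000)  # burns 800 shares -> 1000 paid
    remaining = strat.shares * strat.price_per_share // WAD
    return paid, remaining


if __name__ == "__main__":
    print("buggy:", scenario(True))   # alice overpaid, bob's 1000 backed by 750
    print("fixed:", scenario(False))  # alice paid exactly, bob fully backed
```

The check a reviewer would want here is simple: every cross-contract call that takes an amount should have its unit stated in the interface (shares versus underlying), and the caller must convert explicitly at the boundary rather than forwarding whatever number it was given.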

I want to focus on something different. A staggering amount of money has already been stolen from DeFi protocols. Not counting any DNS hijacking and counting only major hacks/exploits of DeFi smart contracts, we are already ~$232M down. All data is taken from this excellent summary.

openblocksec/blocksec-incidents
A curated list of blockchain security incidents including exchange hacks, DeFi compromises, blockchain attacks, and others. - openblocksec/blocksec-incidents

Ethereum DeFi hacks

Since the beginning of the year, around $115M has been lost to hacks on Ethereum. If you look at the list I shared, many hacks have happened, the most devastating being Alpha Homora, which resulted in a $38M loss.

DeFi projects continue to be hacked, but let’s remember that hackers are also getting more and more sophisticated. Sometimes projects do not do proper due diligence on their code. This is not limited to projects on Ethereum; it is significantly more prominent on Binance Smart Chain.

Binance Smart Chain DeFi hacks

There were fewer hacks on Binance Smart Chain, but the most devastating ones are also happening on that chain. Total value lost sits at around $117M, $2M more than Ethereum, but from a smaller number of hacks. We saw Uranium Finance drained of $51M, Spartan Protocol lost $30M, Value DeFi lost $25M in total, and now Bearn.fi has added $11M to that pool.

We’re seeing FOMO happening in front of our eyes, and colossal amounts of money are thrown into new projects that promise to be the new, hot thing or to offer high yields. Unfortunately, most such projects are on Binance Smart Chain, where they are forks of known DeFi projects from Ethereum; Uranium Finance, for example, was a copy of Uniswap.

As I stated in one of my previous articles about the State of Security in DeFi:
It’s been a while since I saw original Solidity code and an original idea. Everything is a mix of everything. I’m not saying every project should be an original one. Iterations of an idea are welcome, but make sure changes are introduced in all places. We don’t want another Uranium Finance hack to happen.

There is an abundance of copy-pasted projects, like SafeMoon token forks that change only 10-15 lines of code, sometimes without thinking about what the change introduces. Value DeFi also copied code and unintentionally introduced so many bugs that it was hacked three times in one week.

I’m not saying only Binance Smart Chain has DeFi products like that. Ethereum also has its fair share of crappy projects. But looking at the recent hacks and the amounts being stolen, it’s hard to think otherwise.