Monthly DeFi Blood Bath Report #5


Welcome to another instance of the Blood Bath report. This month we saw a fix for a critical bug in OpenZeppelin, a supply chain attack on SushiSwap, and, just yesterday, a Compound proposal that went wrong.

Enough talk. Let’s dive in. Below you will find a summary of all the hacks that happened. All info was compiled from openblocksec, rekt.news, Peckshield, Blocksecteam, and Knownsec.

Siren Protocol

When? Sept-02-2021
How much? $3.5M
Where? Polygon
Why? Reentrancy bug
Link: https://twitter.com/BlockSecTeam/status/1433682132090568705

DAO Maker

When? Sept-03-2021
How much? $4M
Where? ETH
Why? Authentication issue
Link: https://twitter.com/Mudit__Gupta/status/1434059922774237185, https://www.rekt.news/daomaker-rekt/

Zabu Finance

When? Sept-12-2021
How much? $3.2M
Where? Avalanche
Why? Staking calculation bug
Link: https://medium.com/@Knownsec_Blockchain_Lab/knowsec-blockchain-lab-zabu-finance-flash-loan-security-incident-analysis-5fe10e7f4849

NowSwap Protocol

When? Sept-15-2021
How much? $1M
Where? ETH
Why? Logic Error
Link: https://twitter.com/peckshield/status/1438061295534698498?s=20

DeFiBox

When? Sept-15-2021
How much? $24k
Where? EOS
Why? Supply chain
Link: https://support.defibox.cc/hc/en-us/articles/4406632860569-September-16-Incident-Explanation-For-EOS-EMOON-Swap-Error-and-Solution

SushiSwap

When? Sept-17-2021
How much? $3M
Where? ETH
Why? Supply chain
Link: https://www.rekt.news/jaypegs-automart-rekt/

pNetwork

When? Sept-17-2021
How much? $12.5M
Where? BSC
Why? Faulty tx processing
Link: https://medium.com/pnetwork/pnetwork-post-mortem-pbtc-on-bsc-exploit-170890c58d5f

Vee Finance

When? Sept-20-2021
How much? $35M
Where? Avalanche
Why? Price oracle manipulation
Link: https://blocksecteam.medium.com/the-real-root-cause-of-the-vee-finance-security-incident-8ed6562814e5 ; https://www.rekt.news/veefinance-rekt/

PolkaDog

When? Sept-23-2021
How much? $144K
Where? ETH/BSC
Why? Private keys compromised on the bridging server
Link: https://blocksecteam.medium.com/the-real-root-cause-of-the-vee-finance-security-incident-8ed6562814e5

Compound

When? Sept-30-2021
How much? $80M
Where? ETH
Why? Bug in distribution of tokens
Link: https://www.rekt.news/overcompensated/

In hacks alone, excluding Compound, we saw ~$62.2M gone from various DeFi protocols on different chains. We saw the first EOS DeFi hack in a while, as well as a few Avalanche hacks, Vee Finance being the largest.

Stay safe out there, and remember that we’re still early in blockchain, and it will take time before the number of hacks and their impact go down.


Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the newsletter.

If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.