Almost everywhere you turned in the cryptocurrency and blockchain space last year, there was some glaring issue. But in the end, declining crypto prices or business failures aren’t the worst issues for digital assets. More than $3 billion was outright stolen in 125 hacks, according to a report, in addition to the billions of dollars lost due to the failure of the TerraLUNA3 stablecoin and the failures of the crypto-financial companies CelsiusCEL Network, Voyager Digital, and FTX Trading.
Any new financial system must be based on trust, and despite all the buzz and promises around “immutable” ledgers and eliminating middlemen, these developments have not slowed down the den of criminals that has dogged the crypto markets from their beginning. The top five thefts in 2022 totaled $1.48 billion and involved decentralized financing (DeFi), accounting for 49% of the total amount taken.
Despite the fact that protocols are acclaimed for their openness, according to blockchain analytics company Elliptic, they lost 75% of the entire value locked during the past 11 months. The total value locked in DeFi protocols decreased from 166.58 billion at the beginning of the year to $39 billion in mid-December, according to data from the decentralized financial website DeFi Llama.
According to Elliptic, blockchain bridges were the primary target, causing 70% of all losses this year and stealing roughly $2 billion from decentralized financial protocols. One of the most common techniques to link two blockchains and enable users to transfer tokens from one chain to another has become cross-chain bridges. However, in order to do so, blockchain bridges need to keep the transaction value in each of the involved tokens for a brief period of time, which attracts hackers.
Sam Williams, CEO of the blockchain security company ArweaveAR, comments on the inherent dangers in so-called blockchain bridges by saying, In retrospect, there were a lot of corners cut for haste.
According to Williams, the distribution of private keys for multi-signature wallets is another example of an ecosystem vulnerability. Multi-signature wallets exist to distribute decision-making authority among various parties, making it more difficult to compromise one key and harm the ecosystem. However, in a number of cross-chain attacks this year, such as those on the Ronin Network and the HarmonyHARMONY Bridge, hackers were able to use several private keys owned by the same party to get access to the protocols of the bridges.
As an industry, they didn’t do well enough in identifying subpar designs across the board, he continued.
Over $3 billion in investor assets were stolen in the five biggest cryptocurrency heists of 2022, ranging from cross-chain hacks to code breaches.
The largest theft of the year occurred on the Ronin Network, a blockchain that underpins the non-fungible token-based video game Axie Infinity, when more than half a billion dollars worth of ether and USD coin were taken. The computers that handle network transactions are known as nodes, and according to Ronin, the attackers were able to hack them. The activity went undiscovered until a user encountered difficulties withdrawing money and reported it. Later, the Lazarus Group, a hacker group supported by the North Korean state, was implicated in the robbery by the US Treasury Department.
Wormhole Network, a bridging technology that enables users to transport cryptocurrencies and NFTs between numerous pairings of blockchains, was vulnerable on February 2 and was taken advantage of by an unidentified hacker. Chainalysis claims that the hacker may have discovered a bug in Wormhole’s code that allowed them to issue 120,000 wETH—an ether token equivalent on the SolanaSOL blockchain, valued at around $325 million at the time of the theft—without providing the required collateral. The parent business of Wormhole, Jump Crypto, replaced the stolen funds after offers to pay the hacker a bounty in exchange for the assets were rejected.
The cross-chain protocol was duped into distributing stored tokens without the required authorization on August 1 as a result of a hacker taking advantage of a flaw in Nomad’s code. The issue was so easy to exploit that it didn’t even call for programming experience. Numerous copycats quickly joined the heist. After pleading with users to return the money, Nomad was able to recover more than $20 million.
A hacker was successful in draining Beanstalk Farms, an Ethereum-based stablecoin project, of more than $150 million worth of cryptocurrency in April. According to blockchain security company CertiK, the attacker borrowed almost $1 billion worth of cryptocurrency through a flash loan obtained through the decentralized protocol AaveAAVE and exchanged that for a 67% voting stake in Beanstalk. Flash loans let users borrow large amounts of cryptocurrency for brief periods of time. The hacker was successful in getting the Beanstalk tokens transferred to their own cryptocurrency wallet with a supermajority. The process was completed in less than 13 seconds, which is based on the length of an Aave flash loan.
A hack on September 20 cost the London-based cryptocurrency market maker $160 million. Evgeny Gaevoy, the founder and CEO of Wintermute, claimed that the attack most likely started with a service called Profanity that Wintermute had utilized. Profanity creates “vanity addresses” for digital asset accounts to make them simpler to work with than the standard 30-character strings of various letters and numbers. These trading accounts were a component of Wintermute’s DeFi operation, which it uses to execute quick deals on decentralized exchanges like Uniswap and SushiSwap. It appears that hackers were able to generate every password for a firm vanity address using brute-force computing.
In order to force the organization to use the assets in its treasury to finance the bad debt it had taken on to bail out a significant investor earlier this year, Avraham Eisenberg drained the liquidity out of the decentralized cryptocurrency exchange Mango Markets, based in Solana, by holding $112 million in tokens in ransom. Mango, which established sizable positions in perpetual futures on the coin by selling from one account and buying in another at a premium to market price, claims that the heist involved Eisenberg’s two accounts on the platform with the dollar-pegged USD token. He leveraged the accumulated earnings to borrow and withdraw a number of tokens from Mango itself while the token’s value multiplied tenfold on other decentralized exchanges.
On October 6, at the start of 2022’s busiest month for cryptocurrency breaches, hackers were able to steal an estimated $110 million from Binance’s BSC Token Hub. Following a planned update, the cross-chain bridge between the BNB Smart Chain (BSC) and BNB Beacon Chain, two chains connected to Binance, was used for malicious purposes. Analysts and on-chain data show that the hackers were able to successfully exploit a flaw in the bridge’s validated proofs, enabling them to sham approval notifications and deposit the money into their accounts. In their attempt to steal $560 million off the bridge, the hackers were able to create 2 billion BNB tokens, but they were only successful in taking $110 million off-chain.
In June, hackers broke into Harmony’s primary link between the Ethereum and Binance Smart Chain blockchains and stole $100 million worth of cryptocurrencies. Although the protocol did not specify how the money was obtained, the attack happened over the course of 14 transactions. On-chain sleuths were worried about the bridge’s safety measures even before the hack in June since its multi-signature wallet had a limited number of validators, making it susceptible to attacks.
