Crypto Attacks of 2022

In 2022, we saw a spate of hacks that focused almost exclusively on DeFi protocols. These attacks didn't target the blockchain technology itself. Instead, they targeted cross-chain exchanges where crypto could be exchanged between blockchains.?

The damages are astonishing: almost $3 billion stolen in 2022 !

Cross-chain exchanges or crypto bridges function as way to exchange crypto in between different blockchains. Normally the credit is issued on the destination blockchain and funds are placed in the special address on the source blockchain. This is where the concept of wrapped crypto originates. Wrapped BTC is a token on Ethereum blockchain that holds the value of BTC and, along with Wrapped ETH, it could be used to exchange for ERC-20 tokens.

Ronin Network

Ronin's proof-of-authority system, centralized in just nine validator nodes, is the key to its ability to provide a higher volume of transactions at a much lower cost than the proof-of-work ethereum network at the time. Ronin network only had 9 validators instead of the entirety of nodes on the blockchain. An attacker was able to compromise 4 Ronin nodes and find a backdoor to an external validator, having the majority to approve 2 illegitimate transactions that resulted in a loss of over $625MM.

Wormhole Bridge

Attacker cleverly exploited the lack of validation on auxillary input field of a signature validation function to execute its own code that minted out-of-blockchain WETH coins to be later converted to real ETH blockchain currency. The root problem was in usage of deprecated 'load_current_index' function that would skip input validation, instead of using 'load_current_index_checked' function that included validation.

The intent to patch the issue became public in form of committed GitHub code right before the attack. It can be inferred that the attacker kept a close eye on a GitHub repository to look for any upcoming security patches before they got deployed.

Nomad Bridge

Nomad Bridge was hacked due to a mistake in the code that allowed anyone to take a valid transaction and change the recipient to attackers address. That would result in wrapped crypto being transferred in the attackers account. First attack transferred 100 BTC, others followed since everybody discovered vulnerability. The bridge was drained in a matter of days.

Replica contract was mistakenly initialized with commitedRoot value of zero. That allowed anyone to validate transactions by calling process(byte memory _message) function with an arbitrary "_message" to bypass the verification.

acceptableRoot function would always return true and let the function succeed instead of failing.

Beanstalk Farms

An attacker used a flash loan to accumulate a large amount of Beanstalk's native governance token STALK, which he then used to pass his own governance proposals (BIP-18 and BIP-19). These proposals asked the protocol to donate funds to Ukraine, but instead sent the funds to the attackers wallet.

Wintermute

Wintermute was subject to an attack that resulted in 162.5MM in losses. The exploited weakness seems to have been the tool that generates Wallet addresses: Profinity. Due to security flaws of Profinity it was possible to decipher the private key from the wallet address. Attacker redirected funds using a brute-forced private key from Profinity generated wallet address.

Mango Markets

Solana DeFi Platform Mango Markets has been exploited with its primary function: Loans. DeFi platforms allow for taking out Flash Loans that have to be repaid before the end of block. That gives lenders about 10 minutes to repay them. DeFi is no stranger to Price Oracle Manipulation with Flash Loans exploits, this is one of them.

The attacker made a substantial deposit of $5MM USDC and bought MNGO-PERP token. The prices of MNGO-PERP rose dramatically in just a few minutes which led to the collateral value of his account to go up. Attacker then took out massive loans and withdrew the funds.

We are currently investigating an incident where a hacker was able to drain funds from Mango via an oracle price manipulation. We will be disabling deposits on the front end as a precaution, and will keep you updated as the situation evolves.

The attack was made possible by a combination of lack of liquidity of token markets that are susceptible to manipulation and the fact that a volatile token can be considered a collateral for a loan.

Conclusion

As crypto infrastructure continues to grow and evolve, we are seeing growing pains due to one of its virtues: Automation. Code is written by humans and when a human makes a mistake in code, it can lead to exponential risk exposure of millions of lost funds. There are processes to prevent this, like SAST, DAST, and SDLC. However, they are not exhaustive.?

The bottom line, code updates require a review by other humans who will look at it from the perspective of an attacker.

Another risk factor is the volatility of funds, and ability to borrow at high margin against volatile assets. Crypto holds real value, however many perceive it to still be somewhat of a game currency.

P.S.

If you're interested in learning more about other types of crypto attacks, navigate to our blog