DeFi hackers make bank at the start of 2023
The crypto sector has been characterised by unexpected upwards price moves in early 2023, coupled with an onslaught of regulatory pressure. As these contradictory situations unfold, it’s seemingly been fairly quiet on the decentralised finance (DeFi) front.
DeFi, which typically suffers from a near-constant barrage of hacks, scams and indiscriminate rug-pulls, has largely flown under the radar while the likes of Binance and Kraken face off with the United States Securities and Exchange Commission (SEC).
Centralised platforms are under attack – some would argue the attacks are an elaborate ploy, rumoured to be called ‘operation choke point’. It is said that regulators are deliberately going all out after last year’s spectacular downfalls of Celsius, 3AC, FTX and its disgraced former-CEO Sam Bankman-Fried, to name a few. The recent examiner’s report on Celsius also suggests Alex Mashinsky’s days are numbered.
That being said, the crypto sphere is not one homogenous blob of centralised actors. The diverse financial spectrum gave rise to federated projects too. While some areas appear quieter, it does not mean DeFi hasn’t had its fair share of drama.
Two-for-one vulnerability DeFi hack
For instance, last week Platypus Finance saw $8.5 million drained from the project in a messy hack. But the amateur attacker managed to get a portion of the funds stuck in their own smart contract, frozen by Tether. Funds were also accidentally sent to lending protocol Aave, which is in the process of discussing the details and trails.
Following the investigative work of on-chain investigator ZachXBT, the hacker’s address was subsequently linked to a number of social media accounts. Shortly after, another $2.4 million were recovered through a reverse hack. The operation was executed by the security firm BlockSec.
The impressive reverse hack saw a substantial chunk of the stolen Platypus funds safely recovered.
In total, over $4 million were stolen via a known vulnerability, from both Midas Capital and dForce Network. The two hacks occurred less than a month apart, and hackers twice exploited a known mechanism described in a chain security post back in April 2022.
dForce then announced that the hacker had responded to a ‘bug bounty offer’, and subsequently returned the funds ($3.65 million).
NFTs; a haven for scammers
Earlier in February, ZachXBT published a detailed report on a scammer who goes by the name of Loyalist. The scam artist is estimated to have stolen upwards of $4 million over the last 12 months.
One commonly used tool to scam NFT users is known as “Monkey Drainer”, a phishing toolkit that drains victims’ wallets who are tricked into interacting with a (usually) cloned website – mistakenly thinking they’re minting NFTs.
These scams and security risks are easy to miss and go to show that you just can’t be too careful in crypto.
Walkouts and Rug-pulls
On Monday, Feb. 21, $1.8 million in funds were drained from Hope Finance following a protocol update to divert assets to a different account.
The project managers took to Twitter to vent their supposed anger, accusing a team member of rug-pulling the project. But it’s unlikely the culprit will face any consequences given the fact that the upgrade was signed by all three accounts on the project’s multi-signature wallet. Also, acquiring fake known-your-customer information online is doable, and perhaps becoming more prevalent with the aid of deep-fake AI tech.
Another NFT project by the name of fRiENDSiES, announced a sudden shutdown on Tuesday, in what has been labelled a rug-pull. The team practically has no progress to show a year after its launch and blamed “market volatility” before deleting their Twitter account. In other words, the project was not financially viable, underwater and down big time on their Ether holdings before selling and bucking out.
Just two weeks ago, Umami Finance’s team exited the project’s legal wrapper, Umami Labs LLC. The project claimed that the ex-CEO, Alex O’Donnell, had slammed the price of the token by unloading all his holdings. After that, O’Donnell allegedly took control of the project’s multi-signature wallet and treasury. A week later, he tried to reassert control, despite prior statements that neither of the project’s two legal wrappers have any control over the DAO.
It remains to be seen what will come of these scam artists and dodgy project teams. One thing is clear though, there’s no shortage of ponzi games. Countless other incidents and exploits are undoubtedly taking place as we speak.
While 2022 was arguably the worst year for the crypto sector as a whole, cross-blockchain bridges are still vulnerable – a prime target for hackers. Vitalik Buterin himself warned that these bridges carry higher security risks.
Looking ahead, as more hacks come to light and regulators continue their crusade against the cryptocurrency sector, regulation will likely fuel more censorship debates within the Ethereum community. The sanctions that were imposed on Tornado Cash signalled a willingness by the US Treasury to crack down on privacy.
This sparked free-speech protests and debates about Ethereum’s proclivity towards regulatory capture. As of February 22nd, Ethereum’s post-merge OFAC compliant blocks stand at 47%, down from 80% in Nov. 2022.
Bitcoin and Litecoin do not suffer from the same censorship concerns.
