The market cap of all digital assets reached $3 trillion in November 2021, a 21,000% increase since 2016. But that growth has been far from smooth, and more recently the crypto industry has come under diamond-creating pressure to conform.
Not only has the price of cryptocurrencies such as Bitcoin careened like a rollercoaster, but the market has also been subjected to a barrage of crypto hacks, cybersecurity breaches and frauds.
The year 2022 was another landmark one for the digital asset industry. From bi-partisan legislative proposals in the US to the European Union’s landmark Markets in Crypto-assets (MiCA) regulation, crypto’s entry into the mainstream continues apace – according to a blog post originally posted on Elliptic Connect.
However, one issue which has spooked governments, regulators, law enforcement and others has been the worrying number of crypto hacks, which have been growing in intensity.
Elliptic research found that the total amount stolen in exploits in 2022 was around $3.3 billion – up from $2 billion the previous year.
According to its State of Cross-chain Crime report, 2022 has seen hackers increasingly utilising decentralized finance (DeFi) platforms such as decentralised exchanges (DEXs) and cross-chain bridges to facilitate crypto thefts.
These services have removed many of the barriers to the free flow of capital between cryptoassets.
As a result, the daily average amount stolen from DeFi protocols has now exceeded a record-breaking $7.6 million, the research found.
Decentralized exchanges (DEXs) are decentralized applications (dApps) running as smart contracts on blockchains like Ethereum.
These smart contracts provide a peer-to-peer exchange mechanism that allows users to trade tokens without relying on an intermediary. The terms of the trade are defined and automatically executed by code, as well as being recorded on the blockchain.
Unlike bridges, their exchange capabilities only extend to assets on the same blockchain. DEXs are also referred to as automated market makers (AMMs), a name that reflects their ability to automatically execute buy and sell orders on their platform using smart contracts.
This is in stark contrast to centralized exchanges (CEXs), which control the security, pricing and execution of trades as well as taking custody of assets being traded during the transaction.
DEXs are therefore considered to be safer, as users always retain custody of assets being traded; however, they cannot offer trading with fiat, which CEXs do.
Now, hardly a week goes by without some sort of crypto hack making the news. In October 2022 alone, blockchain security firm PeckShield estimated that there were at least 44 exploits involving 53 protocols.
Below is a list of the highest-earning hacks of 2022 – ranked by the amount stolen in each attack.
BSC Token Hub: $569 Million
In October 2022, Binance confirmed an exploit on the Binance Smart Chain (BSC) that resulted in BNB being minted with a value of $569 million.
The attacker(s) became a relayer for the Binance Bridge (BSC Token Hub) and then exploited a vulnerability in its proof verification, allowing them to mint two million BNB into the BSC address 0x489A8756C18C0b8B24EC2a2b9FF3D4d447F79BEc.
According to Twitter user @FrankResearcher, the attacker(s) managed to find a way to forge proof for block 110217401 – a block confirmed two years ago. Based on their findings, the vulnerability was exploited by forging arbitrary messages to mint the new tokens.
The newly-minted BNB tokens were then exchanged for other assets both on and off the BNB Smart Chain, including on Ethereum, Polygon, Fantom, Avalanche, Optimism and Arbitrum.
Ronin Network: $540 Million
In March 2022, the Ronin Network announced that 173,600 Ether and 25.5 million USD Coins had been stolen from the Ronin cross-chain bridge. The total value of the digital assets at the time of the theft was $540 million – making it the second largest crypto theft of all time.
The breach reportedly came as a result of an attacker hacking the “validator nodes” of the Ronin bridge. Funds can be moved out if five of the nine validators approve it.
The attacker managed to get hold of the private cryptographic keys belonging to five of the validators, which was enough to steal the cryptoassets.
Ronin’s post mortem claimed that “all evidence points to this attack being socially engineered, rather than a technical flaw”.
The incident occurred six days before the exploit was announced by Ronin. Amid confusion over the delayed response, it announced that the exploit was only discovered after a 5,000 ETH withdrawal attempt from one of their users failed. At the time of discovery, the stolen funds were worth over $615 million.
Two weeks after Ronin’s announcement, the US Treasury’s Office of Foreign Assets Control (OFAC) announced new sanctions against the thief’s Ethereum address and listed the owner of this address as the Lazarus Group – a North Korean state hacking organisation.
FTX: $477 Million
In November 2022, just 24 hours after filing for Chapter 11 bankruptcy in the US, FTX’s wallets were drained of $477 million in cryptoassets, through what were believed to have been a series of “unauthorised” transfers.
Within hours, the majority of the tokens taken from FTX were swapped for ETH through decentralised exchanges.
This is a tactic commonly seen in large hacks, where thieves seek to avoid seizure of stolen assets such as stablecoins, which can be frozen by their issuers.
Though this was not before approximately $100 million of the USDT (Tether) and Paxos Gold (PAXG) tokens taken from FTX were frozen by their respective issuers.
On the morning of November 20th, the ETH in the account began to be converted to RenBTC, before being bridged to Bitcoin through the RenBridge service. Ren was acquired by Alameda Research – FTX’s parent company – last year.
The use of RenBridge in this way was often seen in the laundering of proceeds of hacks. Research has shown how the service had previously been used to launder hundreds of millions of dollars in crypto.
However, RenBridge is set to be shut down in the aftermath of the FTX collapse. As Ren was acquired by Alameda, and given that both Alameda and FTX have filed for bankruptcy, the bridge has no choice but to be sunsetted.
That said, the group behind RenBridge have announced plans to launch a fully decentralised version 2.0, so this may not be the last you hear about it.
Wormhole Portal: $325 Million
In February, the Wormhole Portal – a DeFi bridge between Solana and other blockchains – suffered an exploit which saw the theft of 120,000 Ether (worth $325 million at the time).
The exploit allowed the attacker to mint 120,000 Wrapped ETH on the Solana blockchain, 93,750 ETH of which was then transferred to the Ethereum blockchain.
According to Blockworks, Wormhole’s parent company Jump Crypto paid back all of the Ether lost in the attack that same month.
Wintermute: $162 Million
Crypto market maker Wintermute lost around $162 million after its DeFi operations were breached in September 2022.
According to blockchain security company CertiK, a vulnerable private key was used to attack the platform, which it speculated was either brute-forced or leaked. It added that a vulnerability in the Profanity vanity address generator was probably the cause of the breach.
Nomad: $156 Million
In August 2022, Nomad – a bridge network allowing users to convert their assets across blockchains – was exploited for over $156.4 million.
Over 40 attackers utilised a code error that allowed them to spoof transactions – draining Nomad’s Ethereum contract of most of its funds.
The attack was made possible by a recent change in Nomad’s smart contract that made it possible for users to ‘spoof’ transactions – thereby falsely claiming ownership of collateral within the bridge. The initial exploiter utilized the vulnerability to bridge 0.1 Wrapped Bitcoin (WBTC) through the Moonbeam blockchain – ending up with 100 WBTC ($2.3 million) on Ethereum.
Mango Markets: $118 Million
In October 2022, the trading platform Mango Markets lost $118 million after an attacker successfully manipulated the protocol’s price oracle.
The exploit – which occurred in the evening of October 11th – was initiated after two Solana accounts funded by USDC took an outsized position on the Mango (MNGO)-Perpetual Protocol (PERP) token pair, which caused MNGO prices to briefly surge.
The Mango Markets attack fell within a 30-day period between mid-September and mid-October in which almost $900 million was stolen from DeFi protocols.
As observed at the time, attacks predominantly targeted cross-chain bridges in 2022, due to their high levels of liquidity and operations on less secure blockchains.
Horizon: $100 Million
In June 2022, the Horizon bridge – which operates on the Harmony, Ethereum and Binance Smart Chain blockchains – suffered a theft which resulted in the loss of $100 million.
As reported at the time, the hacker stole a variety of assets including ETH, BNB, USDT, USDC and Dai. The thief immediately used Uniswap – a decentralised exchange (DEX) – to convert the Ethereum-based assets into a total of 85,837 Ether. This is a common laundering technique used to avoid seizure of stolen assets.
The thief then moved all of the ETH into Tornado Cash over the following six days. By sending these funds through Tornado, the thief attempted to break the transaction trail back to the original theft – making it easier to cash out the funds at an exchange.
However, Elliptic was able to use its Tornado demixing techniques to trace the stolen funds through Tornado Cash to a number of new Ethereum wallets.
It is now believed likely that North Korea’s Lazarus Group was responsible for this theft, based on the nature of the hack and the subsequent laundering of the stolen assets.
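The pattern described for the FTX and Horizon thefts (issuer-freezable tokens swapped for ETH on a DEX, then ETH sent to a mixer) can be written as a simple screening heuristic. This is an added example, not Elliptic's method: the event format, address labels, mixer label and 7-day window are assumptions, and the events are constructed.

```python
# Added illustration: constructed transfer events, not real chain data.
FREEZABLE = {"USDT", "USDC", "PAXG"}   # issuer-controlled tokens that can be frozen
MIXERS = {"mixer_contract"}            # placeholder label, not a real address
WINDOW_HOURS = 24 * 7                  # assumed review window (Horizon took six days)

# (hour, address, action, asset, amount, counterparty)
EVENTS = [
    (0,  "addr_A", "receive", "USDC",      5_000_000, "bridge"),
    (1,  "addr_A", "swap",    "USDC->ETH", 5_000_000, "dex"),
    (30, "addr_A", "send",    "ETH",       2_900,     "mixer_contract"),
    (0,  "addr_B", "receive", "USDT",      40_000,    "exchange"),
    (5,  "addr_B", "send",    "USDT",      40_000,    "merchant"),
    (2,  "addr_C", "receive", "ETH",       10,        "exchange"),
    (3,  "addr_C", "send",    "ETH",       10,        "mixer_contract"),
]


def flag_swap_then_mix(events, window=WINDOW_HOURS):
    """Flag addresses that swap a freezable token for ETH and then send
    ETH to a mixer within `window` hours of the first such swap."""
    first_swap = {}
    flagged = {}
    for hour, addr, action, asset, _amount, counterparty in sorted(events):
        if action == "swap":
            src, _, dst = asset.partition("->")
            if src in FREEZABLE and dst == "ETH":
                first_swap.setdefault(addr, hour)
        elif action == "send" and asset == "ETH" and counterparty in MIXERS:
            start = first_swap.get(addr)
            # Mixer use alone (addr_C) is not flagged; the swap must precede it.
            if start is not None and hour - start <= window:
                flagged[addr] = {"swap_hour": start, "mixer_hour": hour}
    return flagged


if __name__ == "__main__":
    print(flag_swap_then_mix(EVENTS))
```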
Beanstalk Farms: $76 Million
April 2022 saw a series of malicious transactions targeting Beanstalk Farms – an Ethereum-based decentralised stablecoin protocol. This resulted in the loss of 25,000 Ether (ETH), which was worth $76 million at the time.
The exploiter stole various cryptoassets from the platform, including BEAN – the protocol’s native stablecoin. With much of its assets depleted, the protocol lost more than $182 million in value and the price of BEAN fell from $1 to $0.1.
Almost all of the stolen funds were sent through the now-sanctioned Ethereum-based smart contract mixer Tornado Cash, while $250,000 in USDC was donated to the Crypto Fund of Ukraine.
The attack began when the exploiter purchased 212,858.50 BEAN with an initial 73 ETH investment. The BEANs were then deposited into the “silo” – a protocol-specific term for a funding pool – where users can deposit assets in return for rewards. Assets in the silo maintain BEAN’s pegged price of $1.
The exploiter then proposed two “Bean Improvement Proposals” (BIPs) to Beanstalk’s smart contract code. Proposals for code changes are common in DeFi, with their approval subject to democratic consensus by the protocol’s users.
The BIPs – disguised as Ukraine donation proposals – were malicious proposals to transfer the protocol’s funds to the exploiter’s own wallet, which were already creating controversy amongst confused users before the theft.
Upon taking out a flashloan of almost $1 billion in assets, the exploiter deposited them into the silo to accumulate a roughly 67% “stalk position” – the protocol’s term for voting power.
Per the protocol’s rules for the acceptance of BIPs, the exploiter was then able to single-handedly approve the malicious proposals to transfer funds into their wallets – 24 hours after they were initially proposed.
Stolen BEAN and associated liquidity pool units were then converted to ETH.
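The governance weakness described above comes down to when voting power is measured. The toy model below is an added example, not Beanstalk's code: it compares a vote that counts deposits at voting time with one that counts a snapshot taken when the proposal opened. The class, the snapshot rule and all figures other than the initial stake and the roughly 67% share are assumptions.

```python
# Added illustration: a toy stake-weighted vote. Names and figures are constructed;
# this is not Beanstalk's contract code.
from dataclasses import dataclass, field

SUPERMAJORITY = 2 / 3  # the page cites a roughly 67% "stalk position"


@dataclass
class Governance:
    balances: dict = field(default_factory=dict)  # live deposits in the "silo"
    snapshot: dict = field(default_factory=dict)  # deposits frozen at proposal time

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who, amount):
        self.balances[who] -= amount

    def propose(self):
        # Hardened design (assumption): record voting power when the proposal opens.
        self.snapshot = dict(self.balances)

    @staticmethod
    def share(table, voters):
        total = sum(table.values())
        return sum(table.get(v, 0) for v in voters) / total if total else 0.0

    def passes_live(self, voters):
        # Weak rule: counts whatever is deposited at the moment of the vote.
        return self.share(self.balances, voters) >= SUPERMAJORITY

    def passes_snapshot(self, voters):
        # Hardened rule: counts only power that existed at proposal time.
        return self.share(self.snapshot, voters) >= SUPERMAJORITY


def simulate():
    gov = Governance()
    gov.deposit("existing_depositors", 490_000_000)  # constructed figure
    gov.deposit("proposer", 212_858)                 # small initial stake
    gov.propose()
    # A day later: borrowed funds are deposited just before the vote is counted.
    gov.deposit("proposer", 1_000_000_000)
    live = gov.passes_live({"proposer"})
    snap = gov.passes_snapshot({"proposer"})
    gov.withdraw("proposer", 1_000_000_000)          # loan repaid
    return live, snap
```

With these figures the live count gives the proposer about 67% and the proposal passes, while the snapshot count gives about 0.04% and it fails.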