$3 BILLION in DeFi Hacks in 2022—So Far

Fake money fans are once again mourning the theft of worthless tokens. Finding security flaws in brittle DeFi “smart contracts” seems like shooting fish in a barrel.

The notional value of that stolen cryptocurrency is $3 billion this year so far. And the losses are accelerating: Since that number was calculated, we’ve learned of another huge DeFi hack, adding another million or so to the total.

And nothing of value was lost. In today’s SB Blogwatch, we point and laugh at naked emperors.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Tesla <3 Westinghouse.

In Fiat We Trust

What’s the craic? Molly White reports—“Earning.Farm exploited for $971,000”:

The DeFi project Earning.Farm lost 748 ETH (~$971,000) to a hacker using a flash loan attack. The project contract was missing a check that a flash loan was initiated by the protocol, so the attacker was able to instruct the project to withdraw large amounts of funds.

A “flash loan” attack? Vladislav Sopov explains—“Earning.farm Yield Platform Under Attack”:

A month of unmatched attacks
EFLeverVault, a key element of earning.farm DeFi’s design, was targeted by flash loan attacks. Due to an architecture flaw of its contract, attackers managed to withdraw all Ethers (ETH) stored in the contract that was designed to act as collateral.

October 2022 will be remembered as a month of unmatched attacks against the mainstream DeFi infrastructure. On Oct. 7, 2022, a bridge between two elements of BNB Chain was exploited for $566 million. … On Oct. 12, Solana-based liquidity protocol Mango was drained of $100 million as a malefactor managed to manipulate the price oracles.
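The two quotes above describe the same missing check: a flash-loan callback that does not verify the loan was started by the protocol itself, so outside instructions reach the withdrawal logic. The following Solidity sketch is an added illustration, not Earning.Farm's or EFLeverVault's code; it uses the ERC-3156 flash-loan interfaces, while `VulnerableVault`, `HardenedVault`, `rebalance`, and the lender and token wiring are constructed for the example. The first contract shows the unguarded callback, the second the same logic with the initiator and lender checks in place.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the project's code. Interfaces follow ERC-3156;
// the vault contracts, rebalance() and the lender/token wiring are constructed.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function approve(address spender, uint256 amount) external returns (bool);
}

interface IERC3156FlashBorrower {
    function onFlashLoan(
        address initiator, address token, uint256 amount, uint256 fee, bytes calldata data
    ) external returns (bytes32);
}

interface IERC3156FlashLender {
    function flashLoan(
        IERC3156FlashBorrower receiver, address token, uint256 amount, bytes calldata data
    ) external returns (bool);
}

bytes32 constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

/// The flaw the text describes: the callback never checks who is calling it or
/// who started the loan, so the `data` it acts on can come from anyone.
contract VulnerableVault is IERC3156FlashBorrower {
    IERC3156FlashLender public immutable lender;
    IERC20 public immutable weth;

    constructor(IERC3156FlashLender lender_, IERC20 weth_) {
        lender = lender_;
        weth = weth_;
    }

    /// Intended entry point: the vault borrows, and the lender calls back below.
    function rebalance(uint256 amount) external {
        lender.flashLoan(this, address(weth), amount, abi.encode(address(this), uint256(0)));
    }

    function onFlashLoan(address, address token, uint256 amount, uint256 fee, bytes calldata data)
        external override returns (bytes32)
    {
        // Missing: require(msg.sender == address(lender)) and
        //          require(initiator == address(this)).
        // Without them, a loan requested by a third party with this vault named as
        // `receiver` reaches this code, and the vault obeys whatever `data` says.
        (address to, uint256 withdrawAmount) = abi.decode(data, (address, uint256));
        if (withdrawAmount > 0) IERC20(token).transfer(to, withdrawAmount);
        IERC20(token).approve(msg.sender, amount + fee); // let the lender pull repayment
        return CALLBACK_SUCCESS;
    }
}

/// Same logic with the checks in place: only a loan this contract itself started,
/// delivered by the configured lender, can drive the callback.
contract HardenedVault is IERC3156FlashBorrower {
    IERC3156FlashLender public immutable lender;
    IERC20 public immutable weth;
    address public immutable owner;
    bool private loanInProgress;

    constructor(IERC3156FlashLender lender_, IERC20 weth_) {
        lender = lender_;
        weth = weth_;
        owner = msg.sender;
    }

    function rebalance(address to, uint256 withdrawAmount, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        loanInProgress = true; // the callback is only valid while this is set
        lender.flashLoan(this, address(weth), amount, abi.encode(to, withdrawAmount));
        loanInProgress = false;
    }

    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external override returns (bytes32)
    {
        require(msg.sender == address(lender), "callback not from lender");
        require(initiator == address(this), "loan not initiated by this vault");
        require(loanInProgress, "no loan in progress");
        require(token == address(weth), "unexpected token");
        (address to, uint256 withdrawAmount) = abi.decode(data, (address, uint256));
        if (withdrawAmount > 0) IERC20(token).transfer(to, withdrawAmount);
        IERC20(token).approve(msg.sender, amount + fee);
        return CALLBACK_SUCCESS;
    }
}
```

The `initiator` check is the one the Molly White quote says was missing; the `msg.sender` check closes the companion hole of a direct call to the callback, and the `loanInProgress` flag ties the callback to a specific, owner-started `rebalance` so the `data` it decodes is always data the vault itself encoded. Auditors reviewing a flash-loan receiver should expect to see all three.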

Good grief. But DeFi hacking is definitely on a tear, as Taylor Locke notes—“2022 is on pace to become crypto’s ‘biggest year for hacking on record’”:

Cross-chain bridges … have been repeatedly attacked
A record month in a record year—and the month isn’t even half over. In October alone, [$1.7 billion] was stolen from decentralized finance protocols.

Cross-chain bridges in particular have been repeatedly attacked this year. … Most notably of late, a bridge used by Binance, the largest crypto exchange, fell victim to a $100 million hack. Earlier this year, in February, the Wormhole bridge had a $325 million exploit, and in March, Axie Infinity’s Ronin bridge had a $625 million exploit.

How much so far this year? Sunil Jagtiani says it’s “Over $3 Billion”:

Cryptocurrencies may have crashed this year but they remain a digital cash-machine for one potent constituency: hackers. … Most of the targets are … DeFi protocols, which deploy software-based algorithms to enable crypto investors to trade, borrow and lend on digital ledgers without using a central intermediary. … Hackers have become adept at exploiting weaknesses in the security, coding and structure of DeFi marketplaces.

This is based on analysis by Chainalysis:

October is now the biggest month in the biggest year ever for hacking activity, with … half the month still to go. … At this rate, 2022 will likely surpass 2021 as the biggest year for hacking on record. So far, hackers have grossed over $3 billion dollars.

Say it with me, brothers and sisters: And nothing of value was lost. This Anonymous Coward agrees:

Exactly right. $5 billion in crypto has been stolen over the last 2 years. But that number is based on converting it into real money—which you can’t.

At best, you can convert a small amount into real money and maybe find someone who will give you some small amount of goods/services in exchange for a little of your fake money. But, in reality, all of that crypto is not actually “worth” anywhere near $5 billion.

$5 billion here, $5 billion there—pretty soon you’re talking serious money. mattwilsonn888 explains why DeFi is so fragile:

There is a lot of incentive to get these platforms up and running, and not always a lot to build them safely and even less to truly audit them. Often the developers make their money up front [which is] all that has to be said for the diligence developers … might have.

People are so concerned with making a quick buck they forget about subtleties like developer token lock up, third party audits, patience in general. But that’s how markets go — fast money is more valuable than slow money and the price you pay is risk. What the average Joe needs to know is that DeFi, while capable of producing huge gains, also comes with a lot of risk.

That’s a sympathetic analysis. KinjaKungen has very little sympathy:

People pay stupid money for ****ing Pokémon cards. That some dumb people will pay for numbers in a computer instead of little bits of printed paper doesn’t surprise me at all.

There’s nothing new under the sun. So says Steve Gibson:

More cryptocurrency chaos. [It’s] an extremely immature technology, coupled with a gold rush attitude. Recall that in the actual California Gold Rush, between 1848 and 1855—with very few exceptions—the only people who made money were those who were selling the gold digging, panning, and sluicing supplies.

It wasn’t those who were panning for gold. It was the people who sold them their pans.

Meanwhile, neither does TheReaperD:

I have zero sympathy for these idiots. They love to tout that cryptocurrency is “free from the guberm’nt!” and now they’re paying the price. … Too bad, so sad.

And Finally:

What if Westinghouse didn’t steal from Tesla?

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Adam Nir (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
