by Re-entry, price oracle attacks, and exploits across seven protocols caused the decentralized finance (DeFi) space to bleed at least $21 million in cryptocurrency in February.
According to DeFi-centric analytics platform DefiLlama, one of the biggest of the month was an instant loan re-entry attack on Platypus Finance that resulted in a loss of $8.5 million in funds.
DefiLlama highlighted six other noteworthy hacks this month, the first of which was the price oracle attack on BonqDAO on February 1.
BonqDAO: $1.7 million
BonqDAO revealed to its followers in a February 1st post that its Bonq protocol was vulnerable to an oracle attack that allowed an exploit to manipulate the AllianceBlock (ALBT) token price.
The miner raised the price of ALBT and minted large amounts of BEUR. BEUR was then exchanged for other tokens on Uniswap. The price then dropped to almost zero, causing the ALBT treasures to be liquidated.
Blockchain security company PeckShield estimated losses at around $120 million, however it was later revealed that hackers reportedly only paid out around $1 million due to a lack of liquidity on BonqDAO.
Orion Protocol: $3 million
Just a day later, the decentralized exchange Orion Protocol suffered loss approximately $3 million on February 2 through a reentrancy attack where the attackers used a malicious smart contract to drain funds from a target with repeated withdrawal requests.
We’ve been investigating this highly sophisticated attack since it occurred. We will not restart escrow until we are sure the bug has been fixed, which will only be after new audits by leading audit firms have been successfully passed.
— Alexey Koloskov (@alexeykoloskov) February 2, 2023
Orion Protocol CEO Alexey Koloskov confirmed the attack at the time, assuring everyone that “all users’ funds are safe.”
“We have reason to believe that the problem was not the result of any shortcomings in the code of our underlying protocol, but rather may have been caused by a vulnerability in the mixing of third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said.
dForce Network: $3.65 million
The dForce network with the DeFi protocol was another victim of an attack in February that caused losses of approximately $3.65 million.
On February 10 fastdForce confirmed the exploit; however, at one point, all funds were returned when the hacker came forward as a Whitehat hacker.
2/5 Shortly after the incident, we initiated talks with an exploiter who had come forward as a white hat. We have agreed to offer a reward and will drop all ongoing investigations and law enforcement actions.
— dForce (@dForcenet) February 13, 2023
“February 13, 2023, used funds were fully returned to our multi-sig in both Arbitrum and Optimism, which is a perfect conclusion for everyone,” said dForce.
Platypus Finance: $9.1 million
On February 16, the DeFi protocol, Platypus Finance, was attacked by an instant loan, resulting in $8.5 million being washed out of the protocol.
An autopsy report by auditor Platypus Omniscia concluded that the attack was possible due to the code being in the wrong order.
On February 23, the team announced that it was trying to return approximately 78% of the funds from the main pool, recalling frozen stablecoins.
Updated compensation page
We updated our claims page today! If you have deposited or withdrawn LP Tokens from our profit aggregators prior to the pool being held, your compensation amount will be updated accordingly.
More https://t.co/GfLIn5jmtF— Platypus (++) (@Platypusdefi) March 3, 2023
The team also confirmed the second and third incidents, which led to the use of another $667,000, bringing total losses to approximately $9.1 million.
French police arrested two suspects related to the hack and seized crypto assets worth approximately $222,000 on February 25.
Hope Finance: $1.86 million
A few days later, users of the arbitrage-based algorithmic stablecoin project, Hope Finance, fell victim to a smart contract exploit on February 20, which resulted in approximately $2 million being stolen from users.
#community alert @hope_fin announced that the community had been defrauded of approximately $2 million, making it the largest #exitscam at Arbitrum in 2023.
$1.86 million was donated @TornadoCash.
Hope_fin has posted steps to allow a user to withdraw their LP stake https://t.co/hJbFXiKujt
— Alert CertiK (@CertiKAlert) February 21, 2023
CertiK, a Web3 security firm, reported the incident on February 21, following an announcement from the Hope Finance Twitter account notifying users of the scam.
A member of the CertiK team told Cointelegraph at the time that the scammer changed the details of the smart contract, leading to a drain of funds from the Genesis Hope Finance protocol:
“It appears that the scammer changed the TradingHelper contract, which meant that when 0x4481 calls OpenTrade on GenesisRewardPool, the funds are transferred to the scammer.”
Flexible: $2 million
The multi-chain exchange aggregator Dexible was attacked by an exploit targeting the application’s selfSwap function, and as a result of the February 17 attack, $2 million worth of cryptocurrency was lost.
According to a February 18 post from the exchange, “a hacker exploited a vulnerability in our latest smart contract. This allowed the hacker to steal funds from any wallet that had permission for unspent spending under the contract.
Dear Dexible community, we regret to inform you that a hacker exploited a vulnerability in our latest smart contract in the early morning of February 17. This allowed the hacker to steal funds from any wallet that had permission to spend unspent under the contract.
1/5
— Flexible (@DexibleApp) February 17, 2023
After investigating the case, the Dexible team discovered that the attacker used the app’s selfSwap feature to transfer over $2 million worth of cryptocurrency from users who had previously authorized the app to transfer their tokens.
After receiving the tokens for his own smart contract, the attacker withdrew the coins via Tornado Cash to unknown BNB wallets.
Starting Zone: $700,000
The DeFi protocol based on the BNB chain LaunchZone had $700,000 in funds on February 27.
According to to blockchain security company Immunefi, the attacker used an unverified contract to drain funds.
“An unverified deal was approved 473 days ago by the LaunchZone installer,” said Immunefi.
Related: Cryptocurrency losses in January saw a nearly 93% year-on-year decline
According to DefiLlam’s data, February’s data is a clear increase over January.
The tracking tool lists only $740,000 of hacks on DeFi platforms in a month using two protocols – Midas Capital and ROE Finance.
In the 2023 Crypto Crime Report, blockchain data firm Chainalysis revealed that hackers stole $3.1 billion from DeFi protocols in 2022, more than 82% of the total amount stolen during the year.
