7 hacks on DeFi protocols in February resulted in the theft of $21 million: DefiLlama

Reentrancy, price oracle attacks, and exploits across seven protocols caused the decentralized finance (DeFi) space to bleed at least $21 million in cryptocurrency in February.

According to DeFi-centric analytics platform DefiLlama, one of the biggest of the month was a flash loan reentrancy attack on Platypus Finance that resulted in a loss of $8.5 million in funds.

DefiLlama highlighted six other noteworthy hacks this month, the first of which was the price oracle attack on BonqDAO on February 1.

DeFi platforms suffered seven attacks in February. Source: DefiLlama

BonqDAO: $1.7 million

BonqDAO revealed to its followers in a February 1 post that its Bonq protocol was vulnerable to an oracle attack that allowed an exploiter to manipulate the AllianceBlock (ALBT) token price.

The exploiter raised the price of ALBT and minted large amounts of BEUR. The BEUR was then exchanged for other tokens on Uniswap. The price was then dropped to almost zero, causing the ALBT troves to be liquidated.

Blockchain security company PeckShield estimated losses at around $120 million; however, it was later revealed that the hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO.

Orion Protocol: $3 million

Just a day later, on February 2, the decentralized exchange Orion Protocol lost approximately $3 million through a reentrancy attack, in which the attackers used a malicious smart contract to drain funds from a target with repeated withdrawal requests.

Orion Protocol CEO Alexey Koloskov confirmed the attack at the time, assuring everyone that “all users’ funds are safe.”

“We have reason to believe that the problem was not the result of any shortcomings in the code of our underlying protocol, but rather may have been caused by a vulnerability in the mixing of third-party libraries in one of the smart contracts used by our experimental and private brokers,” he said.

dForce Network: $3.65 million

DeFi protocol dForce Network was another victim of an attack in February, one that caused losses of approximately $3.65 million.

On February 10, dForce confirmed the exploit; however, all funds were subsequently returned when the hacker came forward as a whitehat hacker.

“February 13, 2023, used funds were fully returned to our multi-sig in both Arbitrum and Optimism, which is a perfect conclusion for everyone,” said dForce.

Platypus Finance: $9.1 million

On February 16, the DeFi protocol Platypus Finance suffered a flash loan attack, resulting in $8.5 million being drained from the protocol.

A post-mortem report by Platypus auditor Omniscia concluded that the attack was possible due to the code being in the wrong order.

On February 23, the team announced that it was trying to return approximately 78% of the funds from the main pool, recalling frozen stablecoins.

The team also confirmed a second and a third incident, which led to another $667,000 being exploited, bringing total losses to approximately $9.1 million.

French police arrested two suspects related to the hack and seized crypto assets worth approximately $222,000 on February 25.

Hope Finance: $1.86 million

A few days later, on February 20, users of the Arbitrum-based algorithmic stablecoin project Hope Finance fell victim to a smart contract exploit, which resulted in approximately $2 million being stolen from users.

CertiK, a Web3 security firm, reported the incident on February 21, following an announcement from the Hope Finance Twitter account notifying users of the scam.

A member of the CertiK team told Cointelegraph at the time that the scammer changed the details of the smart contract, leading to a drain of funds from the Genesis Hope Finance protocol:

“It appears that the scammer changed the TradingHelper contract, which meant that when 0x4481 calls OpenTrade on GenesisRewardPool, the funds are transferred to the scammer.”

Dexible: $2 million

The multi-chain exchange aggregator Dexible was attacked by an exploit targeting the application’s selfSwap function, and as a result of the February 17 attack, $2 million worth of cryptocurrency was lost.

According to a February 18 post from the exchange, “a hacker exploited a vulnerability in our latest smart contract. This allowed the hacker to steal funds from any wallet that had permission for unspent spending under the contract.”

After investigating the case, the Dexible team discovered that the attacker used the app’s selfSwap feature to transfer over $2 million worth of cryptocurrency from users who had previously authorized the app to transfer their tokens.

After receiving the tokens in his own smart contract, the attacker withdrew the coins via Tornado Cash to unknown BNB wallets.

LaunchZone: $700,000

The BNB Chain-based DeFi protocol LaunchZone had $700,000 in funds drained on February 27.

According to blockchain security company Immunefi, the attacker used an unverified contract to drain funds.

“An unverified deal was approved 473 days ago by the LaunchZone installer,” said Immunefi.

According to DefiLlama’s data, February’s figure is a clear increase over January.

The tracking tool lists only $740,000 in hacks on DeFi platforms for that month, across two protocols – Midas Capital and ROE Finance.

In the 2023 Crypto Crime Report, blockchain data firm Chainalysis revealed that hackers stole $3.1 billion from DeFi protocols in 2022, more than 82% of the total amount stolen during the year.