2021 DeFi Security Incident Full Record (Updated on June 23)

ChainCatcher Selection
2021-06-23 17:41:39
This article mainly records the DeFi security incidents that occurred in 2021, briefly introducing the incident processes, causes, and handling solutions, and will be updated regularly to help readers gain a more comprehensive understanding of the security status of the DeFi industry.

31. Eleven Finance

Loss Amount: $4.6 million

Summary: On June 23, the Nerve-related vault of the BSC-based yield aggregator Eleven Finance was attacked via a flash loan. The attack stemmed from an error in the balance calculation of the vault's emergencyBurn function: the function paid out but did not actually burn the vault shares it should have destroyed, allowing the attacker to profit by nearly $4.6 million. The attacker address is the same one used in the Impossible Finance attack.

30. Impossible Finance

Loss Amount: $500,000

Summary: On June 21, the BSC-based DeFi project Impossible Finance suffered a flash loan attack. Because the cheapSwap function lacked a constant-product (K-value) check, the attacker was able to perform multiple exchange operations within a single swap and obtain extra tokens that the invariant should have prevented.

Solution: All users who deposited into the liquidity pool before the attack received 100% compensation.

29. Visor Finance

Loss Amount: $500,000

Summary: On June 20, the Uniswap V3-based DeFi project Visor Finance was attacked. The Hypervisor contract was compromised, giving the attacker access to a management account and allowing them to withdraw deposits that had not yet been allocated to liquidity provider positions.

Solution: The official team compensated users with $500,000 from the treasury.

28. Alchemix

Loss Amount: $8.66 million

Summary: On June 16, the future-yield tokenization protocol Alchemix's alETH contract encountered a security issue. Because of an error in the alETH pool deployment script, users who had borrowed alETH at a 4:1 collateral ratio were left with no debt to repay, and nearly 2,000 ETH of debt ceiling was released, allowing new alETH to be minted. In addition, the script used an incorrect index into the vault array, so funds intended for the Transmuter, the mechanism that backs alETH, were used entirely to repay users' debts.

27. PancakeHunny

Loss Amount: $100,000

Summary: On June 3, the BSC-based PancakeHunny project was hacked. The method was similar to the earlier PancakeBunny attack: a large quantity of tokens was minted in a short time and dumped on the market, causing the price of HunnyToken to plummet.

26. BurgerSwap

Loss Amount: Approximately $7 million

Summary: On May 28, the BSC AMM project BurgerSwap suffered a flash loan attack in which 432,874 BURGER (approximately $7 million) were stolen. The attacker borrowed 6,047.13 WBNB from the PancakeSwap WBNB-BUSDT liquidity pool via a flash loan, exchanged 6,029 WBNB for 92,677 BURGER on BurgerSwap, and used a self-created fake token to carry out the attack.

25. Julswap

Loss Amount: $7 million

Summary: On May 28, the BSC-based AMM project Julswap was attacked via a flash loan. The attacker borrowed 70,000 JULB tokens through a flash loan, swapped them through the JULB-WBNB trading pair for 1,400 BNB, and then invoked a JulProtocolV2 contract function for staking (collateral mining). Finally, the WBNB was transferred to a wallet address, completing the flash loan arbitrage.

Solution: An updated version will be released, and JULB tokens will be repurchased for user compensation.

24. Merlin

Loss Amount: Approximately $680,000

Summary: On May 26, the BSC automatic yield aggregator Merlin was hacked. Because of a vulnerability in the project's getReward code, the attacker transferred a large amount of CAKE directly to the Vault contract, inflating the balance that getReward uses for its calculation; approximately 59,000 MERL were minted and sold for about 240 ETH.

Solution: The team will airdrop compensation tokens cMERL to users, allowing token holders to receive BNB rewards from the compensation pool. Additionally, extra funds from the development team will be used for burning and repurchase activities to restore token prices.

23. AutoShark Finance

Loss Amount: Approximately $820,000

Summary: On May 25, the BSC-based fixed-rate protocol AutoShark Finance suffered a flash loan attack. Because of errors in the LP value calculation and in the fee amount it collected, the SharkMinter contract computed an enormous value for the attacker's contribution and minted a correspondingly large number of SHARK tokens for them. The token price crashed from $1.2 to $0.01, and the attacker profited by approximately $820,000.

Solution: The official team stated they would issue a new token JAWS to compensate affected users.

22. Bogged Finance

Loss Amount: $3 million

Summary: On May 23, the BSC-based aggregation trading platform Bogged Finance announced that hackers had exploited a vulnerability in the BOG token contract's staking function through a flash loan attack. Using the PancakeSwap pair swap code, the attacker claimed staking rewards before the contract's verification had completed, minting over 15 million BOG tokens, most of which had been intended for BOG stakers.

Solution: A new coin will be issued, and the stolen BOG tokens will be returned to stakers.

21. Pancake Bunny

Loss Amount: Approximately $42 million

Summary: On May 20, the BSC-based DeFi yield aggregator PancakeBunny suffered a flash loan attack, losing 114,631 BNB and 697,245 BUNNY; the BUNNY was minted in bulk and sold off, causing the price to crash from $240 to below $2. According to the CertiK security team's investigation, the attack succeeded because PancakeBunny used the PancakeSwap AMM's spot reserves to calculate asset prices: the attacker used the flash loan to manipulate the AMM pool's price and exploited issues in Bunny's token minting calculation, which relied on that manipulated price.

Solution: PancakeBunny will issue a new token pBUNNY and create a compensation pool to reimburse original BUNNY holders for losses due to the token price drop.
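The PancakeBunny entry above describes the general class of bug: a contract reads an AMM's spot price as an oracle, and a flash loan can move that price for the duration of one transaction. The following is an added illustration in Python, not PancakeBunny's code. It models a toy constant-product CAKE/BNB pool, a minter that issues reward tokens in proportion to the BNB value of a performance fee, and two ways of pricing that fee: the live spot price, and a simplified time-weighted average (one observation per block, taken before any trade in that block). The reserves, loan size, fee and reward rate are constructed numbers, and the no-fee pool and per-block TWAP are simplifications of the real contracts.

```python
"""Flash-loan manipulation of an AMM spot price that is used as an oracle.

Added example for the PancakeBunny entry above, not PancakeBunny's code. A toy
constant-product CAKE/BNB pool, a minter that issues reward tokens in
proportion to the BNB value of a performance fee, and two ways to price that
fee: the pool's live spot price (movable inside a single transaction) and a
simplified time-weighted average observed once per block. Pool reserves, the
loan size, the fee and the reward rate are constructed numbers."""
from typing import Optional

BUNNY_PER_BNB = 5.0  # constructed: reward tokens minted per BNB of fee value


class Pool:
    """Constant-product pool holding CAKE and BNB (no trading fee, to keep the arithmetic plain)."""

    def __init__(self, cake: float, bnb: float) -> None:
        self.cake, self.bnb = cake, bnb

    def spot_price(self) -> float:
        """BNB per CAKE implied by the current reserves."""
        return self.bnb / self.cake

    def swap_bnb_for_cake(self, bnb_in: float) -> float:
        k = self.cake * self.bnb
        self.bnb += bnb_in
        cake_out = self.cake - k / self.bnb
        self.cake -= cake_out
        return cake_out

    def swap_cake_for_bnb(self, cake_in: float) -> float:
        k = self.cake * self.bnb
        self.cake += cake_in
        bnb_out = self.bnb - k / self.cake
        self.bnb -= bnb_out
        return bnb_out


class BlockTwap:
    """Simplified TWAP: one observation per block, taken before any trade in that
    block, averaged over the last `window` observations. A price that exists only
    in the middle of a transaction is never observed."""

    def __init__(self, pool: Pool, window: int) -> None:
        self.pool, self.window = pool, window
        self.prices: list = []
        self.last_block: Optional[int] = None

    def on_new_block(self, block: int) -> None:
        if block != self.last_block:
            self.prices = (self.prices + [self.pool.spot_price()])[-self.window:]
            self.last_block = block

    def price(self) -> float:
        return sum(self.prices) / len(self.prices)


def mint_reward(fee_cake: float, price_bnb_per_cake: float) -> float:
    """Reward tokens minted for a performance fee of fee_cake CAKE, valued in BNB at the given price."""
    return fee_cake * price_bnb_per_cake * BUNNY_PER_BNB


def flash_loan_attack(pool: Pool, oracle: Optional[BlockTwap], loan_bnb: float,
                      fee_cake: float, block: int) -> tuple:
    """One transaction: skew the pool with borrowed BNB, trigger minting, unwind, repay.
    Returns (reward tokens minted, BNB recovered to repay the loan). With oracle=None
    the minter reads the pool's spot price; otherwise it reads the block TWAP."""
    if oracle is not None:
        oracle.on_new_block(block)                      # observation precedes the trades
    cake_bought = pool.swap_bnb_for_cake(loan_bnb)      # spot price is now heavily skewed
    price = pool.spot_price() if oracle is None else oracle.price()
    minted = mint_reward(fee_cake, price)
    bnb_back = pool.swap_cake_for_bnb(cake_bought)      # unwind; reserves return to the start
    return minted, bnb_back


if __name__ == "__main__":
    honest = mint_reward(1_000.0, Pool(1_000_000.0, 100_000.0).spot_price())
    spot_minted, _ = flash_loan_attack(Pool(1_000_000.0, 100_000.0), None, 1_000_000.0, 1_000.0, block=1)
    pool = Pool(1_000_000.0, 100_000.0)
    twap_minted, _ = flash_loan_attack(pool, BlockTwap(pool, window=10), 1_000_000.0, 1_000.0, block=1)
    print(f"honest {honest:.0f}, spot-priced under manipulation {spot_minted:.0f}, TWAP-priced {twap_minted:.0f}")
```

With a 1,000,000 BNB loan pushed into a pool of 1,000,000 CAKE and 100,000 BNB, the spot price moves from 0.1 to 12.1 BNB per CAKE, so a 1,000 CAKE fee mints 121 times more reward than it should, while the loan is repaid in full because the pool is unwound in the same transaction. The TWAP-priced minter sees only the 0.1 observation taken at the start of the block. A real fix would also cap the mint per block and value LP positions from the invariant rather than from reserves, but the per-block observation is the core of why an intra-transaction price is not an oracle.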

20. Venus

Loss Amount: Over $100 million

Summary: On the evening of May 18, the price of XVS, the token of the BSC-based lending platform Venus, was pumped by a whale, who then used XVS as collateral to borrow and transfer out over $100 million worth of BTC and ETH. The price of XVS subsequently plummeted and the positions became liquidatable, but because market liquidity for XVS was insufficient, the system could not liquidate them in time, leaving Venus with a massive bad debt.

Solution: Venus sold part of its XVS tokens to external institutions to cover platform losses.

19. FinNexus

Loss Amount: $7 million

Summary: On May 17, the on-chain options protocol FinNexus was hacked. The attacker obtained the private key of the FNX token contract's owner account, minted over 323 million FNX tokens, and sold them on centralized and decentralized exchanges, causing the price to plummet.

Solution: The FinNexus team stated they would issue a new coin and compensate all users who held FNX before the hack on a 1:1 basis; DEX liquidity providers who suffered greater losses will receive additional compensation.

18. bEarn Fi

Loss Amount: Approximately $10.86 million

Summary: On May 16, the cross-chain DeFi protocol bEarn Fi's BUSD-Alpaca strategy in its bVaults suffered a flash loan attack, depleting nearly $10.86 million in BUSD from the pool.

Solution: bEarn Fi stated it would create a compensation fund composed of remaining savings, development funds, DAO funds, and a portion of fees generated by the protocol, and then take a snapshot of the balance to deploy a compensation contract.

17. EOS Nation

Loss Amount: $15 million

Summary: On May 14, EOS Nation's flash loan smart contract suffered a reentrancy attack, resulting in the theft of approximately 1.2 million EOS and 462,000 USDT.

Solution: flash.sx stated that all lost funds are under the secure control of eosio.prods, and a proposal has been initiated to change the hacker's EOS account permissions, which will allow funds to be returned to users once approved.

16. xToken

Loss Amount: Approximately $25 million

Summary: On May 13, the DeFi staking and liquidity strategy platform xToken suffered a flash loan attack, with liquidity in the xBNTa Bancor pool and xSNXa Balancer pool being immediately depleted, resulting in approximately $25 million in losses.

Solution: The xToken team stated they plan to use 2% of the total supply of XTK to compensate for the stolen losses.

15. Rari Capital

Loss Amount: $14 million

Summary: On May 8, the ETH pool of the DeFi robo-advisor protocol Rari Capital was exploited through its integration with the Alpha Finance Lab protocol. The attacker deployed a helper contract to manipulate the price of ibETH tokens, causing Rari a loss of $14 million.

Solution: Rari Capital will return 2 million reserved RGT tokens intended for team expansion to the DAO to compensate affected users and reward contributors.

14. Value DeFi

Loss Amount: A total of $15 million from two attacks

Summary: The DeFi protocol Value DeFi on Ethereum and BSC suffered two attacks on May 5 and May 7, respectively. The first attack stemmed from a code vulnerability in Value DeFi's ProfitSharingRewardPool contract, affecting its vStake pool, resulting in losses of over 200,000 BUSD and 8,790 BNB; the second attack was due to a code vulnerability in Value DeFi's vSwap contract, affecting some pools and products of IRON Finance.

Solution: The team will use 8,530 VALUE from the insurance fund and 122,463 VALUE from the multi-signature, totaling 130,994 VALUE for compensation, while the remaining 251,702 VALUE will be compensated using the team's VALUE.

13. Spartan

Loss Amount: $30 million

Summary: On May 2, the BSC-based synthetic asset protocol Spartan Pools V1 was attacked. Due to a vulnerability in the improper calculation of liquidity shares, the attacker transferred approximately $30 million from the liquidity pool.

Solution: A new SPARTA token will be issued, and the previously unissued 20 million tokens will be used to compensate the liquidity providers who suffered losses due to the attack.

12. Uranium

Loss Amount: $50 million

Summary: On April 28, the BSC-based AMM protocol Uranium was hacked while its contracts were being migrated, with losses as high as $50 million. According to SlowMist's analysis, the issue was in Uranium's pair contract: the swap function's constant-product check had a scaling (precision) error, so the fee-adjusted balances it compared were computed 100 times larger than they should have been relative to the reserve product on the other side of the check. An attacker using a flash loan therefore needed to return only about 1% of what was borrowed to pass the check, and kept the remaining 99% of the pool's balance.

Solution: The Uranium project has ceased operations.
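Both the Impossible Finance entry (a swap path with no K-value check) and the Uranium entry (a K-value check whose two sides were scaled differently) come down to the same post-swap invariant. The following is an added illustration in Python, not code from either project, that models the check in three forms: the Uniswap V2 form, in which the fee-adjusted balances and the reserve product are scaled by the same denominator; a mis-scaled form in which the balances use a basis-point (10,000) denominator while the right-hand side is still scaled by 1000 squared, the 100x shape the Uranium entry describes; and no check at all. The reserves, fee and trade sizes are constructed integers in token base units, and the helper that searches for the largest accepted output is the author's own, not something in either contract.

```python
"""Constant-product (x * y = k) invariant checks on a V2-style AMM pair.

Added example for the Uranium and Impossible Finance entries above; it is not
code from either project. Three forms of the post-swap check: the Uniswap V2
form (both sides scaled by the same fee denominator), a mis-scaled form in
which the fee-adjusted balances use a 10_000 denominator while the right-hand
side is still scaled by 1000**2 (off by 100x, the shape the Uranium entry
describes), and no check at all. Reserves and trade sizes are constructed
integers in token base units."""


def k_check_v2(reserve0, reserve1, balance0, balance1, amount0_in, amount1_in,
               fee_num=3, fee_den=1000):
    """Uniswap V2: (x' - fee)(y' - fee) >= x * y, every term scaled by fee_den."""
    adj0 = balance0 * fee_den - amount0_in * fee_num
    adj1 = balance1 * fee_den - amount1_in * fee_num
    return adj0 * adj1 >= reserve0 * reserve1 * fee_den ** 2


def k_check_mis_scaled(reserve0, reserve1, balance0, balance1, amount0_in, amount1_in):
    """Left side scaled by 10_000 per token (10**8 overall), right side by 1000**2
    (10**6): the pair accepts any state whose balance product is at least k / 100."""
    adj0 = balance0 * 10_000 - amount0_in * 16
    adj1 = balance1 * 10_000 - amount1_in * 16
    return adj0 * adj1 >= reserve0 * reserve1 * 1000 ** 2


def k_check_none(*_):
    """A swap path with no invariant check at all (the cheapSwap class of bug)."""
    return True


def swap_accepted(check, reserve0, reserve1, amount0_in, amount1_out):
    """Deposit amount0_in of token0 and request amount1_out of token1;
    True if the pair's check would let the swap through."""
    balance0 = reserve0 + amount0_in
    balance1 = reserve1 - amount1_out
    if amount1_out < 0 or balance1 <= 0:
        return False
    return check(reserve0, reserve1, balance0, balance1, amount0_in, 0)


def max_output(check, reserve0, reserve1, amount0_in):
    """Largest amount1_out the check accepts for a given amount0_in. Binary search
    works because the check is monotone: taking more out only makes it harder to pass."""
    lo, hi = 0, reserve1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if swap_accepted(check, reserve0, reserve1, amount0_in, mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    r0 = r1 = 1_000_000
    for name, check in [("v2", k_check_v2), ("mis-scaled", k_check_mis_scaled), ("none", k_check_none)]:
        print(f"{name:>10}: 1 wei in -> {max_output(check, r0, r1, 1):>7} of {r1} out; "
              f"100_000 in -> {max_output(check, r0, r1, 100_000)} out")
```

Against a 1,000,000 / 1,000,000 pool, the V2 check gives nothing for a 1-wei input and 90,661 for a 100,000 input (the usual 0.3% fee curve). The mis-scaled check lets the same 1 wei take 990,000 of the 1,000,000, which is the 99% drain the Uranium entry describes, and the unchecked path lets it take everything but the last unit. When auditing a fork, the test to run is exactly this one: change the fee denominator on one side of the require and see how much a dust-sized swap can extract.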

11. EasyFi

Loss Amount: Approximately $40.9 million

Summary: On April 19, members of the Layer 2 lending protocol EasyFi reported that a large number of EASY tokens had been transferred from EasyFi's official wallet to several unknown wallets on the Ethereum and Polygon networks. The admin key or mnemonic phrase is suspected to have been compromised. With the admin key, the attacker transferred $6 million of the protocol pool's existing liquidity in USD/DAI/USDT, along with 2.98 million EASY tokens (approximately 30% of the total EASY supply, then valued at $40.9 million), to a wallet believed to belong to the attacker.

Solution: EasyFi released a compensation plan for its users on Polygon, based on a snapshot at block height 13464478. Each eligible address receives compensation in two parts: 25% of the funds paid directly, and the remaining 75% paid in EZ (IOU), a token redeemable 1:1 for EZ, the EASY V2 token.

10. Force DAO

Loss Amount: Approximately $367,000

Summary: On April 4, the FORCE token of the DeFi quantitative hedge fund Force DAO was minted in bulk, and the attacker profited by approximately $367,000 by selling the minted tokens. The root cause was a "fake deposit" pattern: the FORCE token's transferFrom function returned false on failure instead of reverting, and the external contract that called it did not check that return value, so a transfer that never happened was credited as a successful deposit.

Solution: The Force team stated that they have recovered 45 ETH from the hacker's address, and approximately 75% of the remaining losses will be compensated by airdropping new FORCE tokens. The airdrop ratio for users who suffered losses due to panic selling or continued holding after the hacker incident will be 1.5:1.
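The Force DAO entry above is the textbook unchecked-return-value bug. The following is an added illustration in Python, not Force DAO's code: a toy token whose transferFrom returns False on an insufficient balance or allowance rather than reverting, a vault that credits shares for the requested amount without inspecting that result, and a hardened vault that both requires success (the behaviour SafeERC20-style wrappers enforce in Solidity) and credits only the balance it actually received. The account names, balances and amounts are constructed.

```python
"""Unchecked ERC-20 return values ('fake deposit').

Added example for the Force DAO entry above, not the project's code: a toy
token whose transferFrom returns False instead of reverting, a vault that
credits shares without looking at that return value, and a hardened vault
that requires success and measures the balance it actually received.
Account names, balances and amounts are constructed."""
from typing import Optional


class Token:
    """Minimal ERC-20 model. transferFrom follows the 'return False on failure'
    style the page attributes to FORCE rather than reverting."""

    def __init__(self, balances: dict) -> None:
        self.balances = dict(balances)
        self.allowances: dict = {}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer(self, sender: str, recipient: str, amount: int) -> bool:
        if self.balance_of(sender) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount
        return True

    def transfer_from(self, spender: str, sender: str, recipient: str, amount: int) -> bool:
        if self.allowances.get((sender, spender), 0) < amount:
            return False                      # no revert: the caller must inspect this
        if not self.transfer(sender, recipient, amount):
            return False
        self.allowances[(sender, spender)] -= amount
        return True


class VulnerableVault:
    """Mints shares for the *requested* amount and discards transferFrom's result."""

    def __init__(self, token: Token, name: str = "vault") -> None:
        self.token, self.name, self.shares, self.total_shares = token, name, {}, 0

    def deposit(self, user: str, amount: int) -> None:
        self.token.transfer_from(self.name, user, self.name, amount)   # result ignored
        self.shares[user] = self.shares.get(user, 0) + amount
        self.total_shares += amount

    def withdraw_all(self, user: str) -> int:
        """Pay out the user's pro-rata slice of whatever the vault really holds."""
        owed = self.token.balance_of(self.name) * self.shares[user] // self.total_shares
        self.total_shares -= self.shares.pop(user)
        assert self.token.transfer(self.name, user, owed)
        return owed


class HardenedVault(VulnerableVault):
    """Requires the transfer to succeed (SafeERC20 semantics) and credits only the
    balance delta, which also defends against fee-on-transfer tokens."""

    def deposit(self, user: str, amount: int) -> None:
        before = self.token.balance_of(self.name)
        if not self.token.transfer_from(self.name, user, self.name, amount):
            raise RuntimeError("transferFrom returned false")
        received = self.token.balance_of(self.name) - before
        self.shares[user] = self.shares.get(user, 0) + received
        self.total_shares += received


def attacker_payout(vault_cls) -> Optional[int]:
    """Constructed scenario: an honest LP deposits 10_000; an attacker with no tokens
    'deposits' 1_000_000. Returns what the attacker withdraws, or None if the
    vault rejected the fake deposit."""
    token = Token({"lp": 10_000, "attacker": 0})
    vault = vault_cls(token)
    token.approve("lp", vault.name, 10_000)
    vault.deposit("lp", 10_000)
    token.approve("attacker", vault.name, 1_000_000)   # approving costs nothing
    try:
        vault.deposit("attacker", 1_000_000)
    except RuntimeError:
        return None
    return vault.withdraw_all("attacker")


if __name__ == "__main__":
    print("vulnerable vault pays the attacker", attacker_payout(VulnerableVault))
    print("hardened vault pays the attacker", attacker_payout(HardenedVault))
```

In the vulnerable vault the attacker's phantom 1,000,000 shares dominate the 10,000 honest shares, so the withdrawal hands over 9,900 of the LP's 10,000 tokens. The hardened vault rejects the deposit outright. Checking the return value is necessary but not sufficient on its own: crediting the measured balance delta rather than the requested amount is what closes the same hole for tokens that silently take a fee or return nothing at all.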

9. Iron Finance

Loss Amount: $170,000

Summary: On March 17, the stablecoin protocol Iron Finance was hacked, with two vFarm liquidity pools losing a total of $170,000. According to the official statement, an upgrade to its FaaS (farms-as-a-service) contract changed the reward-rate integer, and the team did not notice the change.

8. TSD

Loss Amount: $16,000

Summary: On March 15, the cross-chain stablecoin True Seigniorage Dollar (TSD) reported that malicious attackers used the TSD DAO to mint 11.8 billion TSD tokens in their account and sold them all on Pancakeswap, earning $16,000.

7. Meerkat Finance

Loss Amount: $31 million

Summary: On March 4, the BSC-based DeFi protocol Meerkat Finance was suspected of an exit scam after it claimed its treasury contract had been hacked. Subsequently, a person claiming to be a Meerkat Finance developer, Jamboo, released a statement saying this was just an experiment and that Meerkat would update its data and execute smart contracts to compensate users.

Solution: 95% of the Vault balance is refunded directly, with the remaining 5% distributed fairly through a new product, XFarm (which offsets the losses of MKAT holders and MKAT-BNB liquidity providers). Meerkat restarted its staking and Vault contracts at 18:00 UTC on March 6 and planned to deploy a swap contract and issue instructions to users 24 hours later.

6. DODO

Loss Amount: Approximately $3.8 million

Summary: On March 9, the decentralized exchange DODO announced that the WSZO, WCRES, ETHA, and Fusible crowdfunding pools of its DODO v2 had been hacked, and the team removed the entry points to the affected liquidity pools. According to the Chengdu Chain Security team's analysis, the pool contract's init function had no access control, so the attacker was able to call it themselves.

Solution: The hacker voluntarily returned tokens worth approximately $3.1 million, about $200,000 worth of funds were frozen on centralized exchanges, and the remaining approximately $500,000 loss will be borne by the DODO team.

5. Paid Network

Loss Amount: Approximately $3 million

Summary: On March 6, the DeFi protocol Paid Network was attacked due to a contract vulnerability, with the attacker minting PAID tokens worth nearly $160 million and selling them to obtain 2,000 ETH (approximately $3 million).

Solution: The token contract will be redeployed, and users who traded within four hours after the hacker attack will receive airdropped PAID V2 tokens.

4. Furucombo

Loss Amount: $15 million

Summary: On February 28, a serious vulnerability in the smart contract of the DeFi aggregation protocol Furucombo was exploited: the attacker used a malicious contract to deceive the Furucombo Proxy, stealing over $15 million in ETH and other ERC-20 tokens and transferring them to their own wallet address.

Solution: Furucombo created a compensation pool and allocated 5 million COMBO tokens, issuing 5 million iouCOMBO tokens to affected users, which will unlock linearly over 360 days, allowing token holders to claim COMBO from the repayment pool.

3. Alpha Finance

Loss Amount: $37.5 million

Summary: On February 13, the cross-chain DeFi platform Alpha Finance was attacked. The hacker exploited a vulnerability in Alpha Homora's integration with Cream Finance's uncollateralized protocol-to-protocol lending (Iron Bank), using a flash loan to steal approximately $37.5 million from Cream Finance.

Solution: Alpha Finance will pay off the debt with 2,000 ETH deposited by the attacker into the Alpha Homora V2 and Cream V2 deployer contracts and promises to use 20% of the reserves from Alpha Homora V1 and V2 to repay the remaining funds, paying monthly to Cream V2 Iron Bank until all new debts are cleared.

2. BT.Finance

Loss Amount: $1.5 million

Summary: On February 9, the smart yield aggregator BT.Finance suffered a flash loan attack, affecting strategies including ETH, USDC, and USDT.

Solution: Cover Protocol compensated the project for 60% of the 140,906 DAI lost in the hacker attack.

1. Yearn Finance

Loss Amount: $11 million

Summary: On February 5, a vulnerability in the yDAI vault of Yearn Finance v1 was exploited, resulting in a loss of $11 million. The attacker obtained a total of 513,000 DAI, 1.7 million USDT, and 506,000 3CRV. According to the CertiK security team, the attacker funded the attack with a flash loan and exploited a vulnerability in the Yearn code.

Solution: Yearn's team used YFI to open a Maker CDP (collateralized debt position) to cover the deficit and will repay it from protocol fees. Meanwhile, DeFi insurance protocols such as Cover Protocol and Nexus Mutual have compensated Yearn for part of the losses.
