Lampros Tech

Web3 Hacks: The Biggest and Prominent Web3 Hacks Since 2016

I understand you’re eager to read this, but the most prominent hacks on Web3 since 2016 make for an extensive list: ~50 hacks in approximately 100 months. That’s a lot of Web3 hacks, close to 1 every 45 days on average.

So, we’ll be viewing this in 4 parts, each with its own list and a light description to give you an idea about each hack.

  1. Hacks from 2016 – 2020
  2. Hacks in 2020 (Just the list.)
  3. Hacks in 2021
  4. Hacks in 2022

Lastly, we’ll end with a summary of the hacks and the impact they have had on the Web3 community and economy. So, let’s go!

Web3 Hacks Since 2016

DeFi hacks have had an immense impact on the DeFi economy. The first hack, the DAO Attack in 2016, shook everyone, especially Ethereum.

And how is a 1.5-year-old blockchain supposed to know it would be vulnerable and taken advantage of?

That was when everyone got a boon and a bane.

The lesson is that Web3 is susceptible to code vulnerabilities and to information copied to the dark web, both of which hackers exploit repeatedly.

The first few years were when Web3 was growing up – having more DAPPs, DEXes, 

  1. The DAO Attack of 2016
  2. The 2017 Coin Dash ICO Hack
  3. The 2017 Parity Multi-Sig Wallet Hack 
  4. NiceHash Hack of December 2017
  5. BitGrail Hack of Feb 2018
  6. MyEtherWallet DNS Hack of April 2018
  7. Bithumb Hack of June 2018
  8. Bancor Hack of July 2018
  9. The 2019 Cryptopia Hack
  10. The 2019 Hack of UpBit

The DAO Hack (2016) 

The DAO was a decentralized autonomous organization built on the Ethereum blockchain. In June 2016, a hacker exploited a vulnerability in the smart contract code to siphon off a third of The DAO’s funds, worth around $50 million that day. The hack led to a contentious hard fork of the Ethereum blockchain, creating two separate versions of the network: Ethereum (ETH) and Ethereum Classic (ETC).

Parity Multi-Sig Wallet Hack (2017)

Parity is a popular Ethereum wallet. In July 2017, a hacker exploited a bug in Parity’s multi-signature wallet contract, freezing up to 500,000 ETH, worth approximately $150 million at the time. Unlike the DAO hack, this was not a theft but a freezing of funds. Unfortunately, the wallet contains frozen funds.

CoinDash ICO Hack (2017)

CoinDash is a blockchain-based trading platform. In July 2017, during its initial coin offering (ICO), hackers compromised the platform’s website and replaced the legitimate Ethereum address with a fraudulent one. Investors unknowingly sent their Ether to the hacker’s address, thus resulting in a loss of $7.5 million.

NiceHash Hack (2017)

NiceHash is a mining marketplace where users can rent hash power to mine cryptocurrencies. In December 2017, hackers gained access to NiceHash’s internal systems, stealing approximately 4,700 BTC, worth around $80 million that day.

BitGrail Hack (2018)

BitGrail was an Italian cryptocurrency exchange that specialized in Nano (XRB). In February 2018, hackers exploited a vulnerability in BitGrail’s wallet software, stealing around 17 million XRB, worth approximately $170 million. The crypto exchange had to file for bankruptcy.

Bancor Hack (2018)

Bancor is a decentralized exchange built on the Ethereum blockchain. In July 2018, hackers exploited a vulnerability in a smart contract to steal approximately $23.5 million worth of Ether, BNB, and NPXS tokens.

MyEtherWallet DNS Hack (2018)

MyEtherWallet (MEW) is a popular Ethereum wallet. In April 2018, hackers compromised MEW’s DNS servers, redirecting users to a phishing site. Some users unknowingly entered their private keys and passwords on the fake site, resulting in the loss of $152,000 worth of Ethereum.

Bithumb Hack (2018)

Bithumb is a South Korean cryptocurrency exchange. In June 2018, hackers stole around $31 million worth of cryptocurrencies, including Bitcoin, Ethereum, and Ripple, from Bithumb’s hot wallet. Bithumb promised to reimburse the affected users.

Cryptopia Hack (2019)

Cryptopia was a New Zealand cryptocurrency exchange. In January 2019, hackers got access to the exchange’s hot wallets, stealing approximately $16 million worth of cryptocurrencies, including Ethereum and ERC-20 tokens. The exchange had to go into liquidation without choice.

Upbit Hack (2019)

Upbit is a South Korean cryptocurrency exchange. In November 2019, hackers stole Ethereum estimated to be $49 M from Upbit’s hot wallet. The crypto exchange said it would cover the losses using its funds.

It is worth noting that this list is not exhaustive and there may have been other little hacks or attacks that were not widely reported. Additionally, since the Web3 ecosystem is constantly evolving, there may have been more hacks or attacks that have occurred since 2020.

Hacks in 2020

We’ve seen Web3 hacks since 2016, but what about 2020 and after? We’re going to look at those now. So, please brace yourself before we look into the list of hacks in 2020. The hacks mentioned are special for a good reason, and you might want to hold on to your breath, dear life and your crypto portfolio, because 2020 had the highest number of hacks in the history of Web3 hacks.

Don’t believe me? Here’s the list:

  1. The Altsbit Hack
  2. The IOTA Robbery
  3. The bZx Strike
  4. The OKEx & Bitfinex Attack
  5. The YouTube Scam
  6. The Uniswap Loot
  7. The DForce Vulnerability
  8. The Hegic Exchange Heist
  9. The Balancer Transaction
  10. The Cashaa Raid
  11. The Twitter Scam
  12. The Cyberattack
  13. The 51% Attack On ETC
  14. The Opyn Case
  15. The Yam Finance Fiesta
  16. The Eterbase Hack
  17. The Two-Timer: The second attack on bZx
  18. The KuCoin Collective
  19. The Yearn Finance Incident
  20. The WLEO Collapse
  21. Harvest Finance 
  22. The Origin Protocol Ruination
  23. The Akropolis Strafe
  24. The Value DeFi Exploit
  25. The Pickle Finance Melee
  26. The Compounder Finance Fracas
  27. The Flash Attack on Warp Finance

Yup, we’ve had about 27 major hacks just in 2020.

And to be gentle with the listicle, we’ve mentioned only the biggest heists by hackers that occurred. The many little ones ($50 billion or less) are left out so as not to stir the underlying fear that creeps in slyly: IS WEB3 A SAFE PLACE FOR DEFI AFTER ALL?

2020 proved to be a rough year for the Web3 economy because of the stolen funds and the capital lost in restoring what was gone.

Hacks in 2021

Well, DeFi is a great place if security is tight. And yet there are times of vulnerability when someone exploits the bug or a coding mishap. The hacks in 2021 were no less than a spectacle that’ll leave you dumbfounded. The list of major hacks in 2021 is as follows:

  1. The Paid Protocol: March, $100 mill.
  2. Beanstalk Protocol: April, $182 mill.
  3. Poly Network Hack: August, $600 mill.
  4. Cream Finance: August, $130 mill.
  5. Cream Finance: October, $130 mill.
  6. Compound Finance: October, $150 mill.
  7. Badger DAO Hack: December, $120 mill.
  8. Vulcan Forged: December, $140 mill.

February to December saw 8 hacks that ransacked more than $1.5B from multiple parties; the funds have gone with the wind and remain unaccounted for to this day. So, let’s take a closer look at the top DeFi hacks that happened in 2021:

The Paid Protocol (March, $100 mill.)

The Paid Protocol Network is a decentralized platform for business transactions. It allows users to transact without interference and ensures secure and efficient transaction processing.

The blockchain protocol is highly customizable and suitable for various industries, including finance, healthcare, and real estate. This protocol governs how transactions occur on the platform, providing standards for all parties involved.

Smart contracts are an important feature of the Paid Network, as they automate complex agreements. These self-executing contracts reduce the need for human intervention, ensuring prompt delivery of what parties are entitled to.

The PAID token powers the protocol and is used for access to and participation in the platform. Staking tokens earns rewards, governance participation, and premium features. The Paid Network offers tools and services to streamline transactions, such as document management, dispute resolution, and arbitration.

Overall, the Paid Network simplifies business transactions. Its customizable protocol and suite of tools make it suited to reducing costs and streamlining operations.

Beanstalk Protocol (April, $182 mill.)

In August 2021, the Beanstalk Protocol suffered a loss of around $2.8 million worth of cryptocurrency. The DeFi platform is built on the Binance Smart Chain.

The attacker exploited a vulnerability in the protocol’s code. The error within the code let them mint fake tokens and swap them for legitimate ones, causing the value of the actual coins to plummet and resulting in significant losses for investors.

The Beanstalk Protocol team quickly responded to the hack by shutting down the platform and working to identify and fix the vulnerability. They also announced that they would compensate the affected users for their losses.

The incident highlights the importance of security in DeFi protocols and the risks associated with investing in them. Users should carefully research and assess the security measures of any protocol they plan to invest in and take appropriate precautions to secure their assets.

Poly Network Hack (August, $600 mill.)

The Poly Network is a DeFi platform which allows users to swap tokens across different blockchains. In August 2021, the site suffered a loss of cryptocurrency totalling $610 million.

An anonymous cohort exploited a vulnerability in the platform’s smart contracts and used it to carry out the attack.

The flaw within the contract enabled them to transfer the funds to their wallets.

Being quick on their toes, Poly Network immediately issued a public statement urging the hackers to return the stolen funds. Surprisingly, the hackers complied and gave back most of the funds within a few days, except a small amount that was converted into stablecoins and transferred to other accounts.

As a result, widespread concern arose in the DeFi community about the security of autonomous agreements. Poly Network’s quick and commendable communication throughout the incident helped to minimize the damage and recover the stolen funds.

Further, the incident highlights the need for better security measures and auditing processes for DeFi platforms. As the sector continues to grow and attract more mainstream attention, the Poly Network hack serves as a reminder that while DeFi can offer many benefits, it is still a relatively new and evolving field that requires cautious security and risk management.

Cream Finance (August, $130 mill.)

In August 2021, the DeFi platform Cream Finance lost $29M worth of cryptocurrencies due to a smart contract vulnerability. The attack was carried out by a masked group of hackers who exploited the flaw to transfer the funds to their wallets.

Following this, Cream Finance immediately shut down its platform and issued a public statement acknowledging the hack and urging users to refrain from interacting with the blockchain until further notice. The team assured user compensation for any losses incurred due to the hack.

In the aftermath of the attack, Cream Finance announced that it would implement additional security measures, such as more rigorous auditing and testing of its smart contracts and enhancing its bug bounty program to encourage security researchers to identify vulnerabilities in the platform.

The Cream Finance hack is just one of many recent high-profile DeFi hacks that have raised concerns about the security of decentralized systems. The incident serves as a reminder of the importance of strong security measures and risk management in the rapidly evolving DeFi sector.

Despite the negative impact of the hack, Cream Finance’s quick response to the incident, its transparency and its proactive approach to addressing the issue were commendable. The platform’s commitment to improving its security measures and reimbursing affected users demonstrates its dedication to maintaining the trust of its community and continuing to innovate in the DeFi space.

Cream Finance (October, $130 mill.)

October saw another attack on the Creamy DeFi protocol. It is not the second time that Cream Finance went bankrupt due to a vulnerability within its code. The first time this happened to Cream Finance was in February, earlier this year, and all the money was gone within an hour. The second was in August, and shortly after, a third hack occurred within a fortnight. The third hack came after the stolen funds from the preceding attack were recovered.

However, the first time, the hacker managed to loot only about $37M worth of different cryptocurrencies. The second hack was in August, as mentioned above, and this time the hacker pulled off a whopping $130M right from the platform’s lending markets.

As soon as the liquidity pool of their Ethereum C.R.E.A.M v1 was empty, the platform took control and paused the lending market on Ethereum. The protocol team tracked down the bug and patched it.

Eventually, Cream Finance pulled through over a month and recovered some money to give back to the users. The platform thanked the community for its patience and support and committed to strengthening security with better measures for everyone’s safety.

Compound Finance (October, $150 mill.)

Compound Finance is a DeFi protocol for lending and borrowing. This Ethereum-based protocol quickly gained traction and became one of the most popular DeFi protocols.

Unfortunately, the platform took a huge hit in October 2021 when what is suspected to be a bunch of anonymous hackers swamped the system with multiple transactions. The hack resulted in the lending of vast amounts of COMP, the platform’s native token, for tiny amounts of collateral in ETH, DAI, and USDC.

Upon analysis, it seemed that the cybercriminals’ ability to loot around $150M was due to a smart contract’s corrupted code. However, it’s unclear whether the COMP transactions were a mistake, the result of a hack, or legitimate.

Badger DAO Hack (December, $120 mill.)

Badger DAO is a DeFi platform that uniquely deals with BTC as collateral across various DeFi apps.

Like many DeFi platforms, Badger fell victim on 2nd December, in this case to malicious code on the Badger DAO website.

Suspicions arose in the project’s Discord channel, where some users noticed a prompt requesting additional permissions while they were claiming their farming rewards.

The hacker was able to empty various wallets and steal around 2100 BTC and 151 ETH, almost equalling $120M. The DAO came forward to share the unfortunate news on Twitter to raise awareness.

Badger took steps to understand how the hack occurred, who the victims were and how it could be stopped from the website. On 3rd December they announced a pause on smart contract functionalities to halt the transactions occurring within the DAO.

Vulcan Forged (December, $140 mill.)

No, it’s not a game. Yet, Vulcan Forged, the Web3 game studio, lost $140M to a masked coder genius.

Vulcan Forged is a Web3 gaming environment that allows players to play and earn. In addition to the main gaming arena, it has features such as a DEX, an NFT Marketplace and a liquidity pool where DeFi users can stake and gain interest.

Many players want to quit the platform because of the insecure code exploited by the hacker.

The hacker exploited the platform, which runs on the Polygon network, and got hold of 96 private keys to specific crypto wallets, giving them access to roughly $4.5M worth of native PYR tokens and 9% of the 50M supply.

Finally, the platform found itself $140 M poorer from 96,501 wallets (according to Etherscan). Speculation is that the hacker managed to harvest ~$1 M from each wallet by targeting the fattest wallets present on the platform.

That is how gentle 2021 was towards Web3: almost ~$2B was hacked, culminating in 10 hacks with a value less than or close to $50M.

And the ten honourable mentions from reputed finance corps that lost close to $50M are:

  1. February: Cream Finance – $37 M
  2. March: Meerkat Finance – $31 M
  3. April: Uranium Finance: $50 M
  4. April: EasyFi: $59 M
  5. May: Pancake Bunny: $45 M
  6. May: Belt Finance: $50 M
  7. June: Venus, ~$50 M
  8. September: Vee Finance – $35 M
  9. November: bZx: $50 M
  10. December: Grim Finance – $30 M

Hacks in 2022

It is important to note that the Web3 ecosystem is constantly evolving, and there may have been other hacks or attacks that have occurred since these incidents:

  1. Wormhole: $326 mill, Jan 2022
  2. Ronin Wallet: $552 mill, March 2022
  3. Elrond L1 Hack: $113 mill, June 2022
  4. Nomad: $190 mill, Aug 2022
  5. Wintermute: $160 mill, Sept 2022
  6. Binance (Binance Smart Chain): $566 mill, Oct 2022
  7. FTX: $477 mill, Nov 2022 

I know it gets a little overwhelming to read about hacks, but the year 2022 had very different means of hacking. Let’s see how the hacks in 2022 took place: 

Wormhole Hack

$326 mill, Jan 2022

2022 had just started, and the hackers decided to make some money to grow rich. They exploited a deprecated, insecure function to bypass signature verification and stole $326 million (~120k wETH).

Wormhole is a Web3 protocol that aids cross-chain transactions. The hacker took advantage of the code and exploited the blockchain program, causing it to lose all its funds. Shortly after the attack, the platform released a statement on Twitter that its security had been breached.

The hack on Feb 02 2022 saw a loss of 120k wETH tokens, taken within a short time. Moreover, there was no collateral for the money taken from the vaults.

Further, there is a theory that the hack occurred a few hours before the code got fixed. This makes one ponder the following, “Is it an inside job?”, “How did the hacker know about the code glitch and the vulnerability of the platform?” 

Is it possible for the platform to have a snitch to provide information and get a part of the loot?

Nonetheless, the platform came forward to reward the looter with $10 M prize money. A year later, Oasis and Jump Crypto (the parent company of the bridging platform) came together and worked on recovering the wallet addresses from where the funds got stolen.

Following this, the hacker created a third-party wallet. This third-party wallet contained funds recovered from the hack. What they didn’t expect was a counterfeit attack from the attacker. The hacker had initiated a stop-loss code.

Eventually, the collaboration between Oasis and Jump Crypto restored and secured most of the funds from the hacker.

Ronin Wallet

$552 mill, March 2022

A couple of weeks after Wormhole came an attack on the Ronin Wallet. I don’t think the platform expected a grand showdown between the hacker and the platform, yet the hacker danced his way through to the wallet’s private keys.

You see, the Ronin wallet isn’t unsafe. The wallet is so secure that the hack did not catch attention for almost six days post-attack. This fact came to light when a user couldn’t withdraw 5k ETH from the bridge.

In March 2022, this became one of the biggest DeFi hacks Web3 had seen. The hack came down to compromised private keys.

The hacker gained control of 4 out of 9 validator nodes by using the private keys. Further, speculation is that the hacker gained control of nodes from Sky Mavis and a third-party Axie DAO validator node which signed the transactions.

Consequently, with access to 5 different signatures (nodes), the hacker initiated a transfer worth 173.600 ETH and 25.5M USDC from the Ronin bridge contract.
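The Ronin figures above (4 of 9 validator keys reachable through one operator, 5 signatures to move funds) describe a key-custody concentration that can be audited in any multi-signer bridge. The Python check below is an added example, not code from Sky Mavis or from the original article; it assumes a 5-of-9 threshold and uses hypothetical names for the four operators the article does not identify.

```python
from collections import Counter

# Constructed validator layout. The figures (9 validators, 4 keys under Sky Mavis,
# 1 under the Axie DAO, 5 signatures used) come from the text; the remaining
# operator names are hypothetical placeholders.
THRESHOLD = 5  # assumption: the bridge accepts a withdrawal with 5 of 9 signatures

CONCENTRATED = {
    "validator-1": "Sky Mavis",
    "validator-2": "Sky Mavis",
    "validator-3": "Sky Mavis",
    "validator-4": "Sky Mavis",
    "validator-5": "Axie DAO",
    "validator-6": "operator-A",
    "validator-7": "operator-B",
    "validator-8": "operator-C",
    "validator-9": "operator-D",
}

# Hypothetical alternative: nine keys held by nine independent custodians.
DISTRIBUTED = {f"validator-{i}": f"operator-{i}" for i in range(1, 10)}


def keys_per_operator(validators):
    """Count how many validator keys each operator controls."""
    return Counter(validators.values())


def min_operators_to_reach(validators, threshold):
    """Smallest number of operators whose combined keys meet the threshold.

    Taking operators in descending order of key count is optimal here,
    because every key contributes exactly one signature.
    """
    total = 0
    ranked = keys_per_operator(validators).most_common()
    for n, (_operator, count) in enumerate(ranked, start=1):
        total += count
        if total >= threshold:
            return n
    return None  # threshold is larger than the number of keys


def audit(validators, threshold, min_independent=3):
    """Return findings about custody concentration for a signer set."""
    findings = []
    needed = min_operators_to_reach(validators, threshold)
    if needed is None:
        findings.append("threshold exceeds the number of validator keys")
    elif needed < min_independent:
        findings.append(
            f"threshold reachable by compromising {needed} operator(s); "
            f"policy requires at least {min_independent}"
        )
    for operator, count in keys_per_operator(validators).items():
        if count >= threshold:
            findings.append(f"{operator} alone can authorize withdrawals")
        elif count + 1 >= threshold:
            findings.append(f"{operator} is one external key short of the threshold")
    return findings


if __name__ == "__main__":
    for name, layout in (("concentrated", CONCENTRATED), ("distributed", DISTRIBUTED)):
        print(name, min_operators_to_reach(layout, THRESHOLD))
        for finding in audit(layout, THRESHOLD):
            print("  -", finding)
```

The same check applies to delegated signing rights: if one operator can sign on behalf of another, count that key under the operator who can actually use it.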

Elrond L1 Hack

$113 mill, June 2022

The Maiar DEX on the Elrond blockchain was plundered of $113M worth of Elrond eGold (EGLD).

Subsequently, the Elrond L1 blockchain got hacked for $1.6M worth of tokens, which were dumped on the market. This resulted in a massive fall in market value of 95%!

Following the attack, the Wu Blockchain took to Twitter to warn and inform everyone about the fraud that occurred at their end.

Speculation is that three addresses were created simultaneously and received funding from the BSC DEX. The hackers deployed a smart contract with a ‘deploy’ function to deploy after the funds were in their accounts.

What startled the developers was, ‘How did 1 smart contract manage to transfer huge amounts of money?’

Whatever the case and cause, the CEO of the blockchain (Beniamin Mincu) stated that they were investigating malicious activities occurring in the Maiar DEX. A short period after reporting, the DEX got attacked. The blockchain halted all operations until it was fit to resume. They managed to make the DEX go live.

Further, a blockchain researcher, fondly known as ‘Foudres’, reported a hack within the network as soon as the price went down by 95%.

In addition, the three wallets contained various amounts of EGLD in a combination of 800,000 EGLD, 450,000 EGLD, and 400,00 EGLD. Upon further investigation, the 800,000 EGLD [close to $54 M] was sold by the hacker.

Nomad

$190 mill, Aug 2022

Nomad, similar to Wormhole, is a crypto bridge. It links different blockchains together for cross-network functionalities. A security breach within the platform code led to a loss of $190 M in the first week of August. The platform offered a bounty of 10% of the funds returned to counter the attacker.

Furthermore, the bug present within the security code was effortless to exploit. The bug was such that one could enter a value and withdraw the funds, even if there weren’t enough assets present.

The blockchain has regained more than $20M of the loss. In addition to that, Elliptic, a blockchain analysis company stated that the Nomad attack is the biggest DeFi attack Web3 has seen to date. They also said that the hack consisted of a team of 40+ hackers. And amongst the 40+ hackers, one hacker stole around $42 M for themselves.

Now, we have got to consider, ‘Why Bridging Protocols?’ Why are they being attacked more frequently? The answer is simple: It’s got funds. Lots of funds, in abundance and of different values. It’s an easy target for many hackers who want fast money.

Wintermute

$160 mill, Sept 2022

Wintermute is a DeFi protocol that helps bridge between networks, provides liquidity, and provides a crypto exchange space.

This wonderful DeFi network is known for its custom web3 wallet addresses from Profanity. Unfortunately, the fancy address maker protocol had a bug that got exploited.

DID YOU KNOW: Wintermute provides liquidity on 50+ exchanges and platforms.

Consequently, the hacker created and funded a custom wallet from the admin vault. Knowing that Profanity has a bug, the hacker decided to take advantage of the same and stole around $160M by stealing more than 20M OP tokens and various cryptocurrencies worth $118.4M.

The other funds looted amounted to 671 WBTC (~13 M) and 6,928 ETH ($9.4M). 

Eventually, three hours post-loot, the CEO of Wintermute released a statement on Twitter. The company also assured its audience that the CeFi and OTC services were not affected during the hack.

Furthermore, speculation is that the compromise of multiple private keys of wallets led to the event. But let’s be aware that the smart contract functions were just fine, and the hacker managed to carry out the heist by funding their wallet with their own ETH.

Binance (Binance Smart Chain)

$566 mill, Oct 2022

Halt. That’s what the Binance Smart Chain did when it faced an exploit. The sudden halt of transactions on the BSC put everyone on alert. Responding quickly to the attack, the platform issued a notice on its Reddit and Twitter accounts.

The fiasco happened in the cross-chain bridge, BSC Token Hub. 

“Software code is never bug-free” – CEO, Binance.

The CEO of Binance, Changpeng Zhao, stated that no funds were stolen from the users’ wallets or accounts, but also told reporters that cross-chain bridges are more prone to hacks.

So, if the users’ funds weren’t stolen, where would the hacker get the money from? Well, it seems that the hacker generated their own BNB tokens from the platform and took them to their address.

Eventually, the hacker could transfer about 1,000,000 BNB to their wallet by making two transactions. Since the decentralized network cannot stop completely, they halted operations in some nodes and figured out through which nodes the capital was flowing. Soon, they were able to control and minimize the loss. 

FTX

$477 mill, Nov 2022

FTX is a DeFi exchange that gained traction and performed well within the market, while competing with other exchanges such as Binance, Arbitrum, and Optimism.

There was a move to sell all the FTT tokens on the BNB: ~23M FTT tokens amounting to $530M. Following the mishap, Changpeng ‘CZ’ Zhao said the decision to liquidate the exchange’s FTT was to manage any risk it may possess right after the collapse of LUNA. Consequently, FTX was facing a liquidity crisis like never before.

The value of an FTT token fell steeply and gravely, by 80% within 48 hours. To counter the crisis, Binance came forward to help FTX by buying the non-US business of FTX – the world’s largest cryptocurrency platform to aid its closest rival.

Turning down the offer, the FTT token platform suffered a major loss. As a result of cancelling the deal with BNB, the FTX platform saw a freeze in accounts and assets. Some of the implications for FTX were as follows:

  • Bankman-Fried had quoted $8M for the exchange
  • The California Department of Financial Protection and Innovation started an investigation into FTX
  • Bankman-Fried stepped down as a CEO.
  • FTX filed for Chapter 11 bankruptcy
  • Unauthorized transactions took place
  • A lawsuit against FTX was filed
  • Bahamas took control of FTX Digital Assets

Eventually, the charges against Bankman-Fried led to his arrest by the Bahamian authorities. At the time of writing, former CEO Sam Bankman-Fried pleaded not guilty to criminal charges and allegations on Jan 3rd. His next trial date of October 2nd will let us know what happens next to Bankman-Fried and FTX.

Summary

So, that’s about 60+ Web3 hacks in 100+ months, from 2016 to 2022. It’s not that Web3 is not safe; it just isn’t completely safe yet, and the volatile nature of cryptocurrency leads to the fall and rise of market shares in a second. Code vulnerabilities, compromised keys, and scams are ways hackers employ to steal. This reminds us that we must be vigilant with our information and must give Web3 a chance to grow to its fullest potential.

Try to understand why and how blockchain can be susceptible to various web3 hacks and how to stop them.