- DeFi sector suffers multiple hacks and exploits in January, losing nearly $40 million in crypto assets.
- Gamma Strategies, Radiant Capital, Socket Protocol, Wise Lending, and Goledo Finance are the affected protocols.
- Hackers use flash loans, rogue contracts, rounding errors, and input validation flaws to drain funds from the protocols and use Tornado Cash to launder them.
The decentralized finance (DeFi) sector has suffered a series of security breaches and exploits in the first month of 2024, resulting in losses of nearly $40 million worth of cryptocurrencies. According to a report by Quantstamp, a blockchain security firm, at least five DeFi protocols were hacked or exploited in January, exposing the vulnerabilities and risks of the developing industry.
🚨$38.9M has been lost to web3 security incidents so far in January 2024 🚨
Let's take a look at 5 of the largest smart contract hacks so far ⬇️
— Quantstamp (@Quantstamp) January 30, 2024
On January 4, Gamma Strategies, an Ethereum-based protocol that offers liquidity management and market-making solutions, suffered a $3.4 million hack. The hacker deployed several rogue contracts and executed transactions that drained funds from the protocol.
The hacker then swapped the stolen tokens into $ETH, using $USDT as an intermediate hop, so that the proceeds could not be frozen by a token issuer and are harder to follow. At the time of the report the hacker held 1535 ETH, worth about $3.4M.
As in many such incidents, the proceeds are being laundered through Tornado Cash, a mixer that breaks the on-chain link between deposit and withdrawal addresses. The hacker has already sent more than $1.65M to Tornado Cash, making the source and destination of the funds harder to trace.
Other DeFi Protocols in Quantstamp’s List
Next came a $4.5 million (2337 ETH) hack that forced Radiant Capital, a cross-chain lending and borrowing protocol, to pause its Arbitrum markets. The exploit targeted one of its newly launched USD Coin (USDC) markets on Arbitrum, a layer-2 scaling network for Ethereum.
The hacker used a flash loan attack that exploited a rounding error in the protocol's code. The attacker pushed the index parameter (the liquidity index, which the contract uses as a divisor when converting deposits into internal balance units) to a very high value. At that magnitude the integer division loses so much precision that each deposit-and-withdraw cycle rounds in the attacker's favor, and the attacker repeated the cycle to drain the market. A newly launched market holding little liquidity is exactly where a single actor can push such an index this far.
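To make the rounding mechanism concrete, here is a simplified model of scaled-balance accounting in an Aave-style pool, written for this article; it is not Radiant's or Aave's code. The `RAY` fixed-point scale, the round-to-nearest `ray_div_half_up`, the index multiplier, the pool reserve and the attacker's deposit and withdrawal amounts are all assumptions, and the flash-loan step that inflates the index is taken as given rather than modelled. The same `Pool` is run twice: once rounding to nearest in both directions, and once rounding every conversion in the protocol's favor.

```python
"""Toy model of scaled-balance accounting in an Aave-style lending pool.

A deposit is stored as amount / index (a 'scaled' balance); a withdrawal burns
amount / index and pays out amount. This is an added, constructed model, not
Radiant's or Aave's code: the index multiplier, pool reserve and attacker amounts
are assumptions chosen to show why rounding to nearest, combined with a huge index,
pays the attacker on every deposit/withdraw cycle.
"""

RAY = 10**27  # fixed-point scale: an index of RAY means 1.0


def ray_div_half_up(a: int, b: int) -> int:
    # Round to nearest, as the vulnerable model does in both directions.
    return (a * RAY + b // 2) // b


def ray_div_down(a: int, b: int) -> int:
    return (a * RAY) // b


def ray_div_up(a: int, b: int) -> int:
    return (a * RAY + b - 1) // b


class Pool:
    """Single-asset pool tracking the attacker's scaled balance and the reserve it can drain."""

    def __init__(self, index: int, reserve: int, round_for_protocol: bool):
        self.index = index                    # liquidity index, RAY == 1.0
        self.reserve = reserve                # underlying held (other depositors' money)
        self.scaled = 0                       # attacker's scaled balance
        self.round_for_protocol = round_for_protocol

    def deposit(self, amount: int) -> int:
        if self.round_for_protocol:
            minted = ray_div_down(amount, self.index)    # never mint more than was paid for
        else:
            minted = ray_div_half_up(amount, self.index)
        self.scaled += minted
        self.reserve += amount
        return minted

    def withdraw(self, amount: int) -> int:
        if self.round_for_protocol:
            burned = ray_div_up(amount, self.index)      # never burn less than is paid out
        else:
            burned = ray_div_half_up(amount, self.index)
        if burned > self.scaled or amount > self.reserve:
            raise ValueError("insufficient scaled balance or reserve")
        self.scaled -= burned
        self.reserve -= amount
        return burned


def attack_profit(index_multiplier: int, cycles: int, round_for_protocol: bool) -> int:
    """Run the deposit/withdraw cycle against a pool whose index is index_multiplier x 1.0.

    The index inflation itself (the flash-loan step) is assumed, not modelled. Each
    cycle deposits the smallest amount that rounds up to one scaled unit and withdraws
    the largest amount that rounds down to one scaled unit. Returns the attacker's net
    gain in underlying tokens; negative means the pool kept the rounding dust.
    """
    n = index_multiplier
    pool = Pool(index=n * RAY, reserve=10 * n * cycles, round_for_protocol=round_for_protocol)
    net = 0
    for _ in range(cycles):
        dep = n // 2 + 1          # dep / n is just above 0.5 -> rounds to 1 scaled unit
        wd = (3 * n) // 2 - 1     # wd / n is just below 1.5 -> rounds to 1 scaled unit
        pool.deposit(dep)
        net -= dep
        try:
            pool.withdraw(wd)
        except ValueError:
            break                 # hardened pool: deposit minted 0, withdrawal would burn >= 2
        net += wd
    return net


if __name__ == "__main__":
    print("half-up rounding, index x1e12:", attack_profit(10**12, 3, False))
    print("half-up rounding, index x2:   ", attack_profit(2, 3, False))
    print("protocol-favouring rounding:  ", attack_profit(10**12, 3, True))
```

With the index inflated by a factor of 10**12, every cycle nets the attacker roughly one index-worth of underlying (n - 2 units) for a working balance of about n/2, so the loop only needs the pool's reserve to be larger than the attacker's stake. With the index at a realistic value the same cycle gains nothing, which is why inflating the divisor was a necessary step. The hardened variant rounds minted units down and burned units up, so a deposit smaller than one index-unit mints nothing and any withdrawal is charged at least what it pays out; the attacker's first deposit is simply lost as dust to the pool.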
Another protocol that suffered an attack was Socket Protocol. A $3.3 million hack hit Socket through a user-input validation flaw in a route that had been added three days before the attack. Because many users had granted Socket contracts unlimited token approvals, the unvalidated input let the hackers make those contracts pull funds out of the approving wallets without authorization. Such approvals remain exploitable until the wallet owner revokes them, even after the vulnerable route is disabled.
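The general pattern, a contract that holds broad allowances and acts on unvalidated caller input, is shown below in a constructed model written for this article; it is not Socket's contract code, and the token, router, addresses, balances and the shape of the `route` input are all assumptions. The same router is run once without and once with the check that a route may only pull the caller's own funds.

```python
"""Toy model of an ERC-20 allowance and an aggregator router that users approve.

Added example, not Socket's contracts: the token, router, addresses and balances
are constructed to show why an unvalidated 'from' field in user-supplied route
input, combined with unlimited approvals granted to the router, lets a stranger
drain the approver's wallet.
"""

UNLIMITED = 2**256 - 1


class Token:
    """Minimal ERC-20: balances plus (owner, spender) -> allowance."""

    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner: str, spender: str, amount: int) -> None:
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender: str, src: str, dst: str, amount: int) -> None:
        # The token only checks that `spender` was approved by `src`; it cannot know
        # whether the spender contract was tricked into acting for someone else.
        allowed = self.allowances.get((src, spender), 0)
        if allowed < amount or self.balances.get(src, 0) < amount:
            raise PermissionError("allowance or balance too low")
        if allowed != UNLIMITED:
            self.allowances[(src, spender)] = allowed - amount
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class Router:
    """Aggregator contract: users approve it once, then submit a route per trade."""

    ADDRESS = "router"

    def __init__(self, token: Token, validate_input: bool):
        self.token = token
        self.validate_input = validate_input

    def execute_route(self, caller: str, route: dict) -> None:
        # `route` is caller-controlled input; its 'from' field names whose tokens to pull.
        src, dst, amount = route["from"], route["to"], route["amount"]
        if self.validate_input and src != caller:
            # Hardened route: a caller may only move funds they themselves approved.
            raise PermissionError("route may only pull the caller's own funds")
        # The router spends the allowance granted to it, on behalf of whoever `src` says.
        self.token.transfer_from(self.ADDRESS, src, dst, amount)


def run_scenario(validate_input: bool) -> tuple:
    """Victim approves the router without limit; attacker submits a route naming the victim.

    Returns (victim_balance, attacker_balance) after the attempt.
    """
    token = Token({"victim": 1_000, "attacker": 0})
    router = Router(token, validate_input)
    token.approve("victim", Router.ADDRESS, UNLIMITED)   # the usual "approve once" UX
    malicious_route = {"from": "victim", "to": "attacker", "amount": 1_000}
    try:
        router.execute_route("attacker", malicious_route)
    except PermissionError:
        pass  # hardened router rejects the route; nothing moves
    return token.balances["victim"], token.balances.get("attacker", 0)


if __name__ == "__main__":
    print("vulnerable router:", run_scenario(validate_input=False))
    print("hardened router:  ", run_scenario(validate_input=True))
```

The token behaves correctly in both runs: the router really was approved by the victim, so the drain looks like an ordinary spend from the token's point of view. The only place the attack can be stopped is in the router, by binding every field of the route that selects whose funds move to the transaction sender, and by not letting a new route execute caller-supplied targets or calldata at all. On the user side, the same model shows why a finite approval sized to the trade limits the damage that any future router bug can do.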
The remaining protocols on the list were Wise Lending and Goledo Finance. A contract vulnerability in Wise Lending, a Web3 lending platform and yield aggregator, enabled a flash loan attack that cost it around $464,000.
On January 28, Goledo Finance, a lending and borrowing market on Conflux eSpace, also suffered a security breach. The team detected anomalies in its lending pool and quickly shut it down to prevent further losses.