Informed Crypto News
Three DeFi hacks net $10 million in 48 hours despite ‘renaissance moment’
Headline, three DeFi hacks net $10 million in 48 hours despite Renaissance Moment, published at 6.06 p.m. September 27, 2024 on Protos.com. Yesterday, two hacks on decentralized finance, DeFi protocols netted a total of over $5 million, with a further $5 million siphoned off from compromised wallets on Wednesday. While the founders of two OG protocols, Ave and Maker, NowSky, broke down over StarCraft while basking in a DeFi Renaissance Moment, some of the sector's less well-established projects were going down in history for the wrong reasons. Subheading, repeat DeFi hack or a new bug. First up was Onyx Protocol, whose $3.8 million loss was first thought to be a repeat of the well-known bug that drained $2.1 million from the project toward the back end of last year. Onyx is a fork of compound finance, which contains an infamous vulnerability in which freshly launched empty lending markets are briefly left open to a price manipulation attack, if not handled correctly. Given the popularity of Compound's V2 codebase with fast-forking DeFi devs, the bug is exploited with alarming regularity across the sector and was initially identified as having been the cause of Onyx's latest loss. However, as the team pointed out in a post-mortem thread on X, formerly Twitter, this time the vulnerability also lay in the platform's NFT liquidation contract. The attacker was able to drain the VUSD stablecoin, which was then sold off, causing it to depegg. Subheading, Something's not adding up. Next came Bitcoin restaking protocol Bedrock, which appeared to be overly bullish on ETH, costing it around $2 million. The faulty code allowed users to mint Bedrock's unibtc token at a one-to-one ratio with staked ETH tokens, not taking into account the price difference between the two assets, valued at the time at approximately $65,000 versus $2,650 respectively. The unibtc tokens were then sold off for an alternative wrapped Bitcoin token for a return of almost 25 times. Cryptosecurity auditor D-Dob claims to have identified the vulnerability in advance, stating that such a simple bug could be discovered and exploited automatically by fuzzing bots. Despite warning the Bedrock team two hours before the attack, there was no response due time zone differences. However, by raising the issue separately with Pendle, a platform with $30 million of exposure to unibtc, further losses were successfully averted. The Bedrock team responded to the incident, reassuring users that all unibtc collateral remains intact. It estimated the losses at approximately $2 million, mostly in DEX LPs, adding that a comprehensive reimbursement plan is being finalized. Compromised keys? On Wednesday, real-world asset-focused Truflation warned of some abnormal activity, which it attributed to a malware attack. Blockchain investigator Zach XBT traced total losses of over $5 million from addresses identified as the project's treasury multi-sig and personal wallets, providing a list of addresses via his investigations telegram channel. While the initial disclosure was scant on details, it does mention a reward to any white hats able to aid the investigation. This was followed up with an on-chain message to the hacker, offering a 10 percent bounty for the return of the funds. Assuming funds aren't returned before 8 a.m. UTC on Saturday, the bounty will be opened up to the public in return for information leading to a conviction. This recording was AI generated. Get more crypto news at protos.com.