The Biggest Security Breaches of 2021

According to on-chain analytics firm Chainalysis, the volume of crime-related crypto transactions hit an all-time high of $14 billion in 2021. Despite the increased volume of illicit transactions, their relative share of total crypto trading volume hit an all-time low in 2021. These stats show that the crypto sector is expanding faster than the cybercrime associated with it. At the same time, they also show that security in the industry is catching up with demand.

While the share of crime-related transaction volume in crypto declined in 2021, there were still some security breaches that took their toll.

The most lucrative cyber attacks of 2021

Poly Network – $611 million

The Poly Network hack took place on August 10, 2021. Approximately $611 million worth of digital assets was stolen across three blockchains: Ethereum, BSC, and Polygon. The hacker later returned the full amount, stating that he only wanted to warn about vulnerabilities in the Poly Network protocol and was not acting for personal gain.

Poly Network is a cross-chain network that allows users to perform cross-blockchain operations in a decentralized manner, for example transferring money from one blockchain to another. This requires a large amount of liquidity in the protocol. At Poly Network, liquidity is controlled by special smart contracts.

The contracts attacked were EthCrossChainManager and EthCrossChainData. EthCrossChainData is owned by EthCrossChainManager and stores a list of public keys that can control liquidity (keepers).

The attacker exploited a vulnerability in the EthCrossChainManager contract and tricked it into replacing the keeper stored in EthCrossChainData with the attacker's own key. The hacker then seized the liquidity of the Poly Network protocol and gained full control over the protocol’s operation.

Bitmart – $196 million

On December 4, 2021, $200 million worth of crypto was stolen from a hot wallet of the centralized exchange Bitmart. The attackers stole the private key used to access the exchange’s hot wallet.

The Bitmart exchange claimed it lost $150 million, but blockchain cybersecurity firm PeckShield later claimed that more than 20 cryptocurrencies and tokens were stolen on the Ethereum blockchain and Binance Smart Chain, with losses totaling $196 million. They also traced the route of the stolen assets, except for the final destination. The attacker first exchanged the stolen assets for ETH using the 1inch DEX aggregator, then laundered the ETH through the Tornado Cash privacy mixer, where the trail was lost.

This cyber attack again exposes the weakness of storing the private keys of many addresses holding huge sums on a single server: a compromise of that server exposes all of the exchange’s hot wallets at once.

Cream Finance – $130 million

During the December 2021 attack, one or two hackers used multiple protocols (MakerDAO, AAVE, Curve, Yearn.finance) to steal $130 million in tokens and cryptocurrencies from Cream Finance.

The evidence suggests that there could be two hackers, since two addresses were in use: Address A and Address B. First, Address A borrowed $500 million in DAI from MakerDAO, moved that liquidity through Curve and Yearn.finance, and used it to mint 500 million cryUSD on Cream Finance. At the same time, Address A increased the liquidity in Yearn.finance’s yUSD vault to 511 million yUSDVault.

Address B then took out a flash loan of $2 billion in ETH from AAVE and deposited it in Cream to mint $2 billion of cEther. Address B then exchanged 1 billion yUSDVault and 1 billion cryUSD and transferred them to Address A. Thus, Address A received 1.5 billion cryUSD.

Address A then buys 3 million DUSD from Curve and exchanges it all for yUSDVault, leaving 503 million yUSDVault in the account. Address A exchanges 503 million yUSDVault for the underlying yUSD token, bringing yUSDVault’s total supply to 8 million.

Next, Address A transfers 8 million yUSD to Yearn.finance’s yUSD vault, doubling the value of the vault. This prompted Cream’s PriceOracleProxy to double its cryUSD valuation, because it determines the price of cryUSD from the valuation of the Yearn yUSD vault divided by the total supply of yUSDVault, i.e. $16M / 8M yUSDVault. As a result, Cream treats Address A as holding 3 billion cryUSD.

This mistake ultimately cost Cream Finance. The hackers were able to quickly repay the loan and pocket all of the liquidity ($130 million) tied up in Cream Finance with the remaining $1 billion in cryUSD.
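The pricing flaw described above can be reproduced with the article's own figures. This is an added example, not Cream Finance or Yearn code: `ShareVault`, `spot_value` and `BoundedOracle` are hypothetical names, one cryUSD is assumed to be valued at one vault share, and the bounded oracle is one possible mitigation rather than the fix Cream deployed.

```python
from fractions import Fraction

class ShareVault:
    """Toy vault: `shares` (yUSDVault) are claims on `underlying` (yUSD)."""
    def __init__(self, underlying, shares):
        self.underlying = underlying
        self.shares = shares

    def transfer_in(self, amount):
        # A direct token transfer raises the balance without minting shares.
        self.underlying += amount

    def price_per_share(self):
        return Fraction(self.underlying, self.shares)

def spot_value(vault, cryusd_held):
    """Valuation as the article describes it: vault value / total supply, read now."""
    return cryusd_held * vault.price_per_share()

class BoundedOracle:
    """Hypothetical mitigation: refuse a price that moved more than
    `max_move` (a fraction) away from the last accepted price."""
    def __init__(self, vault, max_move=Fraction(1, 10)):
        self.vault = vault
        self.max_move = max_move
        self.last = vault.price_per_share()

    def price(self):
        current = self.vault.price_per_share()
        if abs(current - self.last) > self.max_move * self.last:
            raise ValueError("share price jumped; refusing to value collateral")
        self.last = current
        return current

def demo():
    # Figures from the article: 8M supply, 8M yUSD transferred in, 1.5B cryUSD held.
    vault = ShareVault(underlying=8_000_000, shares=8_000_000)
    oracle = BoundedOracle(vault)
    held = 1_500_000_000
    before = spot_value(vault, held)
    vault.transfer_in(8_000_000)          # $16M / 8M shares: price doubles
    after = spot_value(vault, held)
    try:
        oracle.price()
        rejected = False
    except ValueError:
        rejected = True
    return before, after, rejected
```

The spot valuation doubles within a single step, while the bounded oracle refuses the new price until it has been confirmed some other way.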

The most common attack patterns in 2021

Speaking of smart contract attacks, the most common type of attack is the flash loan attack described above. According to The Block Crypto, 34 of the 70 DeFi attacks in 2021 used flash loans, and the Cream Finance heist in December was the most damaging. The most typical feature of this type of attack is the use of multiple protocols. In essence, each protocol may be secure on its own, but vulnerabilities can appear when multiple protocols are used together.

Another form of smart contract compromise that can be categorized as a classic DeFi attack is a reentrancy attack. A reentrancy attack is possible when a function that calls an external contract does not update its own records (the list of addresses and what they are owed) before making that call, so the external contract can call the function again. In this case, the external contract can withdraw repeatedly, since the records in the contract are not updated after each withdrawal. These repeated withdrawals can continue until the balance of the contract is exhausted.
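The ordering problem behind reentrancy can be shown with a small simulation. This is an added example in Python rather than contract code, and every name in it (`Vault`, `Depositor`, `ReenteringDepositor`, `run`) is hypothetical; the same vault is run once with the record updated after the external call and once with it updated before.

```python
class Vault:
    """Toy pooled vault. `effects_first` selects when the record is updated."""
    def __init__(self, effects_first):
        self.effects_first = effects_first
        self.balances = {}   # per-depositor record of what is owed
        self.pool = 0        # funds actually held by the vault

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.pool:
            return
        if self.effects_first:
            self.balances[who] = 0   # record updated before control leaves
        self.pool -= amount
        who.received += amount
        who.on_receive(self)         # external call: the callee runs its own code
        if not self.effects_first:
            self.balances[who] = 0   # too late: the callee may have re-entered

class Depositor:
    def __init__(self):
        self.received = 0

    def on_receive(self, vault):
        pass                         # ordinary recipient does nothing

class ReenteringDepositor(Depositor):
    def on_receive(self, vault):
        vault.withdraw(self)         # calls back into the vault mid-withdrawal

def run(effects_first):
    """Return (amount paid to the re-entering depositor, funds left in the pool)."""
    vault = Vault(effects_first)
    other, caller = Depositor(), ReenteringDepositor()
    vault.deposit(other, 90)         # constructed sample deposits
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return caller.received, vault.pool
```

With the record updated last, the depositor owed 10 receives the whole pool of 100; with the record updated first, the second call finds a zero balance and returns immediately.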

The third most common type of attack in 2021 is targeting centralized exchanges by stealing private keys that access their hot wallets. This is an all too well-known cyber attack in cryptocurrency history, but it can still be successfully carried out.

How to protect money in the crypto space?

To protect money in the crypto space, it is better to take a good look at the platform you plan to deposit funds on: review the website and the social media activity of its team members, and check the white paper and the technical audit. In addition, it would be nice to use a feature in crypto wallets that allows users to whitelist the contracts they use frequently. This feature is available in MetaMask Wallet and in dedicated online cryptocurrency safekeeping services such as Unrekt and Debank. When funds are transferred to an approved contract, the feature flags those contracts.

If you are worried about the security of a DeFi protocol, it is better to use the code base of other tested projects. But the founder should still conduct at least one technical audit of the project’s smart contracts. This is especially important for protocols that are deployed on multiple blockchains and interact with other protocols, because they require particularly strict monitoring during the audits.

Annie