Here’s how three DeFi protocols lost $115M in one day

Three DeFi protocols were hacked and drained of $115 million yesterday, marking one of the most devastating 24-hour periods in DeFi’s recent history.

Mango Markets, Stax, and Rabby Swap were relieved of $112 million, $2.36 million, and $200,000 respectively. Decentralized exchange aggregator ParaSwap was also reported to have been hit but has since denied the rumors.

Yesterday’s hacks have added to an already bad month for DeFi. Transit swap, a multi-chain decentralized aggregator lost ~$21 million a week ago when a bug was exploited in its smart contract, and on October 7, Binance’s BSC Token Hub was exploited for two million BNB, worth over $580 million.

So, how did the three most recent attacks go down?

Mango Markets

The Solana-based platform, which focused on trading perpetual futures and margin, lost $112 million. 

On Tuesday, a hacker apparently manipulated Mango Markets’ collateral to take out a loan of $116 million that essentially drained the platform of its liquidity. FTX is investigating the matter after online sleuths noticed the hacker used the exchange. Mango Markets has offered a bug bounty if the funds are returned. 

@mangomarkets was just drained for over $100M. https://t.co/SI4hccCIQx

🧵 pic.twitter.com/IAKyXgN8gM

— OtterSec (@osec_io) October 11, 2022

Temple DAO’s Stax

The DeFi protocol, which offers yields on deposits, lost $2.36 million (1,831 ETH) yesterday. 

The hacker exploited a flaw in Temple DAO’s Stax contract system which was meant for switching old stakes to newer contracts using the migrate stake function. According to blockchain security firm Paladin, the contract and the vulnerability that allowed the attack were deployed for over 100 days before someone took advantage.

🚨 Temple DAO's https://t.co/kQK1dEfpkQ was exploited 1 hour ago for a total value of $2.3m (1,831 ETH).

We have reached out to the team to assist and have contacted Binance which the wallet was funded by.

Funds are presently on-chain in eth.https://t.co/jyeEUYyUw1

— Paladin Blockchain Security (@0xPaladinSec) October 11, 2022

The auditor also described the hack as “one of the most trivial exploits at scale in a while.”

Read more: Explained: Why hackers keep exploiting cross-blockchain bridges

Rabby Swap

The open-source browser plugin, which allows users to make transfers between different chains was reportedly exploited for $200,000.

The exploit found in its smart contract allowed hackers to transfer user funds. Rabby Swap has since asked users to revoke approvals on all chains and has warned of fake accounts offering help.

There is an exploit on Rabby Swap smart contract.

If you have used it, please revoke all existing approvals on all chains for Rabby Swap.
For those who haven't used Swap, your wallet is safe and unaffected.

We are actively working to solve it and we will keep you updated.

— Rabby Wallet (@Rabby_io) October 11, 2022

Read more: Zcash chain triples in size thanks to $10-a-day spam attack

ParaSwap

The decentralized exchange aggregator, which offers users the option to exchange various crypto tokens, was reportedly exploited and it was claimed that funds were stolen on multiple chains. However, ParaSwap quickly shut down claims of a DeFi hack. 

✅ No vulnerability found! Please check the facts & Don't Trust, Verify!

We’ll follow up with analysis & an explanation of what’s a deployer address and how we made sure they have no power at all! https://t.co/uQKVncMZof

— ParaSwap (@paraswap) October 11, 2022

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.