Top DeFi hacks and exploits of 2022

The collapse of centralized crypto firms became the biggest news stories in 2022, with Celsius and FTX dominating mainstream coverage.

CeFi also experienced its share of hacks, such as exchanges Crypto.com, Deribit and the more than $400 million from FTX during its chaotic implosion last month.

DeFi has taken a hammering, too. CeFi’s failures can mainly be chalked up to mismanagement, opacity, and fraud. Many of the following DeFi hacks and exploits are down to smart contract vulnerabilities, from which there is generally no recourse.

Let’s take a look at the top five DeFi hacks and exploits that happened this year.

Axie Infinity’s Ronin bridge exploit

The concept of play-to-earn was one of 2022’s most hyped crypto narratives. Sky Mavis’s Axie Infinity, a play-to-earn NFT game where users could battle, breed, and trade axolotls, grew rapidly. It boasted around 3 million users earlier this year, many of which were attempting to earn above minimum wage by grinding in the game — until token inflation diminished their earning potential.

In order to keep transaction costs down and ease network congestion, Axie Infinity moved from Ethereum to its own Ethereum sidechain, Ronin Bridge. Players could move their original tokens onto the bridge and receive an equal amount of ‘wrapped’ tokens to play with.

However, the project’s centralized nature as well as the decision to build a cross-blockchan bridge led them vulnerable to attack. The hack was announced in March: 173,600 ether ($578 million) and $25.5 million in USDC was taken. Sky Mavis admitted that it took them a month to notice the funds were gone.

In April, North Korean state-sponsored hackers Lazarus Group were identified by US authorities as the culprits. The attack was executed by compromising a majority of the chain’s validators (five of nine), four of which were centrally maintained by Sky Mavis.

The play-to-earn crypto bubble has popped — Axie Infinity leads, down 99% from ATH

Read more: North Korean hackers used new methods to target Israeli crypto

Binance’s BNB Chain got rekt

A month before the collapse of rival exchange FTX, the cross-blockchain bridge to Binance’s smart contract blockchain, BNB Chain, was hit by an enormous hack. Two million BNB tokens were stolen from Binance’s BSC Token Hub, worth about $586 million at the time. However, the attacker was only able to make off with less than $150 million before validators halted the network.

Forged deposit transactions convinced the bridge that the hacker had previously deposited the 2 million BNB, which were then eligible to be withdrawn into their own account. Shortly after the hack, the offending address was blocked from accessing the remainder of the stolen BNB.

Explained: How $600M was stolen from Binance’s BNB chain

Read more: Reuters hints at ‘dark secrets’ surrounding Binance and its reserves

Terra’s collapse sent shockwaves across DeFi

While technically neither a hack nor an exploit, the implosion of the TerraForm Labs’ algorithmic stablecoin and native token, terraUSD and luna, was by far the single biggest disaster to hit the DeFi world in 2022. The fallout was immense, touching all corners of the industry and contributing to the collapse of CeFi firms.

The bull market in 2020 and 2021 caused yields to drop across DeFi. This created the temptation for users to place their trust in ‘safe’ 20% stablecoin yields via terraUSD and Anchor Protocol, often increased via looped leverage in MIM’s Degenbox. The algorithmic stablecoin skyrocketed.

Here’s how crypto’s third largest stablecoin Terra (UST) collapsed

Many saw the disaster coming, given that terraUSD’s dollar peg, maintained by algorithms that minted and burned luna tokens, would only hold up while luna’s market cap was valued higher than that of circulating terraUSD.

US prosecutors are now investigating whether crypto exchange FTX founder Sam Bankman-Fried — who now faces eight criminal and federal charges of fraud and money laundering — was responsible for the collapse. Reportedly, he shorted luna and tried to make gains by dumping huge amounts of it on the market. TerraUSD then de-pegged, causing a death spiral which coincidentally, had a hand in the collapse of his own firm a few months later.

Solana’s Wormhole bridge got jumped

Solana was one of the hottest DeFi platforms for a time last year, with total value locked (TVL) skyrocketing 20-fold in the second half of 2021. But in February this year, the Wormhole bridge, Solana’s portal to Ethereum, was exploited for over $300 million.

Smart contract hackers exploited a bug within Wormhole to mint themselves hundreds of millions of dollars worth of Solana-based wrapped ether (WETH) without putting up any ether as collateral, as is usually required. They then siphoned ether from the Wormhole protocol via the Ethereum blockchain.

Explained: Why hackers keep exploiting cross-blockchain bridges

Read more: Crypto crime spree continues with Deribit and Solend hacks

The Solana network was a favorite of FTX, Alameda Research, and a variety of VCs with deep pockets. Rather than see their investments damaged, a $320 million bailout was quickly arranged by Jump Crypto — which had previously acquired Wormhole developer Certus One — to prevent a major meltdown across Solana and Ethereum.

Nomad bridge’s exploit seemed unreal

In August, the industry saw multiple attackers drain a total of $190 million of users’ cryptocurrency from the Nomad bridge which connected various networks, including Ethereum, Evmos, and Moonbeam.

The vulnerability was introduced during a routine upgrade to Nomad’s smart contracts which caused invalid withdrawals to be read as valid. The initial attack transaction began to be copied and resubmitted by others.

1/ Nomad just got drained for over $150M in one of the most chaotic hacks that Web3 has ever seen. How exactly did this happen, and what was the root cause? Allow me to take you behind the scenes 👇 pic.twitter.com/Y7Q3fZ7ezm

— this is now a shitpost account (@samczsun) August 1, 2022

As one Paradigm researcher commented, anyone with a basic understanding of code could have pulled off an exploit against Nomad’s smart contract, as all it took was replacing their wallet address with someone else’s. However, some bad actors saw the light — over $30 million was returned in the days following the hack.

What’s in store for DeFi in 2023?

Countless other incidents and exploits have occurred in 2022, spelling a troubled year for DeFi. Many of the year’s largest hacks targeted cross-blockchain bridges, which Ethereum founder Vitalik Buterin warned carried higher security risks.

Looking ahead to 2023, heightened regulation will likely fuel censorship debates within the Ethereum community. Earlier this year, sanctions imposed on crypto mixer Tornado Cash signalled a willingness by the US Treasury to crack down on privacy, and sparked free speech protests. All in all, 2023 may be another tough year for DeFi.

For more informed news, follow us on Twitter and Google News or listen to our investigative podcast Innovated: Blockchain City.