Blockchain Hacks: 2020 | $15 billion lost, how can we mitigate hacks in 2021?

Originally published
January 26, 2021

“If it looks like a duck and quacks like a duck, it’s probably a duck.”

This quote seems to resonate for many of us, and, indeed, holds true in almost every circumstance. What we expose to the world, is often fed back to us through external evaluations — this principle is echoed throughout, seemingly, all aspects of life and industry.

Image for post

Birthed in 2009 with Sathoshi’s first Bitcoin block, blockchain is no longer the infant it once was. However, for many, the wider crypto space is still akin to the wild west; an area in which scams, runaways, and hacks are prevalent.

The challenge which presents itself, and one which the CertiK Foundation is rising up to, is to change the global perception of this. Who can be blamed for echoing the wild west sentiment when hacks are so prevalent in the industry? Opinions can be changed, and anxiety reduced, by tackling the source of these issues at the core; security. A secure, healthy, open blockchain works to throw back the curtains for the typical institutional investor.

Image for post

According to statistics, the security rate of websites and software in traditional fields, that is the amount which have not suffered a hack, reached 97.5% in 2020, whilst the largest asset based hack resulted in a loss of a mere $7.5k

Over in the cryptosphere, the security rate of smart contracts and related nodes is a mere 89%, and the losses often range from $1 million up to $10 million+. Due to the intangible nature of blockchain based assets, the value of stolen crypto can easily exceed the loss of assets from traditional networks and industries. .

As a response to this epidemic, CertiK security experts reviewed 21 typical blockchain projects in 2020, analyzed the reasons for their attacks and the attack methods used by hackers, as a reference for the industry’s security incident warnings. Among the 21 blockchain projects analyzed, 8 attacks were caused by implementation logic errors, 4 price prediction machine manipulation incidents, 3 project fraud incidents, 3 reentry attacks, and lightning loan attacks. 2 cases, 1 case of wallet attack. The list of these security incidents is as follows:

Figure 1: List of major blockchain accidents in 2020

Image for post

Figure 2: Blockchain major accidents’ losses in 2020

Image for post

Figure 1 and Figure 2 show the loss of major blockchain accidents in 2020.

Image for post

Figure 3: Loss of each attack type.

Details of major attacks in 2020

1. Cover Protocol On the evening of December 28, 2020, the CertiK security verification team discovered that Cover Protocol suffered an unlimited token issuance vulnerability attack. The attacker repeatedly pledged and retrieved the project’s smart contract, triggered the operation of minting tokens, and carried out unlimited additional issuance of COVERtokens, causing the price of Cover tokens to collapse. Total loss; approximately $4.4m

2. Warp Finance On December 17, 2020, the attacker used the oracle used by the Warp Finance project to calculate the incorrect price of the pledged LP token asset, and profited from the Warp Finance project about 1462 ETH, with a total value of approximately$950,000. In addition, the attacker minted DAI-ETH LP shares worth about $6 million, and about $1 million of profits flowed into uniswap and sushiswap’s LP. In this attack. Total loss; approximately $7.7m

3. Compounder.Finance At 3 pm on December 1, 2020, the CertiK security technical team discovered through Skynet that several transactions of a large number of tokens occurred in the Compounder.Finance’s smart contract. After careful verification, it was learned that these transactions were internal operations, and the project owner transferred a large amount of tokens to his account. Total loss; approximately $11.76m

4. SushiSwap On November 30, 2020, the Sushiswap project was discovered to have been attacked by malicious liquidity providers. The attacker exploited the vulnerability in the Sushi Maker contract of the project to carry out the attack, and made a profit of approximately $15,000.

5. Compound On November 26, 2020, an error was uncovered in the Compound project stemming from an issue with the price oracle. The Coinbase price oracle has caused huge fluctuations in the price of DAI. Total loss; approximately $90m

6. Pickle Finance At 2:37 on November 22, 2020, the CertiK security verification team discovered through Skynet that the Pickle Finance project was attacked. The attacker took advantage of a vulnerability in the contract that did not check whether the external Jar contract was legal or not. Total loss; 19.75m DAI, amist $20 million.

7. Origin Protocol On November 17, 2020, Original Protocol project OUSD was attacked by a combination of flash loan and reentry attacks. The attacker used the reentrance vulnerability in the mintMultiple() function in the contract to increase the funds from the flash loan as leverage to expand the attack revenue. Total loss; approximately $7m

8. Cheese Bank On November 16, 2020, Cheese Bank, a DeFi project, was attacked through flash loans. Attackers manipulated the number of tokens in the liquidity pool and reset the oracle to increase the price of Uniswap LP liquidity certificates. Total loss; approximately $3.3m, including $2m in USDC.

9. Value DeFi On November 15, 2020, the DeFi project Value Defi was attacked through flash loans. The attacker used the Curve price oracle in the project to manipulate the oracle token price calculation vulnerability through flash loans. Total loss; approximately $7.4m in DAI.

10. Eminence On September 29, 2020, the attacker used a script program to borrow funds through flash loans, exploiting the Bonding Curve model vulnerability in the Eminence project, the hacker repeatedly bought and sold EMN and eAAVE to gain revenue. Total loss; approximately $15m.

11. GemSwap On September 26, 2020, DeFi project GemSwap was attacked by the project owner’s backdoor. The project owner took out all the liquidity certificates and transferred them to his own account by calling the backdoor function emergencyWithdraw(). Total loss; approximately $1.3m.

12. Soda Finance On September 21, 2020, the CertiK security research team discovered a smart contract security vulnerability in the soda blockchain project. This vulnerability allowed arbitrary external callers to forcibly settle the victi’s debt by calling the smart contract function, ignoring the number of tokens in the victim’s debt, and to transfer the proceeds from the settlement operation to their own payment address. Total loss; approximately $160,000

13. BASED On August 14, 2020, the liquidity mining project Based had a loophole caused by an initialization error. When its smart contract was deployed, the official Base only declared the owner by calling the renounceOwnership function in the smart contract, and did not initialize the smart contract. An external attacker preemptively called the initialize function to initialize the smart contract before the official website of Based.

14. YAM On August 12, 2020, YAM Finance officially announced that they had discovered a smart contract vulnerability, and stated that the vulnerability would generate YAM tokens that exceeded the initial set amount. When calculating totalSupply, it gave an incorrect result. It would result in too many tokens reserved by the system. Total loss; approximately $750,000

15. NUGS On August 11, 2020, the CertiK security research team discovered that the Ethereum-based token project NUGS had security issues. There were security vulnerabilities in its smart contracts, causing huge inflation in its token system. Since the security vulnerability of the smart contract could not be repaired, the NUGS project officially announced the decision to abandon the project, and the tokens deposited in it cannot be withdrawn. The loss of this attack was huge, which directly caused the project to fail.

16. Opyn On August 4, 2020, an attack occurred on the DeFi project Oypn. The cause of the attack was a vulnerability in the exercise function of the smart contract oToken. When the attacker sent a certain amount of ETH to the smart contract, the smart contract only checked whether the amount of ETH was consistent with the amount required to complete the futures transaction, instead of dynamically checking whether the amount of ETH sent by the attacker was still equal to the amount required to complete the futures transaction after every transaction. In other words, the attacker could use ETH as a mortgage, and redeem two transactions, and ultimately receive twice the amount of ETH sent.. Total loss; approximately $370,000

17. Cashaa First attack occurred on July 10th. One of Cashaa’s Bitcoin wallets was stolen and 1.05977049 BTC was transferred to the attacker’s account. According to the Cashaa report, the attacker controlled the victim’s computer and operated the victim’s Bitcoin wallet on to transfer BTC to the attacker’s account. The second attack occurred on July 11. A total of 8 bitcoin wallets in Cashaa, a total of 335.91312085 bitcoins were transferred to the same address by the attacker through the same method. Total loss; approximately $3.1m.

18. Balancer At 2:03 am on June 29, 2020, the attacker used WETH borrowed from the dYdX lightning loan to buy a large amount of STA tokens, causing the exchange price of STA and other tokens to rise sharply. Then they used the smallest amount of STA (value 1e-18) to continuously repurchase WETH, and after each repurchase, they used the contract vulnerability of Balancer to reset the number of internal STAs (value 1e-18) to stabilize the STA to the higher price. Attackers continued to use vulnerabilities to completely buy a certain token (WETH, WBTC, LINK and SNX) with high-priced STA, and finally used WETH to repay the flash loan, acquiring a large number of STA, WETH, WBTC, LINK and SNX, and transferring their illegal gains to their own account through uniswap.

After CertiK captured the Balancer attack at 2 am on June 29, the Balancer project was attacked again at 20:23 and 23:23 on June 29, 2020. After the attacker borrowed tokens from the dYdX lightning loan and minted them, they obtained cWBTC and cBAT tokens through a Uniswap flash loan, and then traded the borrowed tokens in a large amount in the Balancer token pool, thereby triggering the airdrop mechanism of the Compound protocol. After obtaining the airdropped COMP tokens and using the vulnerable gulp() function of Balancer to update the number of token pools, all tokens would be removed and the flash loan would be returned. The attack was the equivalent to exploiting the financial model of the Compound protocol, flash loan and Balancer code vulnerabilities, creating COMP out of nothing.Total loss; approximately $500,000

19. Hegic On April 27, 2020, due to an error in the code implementation in the Hegic project, the user funds in the contract were locked and could not be operated by any method. Total loss; approximately $28,000

20. Lendf.Me On April 19, 2020, the project was attacked by a reentry attack based on a flaw in the ERC777 standard.Total loss; approximately $25m.

21. Uniswap On April 18, 2020, the DeFi project Uniswap was attacked. The attacker used ERC777 to complete the token exchange feature in the same transaction, and used its tokensToSend() function to perform a reentry attack on Uniswap. Total loss; approximately $220,000


As illustrated by the above statistics, these 21 major attacks resulted in a total loss of approximately $200 million. This was stolen through various attack methods including price oracle manipulation, reentry attacks, implementation logic errors, lightning loan attacks, project party fraud, and wallet attacks, making it impossible to guard against. Perhaps due to the fundamental statistical nature of computer science, we’re able to gain insight into the average amount of bugs in typical code.. On average, there are 1–25 bugs in every 1,000 lines of code. In other words,the probability of one of these vulnerabilities arising is 0.1–2.5%). Looking for a little more insight into what this means? Check out our video below. (Insert our video link)

In blockchain, any minor bug may cause irreparable losses to the project or investors. To change the prejudices and stereotypes of the “duck”, and to establish a safe and secure blockchain ecology, it needs the persistence and dedication of every project and individual towards security.

There is no doubt about the importance of security audits for blockchain projects. However, statically audited projects cannot guarantee 100% static and dynamic security. According to the statistics of CertiK security experts, the security rate of audited smart contracts and nodes in the industry is 92.6%, but with CertiK’s formal verification technology, the security rate can be as high as 99.6%!

The remaining 0.4% is mostly due to changes in the smart contract during the interaction process, which led to the failure of static auditing.

At this time, a security oracle that can monitor the security status at any time, such as the one developed and introduced by the CertiK Foundation, and a decentralized fund pool that can obtain compensation after an accident, CertiKShield, will be the most beneficial long term, decentralized, solution to the issue of security, and lost/stolen assets.