DeFi, Cross-Chain Bridge Attacks Drive Record Haul from Cryptocurrency Hacks and Exploits

TRM InsightsInsights
DeFi, Cross-Chain Bridge Attacks Drive Record Haul from Cryptocurrency Hacks and Exploits

Hacks on DeFi targets and cross-chain bridges have driven a record-setting year for hacking activity in the cryptocurrency ecosystem, with over $3.6 billion in stolen funds through November 2022, according to a review of hacking incidents by TRM Labs1

Figure 1: Total amount stolen from hacks against DeFi and non-DeFi targets

The story in numbers:

  • 3.5:1 – The ratio by which DeFi hacks outnumber those against non-DeFi targets.
  • 80 - The percentage of the total amount stolen in crypto this year that came from DeFi attacks – as much as $3 billion.
  • 11x - The average cross-chain bridge hack is about 11 times larger than the average non-cross-chain bridge hack. Hacks against DeFi-enabled cross-chain bridges are less common than hacks against other targets but are much larger on average.
  • 13 - The number of cross-chain bridge hacks detected by TRM Labs as of November 2022, with nearly $2 billion stolen. 
  • 9/10 - Nine of the ten largest hacks so far this year were against DeFi targets, and five of these were against cross-chain bridges. Preventing the nine largest DeFi attacks would have resulted in 65 percent less money stolen.

Large Sums and Vulnerabilities Make DeFi an Appealing Target 

The total value locked (TVL) in DeFi has exploded in the past two years, from about $10 billion in October 2020 to $42 billion in November 2022. Bridge volume was about $1.3 billion over the seven day period at the end of November, according to the same aggregator website.

Aside from sheer size, two other key characteristics of DeFi projects and cross-chain bridges make them both more desirable targets for would-be hackers and more vulnerable to exploits:

  • Complexity: The DeFi ecosystem is complex and interconnected, allowing hackers to employ exploits in ways that developers did not anticipate or test. For example, in a flash loan attack, hackers can use services unrelated to the target to manipulate the price of an asset or magnify the impact of the attack on the primary target.
  • Transparency: DeFi projects naturally place a premium on transparency and are usually built on open source code. This allows anyone, from security researchers to hackers, to review the code and search for exploitable vulnerabilities.  

Some hackers have also claimed that DeFi projects can be manipulated and attacked in a way that does not violate the law. This may cause would-be attackers to view DeFi projects as lower risk than CeFi targets. 

In October 2022, the Solana-based platform Mango Markets lost around $115 million when a group manipulated its price oracle, the authority that determines a token’s value. The hackers’ self-proclaimed leader, Avraham Eisenberg, later revealed his identity and characterised his team’s activities as a “highly profitable trading strategy” rather than a hack. It remains unclear if Eisenberg will be prosecuted.

Figure 2: A Tweet from the alleged Mango Markets hacker claiming his actions were legal

DeFi Hacks Include Infrastructure Attacks, Code Exploits, and Protocol Attacks

Infrastructure attacks, code exploits, and protocol attacks are responsible for the majority of the total amount stolen from hacks so far this year. Some hackers use a combination of these attack types to gain access to funds. 

  • Infrastructure attacks allow hackers to penetrate a target's security controls to conduct unauthorized transactions, such as by sending funds from a victim address to one controlled by the hacker. Common methods in this category include private key theft, seed phrase theft, and front-end attacks.
  • Code exploits targeting smart contracts enable attackers to remove funds from DeFi protocols without authorization. In a smart contract code exploit, hackers may use the discovered vulnerabilities to carry out attacks against the protocol. Earlier this year, Solana’s wormhole bridge was targeted in a hack resulting in over $300 million being removed from the DeFi protocol (see below).
  • Protocol attacks are a type of business logic attack that, among other things, can enable an attacker to manipulate the price of a token and create arbitrage opportunities to buy low in one market and sell high in a separate market. Flash loans and governance manipulation are some of the most common types of protocol attacks.

CeFi Failures May Fuel DeFi Hacks 

The recent failures of FTX and other high-profile centralized crypto companies such as Celsius and Voyager - known as CeFi - are likely to drive increased interest in DeFi solutions. Any resulting investor exodus to DeFi could further embolden hackers. 

To mitigate such risks, DeFi projects should turn to conventional bug bounty programs, smart contract security audits, and commercial security solutions. 

  • Conventional bug bounty programs pay hackers and security researchers for discovering and turning over vulnerabilities to the DeFi project. The vulnerability can then be patched before it is leveraged in an attack. By contrast, crypto bounty programs that pay hackers to return a percentage of the stolen funds after an attack can actually encourage hacks. For more information on crypto bounties, see TRM’s recent analysis on bounties, “Bounties Playing Prominent Role in Stolen Cryptocurrency Recovery Efforts.”
  • Security audits can spot vulnerabilities in the smart contracts that are the backbone to DeFi projects, allowing projects to fix the bugs before hackers are able to exploit the vulnerabilities. Audits are not foolproof, however, and should be used with other security controls and policies.
  • New commercial solutions are being developed to improve security across the DeFi ecosystem. Especially when combined with existing controls such as smart contract audits, innovative security products may offer improved DeFi security, although it is still too early to judge their effectiveness.

When used in combination, these controls and technologies can shrink the attack surface of DeFi protocols. As DeFi keeps growing, hackers will seek ever more audacious ways to exploit its weaknesses– as such, continued vigilance is essential.

1 We define hacks broadly in this paper, to include smart contract and code exploits, as well as general infrastructure attacks, such as stolen private keys.

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Transaction Monitoring/Wallet Screening
Training Services
Training Services
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.