In many ways, 2022 was a record-breaking year for DeFi. In early 2022, crypto adoption and TVL on DeFi protocols reached near record levels, with TVL breaking $150 billion. As the year continued, the deteriorating economic conditions in the broader financial markets have caused, and continue to cause, a decline in crypto and therefore DeFi.
The losses seen in DeFi have not solely been caused by the worsening economic conditions in traditional finance, however. Hacks played a large role in the overall losses accrued by DeFi in 2022. Take a quick glance at the Rekt leaderboard or DefiLlama’s hack dashboard, and you will see billions of dollars stolen in DeFi or bridge related hacks.
Last year, AE took a look at the nastiest hacks from 2021 and we wanted to do the same this year. In this blog post, we’ll walk through the top 5 DeFi hacks of 2022 by total value stolen.
Note that all values represented in these walkthroughs are approximations.
#5: Beanstalk, $181M
Beanstalk was an algorithmic stablecoin protocol. The $1 peg on its native currency, BEAN, was maintained by encouraging trading at the peg price. Beanstalk was considered a decentralized protocol, where users could vote on various proposals using Beanstalk's custom governance mechanism.
Unfortunately for Beanstalk, their governance mechanism was the source of the attack. The attacker was able to temporarily amass enough of their governance token, Stalk, to bypass each significant threshold of the governance mechanism.
Firstly, they staked enough BEAN and Stalk to propose two malicious proposals. The first proposal was the attack vector, while the second proposal was simply a cover for the first one. The attacker then waited the minimum one-day period before initiating a flash loan via Aave to accrue two-thirds of all Stalk that existed. This allowed the attacker to forcefully initiate the malicious proposals via a two-thirds supermajority emergency vote function. Ideally, this governance 'escape-hatch' was intended for emergencies only and initiated by the community, but the attacker was able to use it to steal funds from the protocol. Since all of this was happening during a flash loan, the attacker used the stolen funds from the Beanstalk protocol to pay off the interest from the loans, and then kept the leftover funds.
After paying off the flash loans to Aave, the attacker was able to steal around $76M. The stolen tokens were quickly sent to Tornado Cash to be laundered, and so far none of the stolen tokens have been recovered. Today, Beanstalk has rebuilt its protocol, though its TVL is still diminished.
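The emergency vote described above counted stake as it stood at the moment of the vote, which is what let borrowed stake count. The following model is an added example, not Beanstalk's code: it contrasts that tally with one that reads balances from a snapshot taken when the proposal was created. All names and numbers are hypothetical and constructed.

```python
class Token:
    """Stake ledger that checkpoints each holder's balance per block."""
    def __init__(self):
        self.history = {}  # holder -> list of (block, balance), appended in block order

    def set_balance(self, holder, block, amount):
        self.history.setdefault(holder, []).append((block, amount))

    def balance_at(self, holder, block):
        """Latest recorded balance at or before `block` (0 if none)."""
        bal = 0
        for b, amount in self.history.get(holder, []):
            if b <= block:
                bal = amount
        return bal

    def total_at(self, block):
        return sum(self.balance_at(h, block) for h in self.history)


def emergency_commit_live(token, voters, now):
    """Weak: counts stake as it stands in the executing block."""
    votes = sum(token.balance_at(v, now) for v in voters)
    return 3 * votes >= 2 * token.total_at(now)  # two-thirds supermajority


def emergency_commit_snapshot(token, voters, proposal_block):
    """Hardened: counts stake as it stood when the proposal was created."""
    votes = sum(token.balance_at(v, proposal_block) for v in voters)
    return 3 * votes >= 2 * token.total_at(proposal_block)


def scenario():
    t = Token()
    t.set_balance("community", 100, 900)   # constructed numbers
    t.set_balance("proposer", 100, 100)    # own stake when proposing at block 100
    # After the waiting period, borrowed funds are staked within one transaction.
    t.set_balance("proposer", 200, 2100)   # 100 own + 2000 borrowed
    live = emergency_commit_live(t, ["proposer"], now=200)
    snap = emergency_commit_snapshot(t, ["proposer"], proposal_block=100)
    return live, snap  # live tally passes, snapshot tally does not
```
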
#4: Nomad Bridge, $190M
The Nomad Bridge was a multi-chain bridge that enabled transactions from popular blockchains such as Ethereum, Avalanche, and more. Similarly to the Wormhole Bridge, smart contracts were deployed on each blockchain that Nomad wanted to bridge against. Each bridge smart contract contained a large store of assets, making for an attractive target for attackers.
This attack occurred against the Nomad Bridge smart contract located on Ethereum. The code exploited in this attack vector was the validation logic used to ensure that cross-chain transactions were genuine. Like other blockchains, the Nomad Bridge used proofs to validate transactions.
What was unusual about this attack was that the actual proof validation logic was correct, but a recent upgrade to the Nomad Bridge had updated the root of its Merkle Trie to be all 0s. This caused the validation logic to erroneously approve forged transactions. Another unusual factor of this attack was that there was more than one attacker involved. In fact, there were over 1000 attackers that took advantage of this vulnerability as it was easy to copy and paste the original attack and replace the receiver of the stolen tokens with any address.
A single erroneous upgrade resulted in over $190M stolen from the Nomad Bridge smart contract on Ethereum in a frantic smash and grab. Only around $33M has been returned to Nomad at this time.
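A simplified model of how a trusted all-zero root can defeat otherwise correct proof validation, as an added example rather than Nomad's contract code. It assumes that a message which was never proven reads back as the all-zero default value, as an unset Solidity mapping entry would; the class and function names are hypothetical.

```python
import hashlib

ZERO = bytes(32)  # all-zero 32-byte value

def h(data):
    return hashlib.sha256(data).digest()

def root_from_proof(leaf, proof, index):
    """Fold a Merkle branch up to its root; index bits pick the sibling side."""
    node = leaf
    for sibling in proof:
        node = h(sibling + node) if index & 1 else h(node + sibling)
        index >>= 1
    return node

class Inbox:
    """Toy bridge inbox (hypothetical; not Nomad's contract)."""
    def __init__(self, trusted_roots):
        self.confirmed = set(trusted_roots)  # roots accepted as genuine
        self.proven = {}                     # message hash -> root it was proven under

    def prove(self, msg, proof, index):
        self.proven[h(msg)] = root_from_proof(h(msg), proof, index)

    def process_weak(self, msg):
        # Assumption: an unproven message reads back as ZERO, like an unset mapping entry.
        return self.proven.get(h(msg), ZERO) in self.confirmed

    def process_hardened(self, msg):
        # Reject the default value explicitly before consulting the trusted set.
        root = self.proven.get(h(msg), ZERO)
        return root != ZERO and root in self.confirmed

def scenario():
    genuine, unproven = b"proven message", b"message with no proof"  # constructed
    sibling = h(b"other leaf")
    good_root = h(h(genuine) + sibling)  # two-leaf tree, genuine leaf at index 0
    out = {}
    for name, roots in (("good", [good_root]), ("zero", [good_root, ZERO])):
        box = Inbox(roots)
        box.prove(genuine, [sibling], 0)
        out[name] = (box.process_weak(genuine), box.process_weak(unproven),
                     box.process_hardened(unproven))
    return out
```

In the `zero` case the proof check still works for the genuine message, yet the weak path also accepts a message that was never proven, which matches the page's point that the validation logic itself was correct.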
#3: Wormhole Bridge, $320M
The Wormhole cross-chain token bridge enabled users to bridge assets between some of the most popular blockchains including Solana, Ethereum, Polygon, and more. For each blockchain that Wormhole intended to bridge between, a smart contract was deployed to the blockchain. Each smart contract held a large amount of assets to facilitate bridging assets between blockchains. Similar to the Nomad Bridge, the large amount of assets made the Wormhole Bridge an attractive target to attackers.
This hack occurred against the Wormhole bridge smart contract located on Solana. As part of the on-chain verification process for cross-chain transactions, the Wormhole bridge smart contract on Solana would verify that the guardian signatures provided with a transaction were valid. Guardians are trusted entities whose signatures were used to ensure only valid transactions were finalized by the bridge contract. However, the bridge contract's signature checks were outsourced to a separate instruction that was meant to be performed from a specific Solana address.
This particular instruction, used by Wormhole, had been deprecated by Solana for security purposes.
Therefore, the attacker was able to provide their own address for the instruction logic, enabling them to incorrectly validate their forged transaction. Interestingly, Wormhole had patched this vulnerable code in their GitHub repo but had not deployed an upgrade yet, which may have tipped off the attacker to this attack vector.
Wormhole's loss was eventually fully subsidized by one of their investors, but this raises an interesting point on the complexity of multichain bridge systems. For each and every blockchain that Wormhole wanted to bridge between, they had to deploy a smart contract that implemented the necessary functionality in the native language of said blockchain.
This meant Wormhole needed to keep track of each and every change to the blockchains they deployed on, in the event that they needed to update their smart contracts. In this case, being unable to keep up with the pace of changes in Solana's blockchain cost the protocol $320M.
#2: Binance Build and Build (BNB) Bridge, $560M
As of today, Binance is the largest cryptocurrency exchange on the market. In addition to their centralized institution, Binance has its own token, BNB coin, as well as a host of decentralized services. These services include the Binance Smart Chain (BSC), which is a blockchain designed to enable a large volume of transactions with low gas fees. As with all other blockchains, BSC needs a bridge in order to have cross-chain interoperability. Binance's BNB Bridge facilitates the transfer of assets to and from BSC.
The BNB Bridge attacker was able to exploit a vulnerability within one of BSC's precompile contracts. Precompile contracts are simply abstractions of on-chain smart contracts, where the actual logic and computation is done within the node software of the specific blockchain. Precompile contracts can be called by other smart contracts deployed on-chain. In this specific case, the precompile contract was used to validate the correctness of proofs that contained cross-chain transactions sent by an off-chain relayer.
Typically, a relayer would simply pass along a proof generated as part of the process of bridging an asset, where the proof represents the confirmation that the asset is being bridged from the Binance Beacon Chain to the Binance Smart Chain (or vice versa). The proof is verification that value is actively being transferred. Without the proof, users could request to transfer money that they do not own, effectively printing money.
The attacker was able to do just that by manipulating the precompile contract's verification to accept a forged proof. The attacker registered themselves by staking 100 BNB to become a BNB Bridge relayer, and then tricked the bridge into erroneously minting over 2 million BNB worth approximately $560M at the time of the hack.
While 2 million BNB was minted into existence by the attacker, they only managed to steal about $110M worth of BNB as the Binance Smart Chain and Bridge were suspended approximately 3 hours after the attack occurred.
#1: Ronin Bridge, $650M
Ronin was the blockchain and bridge that powered the popular game Axie Infinity. The Ronin blockchain enabled higher throughput and lower cost transactions, which were vital to enabling the game mechanics of Axie Infinity. However, because Axie Infinity was on an entirely separate blockchain, a bridge was necessary. The Ronin Bridge facilitated transfers to and from the network, thus allowing people to play Axie Infinity.
The attacker did not go after the smart contracts that powered the Ronin Bridge, but rather the way the bridge validated cross-chain transactions. The Ronin Bridge validated bridge transactions off-chain using a trusted M-of-N validator system. This means that in order for a deposit or withdrawal to or from the Ronin Bridge to be considered valid, it must be signed by at least M out of N validators of the bridge. The security model of this type of trusted system relies on a large number of validators. Thus, the larger M and N get, the harder it would be for an attacker to finalize an invalid transaction.
Unfortunately, the Ronin Bridge validator count was small enough that compromise was feasible. The bridge had only 9 validators, of which 5 signatures were required to approve a bridge transaction. Through social engineering and unrevoked privileges, the attacker was able to compromise the minimum 5 validator signatures needed to finalize transactions. The attacker was then able to fraudulently approve $650M in withdrawals from the Ronin bridge.
Shockingly, this attack was discovered when a user was unable to withdraw money from the Ronin Bridge 6 days after the attack occurred. Consequently, a large amount of the funds had been laundered by the time the Ronin developers and other companies started investigating the attack. Only about $40M has been recovered by law enforcement today. While Axie Infinity and Ronin are still around today, the popularity of the game and its blockchain has diminished greatly.
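An M-of-N threshold only protects as well as its signing keys are independent. The following check is an added example, not Ronin's code: given who can actually make each validator key sign (its operator plus any delegation still active), it computes the fewest distinct parties whose compromise yields M signatures. The validator layouts and operator names are constructed and hypothetical.

```python
from itertools import combinations

def controllable(validators, party):
    """Keys a party can make sign: ones it operates plus live delegations to it."""
    return {v["key"] for v in validators
            if v["operator"] == party or party in v["delegates"]}

def min_parties_for_quorum(validators, m):
    """Fewest distinct parties whose compromise yields m signatures (exhaustive)."""
    parties = sorted({v["operator"] for v in validators}
                     | {d for v in validators for d in v["delegates"]})
    for k in range(1, len(parties) + 1):
        for group in combinations(parties, k):
            keys = set()
            for p in group:
                keys |= controllable(validators, p)
            if len(keys) >= m:
                return k
    return None  # quorum unreachable even if every party is compromised

def layout(operators, delegations=()):
    """Build a validator list; delegations are (key index, delegate) pairs."""
    vals = [{"key": i, "operator": op, "delegates": set()}
            for i, op in enumerate(operators)]
    for idx, delegate in delegations:
        vals[idx]["delegates"].add(delegate)
    return vals

def scenario(m=5):
    # Constructed 9-key layouts; operator names are hypothetical.
    concentrated = ["org-a"] * 4 + ["org-b", "org-c", "org-d", "org-e", "org-f"]
    stale = layout(concentrated, delegations=[(4, "org-a")])  # delegation never revoked
    revoked = layout(concentrated)                            # same keys, delegation removed
    independent = layout([f"org-{i}" for i in range(9)])      # one key per operator
    return tuple(min_parties_for_quorum(v, m)
                 for v in (stale, revoked, independent))
```

With a 5-of-9 threshold, the three layouts need 1, 2 and 5 compromised parties respectively, so the nominal threshold overstates the protection whenever keys or signing privileges are concentrated.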
Trends in Bridge Exploits
4 of the top 5 hacks this year targeted bridges. The natural complexity of bridges (with on-chain and off-chain components) makes their attack surface larger than smart contracts. Bridges also tend to hold as much value as some of the most popular DeFi protocols like Compound and Aave. Both of these properties make bridge systems attractive targets for attackers, who search for a wide attack surface and high potential profits. If you are interested in learning more about how bridges work, be sure to check out our "What is a blockchain bridge" blog post.
Arbitrary Execution Provides Security for Your DeFi Project
Arbitrary Execution (AE) is an engineering-focused organization that specializes in securing decentralized technology. We are a group of experienced security professionals providing high-quality security services and smart contract audits. Our extensive background in Web2 security, along with our domain expertise in Web3 security, enables us to provide audits for not only smart contracts but off-chain code as well.