DeFi hackers are making bank this year — it’s February
In early 2023, the cryptocurrency industry has been characterized by unexpected price pumps and mounting regulatory pressure, yet it’s been a fairly quiet time for the decentralized finance (DeFi) sector.
DeFi, which usually suffers from a near-constant barrage of hacks, scams, and rug pulls, has flown largely under the radar while the likes of Binance and Kraken have faced off repeatedly with the SEC.
Centralized crypto platforms are feeling the heat from regulators who seem keen to appear tough after last year’s spectacular downfalls of Celsius, FTX, and its disgraced former-CEO Sam Bankman-Fried.
However, just because things in that particular part of the cryptosphere appear quieter, doesn’t mean that DeFi hasn’t had its fair share of drama.
Read more: Top DeFi hacks and exploits of 2022
DeFi hacks: A blockchain blunder and a two-for-one vulnerability
Last week’s messy hack of Platypus Finance saw $8.5 million drained from the project. However, the amateur attacker managed to get some of the funds stuck in their own smart contract, frozen by Tether, and accidentally sent some profit to lending protocol Aave (currently discussing the return of funds).
The hacker’s address was also quickly linked to various social media accounts by on-chain investigator ZachXBT. Shortly after, a further $2.4 million was recovered via a reverse-hack, conducted by security firm BlockSec.
In a dazzling reverse hack, a substantial chunk of the Playtpus hack stolen funds have been recovered.
Here’s how it worked: (1/4) pic.twitter.com/gRWkLPMr7Q
— Daniel Von Fange (@danielvf) February 17, 2023
A total of over $4 million was stolen via a well-known vulnerability, from both Midas Capital and dForce Network. In two attacks, less than a month apart, hackers exploited the same mechanism which had originally been described last April. dForce later announced that the hacker had responded to a bug bounty offer, and returned the funds ($3.65 million).
The NFT sector also continues to be a target for hackers and scam artists
Earlier this month, ZachXBT published a detailed report on one scammer, known as Loyalist, who is estimated to have stolen upwards of $4 million over the past year.
One tool commonly used to scam NFT investors is known as ‘Monkey Drainer,’ a phishing kit that saps victims wallets once they’ve been tricked into interacting with a (typically) cloned website to mint NFTs.
Read more: High-profile investor accidentally gives away NFT collection
Rug-pulls and walkouts
Yesterday, $1.8 million was drained from Hope Finance after the protocol was updated to divert assets to an external account. The project took to Twitter to accuse a team member of rug-pulling the project, but it’s unlikely that culprits will face any consequences. Identification efforts are hindered by the fact that the modification was signed by all three accounts on the project’s multisig wallet, and acquiring fake know-your-customer (KYC) information online isn’t difficult.
Another NFT project, fRiENDSiES, today announced a sudden shutdown in what has been branded a rug-pull. With nothing to show for the $5 million raised less than a year ago, the team blamed “market volatility” before deleting the project’s Twitter.
btw when these guys say “market volatility” they really mean “we bagheld ETH down 70% and then sold the bottom” pic.twitter.com/6g1LeOQC6C
— Arkham (@ArkhamIntel) February 21, 2023
Read more: DeFi protocol Umami Finance sours as CEO goes rogue and core team quits
Two weeks ago, Umami Finance’s team quit the project’s legal wrapper, Umami Labs LLC. It claimed that the former CEO, Alex O’Donnell, had crashed the token price by dumping his holdings, and took control of the project’s multisig wallet and treasury.
Almost a week later, O’Donnell attempted to reassert control, despite previous statements that neither of the project’s two legal wrappers have any control over the DAO.