<p><span style="font-weight: 400;">In 2022, cryptocurrency-based projects experienced a series of devastating hacks and exploits in what’s considered the worst year ever when it comes to securing digital assets. </span></p> <p><span style="font-weight: 400;">Overall, the frequency of crypto hacks accelerated rapidly this year, with total funds lost topping out at $3 billion, </span><a href="https://go.chainalysis.com/2022-Crypto-Crime-Report.html"><span style="font-weight: 400;">according to</span></a><span style="font-weight: 400;"> a </span><span style="font-weight: 400;">Chainalysis </span><span style="font-weight: 400;">report.</span></p> <p><span style="font-weight: 400;">The year showed us how blackhat or malicious hackers are using increasingly advanced tactics to exploit weaknesses in decentralized apps that may have bugs, like every other piece of software. </span></p> <p><span style="font-weight: 400;">Among the major crypto heists of 2022, security incidents involving </span><a href="https://www.theblockresearch.com/understanding-cross-chain-bridges-148589"><span style="font-weight: 400;">cross-chain bridges</span></a><span style="font-weight: 400;"> and decentralized finance protocols stood out for suffering damages to the tune of hundreds of millions of dollars in individual exploits. During such exploits, hackers accessed and stole crypto assets without authorization by taking advantage of vulnerabilities in smart contracts. </span></p> <p><span style="font-weight: 400;">This exclusive article from The Block explores the largest crypto hacks of 2022 and what went wrong leading up to each attack.</span></p> <h2><strong>Ronin Network — $625 million</strong></h2> <p><span style="font-weight: 400;">On Mar. 
29, Ronin, a sidechain that hosts Sky Mavis’ Axie Infinity game, was </span><a href="https://www.theblock.co/post/140165/ronin-replaces-compromised-validators-and-plans-to-bolster-security-after-600-million-hack"><span style="font-weight: 400;">exploited for</span></a><span style="font-weight: 400;"> $625 million in various crypto assets, making it the largest crypto heist to date. </span><span style="font-weight: 400;">Sky Mavis developed Ronin to host its popular blockchain game Axie Infinity. But things took a turn for the worse when the team failed to secure the Ronin network from perpetrators, later </span><span style="font-weight: 400;"><a href="https://techcrunch.com/2022/04/15/us-officials-link-north-korean-lazarus-hackers-to-625m-axie-infinity-crypto-theft/">identified</a> to be North Korea's Lazarus hacking group. </span></p> <p><span style="font-weight: 400;">Through an </span><a href="https://www.theblock.co/post/156038/how-a-fake-job-offer-took-down-the-worlds-most-popular-crypto-game"><span style="font-weight: 400;">email-based phishing attack</span></a><span style="font-weight: 400;"> on a former employee, the hacking group gained access to Sky Mavis’ IT infrastructure. There, the hackers located and stole private keys to Ronin blockchain validator nodes, which the firm stored on its internal servers. Once the hackers had access to validator keys, they took control over the entire Ronin network and transferred more than 173,600 ether (ETH) and 25.5 million USDC stablecoin, totaling over $625 million. </span></p> <p><span style="font-weight: 400;">Fortunately for users who had their funds taken during this incident, most were fully reimbursed, the firm claimed. 
A week after the hack, Sky Mavis </span><a href="https://www.theblock.co/post/140800/sky-mavis-raises-150-million-from-binance-to-reimburse-ronin-hack-victims"><span style="font-weight: 400;">raised</span></a><span style="font-weight: 400;"> $150 million in a funding round led by Binance and combined this with its own assets to </span><span style="font-weight: 400;">pay back everyone who was affected by the exploit.</span></p> <h2><strong>FTX — $370-$400 million </strong></h2> <p><span style="font-weight: 400;">Unlike other major security heists during the year — such as those affecting decentralized blockchain apps operating on smart contracts — the now-collapsed centralized exchange FTX fell victim to one of the largest hacks of 2022. </span><span style="font-weight: 400;">Taking place in November, the FTX hack came to light after the exchange’s official Telegram admins</span> <a href="https://www.theblock.co/post/186289/ftx-claims-it-has-been-hacked-of-all-of-its-funds-website-and-mobile-app-compromised"><span style="font-weight: 400;">reported</span></a> <span style="font-weight: 400;">“unauthorized access.” </span></p> <p><span style="font-weight: 400;">Onchain data showed that the exchange's </span><span style="font-weight: 400;">wallets lost between $370 million and </span><a href="https://www.theblock.co/post/186279/over-400m-worth-of-tokens-ftx-funds-drained-from-company-accounts"><span style="font-weight: 400;">$400 million</span></a><span style="font-weight: 400;"> shortly after its </span><span style="font-weight: 400;">former CEO Sam Bankman-Fried filed for Chapter 11 bankruptcy protection. 
</span></p> <p><span style="font-weight: 400;">A few media outlets </span><a href="https://www.marketwatch.com/story/supposed-477-million-ftx-hack-was-actually-a-bahamian-government-asset-seizure-11668782216"><span style="font-weight: 400;">conflated</span></a><span style="font-weight: 400;"> the hack with another suspicious transfer of $400 million made from FTX on the order of the Securities Commission of the Bahamas for safekeeping the assets, which caused confusion. However, the two were separate incidents.</span></p> <p><span style="font-weight: 400;">The new FTX chief John J. Ray III </span><a href="https://www.youtube.com/watch?v=J1JPc9Fjf9k"><span style="font-weight: 400;">testified</span></a><span style="font-weight: 400;"> that the hack and another large asset transfer ordered by the Bahamian regulators were separate. This is verified by analytics firm Chainalysis, which is working with FTX to track down the assets.</span></p> <p><span style="font-weight: 400;">“The $400 million stolen and hacked from FTX is completely separate from the $400 million held by the Securities Commission of the Bahamas. 
It's totally understandable that people were confused by this, though,” a spokesperson from Chainalysis told The Block.</span></p> <p><span style="font-weight: 400;">While the identity of the hacker remains unknown, Bankman-Fried <a href="https://finance.yahoo.com/finance/news/sam-bankman-fried-says-ftx-203431501.html">spoke</a> in an interview of an insider, likely a “former employee” or bad actor, who may have stolen private keys to FTX's crypto wallets.</span></p> <p><span style="font-weight: 400;">Ray also </span><a href="https://www.theblock.co/post/194706/ftx-stored-private-keys-without-encryption-the-exchanges-new-chief-said"><span style="font-weight: 400;">revealed</span></a><span style="font-weight: 400;"> in a prepared testimony </span><a href="https://financialservices.house.gov/uploadedfiles/hhrg-117-ba00-wstate-rayj-20221213.pdf"><span style="font-weight: 400;">document</span></a> <span style="font-weight: 400;">that FTX stored private keys to its wallets in an unencrypted manner and had adopted very poor security controls — factors that could have easily allowed the hack to take place.</span></p> <h2><strong>Wormhole — $325 million </strong></h2> <p><span style="font-weight: 400;">In February, Wormhole, a cross-chain bridge protocol, was hacked in this year’s biggest bridge exploit. Wormhole allows users to lock their ETH and receive a pegged asset called Wormhole ETH (wETH) on the Solana network. </span></p> <p><span style="font-weight: 400;">On Feb. 2, Wormhole fell to a hacker who spoofed certain security signatures on the bridge and minted 120,000 wETH worth </span><a href="https://www.theblock.co/post/132909/wormhole-replenishes-its-blockchain-bridge-after-325-million-exploit"><span style="font-weight: 400;">$325 million</span></a><span style="font-weight: 400;"> out of thin air. The hacker swapped the illicitly minted wETH for actual ETH on the Ethereum network, thereby draining all of the assets held on Wormhole. 
</span></p> <p><span style="font-weight: 400;">The incident halted the bridge's operations, and for some time it appeared the end for Wormhole was near. It would have been incredibly challenging to recover the losses, but to everyone's surprise, a few days after the hack, Wormhole said it </span><a href="https://www.theblock.co/post/132909/wormhole-replenishes-its-blockchain-bridge-after-325-million-exploit"><span style="font-weight: 400;">replaced</span></a><span style="font-weight: 400;"> all of the stolen ETH and reopened the bridge.</span></p> <p><span style="font-weight: 400;">Jump Crypto, a trading and venture capital firm that incubated Wormhole, confirmed that it replenished the stolen 120,000 ETH from its own funds to help sustain the bridge.</span></p> <h2><strong>Nomad — $190 million </strong></h2> <p><span style="font-weight: 400;">On Aug. 7, Nomad — a bridge connecting Ethereum, Avalanche, Moonbeam and Evmos blockchains — suffered the second-largest cross-chain bridge hack of the year with </span><a href="https://www.theblock.co/post/160851/nomads-190-million-bridge-exploit-drew-hacking-feeding-frenzy-of-300-addresses"><span style="font-weight: 400;">$190 million</span></a><span style="font-weight: 400;"> worth of assets lost. The hack resulted from a faulty update in which Nomad developers erroneously designated </span><a href="https://etherscan.io/address/0x0000000000000000000000000000000000000000"><span style="font-weight: 400;">0x00</span></a><span style="font-weight: 400;"> (the zero address) as the trusted root. </span></p> <p><span style="font-weight: 400;">This meant that anyone could withdraw funds from the bridge without going through the trust contract check and could easily bypass its security. 
As the update </span><span style="font-weight: 400;">issue became public, over </span><a href="https://www.theblock.co/post/160851/nomads-190-million-bridge-exploit-drew-hacking-feeding-frenzy-of-300-addresses"><span style="font-weight: 400;">300 addresses</span></a> <span style="font-weight: 400;">rushed in to grab money from Nomad in a free-for-all exploit. </span><span style="font-weight: 400;">Luckily, some of the addresses belonged to ethical hackers who later <a href="https://www.theblock.co/post/161715/nomad-has-recovered-22-4-million-after-hackers-drained-190-million?utm_source=twitter&amp;utm_medium=social">returned</a> $22 million to Nomad. </span></p> <h2><strong>Beanstalk Farms — $182 million</strong></h2> <p><span style="font-weight: 400;">Beanstalk Farms, a stablecoin protocol, was </span><a href="https://www.theblock.co/linked/142272/ethereum-based-stablecoin-protocol-beanstalk-loses-more-than-80-million-to-exploit"><span style="font-weight: 400;">attacked</span></a><span style="font-weight: 400;"> in April of 2022 in the year’s largest governance hack.</span></p> <p><span style="font-weight: 400;">An unknown hacker took advantage of a security loophole in Beanstalk's decentralized autonomous organization (DAO), which oversees the decision-making for the stablecoin project. </span><span style="font-weight: 400;">On Beanstalk, anyone could submit a proposal and get it passed in a day if it received a majority of votes from holders of Beanstalk’s native governance token, called bean. </span></p> <p><span style="font-weight: 400;">A malicious actor submitted a proposal asking the community to send crypto assets from Beanstalk's treasury to the hacker’s crypto address. 
When the vote passed, the transfer was automatically made.</span></p> <p><span style="font-weight: 400;">The attacker took a <a href="https://www.theblockcrypto.com/news+/108081/flash-loans-a-blessing-or-a-curse">flash loan</a>, a loan that can be taken without any collateral if it’s returned within the same transaction. With this, the hacker </span><a href="https://etherscan.io/tx/0xcd314668aaa9bbfebaf1a0bd2b6553d01dd58899c508d4729fa7311dc5d33ad7"><span style="font-weight: 400;">purchased</span></a><span style="font-weight: 400;"> millions of dollars in bean tokens to ensure they had enough tokens to get the vote approved. </span></p> <p><span style="font-weight: 400;">With this trick, the hacker was able to funnel some $80 million in bean tokens from the project’s treasury unbeknownst to Beanstalk core developers. </span><span style="font-weight: 400;">After this, the hacker </span><span style="font-weight: 400;">sold off those bean tokens on the platform, and the final loss ended up being significantly higher for Beanstalk. Security firm PeckShield </span><a href="https://twitter.com/peckshield/status/1515713013868814336"><span style="font-weight: 400;">estimated</span></a><span style="font-weight: 400;"> the incident cost Beanstalk $182 million in protocol losses.</span></p> <h2>Mango Markets — $114 million</h2> <p>Though not technically a hack, Solana-based lending platform Mango Markets suffered a massive market manipulation exploit in October.</p> <p>The attacker — later alleged to be DeFi trader Avraham Eisenberg — led a team to attack Mango Markets to funnel <a href="https://www.theblock.co/post/177736/mango-markets-proposes-plan-to-pay-back-victims-after-114-million-hack">$114 million</a> in customer deposits from the platform. He later admitted his involvement.</p> <p>The attack was twofold. 
First, Eisenberg allegedly bought tens of millions of illiquid Mango tokens — which he deposited into the protocol as lending collateral.</p> <p>Second, with about $5 million in the USDC stablecoin, he allegedly drove up the price of Mango tokens several times — thereby artificially growing the dollar value of his lending collateral deposits on Mango. He was able to do this because Mango tokens have very thin liquidity across many exchanges.</p> <p>The increased market value of Mango tokens spoofed data oracles into thinking the assets deposited by Eisenberg were worth more than $400 million.</p> <p>With the pumped-up collateral value, he borrowed $114 million in crypto assets with the intention of not paying it back — netting himself a giant profit. A day later, he forced Mango's governance to <a href="https://www.theblock.co/post/177736/mango-markets-proposes-plan-to-pay-back-victims-after-114-million-hack">pass a vote</a>, agreeing to return $47 million as a white hat negotiation deal. At this time, the identity of the attacker was still unknown.</p> <p>On-chain sleuths traced the attack to Eisenberg. He <a href="https://www.theblock.co/post/177424/mango-markets-exploiter-comes-clean-claims-all-actions-were-legal">admitted</a> his involvement but denied doing anything illegal, arguing he was "using the protocol as designed." Clearly the authorities didn't buy the “code is law” argument made by Eisenberg. </p> <p>In December, Eisenberg was <a href="https://www.theblock.co/post/198172/mango-markets-exploiter-arrested-in-puerto-rico-for-alleged-market-manipulation">taken into custody</a> and charged with crimes related to market manipulation by the United States Department of Justice. The DoJ arrested him on charges of commodities fraud and commodities manipulation in Puerto Rico.</p> <h2><strong>BNB Token Hub — $120 million </strong></h2> <p><span style="font-weight: 400;">On Oct. 
6, an unknown entity carried out a large-scale <a href="https://www.theblock.co/post/175437/biance-bnb-chain-is-back-up-after-bridge-exploit">attack</a> on BNB Token Hub, a bridge service that runs between BNB Chain — a blockchain founded by crypto exchange Binance — and Ethereum.</span></p> <p><span style="font-weight: 400;">Exploiting a bug in the bridge’s cryptographic proof system, a hacker was able to take control of 2 million BNB tokens locked on the bridge and valued at $550 million at the time.</span></p> <p><span style="font-weight: 400;">The hacker only managed to transfer between $120 million and $130 million worth of tokens off BNB Chain to </span><span style="font-weight: 400;">other chains before the network was halted. </span><span style="font-weight: 400;">As soon as the attack was detected, BNB Chain validators agreed to freeze the network to take over $430 million held in the hacker's address. The network was down for several hours but was back up and running a day later.</span></p> <h2><strong>Horizon — $100 million</strong></h2> <p><span style="font-weight: 400;">Another protocol that fell victim to a massive hack was Horizon, a bridge that connects Ethereum to the Harmony blockchain. In June, an attacker </span><a href="https://www.theblock.co/post/154029/harmonys-100-million-hacker-took-control-of-its-multi-signature-wallet-analysts-say"><span style="font-weight: 400;">stole $100 million</span></a><span style="font-weight: 400;"> locked on Horizon after compromising a couple of private keys owned by security admin accounts that controlled the bridge.</span></p> <p><span style="font-weight: 400;">The process of transferring assets from Horizon’s deployer contract to Ethereum involved a multi-signature scheme that needed approval from only two of the five admin accounts. 
This meant a malicious actor had to steal two private keys to approve unauthorized transfers, which is precisely what happened, as </span><a href="https://halborn.com/explained-the-harmony-horizon-bridge-hack/"><span style="font-weight: 400;">noted</span></a><span style="font-weight: 400;"> by security firm Halborn. </span></p> <p><span style="font-weight: 400;">After gaining access to two of the bridge’s admin private keys, possibly via phishing attacks on the admins, the hacker was able to approve a transaction that extracted $100 million into their control.</span></p> <h2><strong>Qubit — $80 million </strong></h2> <p><span style="font-weight: 400;">Qubit, a BNB Chain lending and bridge protocol, was the target of the first large-scale crypto hack of the year in January. </span><span style="font-weight: 400;">On Qubit, users could deposit ether (ETH) from Ethereum and the bridge issued a pegged asset “xETH” on BNB Chain. xETH could be used as collateral on Qubit’s lending platform.</span></p> <p><span style="font-weight: 400;">On Jan. 27, a hacker </span><a href="https://cryptobriefing.com/binance-smart-chain-protocol-qubit-finance-hacked-for-80m/"><span style="font-weight: 400;">exploited</span></a><span style="font-weight: 400;"> a software logic vulnerability in Qubit which made xETH available for use on BNB Chain without having deposited ETH on Ethereum. The nature of the vulnerability was such that it allowed the attacker to mint a large amount of xETH without depositing any real assets.</span></p> <p><span style="font-weight: 400;">After the hacker was able to mint lots of xETH, they took several loans from Qubit with those tokens as collateral. 
In the end, the attacker drained all of the 206,000 BNB staked on Qubit Finance by taking loans in a loop, worth about $80 million at the time.</span></p>