According to on-chain analytics firm Chainalysis, the volume of crime-related crypto transactions will hit an all-time high of $14 billion in 2021. But despite the increased volume of illicit remittances, its relative share of total crypto trading volume hit an all-time low in 2021. These stats show that the rate of expansion of the crypto sector is outpacing the cybercrime associated with it. At the same time, however, it also shows that security in the industry is catching up with demand.

While the share of crime-related transaction volume in the crypto space has declined in 2021, there are still some cases that have taken their toll.

The most lucrative cyber attacks of 2021

Poly Network – $611 million

The Poly Network hack took place on August 10, 2021 and stole approximately $611 million worth of digital assets across three blockchains: Ethereum, BSC, and Polygon. After that, the hacker returned the full amount, stating that he only wanted to warn about vulnerabilities in the Poly Network protocol, not for personal gain.

Poly Network is a cross-chain network that allows users to perform cross-blockchain operations in a decentralized manner. For example, transferring money from one blockchain to another. This requires a large amount of liquidity in the protocol. At Poly Network, liquidity is controlled by special smart contracts.

The contracts attacked were EthCrossChainManager and EthCrossChainData. EthCrossChainData is owned by EthCrossChainManager and stores a list of public keys that can control liquidity (keepers).

The attacker exploited a vulnerability in the EthCrossChainManager contract and tricked it into replacing it instead of the contract keeper. The hacker then seized the liquidity of the Poly Network protocol and gained full control over the protocol’s operation.

Bitmart – $196 million

On December 4, 2021, centralized exchange Bitmart stole $200 million worth of crypto from a hot wallet. The attackers stole the private key to access the exchange’s hot wallet.

The Bitmart exchange claimed it lost $150 million, but blockchain cybersecurity firm Peckshield later claimed that more than 20 cryptocurrencies and tokens were stolen from the Ethereum blockchain and the Binance Smart Bottle, with losses already totaling $196, million dollars. They also planned the route of the stolen assets except for the final destination. The attacker first exchanged the stolen assets for ETH using a 1-inch DEX aggregator, then washed the ETH using a Tornado Cash private mixer and lost track.

This cyber attack again exposes the vulnerability of storing the private keys of many addresses with a huge sum on a single server. This will uncover all of the exchange’s hot wallets at once.

Cream Finance – $130 million

During the December 2021 attack, one or two hackers used multiple protocols (MakerDAO, AAVE, Curve, Yearn.finance) to steal $130 million in tokens and cryptocurrencies from Cream Finance.

The evidence suggests that there could be two hackers since there are two addresses in use: Address A and Address B. First, Address A loaned $500 million to DAI from MakerDAO, pulled that liquidity through Curve and Year Finance, and they used to mint 500 million CryUSD on Creme Finance. At the same time, Address A increased liquidity in Yearn.finance’s YUSD Vault to 511 million YUSDTVault.

Address B then took out a quick loan of $2 billion in ETH from AAVE and deposited it in Cream to mint $2 billion of cEther. Then address B exchanged 1 billion yUSDVault and 1 billion cryUSD and transferred them to address A. Thus, address A received 1.5 billion cryUSD.

Address A then buys 3 million DUSD from Curve and exchanges it all for yUSDVault, leaving 503 million yUSDVault in the account. Address A exchanges 503 million yUSDVault for the underlying yUSD token, bringing yUSDVault’s total supply to 8 million.

Next, Address A transfers 8 million yUSD to Yearn.finance’s yUSD vault, doubling the value of the vault. This prompted Cream’s PriceOracleProxy to double its cryUSD valuation as it determines the price of cryUSD based on the valuation of the total supply of yUSD Yearn Vault/yUSDVault ie $16M/8M yUSDVault. As a result, Cream finds out that address A has 3 billion CryUSD.

This mistake ultimately cost Cream Finance. The hackers were able to quickly repay the loan and pocket all of the liquidity ($130 million) tied up in Cream Finance with the remaining $1 billion in cryUSD.

The most common attack patterns in 2021

Speaking of smart contract attacks, the most common type of attack is the quick lending described above. According to The Block Crypto, of the 70 DeFi attacks in 2021, where 34 used quick loans, the Cream Finance heist in December was the most damaging. The most typical feature of this type of attack is the use of multiple protocols. In essence, any protocol is likely to be secure, but when multiple protocols are used, vulnerabilities can be found.

Another form of smart contract compromise that can be categorized as a classic DeFi attack is a reentrancy attack. A reentrancy attack occurs when a function that calls an external contract does not update the address list before calling that contract again. In this case, the external contract can be withdrawn continuously, since the list of addresses in the contract is not updated after each withdrawal. These continuous orders can continue until the balance of the contract is exhausted.

The third most common type of attack in 2021 is targeting centralized exchanges by stealing private keys that access their hot wallets. This is an all too well-known cyber attack in cryptocurrency history, but it can still be successfully carried out.

How to protect money in the crypto space?

To protect money in the crypto space, it is better to take a good look at the platform you plan to deposit funds on: watch the website, the social interaction of your team members, check the white paper (book white) and the technical one audit. In addition, it would be nice to use a feature in crypto wallets that allows to whitelist (set up a list) contracts that users use frequently. This feature is available in Metamask Wallet and dedicated online cryptocurrency safekeeping services such as Unrekt and Debank. When funds are transferred to an approved contract, the feature flags those contracts.

If you are worried about the security of the DeFi protocol, it is better to use the code base of other tested projects. But the founder should still conduct at least one technical audit of the project’s smart contracts. This is especially important for protocols that are deployed on multiple blockchains and interact with other protocols. Because they require particularly strict monitoring during the audits.

Subscribe to Bitcoin Magazine Telegram to follow updates and comment on this article: https://t.me/coincunews

Minh Anh

According to Cryptoslate