At least 14 DeFi projects were hacked this month, with a total loss of more than $250 million


The DeFi industry has grown rapidly this year, with a large number of new projects emerging and total value locked reaching nearly 90 billion US dollars. However, because many projects have had only lax code audits, they have also become targets for hackers. In May in particular, the frequency of DeFi security incidents increased significantly.

According to Chain Catcher statistics, a total of 27 DeFi projects have been attacked by hackers this year, at least 14 of them this month. That is an average of one DeFi project attacked every two days, with total losses of at least US$250 million. This is the month with the highest frequency of attacks and the largest losses in the history of DeFi.

Specifically, the DeFi projects that were hacked this month include BurgerSwap, Julswap, Merlin, AutoShark Finance, Bogged Finance, PancakeBunny, Venus, FinNexus, bEarn Fi, EOS Nation, xToken, Rari Capital, Value DeFi, and Spartan.

Flash loans were the main attack method, used against at least 7 projects. BSC was the platform hackers targeted most, with at least 11 attacks occurring on the BSC public chain. The amounts involved were generally large: at least 7 projects lost more than 10 million US dollars, and the highest loss, at Venus, exceeded 100 million US dollars.

The following is Chain Catcher's detailed summary of the 14 DeFi project attacks this month:

1. BurgerSwap

Amount of loss: Approximately $7 million

Brief summary: On February 28, the BSC-based AMM project BurgerSwap was hit by a flash loan attack, and more than 432,874 BURGER tokens were stolen.

2. Julswap

Amount of loss: Unknown

Brief summary: On February 28, the BSC-based AMM project Julswap was hit by a flash loan attack, and the token price fell by as much as 90%.

3. Merlin

Amount of loss: Approximately $680,000

Brief summary: On May 26, Merlin, an automated yield aggregator in the BSC ecosystem, was hacked. Because of a vulnerability in the project's getReward code, a large number of CAKE tokens were manually transferred to the Vault contract, which led to approximately 59,000 MERL being issued in total and 240 ETH obtained by selling them.

Solution: The team will airdrop compensation tokens (cMERL) to users, and holders of these tokens will be able to receive BNB rewards from the compensation pool. In addition, development team funds will be used for burns and buybacks to restore the token price.

4. AutoShark Finance

Amount of loss: Approximately $820,000

Brief summary: On May 25, AutoShark Finance, a fixed-rate protocol based on BSC, was hit by a flash loan attack. Because of errors in the LP value and in the amount of fees obtained, the SharkMinter contract arrived at a very large value when calculating the attacker's contribution and minted a large number of SHARK tokens for the attacker. The price crashed from US$1.2 to US$0.01, and the attacker made a profit of US$820,000 per month.

Solution: The team said it will issue a new token, JAWS, to compensate affected users.

5. Bogged Finance

Amount of loss: $3 million

Brief summary: On May 23, Bogged Finance, a BSC-based aggregation trading platform, officially stated that hackers had launched a flash loan attack against a vulnerability in the staking function of the BOG token contract. The hackers used the Pancake Pair Swap code to extract staking income before the contract's verification was completed, resulting in the minting of more than 15 million BOG tokens, most of which had originally been allocated to BOG stakers.

Solution: Issue new tokens and return the stolen BOG tokens to the users who had staked them.

6. PancakeBunny

Amount of loss: Approximately $42 million

Brief summary: On May 20, PancakeBunny, a DeFi yield aggregator based on BSC, suffered a flash loan attack, losing 114,631 BNB and 697,245 BUNNY. The BUNNY was minted and sold in large quantities by the hackers, and the price crashed from $240 to below $2. According to the CertiK security team's investigation, PancakeBunny uses the PancakeSwap AMM to calculate asset prices, so the hackers used flash loans to manipulate the price in the AMM pool and completed the attack by exploiting flaws in Bunny's calculation when minting tokens.

Solution: PancakeBunny will issue a new token pBUNNY and create a compensation pool to compensate the original BUNNY holders for the losses caused by the sharp drop in token prices.
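
The price-oracle weakness described for PancakeBunny above, shown as an added example rather than code from PancakeBunny, PancakeSwap or CertiK: a toy constant-product pool in Python illustrates why valuing assets at a pool's instantaneous price is unsafe within a single transaction, and how a time-weighted reference price with a deviation check rejects the skewed quote. The pool sizes, the 0.25% fee, the 2% tolerance and all class and function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    """Toy constant-product pool (base * quote = k). All figures are constructed."""
    base: float                 # e.g. BNB reserve
    quote: float                # e.g. stablecoin reserve
    fee: float = 0.0025         # assumed swap fee
    cumulative: float = 0.0     # running sum of price * seconds (TWAP accumulator)
    last_ts: int = 0

    def spot(self) -> float:
        return self.quote / self.base

    def accumulate(self, now: int) -> None:
        # Credit the price that held since the last update, before any new trade.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def swap_quote_in(self, amount: float, now: int) -> float:
        self.accumulate(now)
        eff = amount * (1 - self.fee)
        out = self.base * eff / (self.quote + eff)
        self.base -= out
        self.quote += amount
        return out

def twap(pool: Pool, start_cumulative: float, start_ts: int, now: int) -> float:
    pool.accumulate(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)

class PriceDeviation(Exception):
    """Spot price is too far from the reference price to be trusted."""

def naive_value(pool: Pool, base_amount: float) -> float:
    return base_amount * pool.spot()            # trusts whatever the pool says now

def guarded_value(pool: Pool, base_amount: float, reference: float,
                  max_dev: float = 0.02) -> float:
    dev = abs(pool.spot() - reference) / reference
    if dev > max_dev:                           # assumed 2% tolerance
        raise PriceDeviation(f"spot is {dev:.0%} away from reference")
    return base_amount * reference

def demo():
    pool = Pool(base=10_000, quote=3_000_000)   # spot price 300
    ref = twap(pool, pool.cumulative, pool.last_ts, now=1800)  # 30 quiet minutes
    pool.swap_quote_in(3_000_000, now=1800)     # one oversized swap, same block
    return ref, pool.spot(), naive_value(pool, 100)
```

Because the accumulator only credits time that has already elapsed, a swap made in the same block as the valuation moves the spot price roughly fourfold here while the 30-minute reference stays at 300, which is what lets `guarded_value` refuse to mint against the skewed price.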

7. Venus

Amount of loss: Over $100 million

Brief summary: On the evening of May 18, the price of XVS, the token of Venus, a DeFi lending platform based on BSC, was doubled by a whale. BTC and ETH worth hundreds of millions of dollars were then borrowed against XVS collateral and transferred out. After that, the price of the collateral asset XVS plummeted and the positions faced liquidation. However, because of insufficient liquidity in the XVS market, the system failed to liquidate in time, leaving Venus with a huge deficit of hundreds of millions of dollars.

Solution: Venus will sell some XVS tokens to Binance to make up for the platform's losses.

8. FinNexus

Amount of loss: $7 million

Brief summary: On May 17, the on-chain options protocol FinNexus was attacked by a hacker who broke in and managed to recover the private key of the FNX token contract manager. The attacker minted more than 323 million FNX and then sold them on centralized and decentralized exchanges, causing the price to plummet.

Solution: The FinNexus team said it will issue new coins and compensate all users who held FNX before the hack at a 1:1 ratio; liquidity providers on DEX will receive additional compensation due to higher losses.

9. bEarn Fi

Amount of loss: Approximately $10.86 million

Brief summary: On May 16, the BUSD-Alpaca strategy of bEarn Fi, a cross-chain DeFi protocol based on BSC, suffered a flash loan attack, and nearly 10.86 million BUSD in the pool were drained.

Solution: bEarn Fi said it would create a compensation fund consisting of remaining savings funds, development funds, DAO funds, and a portion of the fees generated by the protocol, after which a snapshot of the balance would be taken to deploy a compensation contract.

10. EOS Nation

Amount of loss: $15 million

Brief summary: On May 14, the EOS Nation flash loan smart contract suffered a reentrancy attack, and approximately 1.2 million EOS and 462,000 USDT were stolen.

Solution: flash.sx said that all lost funds are under the security control of eosio.prods, and a proposal has been initiated to change the permissions of the hacker's EOS account. If approved, the funds will be returned to the users.

11. xToken

Amount of loss: Approximately $25 million

Brief summary: On May 13, the DeFi staking and liquidity strategy platform xToken was hit by a flash loan attack. The liquidity of the xBNTa Bancor pool and the xSNXa Balancer pool was immediately drained, resulting in a loss of approximately US$25 million.

Solution: The xToken team said it plans to use 2% of the total XTK supply to make up for the stolen losses.

12. Rari Capital

Amount of loss: $14 million

Brief summary: On May 8, a vulnerability was exploited in the ETH fund pool of the DeFi smart investment advisory protocol Rari Capital; the vulnerability stemmed from the pool's integration with the Alpha Finance Lab protocol. The attacker manipulated the price of ibETH Token in ibETH by deploying an auxiliary contract, causing Rari to suffer a huge loss of US$14 million.

Solution: Rari Capital will return the 2 million reserved RGTs used to expand the team to the DAO to compensate users affected by the attack and reward contributors.

13. Value DeFi

Amount of loss: Two attacks, a total of $15 million

Brief summary: Value DeFi, a DeFi protocol based on Ethereum and BSC, suffered two attacks, on May 5 and May 7. The first attack was caused by a code vulnerability in Value DeFi's ProfitSharingRewardPool contract, which affected its vStake pool and resulted in a total loss of more than 200,000 BUSD and 8,790 BNB. The second attack was caused by a code vulnerability in Value DeFi's vSwap contract, and some pools and products of IRON Finance were attacked.

Solution: The team will use 8,530 VALUE from the insurance fund and 122,463 VALUE from the multi-signature, a total of 130,994 VALUE for compensation, and the remaining 251,702 VALUE will be compensated using the team’s VALUE.

14. Spartan

Amount of loss: US$30 million

Brief summary: On May 2, the BSC-based synthetic asset protocol Spartan Pools V1 was attacked. Because of a vulnerability caused by improper calculation of liquidity shares, the attacker transferred approximately US$30 million out of the fund pool.

Solution: Issue new SPARTA tokens and use the 20 million unissued tokens to compensate the LPs of the fund pool that suffered losses due to the attack.

