Crypto, DeFi Hacks Grow in April – Yearn Contract Exploit, MEV Bot Drain, Euler and Sushi Redemption Updates

PeckShield reported early Thursday that non-custodial money market protocol Aave and DeFi yield farming platform Yearn Finance had been impacted in an exploit. The blockchain security team postulated that a misconfigured yUSDT had resulted in the compromise, allowing the bad actor to mint a considerable amount of yUSDT from $10K USDT.

Yearn Finance involved in latest DeFi hack incident

Initial assessment shared by PeckShield indicated that the individual/team exploiting the ‘misconfigured' vulnerability for infinite minting cashed out as much as $11 million worth of Dai (DAI), Tether (USDT), USD Coin (USDC), Binance USD (BUSD) and Tru USD (TUSD) tokens. A tweet update from Aave integrations lead Marc Zeller confirmed the incident, clarifying that only version 1 of the protocol, which has been frozen since Dec 22, was impacted. Yearn Finance’s team also notified users that it was aware of the incident in a separate post.

“We're looking into an issue with iearn, an outdated contract from before Vaults v1 and v2. This problem seems exclusive to iearn and does not impact current Yearn contracts or protocols. iearn is an immutable contract predating YFI, it was deprecated in 2020. Vaults v1, with upgradeable strategies, was also deprecated in 2021. There's no indication it's affected. The current version v2 Vaults remain unaffected as well.”

Markedly, the flash loan exploit resulted in an unexpected outcome – a repayment of Aave user's USDT, on-chain records show Several security entities like Otter Sec and other teams associated with Aave chipped in to break down the attack. DeFi tracking platform Nansen noted that the actor sent the haul to three addresses. On-chain data shows that the exploiter deposited 1000 ETH coins, representing a significant portion of the stolen tokens, to Tornado Cash, possibly to cover his tracks. A second wallet received over 4.7 million DAI and 2.5 million USDC stablecoins. The exploit on the Yearn Finance lending platform follows a string of several similar incidents reported in the decentralized finance (DeFi) space thus far this year.

Hackers and scammers fleeced investors $452M in Q1, with a 29% recovery rate

Blockchain data provider Chainalysis previously reported that hacks in the DeFi niche accounted for 82% of $3.8 billion losses in the crypto sector across 2022. In a recent update on the same, antivirus and app provider De.Fi observed that cybercriminals looted $452 million in the just-concluded quarter. Though massive, this amount represents a significant downturn from the $1.3 billion loss in the same period last year.  The latter report also highlighted that nearly half of the Q1 losses occurred in the first three weeks of March, with the flash loan attack on Euler Finance on March 13 resulting in the highest loss in the quarter – $197 million.

The duo of blockchain-based platforms BonqDAO and AllianceBlock suffered a smart contract hack in early February, losing $120 million. Meanwhile, the alleged $ 45 million scam of CoinDeal investors, Monkey Drainer’s $16.5 million phishing attack, and an $8.5 million flash loan attack on Platypus Finance wrapped up the list of top five leading exploits in the quarter.

Breaches target novices with FOMO

In terms of prevalence, smart contract exploits were the most common type of attack, accounting for 17 incidents, followed by eight rug pull reported instances. Flash loan exploits remained rampant, contributing to a loss of $200 million in the said period. De.Fi also approximated that it's clear that as far as attack vectors are concerned, tokens were the preferred choice for malicious actors – they are simple to launch and prey on the vulnerability of novices who fear missing out on opportunities.

Borrowing and lending was a prime target such that though it accounted for just five incidents, its net losses totaled $336 million. BNB was the biggest victim among chains, being a target in 18 attacks. On recoveries, $130 million of stolen funds were returned to victims, but it was still a decline in the recovery rate seen last year in the same period, 40% of the $1.29 billion.

SafeMoon bug-related exploit

In one isolated incident, SafeMoon platform allegedly got compromised on Mar 29 through a public burn function featured in a recently shipped upgrade. The purported attacker capitalized on this bug-driven loophole to steal as much as 27,000 BNB coins from the compromised SFM WBNB liquidity pool. The exploiter left a message, “Hey relax, we are accidently frontrun an attack against you, we would like to return the fund, setup secure communication channel, let's talk.” SafeMoon said tweet last week that trading had resumed on its platform.

The April 5 update also outlined some tokenomics refinements and conveyed that an upgraded SWaP interface had been deployed.

“We continue working on the recovery of the LP funds […] We have made great progress and continue working hard to get back to business as usual for all our users,” SafeMoon said in the most recent communication this week.

DeFi security breaches in April

Early this month, multichain bridge Allbridge suffered an attack on April 2. The hacker used liquidity provision and swapping techniques to pump the price of the pool and steal funds. This was possible as they were able to manipulate Allbridge’s BNB Chain pools swap price by acting as both a liquidity provider and swapper.

Cross-chain protocol Allbridge exploited

Smart contract auditor CertiK reported that the cross-chain protocol lost as much as $549,874. On the other hand, blockchain security firm PeckShield approximated that a total of $573,000 was exploited – $282,889 worth of BUSD and $290,868 in USDT. At the time, Allbridge said it was working with its partners and community to track the hacker across social networks and ensure they are held accountable. The protocol offered the hacker a bounty and legal immunity if they came forward as a white hat – to encourage them to restore the stolen funds.

1,500 BNB returned

Seemingly the hacker took the option and returned 1,500 BNB ($465,000), which was converted to BUSD to help settle the affected individuals, while the remaining stolen cash was left as a white hat bounty. The Allbridge team also noted that a second attacker used the same technique to drain funds that has yet to reach out and discuss the settlement – Allbridge had shared a wallet address of this alleged exploiter, having a balance of 0.97 BNB, worth $302.5. On Tuesday, Allbridge shared in a tweet that it had completed the first round of recovery payments for the batch of submissions filed as of April 9, while urging those with pending issues to follow through with the exploit compensation process.

The aftermath pf SushiSwap exploit

In a different incident, blockchain security and intelligence firm PeckShield reported early on Sunday that SushiSwap was exploited, with one individual, Twitter user oxSifu, losing about $3.3 million. The security firm and SushiSwap Head Chef Jared Grey both asked the affected to revoke on all chains. Further, the attack seemingly affected persons who have used the DEX within the last four days.  The exploit affected SushiSwap's ‘RouterProcessor2' contract, which facilitates trade routing. According to PeckShield, the bug was related to the ‘approve' mechanism.

 ‘Approve-related' bug leaves some SushiSwap users short'

Users approving this bad contract inadvertently allowed the exploiter to exit user tokens without receiving approval from the owner – or ‘yoink’ them, as it were.  According to Brad Kay, an analyst at The Block Research, the initial attacker, seemingly a white hat hacker, leveraged the ‘yoink’ function to exploit the SushiSwap router contract for 100 ETH, after which a second individual took advantage of the same contract to steal approximately 1800 ETH, this time using the “notyoink” function.

Recovery efforts

Grey confirmed in an update that more than 300 ETH of oxSifu’s lost assets had been recovered, with plans to recoup another in excess of 700 Ether. SushiSwap CTO Matthew Lilley also updated that several rescue efforts continue and urged users to double-check their approvals and scan for and disapprove any malicious addresses possibly allowed for any of their tokens. Nevertheless, he assured users that Sushi Protocol is safe to use, as exposure to RouterProcessor2 has been shut off from the front end, ensuring that liquidity provider and swap activity are safe.

Victims made whole

Sushi chief said on Discord that the team intends to launch a claims website for vested tokens in the protocol’s Merkle Distributor contract. The site will be live until the expiration date of the claims on April 23 after which unclaimed SUSHI tokens will be sent to SushiSwap’s treasury. In a later update shared on Wednesday, the Ethereum-based decentralized exchange indicated that it plans to returned affected claimants.

“If your funds rest in the whitehat contract, then it means security experts collected your funds, they're safe and will be claimable shortly. If your funds do not reside in the whitehat contract, you must submit an email or open-a-ticket in our Discord and include: the transaction ID(s) and blockchain(s) data for the lost funds. Blackhat funds will take longer to process, as the team will have to manually verify the legitimacy against on-chain data that validates the claim and then pay it out accordingly,” SushiSwap tweeted.

Ethereum MEV bot attack

In yet another incident, a rogue validator made away with $25M following an Ethereum MEV bot exploit on April 3. Several Ethereum maximal extractable value (MEV) bots, which help arbitrageurs and traders optimize profit opportunities, were the victims of a complex attack that led to the loss of $25 million to a rogue validator.

Here is what transpired

CertiK explained that eight MEV transactions were targeted, as they were executing sandwich trades – which involve spotting traders attempting to acquire tokens and getting in between the trade to bag a profit. With all these events occurring within a single Ethereum block – 6964664, CertiK noted that the sandwich trades began with few tokens, and by the time they were swapping millions, the rogue validator was replacing the reverse transactions.

A total of $25.39 million got into the wrong hands, with a breakdown posted by the security firm showing – 64.9 WBTC, 7,460.8 WETH, 5,297,649.9 USDC, 3,027,396 USDT, and 1,698,384 DAI. As of the time of writing, the funds are largely held in three wallets. CertiK termed it one of the largest MEV bot exploits ever, with the last such major hack being in September 2022, when 800 ETH in MEV arbitrage gains was stolen due to a bot vulnerability.

At the same time, blockchain auditor OtterSec termed it a contemplated attack, given that the attacker had preloaded their wallet more than two weeks ago. CertiK determined that the bots had failed to identify the node validator as malicious and pegged the exploited weakness to the centralization of powers amongst validators.

Flashbots implemented a feature fix

Flashbots, the creator of Ethereum's principal MEV program, MEV-Boost, has since taken steps to prevent similar issues from recurring. The team implemented a new feature that requires relayers (which serve as the trusted intermediary between block builders and validators) to sign a block and publish it to the Beacon Chain before it is passed onto the proposer. This step was a previously missing step that can now help reduce the chances of a proposer straying from the received contents of a relay. Besides, CertiK told CoinTelegraph that other MEV searchers might become reluctant to engage in non-atomic strategies, including sandwich trading, as they appear to be the principal target.

Tether blacklists linked to an MEV exploit

This week, stablecoin issuer Tether wrote in an April 10 tweet that it had blocked the address ‘Sandwich the Ripper’ associated with the recent MEV exploit. The Tether address held $3 million in USDT, which can no longer be moved. The exploiter possesses a larger sum of the haul, including $14.3 million in Wrapped Ethereum (WETH) and more than $3.6 million in other assets.

Tether appeared to have been acting in good interests and on reasonable grounds. Nonetheless, the decision got criticized by sects that believe the move sets a “bad precedent” in the crypto space. Tether's block listing actions could be interpreted as censorship on transactions, implying a centralized authority by the stablecoin issuer. The decriers pointed to concerns about the potential abuse of power and the implications to the DeFi niche.

Euler opens redemptions after negotiating return of all stolen funds

Euler Finance this week said it received the final tranche of repayments following negotiations on $197 million worth of crypto stolen last month. The protocol said all recoverable funds had been restored, effectively ending the $1 million reward program for information on the hack. Blockchain analytics firm Arkham Intelligence confirmed that the permissionless lending protocol received 10,580 ETH worth $19 million on Monday and a further $12 million in DAI split across three transactions.

Following the March 21 incident, Euler proposed a reward of $19.7 million – equivalent to 10% of the amount stolen – to the culprit responsible for the theft. Additionally, they cautioned that a $1 million reward would be given to anyone who provided information on the attacker if the remaining 90% of the stolen funds were not returned.  Though they initially laundered $1.8 million via Tornado Cash, the attacker started giving back the money on March 18 – starting with $1.8 million. The exploiter continued sending the money, with the biggest return being a lump sum of 58,737 ETH, worth $102 million, on March 24.

At the time of writing, a total of 95,556 ETH and 43 million DAI had been recovered while a sum of 1,100 ETH was deemed irrecoverable having been sent to the sanctioned coin mixer. In the midst of all this, the hacker apologized in a series of on-chain messages about a fortnight ago and promised to surrender all remaining funds. The tokens transferred back on Monday brought the total funds recovered from the hack to over $177 million. This makes up 90% of the anticipated recoverable funds after accounting for the 10% bounty offered by the Euler team.

The Ethereum-based noncustodial lending protocol later said it has since allowed users to redeem recovered funds bringing to an end the flash loan exploit that involved all manners of chaos.  DeFi insurer Nexus Mutual which paid $2.4 million in claims for their losses attributable to the hack, demanded that Euler make a refund. Nexus allegedly backed Euler by covering for losses, except that no users technically lost their assets with the return of funds.

Other reported incidents of security breaches

MetaPoint, a metaverse project, reported this week that it had been exploited by an attacker that made away with 2,515 BNB. The hacker sent the funds into Tornado Cash, PeckShield said. The Metaverse project confirmed the incident on Telegram, adding that it had suspended all operations.

Terraport Finance also appeared to have been the victim of a security breach, barely two weeks after launching. Reports surfacing on April 10 detailed that the protocol's liquidity wallet had been hacked for 2 million. Terraport said in an update shared was aware of the incident and was looking to investigate the issuer after securing the platform.

Outside DeFi, South Korean crypto exchange GDAC this week said it had been hacked for nearly $14 million. The exchange suspended deposits and withdrawals temporarily to carry out necessary remediation, CEO Han Seunghwan said while confirming that the lost funds represented slightly over 20% of its total custodial assets. The hacker reportedly gained control of some of the exchange’s hot wallets early on April 9 (Korean Standard Time) before moving the funds to the wallet they control. GDAC lost around 61 BTC, 350.5 ETH, 220,000 USDT, and 10 million of the WEMIX gaming currency.

Withdrawal services remain unavailable: Seunghwan said that the exchange is dedicated to investigating the same and hasn't formulated a plan to allow the resumption of currently disabled services. The GDAC attack marks this year's first major centralized crypto exchange hack coming just over a dozen months since Crypto.com was hacked for over $15 million last January.

HTX and Gala Games committed $50M to compensate parties affected by the pGALA incident

Following a recent collaboration between Gala Games and crypto exchange HTX to bolster the former’s Web3 ecosystem, the duo has announced a plan to distribute crypto and software licenses valued up to $50 million to GALA token holders who suffered losses in a utility token scam on the platform last November.

The two will equally split the $50 million worth of compensation to be issued – HTX's share will be $25 million, comprising cash and user benefits that account for 15 million USDT and 10 million equities. On the other hand, Gala Games will issue $25 million worth of node licenses, and the program is set to begin this week.

The incident in question involved hackers that minted $1 billion worth of pGALA – a wrapped token of GALA issued by the pNetwork on BNB Chain. As the tokens were dumped on PancakeSwap, the attackers were able to drain $4.5 million from the liquidity pool and massively injured GALA’s token price.

A suit against pNetwork is incoming

The GameFi project last month initiated legal action against pNetwork for its role in the attack. The lawsuit alleged the incident caused Gala Games $25 million in damages and filed for $27.7 million to cover the out-of-pocket expenses related to the breach, additional compensation for injuries, punitive damages, and other relief.  Moreover, the platform invited other affected parties to contact its legal team to join in the pursuit of compensation. HTX indicated in the recent announcement that it’s supporting these efforts. In the event of a favorable verdict, any damages awarded, minus legal costs, will be converted to GALA tokens and subsequently burned.