$22 Million Was Stolen From Three DeFi Platforms Last Weekend

While most of the DeFi community had their eyes glued to the ETH rally over the weekend, hackers took the opportunity to steal mooning assets through several protocol exploits.

From Wednesday through Saturday, exploits hit three different projects: Rari Capital, Value DeFi, and Larva Labs' Meebits NFT drop, for over $22M worth of stolen digital assets in total.

The crypto industry seems almost acclimated to hacks and thefts: for all its progress in pushing into the mainstream consciousness, it remains largely unregulated, if not a bit lawless. This weekend's hacks only highlight that soaring crypto prices draw not just new potential users but also bad actors who see the same rally as a payday.

Which means both users and the developer teams behind these burgeoning DeFi platforms need to take special care to make sure their technology is secure. 

$11M Lost on Value DeFi

Value DeFi, a yield and DEX aggregator and automated market maker protocol, has had a rough few months: it has fallen victim to three different hacks in the past six months, and the latest came as a twofer, two in one week.

Value DeFi lost $10M to hackers early last week, followed by another $11M attack on Friday, May 7. In November 2020, it had already suffered a $7M hack.

In the latest attack, a profit-sharing pool was exploited by an attacker who made themselves the pool's sole operator and drained the original stake token (the vBSWAP/BUSD LP token). The attacker removed all of the tokens, then removed liquidity to receive over 7,300 vBSWAP and 205k BUSD, sold the vBSWAP for nearly 8,800 BNB on 1inch, used the BNB and BUSD to buy renBTC, and finally used renBridge to move the funds out as BTC.

In its post-mortem, Value DeFi attributed the exploit to a missing line of code: the pool's initializer had no guard against being called a second time, so anyone could re-initialize the pool and set themselves as its owner.
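What that missing line looks like in practice, as an added illustration of the bug class rather than Value DeFi's actual code (the contract and function names ProfitSharingPoolVulnerable, ProfitSharingPoolFixed, Reinitializer, initialize and removeAllTokens are assumed here purely to show the pattern):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface the pool needs.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable shape: a proxy-style pool whose initializer can run more than
// once. Hypothetical reconstruction of the pattern in the post-mortem.
contract ProfitSharingPoolVulnerable {
    address public operator;   // privileged role, set by whoever initializes
    IERC20 public stakeToken;  // e.g. an LP token such as vBSWAP/BUSD

    // Deployed behind a proxy, so there is no constructor; setup happens
    // here. Nothing records that setup already happened, so a second call
    // from any address simply overwrites `operator`.
    function initialize(IERC20 _stakeToken) external {
        operator = msg.sender;
        stakeToken = _stakeToken;
    }

    // Privileged drain path. Once the attacker is `operator`, this is all
    // they need to pull every staked token out of the pool.
    function removeAllTokens(address to) external {
        require(msg.sender == operator, "not operator");
        uint256 bal = stakeToken.balanceOf(address(this));
        require(stakeToken.transfer(to, bal), "transfer failed");
    }
}

// The whole attack, as described: re-initialize, then use the new role.
contract Reinitializer {
    function takeOver(ProfitSharingPoolVulnerable pool) external {
        pool.initialize(pool.stakeToken()); // caller becomes operator
        pool.removeAllTokens(msg.sender);   // and drains the stake
    }
}

// Same pool with the missing guard: initialize() succeeds exactly once, so
// Reinitializer.takeOver() reverts with "already initialized".
contract ProfitSharingPoolFixed {
    address public operator;
    IERC20 public stakeToken;
    bool private initialized;

    function initialize(IERC20 _stakeToken) external {
        require(!initialized, "already initialized"); // the missing line
        initialized = true;
        operator = msg.sender;
        stakeToken = _stakeToken;
    }

    function removeAllTokens(address to) external {
        require(msg.sender == operator, "not operator");
        uint256 bal = stakeToken.balanceOf(address(this));
        require(stakeToken.transfer(to, bal), "transfer failed");
    }
}
```

In production this guard usually comes from OpenZeppelin's Initializable (the initializer modifier), and the implementation contract behind the proxy calls _disableInitializers() in its constructor so the logic contract itself cannot be initialized by a stranger either. A quick audit check for any upgradeable contract: every externally callable setup function must be guarded by an initialized flag or restricted to an address that is fixed before anyone else can reach the function.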

Value DeFi has since patched the vulnerability, and is now planning on using part of their reserve fund to buy insurance against future hacks. They are also setting up a community vote on potential plans for compensating affected parties.

$10M Lost on Rari Capital

In an early Saturday morning exploit, the Ethereum Pool of Rari Capital, a teen-run yield aggregator, was hacked for 2,600 ETH (more than $10M USD at the time), roughly 60% of all user funds in the pool.

In the post-mortem, the Rari Capital team explained that the hacker had exploited Rari’s yield-generating strategy with Alpha Finance’s ibETH token by essentially manipulating the value of ibETH from inside Alpha Finance’s `ibETH.work` function and then withdrawing more ETH from Rari’s pool before anyone caught on.

To tighten security going forward, Rari intends to make sure that the protocols it integrates fully understand how they will be integrated from a security standpoint, so that attackers cannot manipulate Rari through protocols outside its control, and to review newly integrated protocols internally for potential attack vectors. Rari also plans to disallow a deposit and a withdrawal within the same block, which removes the single-transaction path such attacks rely on.
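One way to implement the same-block rule Rari describes, as an added example rather than Rari's own code (the contract name SameBlockGuardedPool and the lastDepositBlock mapping are invented here, and the pool is simplified to holding plain ETH instead of external strategy positions):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Share-based ETH pool that refuses to let shares deposited or received in
// the current block leave in the same block. Illustration only.
contract SameBlockGuardedPool {
    mapping(address => uint256) public shares;
    mapping(address => uint256) public lastDepositBlock;
    uint256 public totalShares;

    // Pool value is simplified to the contract's ETH balance. In a real
    // aggregator this includes positions valued through other protocols,
    // which is exactly where a manipulated valuation would enter.
    function totalAssets() public view returns (uint256) {
        return address(this).balance;
    }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        uint256 assetsBefore = totalAssets() - msg.value; // balance already includes msg.value
        uint256 minted = (totalShares == 0 || assetsBefore == 0)
            ? msg.value
            : (msg.value * totalShares) / assetsBefore;
        shares[msg.sender] += minted;
        totalShares += minted;
        lastDepositBlock[msg.sender] = block.number; // stamp the depositor
    }

    function withdraw(uint256 shareAmount) external {
        // The guard: anything that entered this block cannot exit this block,
        // so an inflate-deposit-withdraw sequence cannot complete in one
        // transaction. Checks-effects-interactions order keeps the ETH
        // transfer after the state update.
        require(block.number > lastDepositBlock[msg.sender], "same-block withdrawal");
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        uint256 amount = (shareAmount * totalAssets()) / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "ETH transfer failed");
    }

    // If shares are transferable, the stamp has to travel with them.
    // Otherwise deposit from A, transfer to B, withdraw from B in the same
    // block walks straight around the guard.
    function transferShares(address to, uint256 shareAmount) external {
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        shares[msg.sender] -= shareAmount;
        shares[to] += shareAmount;
        if (lastDepositBlock[msg.sender] > lastDepositBlock[to]) {
            lastDepositBlock[to] = lastDepositBlock[msg.sender];
        }
    }
}
```

The per-address stamp is the minimum; the transferShares hook shows why the stamp must follow the shares, since a receipt token that moves freely lets an attacker deposit from one address and withdraw from another in the same block. The rule does not fix a manipulable valuation on its own. It only forces the attacker to hold the position across a block boundary, during which the manipulated state has to survive other users and arbitrage, and it should be paired with the integration review Rari describes.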

Rari also announced plans to reallocate 2M of its governance token, $RGT, originally set aside for developer incentives, to Rari's DAO, to be used to reimburse lost funds and reward those who helped resolve the incident.

$700k+ Worth of Meebits

Larva Labs, the OG NFT team behind CryptoPunks, released its new Meebits project last week to major fanfare.

But as one collector proved, the way Meebits stored its metadata left the generative trait lottery ripe for gaming.

After gaining access to a zipped file on the InterPlanetary File System (IPFS) containing the ID and traits of each Meebit ahead of minting, Twitter user @0xNietzsche wrote a contract that minted Meebits over and over but reverted the transaction whenever the Meebit it received lacked a desirable trait.

It took 345 transactions, according to Etherscan. A reverted transaction undoes the mint but still pays for the gas it burned, which is why 0xNietzsche estimated the cost at around $20k per hour in gas fees; eventually he landed an ultra-rare Alien "Visitor" Meebit. He immediately sold it on OpenSea for 200 ETH to the well-known NFT collector Pranksy (who did not know the Meebit was a hack job).
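The mint-and-revert technique described above, next to a delayed-reveal mitigation, as an added example that is neither the Meebits contract nor 0xNietzsche's code (the names NaiveDrop, RareOnlyMinter and DelayedRevealDrop, the 20,000 supply and the 2.5 ETH price are all assumptions for the illustration):

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Drop whose token id is chosen inside mint() and returned to the caller.
// Hypothetical contract for this illustration, not the Meebits contract.
contract NaiveDrop {
    uint256 public constant MAX_SUPPLY = 20000;  // assumed
    uint256 public constant PRICE = 2.5 ether;   // assumed
    uint256 public minted;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => uint256) private indices; // Fisher-Yates draw state

    function mint() external payable returns (uint256 tokenId) {
        require(msg.value == PRICE, "wrong price");
        require(minted < MAX_SUPPLY, "sold out");
        tokenId = _drawIndex();
        ownerOf[tokenId] = msg.sender; // the caller learns the id right here
    }

    // Uniform draw from the ids not yet handed out. The seed is public chain
    // data (a separate weakness); the sniper never needs to predict it,
    // because it can simply look at the result and revert.
    function _drawIndex() private returns (uint256 value) {
        uint256 remaining = MAX_SUPPLY - minted;
        uint256 r = uint256(keccak256(abi.encodePacked(
            blockhash(block.number - 1), msg.sender, minted))) % remaining;
        value = indices[r] == 0 ? r : indices[r];
        uint256 lastIdx = remaining - 1;
        indices[r] = indices[lastIdx] == 0 ? lastIdx : indices[lastIdx];
        minted++;
    }
}

// The sniping contract: mint, compare the id against the leaked id-to-trait
// list, and revert unless it is a wanted id. The revert undoes the mint but
// not the gas charge, which is where the reported ~$20k/hour went.
contract RareOnlyMinter {
    NaiveDrop public immutable drop;
    address public immutable owner;
    mapping(uint256 => bool) public wanted;

    constructor(NaiveDrop _drop, uint256[] memory rareIds) {
        drop = _drop;
        owner = msg.sender;
        for (uint256 i = 0; i < rareIds.length; i++) wanted[rareIds[i]] = true;
    }

    function tryMint() external payable {
        require(msg.sender == owner, "not owner");
        uint256 id = drop.mint{value: msg.value}();
        require(wanted[id], "not rare, reverting the mint");
        // Success: this contract now owns a wanted id.
    }
}

// Mitigation: sequential ids, with the id-to-trait mapping fixed only after
// the sale from an offset nobody knows while minting. There is nothing
// trait-related to test at mint time, so reverting buys the minter nothing.
contract DelayedRevealDrop {
    uint256 public constant MAX_SUPPLY = 20000;  // assumed
    uint256 public constant PRICE = 2.5 ether;   // assumed
    uint256 public minted;
    uint256 public immutable revealBlock; // block whose hash seeds the offset
    uint256 public startingIndex;
    bool public revealed;
    mapping(uint256 => address) public ownerOf;

    constructor(uint256 saleLengthInBlocks) {
        revealBlock = block.number + saleLengthInBlocks;
    }

    function mint() external payable returns (uint256 tokenId) {
        require(msg.value == PRICE, "wrong price");
        require(minted < MAX_SUPPLY, "sold out");
        tokenId = minted++;
        ownerOf[tokenId] = msg.sender;
    }

    // Callable by anyone once the sale window has closed. blockhash() only
    // covers the most recent 256 blocks, so reveal promptly; otherwise this
    // falls back to the parent of the current block.
    function reveal() external {
        require(!revealed, "already revealed");
        require(block.number > revealBlock, "sale still open");
        bytes32 h = blockhash(revealBlock);
        if (h == bytes32(0)) h = blockhash(block.number - 1);
        startingIndex = uint256(h) % MAX_SUPPLY;
        revealed = true;
    }

    // Index into the published trait list for a given token.
    function metadataIndex(uint256 tokenId) external view returns (uint256) {
        require(revealed, "not revealed yet");
        return (tokenId + startingIndex) % MAX_SUPPLY;
    }
}
```

A blunter mitigation is require(msg.sender == tx.origin) in mint(), which stops any contract from minting and therefore from reverting conditionally, at the cost of locking out smart-contract wallets; the delayed reveal above leaves minting open and instead removes the information the sniper depends on. A block hash is not strong randomness either (whoever produces revealBlock can bias it), so a commit-reveal scheme or a VRF is the stronger source for the offset.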

Larva Labs has since paused Meebits' sale and trading functions to prevent further hacks of this sort, as one ultra-rare Dissected Meebit remains unminted and could become the prime target of a similar exploit before a fix is in place.

As for the exploited Visitor Meebit, which now carries some extra lore in the Meebits community, Pranksy immediately flipped it for 299 ETH.

Double-Edged Sword

Lack of regulation in DeFi is a double-edged sword. 

While DeFi offers unprecedented financial freedom through trustless and permissionless protocols, there’s always an inherent risk in putting your money into systems that can be exploited and hacked without any regulated recourse.  

Crypto veterans are already well-aware, but for everyone new to this space, remember to always keep your wits about you when playing with DeFi.