De.Fi Rekt Report – $29m Funds Lost in August 2023: Top DeFi Scams and Exploits

In August 2023, the decentralized finance (DeFi) arena bore witness to a series of setbacks, culminating in a total loss of $29,043,560. While the DeFi ecosystem demonstrated resilience in the face of adversity, these figures undeniably underscore the persistent vulnerabilities within the sector. This report delves deep into the month’s incidents, offering insights into prevalent exploit trends, significant losses, and the distribution of these misfortunes across various chains.

August Totals


As we transitioned from the eventful month of July, August 2023 brought its share of challenges, with a total fund loss of $29.04 million. 

[Chart: Funds Lost Aug 23]

This alarming figure, although lower than the previous month, continues to emphasize the inherent risks within the decentralized finance sector. Furthermore, the absence of any recovered funds accentuates the urgency for enhanced security measures and vigilance. On a positive note, this pales in comparison to the 2022 figure of $271m lost.

[Chart: Funds Lost Aug 22]

The figures from August 2023, albeit distressing, serve as a potent reminder of the persistent vulnerabilities within the DeFi realm. As the industry evolves, the need for fortified security mechanisms and heightened user awareness becomes increasingly paramount. Unfortunately, the lack of any recovery in August, with $0 recouped from the vast $29.04 million lost, underscores the challenges the DeFi sector continually faces, even amidst growing interest and development.

DeFi Exploit Trends: August 2023 Overview

The DeFi space in August 2023 witnessed a series of unfortunate events, cumulatively resulting in the loss of $29,043,560. Ethereum emerged as the prime target for malicious actors, with losses on this chain alone accounting for over $10 million. 

[Chart: Funds Lost by Chain]

Following closely in second place was Optimism, with losses amounting to $7,197,240. Other chains, such as Base, Binance, Arbitrum, and Solana, also faced significant losses, emphasizing the pervasive nature of the challenges within the DeFi industry.

The month’s incidents highlight the continuous security challenges within the DeFi sector. Regardless of the scale of these attacks, the implications on investor confidence and the broader DeFi ecosystem are profound. The industry must continually adapt, innovate, and educate to stay ahead of these threats.

[Chart: Top-10 Funds Lost]

In terms of protocols, The Exactly Protocol bore the brunt of these attacks, enduring a loss of over $7 million.

Types of Exploit

The DeFi ecosystem in August 2023 was marred by a series of attacks, with access control issues and rugpulls emerging as the most prolific sources of loss. 

[Chart: Type of Exploit]

Although the term “rugpull” may sound casual, the implications for investor confidence and the broader DeFi ecosystem are profound. A rugpull involves developers or project leaders abandoning a project after fundraising, resulting in significant investor losses.

The frequent occurrence of such exploits highlights the importance of thorough project vetting and due diligence for potential investors.

Funds Recovered

In August 2023, the DeFi space witnessed a complete absence of fund recoveries, with a total of $0 recouped. This is an alarming contrast to August 2022, when a substantial sum of $211,020,741 was successfully recovered.

The difference year over year is a testament to the challenges and evolving nature of the DeFi sector. 

To compound concerns, July 2023 also saw relatively low recoveries, indicating a continuing trend in recent months.

The absence of fund recoveries over two consecutive months underscores the pressing need for heightened security measures and robust mechanisms to trace and recover lost assets in the DeFi ecosystem.


Attack Vectors

August 2023 witnessed a diverse range of DeFi categories succumbing to malicious activities, each revealing distinct vulnerabilities intrinsic to their respective operations. Notably, the Borrowing and Lending Protocols bore a significant brunt, with three incidents culminating in a daunting loss of $13,015,419.

[Chart: Type of Target]

In contrast, Tokens consistently emerged as favored targets for attackers. With 35 reported incidents throughout the month, the token category saw an aggregate loss of $7,127,478. This high frequency accentuates the imperative need for reinforced security measures and rigorous due diligence in token interactions, as well as greater education on the part of investors. With the use of the De.Fi Scanner for instance, a large number of these token risks can be identified before one actually buys a particular coin. 

Meanwhile, Decentralized Exchanges, or DEX, reported a loss of $4,396,169 stemming from four distinct incidents. These breaches, often exploiting smart contract vulnerabilities or employing traditional attack vectors like phishing, emphasize the persistent risks in decentralized trading platforms. Once again, this underscores the need for sophisticated yet user-friendly tools that allow investors to carry out greater due diligence.

Top Exploits in August 2023

Let’s take a look at the top 5 cases this month:

1. Exactly Protocol — $7.2m Lost (Access Control)

On August 18, 2023, Exactly Protocol, a lending and borrowing protocol on the Optimism chain, was exploited. The attacker utilized a reentrancy attack to bypass the permit check in the DebtManager contract’s leverage function. By using a fake market address and changing the msg.sender to the victim’s address, the attacker reentered the crossDeleverage function and stole the collaterals. 

The stolen amount, 4332.92 ETH, was bridged to the Ethereum mainnet through the Across Protocol and the Optimism Bridge, amounting to a total loss of approximately $7,197,240.
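A simplified Python model of the trust failure described above, added here as an illustration and not code from Exactly Protocol: the manager delegates the permit check to a caller-supplied market and keeps the permitted account in state across an external call. All class and method names are hypothetical, and the hardened mode (a market allowlist plus a reentrancy lock) is a common mitigation assumed here, not taken from the protocol's own fix.

```python
# Toy model, constructed for illustration; not Exactly Protocol's contract code.
class ListedMarket:
    def permit(self, account, signature):
        if signature != ("sig", account):      # stand-in for signature verification
            raise PermissionError("invalid permit")
    def deposit(self, manager, caller): pass   # a listed market does not call back
class UntrustedMarket:
    """Caller-supplied contract: accepts any permit, then calls back into the manager."""
    def permit(self, account, signature): pass
    def deposit(self, manager, caller):
        manager.cross_deleverage(caller, recipient=caller)

class DebtManagerModel:
    def __init__(self, vault, listed=(), hardened=False):
        self.vault, self.listed, self.hardened = vault, set(listed), hardened
        self._sender, self._locked = None, False   # _sender: account the call acts for

    def _guard(self):
        if self.hardened and self._locked:
            raise RuntimeError("reentrant call rejected")
        self._locked = True

    def leverage(self, caller, market, account, signature):
        if self.hardened and market not in self.listed:
            raise PermissionError("market is not listed")
        self._guard()
        try:
            market.permit(account, signature)  # the check is delegated to `market`
            self._sender = account
            market.deposit(self, caller)       # external call while _sender is set
        finally:
            self._sender, self._locked = None, False

    def cross_deleverage(self, caller, recipient):
        self._guard()
        account = self._sender or caller       # trusts the in-flight _sender
        moved, self.vault[account] = self.vault.get(account, 0), 0
        self.vault[recipient] = self.vault.get(recipient, 0) + moved
        self._locked = False
        return moved

def victim_balance_after(hardened):
    vault = {"victim": 100, "caller": 0}
    mgr = DebtManagerModel(vault, listed=[ListedMarket()], hardened=hardened)
    try:
        mgr.leverage("caller", UntrustedMarket(), "victim", signature=None)
    except PermissionError:
        pass                                   # hardened model refuses the market
    return vault["victim"]
```

In the unhardened model the victim's balance ends at 0 because the callback runs while `_sender` still names the victim; with the allowlist in place the call is refused before any state is set.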


Block Data Reference

Attacker Addresses:

https://optimistic.etherscan.io/address/0x3747dbbcb5c07786a4c59883e473a2e38f571af9
https://optimistic.etherscan.io/address/0xE4f34a72d7c18b6f666d6cA53fBC3790bc9da042

Malicious Transactions:
https://optimistic.etherscan.io/tx/0xe8999fb57684856d637504f1f0082b69a3f7b34dd4e7597bea376c9466813585
https://optimistic.etherscan.io/tx/0x1526acfb7062090bd5fed1b3821d1691c87f6c4fb294f56b5b921f0edf0cfad6
https://optimistic.etherscan.io/tx/0x3d6367de5c191204b44b8a5cf975f257472087a9aadc59b5d744ffdef33a520e

Malicious Contract:
https://optimistic.etherscan.io/address/0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d

2. Magnate Finance — $5.4m Lost (Access Control)

Magnate Finance, a borrowing and lending platform on the Base chain, was exploited on August 25, 2023. The deployer removed assets from Magnate Finance’s smart contract, which had unverified source code. These funds were subsequently bridged to several chains, including Arbitrum, Ethereum, Optimism, and Binance Smart Chain, through Stargate. They were later swapped for DAI or ETH to prevent potential freezing. The total loss was confirmed at $5,357,862, with an additional reduction in the platform’s total value locked (TVL) by about $6,400,000.

Block Data Reference

Scammer Address: https://basescan.org/address/0xa146dffe1c304a8a3de74c460ffe8dc73e5ce6e1

Malicious Transaction:
https://basescan.org/tx/0x39555e75d76b294248a434fdfe9640e0cfe3f22bd7fceb675fd4ef4b5e02f719

3. Zunami Protocol — $2.2m Lost (Rugpull)

On August 13, 2023, Zunami, a Yield Aggregator on the Ethereum chain, was compromised. An attacker employed a flash loan attack, exploiting a price manipulation issue in two transactions. By utilizing a donation method, the price was miscalculated, leading to the theft of assets totaling $2,177,741 or roughly 1,180 ETH. The stolen funds were subsequently deposited into TornadoCash for anonymization.

Block Data Reference

Attacker Address: https://etherscan.io/address/0x5f4C21c9Bb73c8B4a296cC256C0cDe324dB146DF

Malicious Transactions:
https://etherscan.io/tx/0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8cceb
https://etherscan.io/tx/0x2aec4fdb2a09ad4269a410f2c770737626fb62c54e0fa8ac25e8582d4b690cca

4. Balancer — $1.9m Lost (Rugpull)

Balancer, an AMM-based DEX operating on Ethereum, Optimism, and Fantom chains, was exploited on August 27, 2023. The attacker targeted Balancer V2 liquidity pools using a flash loan attack. Despite previous vulnerability disclosures by Balancer and their mitigation measures, the attacker was successful, leading to a loss of $1,898,586 spread across Ethereum, Optimism, and Fantom chains. The stolen assets were predominantly stablecoins, including USDT, USDC, and DAI.

Block Data Reference

Attackers:
https://etherscan.io/address/0xEd187F37E5Ad87d5b3B2624C01dE56C5862b7a9B
https://optimistic.etherscan.io/address/0xbc794f1ff9ad7711a9d2e69be5b499e290b8fd3c
https://ftmscan.com/address/0x64e08fa89c2bae9f123cc8a293775f0e6cc86760

Malicious Transactions:
https://etherscan.io/tx/0x2a027c8b915c3737942f512fc5d26fd15752d0332353b3059de771a35a606c2d
https://etherscan.io/tx/0x773fa597c4b58f86ee91b2c57d0d4b12014a60b939a6eb186d50ec45300bfa4a
https://etherscan.io/tx/0x42441d8ed0034e337dad0365a64dd19a57639801dcbf4939863f47bf6c80daa4
https://etherscan.io/tx/0x72a655cedf8dca4551db987a8196d5063a768be48cfba64553f0b6087e64686e
https://etherscan.io/tx/0x85d7aec3f12191f0c0ae5fe8e4442915ac9fc24da96901b9e531af7082b3c2df

5. Steadefi — $1.1m Lost (Reentrancy)

Steadefi, operating on both the Arbitrum and Avalanche chains, was exploited on August 7, 2023. Due to compromised private keys of the deployer, the attacker changed the owner of the pools and withdrew assets including WBTC, WETH, and USDC. These funds were then bridged to the Ethereum chain through the Synapse Bridge, resulting in a total loss of $1,148,309, equivalent to 624.63 ETH.
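One way to monitor for the pattern described above, an owner change followed by withdrawals by the new owner, shown as an added example that is not part of the original report. The event records are constructed, and their field names, the block window and the USD threshold are assumptions.

```python
# Constructed sample events; field names are assumptions, not an explorer schema.
EVENTS = [
    {"block": 100, "pool": "poolA", "type": "OwnershipTransferred", "new_owner": "0xNEW"},
    {"block": 101, "pool": "poolA", "type": "Withdraw", "by": "0xNEW", "usd": 400_000},
    {"block": 103, "pool": "poolA", "type": "Withdraw", "by": "0xNEW", "usd": 250_000},
    # Withdrawal before any owner change: ignored.
    {"block": 90, "pool": "poolB", "type": "Withdraw", "by": "0xUSER", "usd": 500_000},
    {"block": 200, "pool": "poolB", "type": "OwnershipTransferred", "new_owner": "0xOPS"},
    # New owner withdraws, but long after the change: outside the window.
    {"block": 400, "pool": "poolB", "type": "Withdraw", "by": "0xOPS", "usd": 300_000},
    {"block": 300, "pool": "poolC", "type": "OwnershipTransferred", "new_owner": "0xDAO"},
    # Large withdrawal by an ordinary user, small one by the new owner: not flagged.
    {"block": 305, "pool": "poolC", "type": "Withdraw", "by": "0xUSER", "usd": 900_000},
    {"block": 310, "pool": "poolC", "type": "Withdraw", "by": "0xDAO", "usd": 5_000},
]

def flag_owner_drain(events, window=50, min_usd=100_000):
    """Return {pool: usd} for pools where a newly set owner withdrew at least
    min_usd within `window` blocks of the ownership change."""
    last_change = {}   # pool -> (block of change, new owner)
    drained = {}       # pool -> USD withdrawn by the new owner inside the window
    for ev in sorted(events, key=lambda e: e["block"]):
        pool = ev["pool"]
        if ev["type"] == "OwnershipTransferred":
            last_change[pool] = (ev["block"], ev["new_owner"])
            drained.pop(pool, None)            # restart the count for this owner
        elif ev["type"] == "Withdraw" and pool in last_change:
            changed_at, owner = last_change[pool]
            if ev["by"] == owner and ev["block"] - changed_at <= window:
                drained[pool] = drained.get(pool, 0) + ev["usd"]
    return {pool: usd for pool, usd in drained.items() if usd >= min_usd}

if __name__ == "__main__":
    for pool, usd in flag_owner_drain(EVENTS).items():
        print(f"ALERT {pool}: new owner withdrew ${usd:,} shortly after taking ownership")
```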

Block Data Reference

Attacker Address:
https://etherscan.io/address/0x9cf71f2ff126b9743319b60d2d873f0e508810dc

Malicious Transactions:
https://snowtrace.io/tx/0x2425a422d09a229759f1e4e229255944d4ab773e4c9285f43b7c488b43f9fc71
https://snowtrace.io/tx/0xd82491c7bea6ca0e6342107cc25c5d73a364f7b117708d77c826b6d01b178cda
https://snowtrace.io/tx/0xd280f22da697779e7b28690327e117a4d8d344df5d7829e97dcddf1074f130eb
https://arbiscan.io/tx/0xa193821c30ed2c671b332caef9e217ad2812b7ac7e6901568bc751aaf48f85c4
https://arbiscan.io/tx/0x5983968bdffcebaecc1ca56aece3d21767086959ffa883df21c00c378caa9cef
https://arbiscan.io/tx/0x141119aab391ca22e1f93fb66bfea80f03f5c028032b4292f36a4ead0eecb125

Conclusion

The substantial financial losses recorded in August 2023 underscore the critical need for enhanced risk management and vigilance when interacting with the Decentralized Finance (DeFi) landscape. It is incumbent upon investors to acquaint themselves with potential vulnerabilities and to strategize effectively to secure their investments. At De.Fi, we understand the pivotal role that guidance and support play in traversing the complex and evolving DeFi ecosystem. As such, we remain devoted to equipping our users with useful resources and data to empower informed investment decisions in the field.

About De.Fi

De.Fi is an all-in-one Web3 Super App featuring an Asset Management Dashboard, Opportunity Explorer, and home of the world’s first Crypto Antivirus powered by the largest compilation of hacks and exploits, the Rekt Database. Trusted by 600K users globally, De.Fi aims to drive DeFi adoption by making the self-custody transition as simple and secure as possible. Backed by Okx, Huobi, former Coinbase M&A, and used by large companies worldwide, including University College London and Coingecko.
