In November 2023, the DeFi industry experienced significant setbacks, with a total loss of $331,935,737. This figure, while lower than the $3.87 billion lost in November 2022, still illustrates ongoing vulnerabilities and challenges within the DeFi ecosystem. In our usual fashion, this article will provide an analysis of the incidents, highlighting key trends and the distribution of losses across different chains and types of exploits.
Lower Losses compared to 2022
November 2023’s losses, although substantial, show a decrease compared to the same month in the previous year. In 2022, the DeFi sector witnessed a loss of $3.87 billion, with only a marginal recovery of $204,800. At that time the industry saw significant losses, punctuated by FTX’s bankruptcy, which in turn affected Genesis, BlockFi and more.
In contrast, November 2023 saw a slightly better recovery rate, with $264,000 recouped, despite the lower total loss.
Breakdown by Chain
The distribution of losses in November 2023 shows which chains malicious actors targeted. Ethereum was the most affected, with 18 cases amounting to $283,444,335 in losses. The BNB Chain followed, experiencing twenty incidents totaling $2,898,974. Other chains, including Arbitrum and Base, also faced attacks, contributing to the total loss.
This distribution indicates that while Ethereum remains a prime target due to its prominence and high total value locked, other chains are not immune to similar threats.
In November 2023, the DeFi space witnessed a variety of exploit types.
Access Control Vulnerabilities
A key issue in November 2023 was the exploitation of Access Control mechanisms. Six incidents of this nature resulted in an overwhelming loss of $275,259,718. These events highlight the crucial need for more stringent access controls and thorough security audits in DeFi protocols. The high-value losses in these cases underscore the devastating impact that lapses in access control can have on the entire ecosystem.
Rugpulls continued to be a common tactic employed by malicious actors, with twenty-four instances causing a loss of $3,861,130. This type of exploit remains a significant concern, particularly in newer or less vetted projects. It underscores the ongoing need for rigorous due diligence and investor education. Platforms like De.Fi Scanner play a critical role in identifying potential risks associated with emerging tokens before investors commit their funds.
Phishing and Flash Loan Attacks
The DeFi space also saw phishing attacks and flash loan exploits. A single phishing incident led to a loss of $768,000, reinforcing the necessity for heightened awareness and preventative measures against such deceptive practices. Additionally, five flash loan attacks, a relatively new exploit method in DeFi, resulted in losses totaling $48,959,554. These incidents highlight the risky nature of DeFi tools.
Key Attack Vectors
Centralized Exchanges (CEX)
A major aspect of November’s attacks was exploits involving Centralized Exchanges (CEX). Altogether, these exchanges suffered two major incidents, resulting in a loss of $144,836,335, or close to half of the total amount lost in November. This significant figure points to the persistent vulnerabilities in even the more traditional aspects of the crypto market, emphasizing the need for enhanced security protocols in centralized systems.
Decentralized Exchanges (DEX) were not immune, with two severe incidents resulting in a loss of $46,725,428. These incidents highlight the inherent risks in DEX platforms, particularly around smart contract security and the need for more robust auditing practices. Here at De.Fi, we offer the De.Fi Scanner, which allows you to scan any smart contract for potential risks before actually interacting with it, greatly reducing the chances of losing your hard-earned money.
Borrowing and Lending Protocols
Borrowing and Lending protocols faced two separate attacks, leading to a total loss of $2,515,830, indicating a continuing trend of vulnerabilities within lending protocols, including flash loan attacks and price manipulation.
Stablecoins and Tokens
Stablecoins and Tokens also experienced several breaches. Two incidents in the stablecoin category resulted in losses of $594,440, while twenty-one incidents involving tokens led to losses of $2,915,657. These events continue to underscore the importance of vetting tokens before purchase; you can do this today with the De.Fi Scanner.
In November, Yield Aggregators emerged as a new vector for cyberattacks, as evidenced by recent incidents involving VelodromeFi and CarolProtocol. VelodromeFi suffered a frontend compromise, leading to a loss of approximately $42,000. Similarly, CarolProtocol, operating on the Base chain, was targeted in a flash loan attack resulting in a theft of over $53,000. The exploit was traced to a manipulation of the stake amount within the contract, where the calculation of user balances was influenced by Uniswap Pair balance and reserve numbers.
The ‘Other’ category, encompassing various types of DeFi projects, recorded six incidents with a cumulative loss of $47,740,417. This diversity in attacks underlines the broad range of vulnerabilities that can be exploited in the DeFi space.
Top 10 Exploits of November 2023
With the above overview in mind, let’s have a look at some of the largest losses in November 2023:
1. Poloniex Exchange Access Control Exploit – $123m
On November 10, an attacker breached the Poloniex exchange, resulting in a staggering loss of $122,981,391. Assets across Bitcoin, Ethereum, and Tron chains were compromised, later exchanged for native tokens and moved to new addresses. The owner, Justin Sun, offered a 5% bug bounty in a bid to recover the funds. Notably, market research platform X-explore suspects North Korea’s Lazarus Group as the perpetrators.
Ethereum Attacker Address: https://etherscan.io/address/0x0a5984f86200415894821bfefc1c1de036dbf9e7
2. Heco Bridge Access Control Exploit – $86m
The Heco Bridge was subject to an access control exploit on November 22, leading to a loss of $86,284,430. The breach involved a variety of assets including ETH, USDT, and HBTC. The attacker exploited compromised private keys to withdraw these funds.
The stolen funds were transferred to the hacker’s main address in several transactions and swapped for ETH in DEXes using multiple EOA addresses. The native ETH was then accumulated in another EOA and distributed among five addresses, where the funds remain as of November 23.
Malicious Transactions: https://etherscan.io/tx/0xbb6fe88427c2f3bc179075109d47a805dcfedab0e475eaca0d979311873e131b
3. KyberSwap Flashloan Exploit – $45m
On November 23, 2023, KyberSwap, a cross-chain DEX, was exploited in a flash loan attack that manipulated prices and ticks, leading to an approximate loss of $45 million across several chains. The attacker used a flash loan to deplete pools with low liquidity by executing swaps and strategic position changes. Multiple swap steps and cross-tick operations were initiated to induce double liquidity counting, effectively draining the pools. The attacker also sent an on-chain message, stating that negotiations would start once they were fully rested.
– Attacker: https://etherscan.io/address/0x50275E0B7261559cE1644014d4b78D4AA63BE836
– Malicious Transaction: https://etherscan.io/tx/0x485e08dc2b6a4b3aeadcb89c3d18a37666dc7d9424961a2091d6b3696792f0f3
– On-chain Message: https://etherscan.io/tx/0x7a8912583520304ce2364fa165dafe94461a91ab2dcf45dab942e296594dc40a
4. Binance User Account Compromise – $27m
On November 11, a Binance user lost $27,071,365 USDT and 11 ETH due to private key leakage. The attacker quickly exchanged the stolen USDT for ETH and distributed the funds across multiple addresses, including various exchange services.
Attacker Address: https://etherscan.io/address/0x03C401124DC8f1d04722EB00d4D925bd7d9F37E3
5. HTX Access Control Exploit
HTX, formerly known as Huobi, is a global cryptocurrency exchange that experienced an access control exploit on November 22, 2023. The attacker gained unauthorized access to several of HTX’s hot wallets and transferred funds to multiple addresses. The stolen funds, which included various tokens such as USDT, USDC, LINK, and ARIX, were exchanged for ETH and distributed among different addresses. The total loss amounted to 21,854,944 USD.
6. Onyx Protocol Flash Loan Attack – $2.1m
The Onyx Protocol was exploited on November 1 through a flash loan attack, resulting in a loss of $2,149,772 or 1,161.29 ETH.
The attacker took advantage of a critical vulnerability in CompoundV2 forks, which caused a known rounding issue. To execute the exploit, the attacker took out a substantial flash loan in ETH, swiftly converting it to PEPE tokens and contributing PEPE tokens to a specific pool. Due to precision loss, fewer shares were burned, enabling the withdrawal of assets.
Attacker Addresses: https://etherscan.io/address/0x085bDfF2C522e8637D4154039Db8746bb8642BfF
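Added example, not from the original article and not Onyx or Compound code: a toy integer model of the share-burn rounding described above, showing truncating division beside round-up division together with the share-price invariant a test suite can assert. The pool state and all function names are constructed for illustration.

```python
def burn_floor(amount, shares, assets):
    """Truncating division: any remainder is dropped in the withdrawer's favour."""
    return amount * shares // assets


def burn_ceil(amount, shares, assets):
    """Ceiling division: any remainder is charged to the withdrawer."""
    return -((-amount * shares) // assets)


def withdraw(state, holder_shares, amount, burn_fn):
    """Apply one withdrawal to state = (total_shares, total_assets).

    Returns (new_state, shares_burned); raises ValueError when rejected.
    A zero-share burn is refused so nothing can leave the pool for free.
    """
    shares, assets = state
    burn = burn_fn(amount, shares, assets)
    if burn == 0 or burn > holder_shares or amount > assets:
        raise ValueError("withdrawal rejected")
    return (shares - burn, assets - amount), burn


def price_held(before, after):
    """Invariant: assets per share must not fall for the remaining holders.

    Cross-multiplied so the comparison A'/S' >= A/S stays in integers.
    """
    (s0, a0), (s1, a1) = before, after
    return a1 * s0 >= a0 * s1


# Constructed state: very few shares outstanding against a large asset balance,
# so one share is worth about 1,000,000 units and rounding errors are large.
POOL = (2, 2_000_001)


def check(burn_fn, holder_shares=1, amount=1_999_999):
    """Run one withdrawal against POOL and report how the pool fared."""
    try:
        after, burn = withdraw(POOL, holder_shares, amount, burn_fn)
    except ValueError:
        return "rejected"
    if price_held(POOL, after):
        return "ok"
    return f"invariant broken: burned {burn} share(s) for {amount}"


if __name__ == "__main__":
    print("floor:", check(burn_floor))  # holder of 1 share asks for ~2 shares' worth
    print("ceil: ", check(burn_ceil))
```

Asserting `price_held` after every withdrawal in a fuzz or property test catches rounding that favours the caller, whatever the cause.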
7. Unknown MEV Bot Exploit – $1.9m
An MEV bot was exploited on November 7, leading to a loss of $1,974,350 or 1,047.16 WETH. The bot, which typically identifies profitable trading opportunities, was manipulated to perform large swaps in Curve pools.
Attacker Address: https://etherscan.io/address/0x46d9B3dFbc163465ca9E306487CbA60bC438F5a2
8. Fake Ledger Live Web3 Phishing – $768k
A fake wallet app, Ledger Live Web3, published on the Microsoft Store on November 5, scammed users out of $768,000 in BTC and ETH. This phishing exploit targeted users’ private keys, redirecting stolen funds to the attacker’s addresses.
Scammer Address: https://etherscan.io/address/0x089Ecf0703B8E85183F29725f87da40AE488b7B9
9. SAI Token Rug Pull – $751k
On November 23, the deployer performed an exit scam by dumping liquidity from the LP pool in two large transactions, selling a significant number of tokens worth 1,753,202 USD. On November 9, 2023, the deployer added 999,962 USDT as liquidity, so the net user loss is 751,627 USDT.
Deployer Address: https://bscscan.com/address/0x7dFeBF01aA57F48B78721E24A72182e18BcEBA2A
10. Custom Lending Pool Approval Exploit – $366k
A custom lending pool running on the Binance Smart Chain was exploited on November 12, 2023, due to an approval issue in the smart contract. The attacker was able to drain approved funds from the victim contract, totaling 366,058 USDT.
The stolen funds were bridged to the Ethereum mainnet via Stargate Bridge and swapped for DAI and WETH. These funds were then deposited into Railgun Relay, a private wallet on the Ethereum network.
Attacker Address: https://bscscan.com/address/0x69e068eb917115ed103278b812ec7541f021cea0
The November 2023 losses in the DeFi sector highlight the ongoing challenges and the need for continued vigilance and enhanced security measures. While there has been some progress in recovery efforts compared to the previous year, the magnitude of losses indicates that the industry still has significant ground to cover in terms of safeguarding assets and building investor confidence. It is essential for investors to stay informed and cautious, and for DeFi platforms to prioritize security to mitigate such risks.
De.Fi is a pioneering Web3 Super App, featuring all-in-one Asset Management Dashboard, Social Profiles, Opportunity Explorer, and the world’s first Crypto Antivirus. With a trusted user base of 1.5M globally, De.Fi is committed to driving DeFi adoption by simplifying and securing the self-custody transition. The platform is endorsed by prominent partners, including OKX and Huobi, supported by former Coinbase M&A expertise, and trusted by leading institutions such as University College London and Coingecko.