Report: $2.4B+ Lost in DeFi Exploits and Scams in 2021

Introduction

2021 has been an exciting year for the DeFi space and the cryptocurrency ecosystems it is built upon. Not only have we seen an explosive increase in the amount of funds now in DeFi, from approximately $19 Billion to $258 Billion, but we’ve also seen the largest coins by market cap experience huge price rallies, such as BTC to $69k and ETH to $4.8k.

The Ethereum and wider EVM ecosystem has seen an equally exciting wave of new technology, with layer 2 solutions such as Polygon, Optimism and Arbitrum rapidly gaining traction, and new EVM-compatible chains such as Avalanche's C-Chain and Fantom attracting users and capital at speed.

The rise of NFTs and GameFi has also not gone unnoticed, with art selling for millions if not hundreds of millions of dollars, major brands getting involved and play-to-earn game tokens reaching billions in market cap.

This rapid and largely uncontrolled growth of DeFi does come with a downside, however: the amount of funds lost to scammers, exploiters and hackers has grown sharply with it.

With more and more money moving into DeFi, scammers abuse users' FOMO (Fear Of Missing Out) with deceptive marketing and obscure documentation, while hackers abuse vulnerabilities in new dapps to steal as much as they can. Dapps are an even more appealing target than web 2.0 applications because of the ease with which an attacker can remain anonymous while draining and laundering funds.

The chart above demonstrates the massive increase in usage of TornadoCash in 2021, one of the most popular mixer protocols on Ethereum. Mixers break the on-chain link between the depositing and withdrawing addresses; the anonymity they provide is not perfect, but it makes tracing an exploiter's funds considerably harder.

An Overview of Losses

De.Fi's Research Lab has developed our very own Rekt Database, which has been picked up by major news outlets such as Investing.com and Yahoo Finance. Our database makes it easy to get a comprehensive view of all the scams, hacks and exploits that have taken place in 2021. In total, these amount to over $2.5 Billion in funds lost, even after accounting for funds that were returned in good faith.

The following are some charts on data compiled by our team that depict these unfortunate REKT events of 2021:

While it makes sense that Ethereum would be the largest share of the above chart, given its market cap and ecosystem size compared with other chains, the amount lost on Binance Smart Chain and Polygon is quite worrying. Because of these chains' low fees and/or affiliation with popular exchanges, many users new to DeFi are likely to find their way there first, leading to a disproportionate share of scams and exploits.

When taking into account the difference in current TVL between Ethereum and the other chains displayed above, we see the following:

  • Polygon had a 420% higher rate of funds lost.
  • Binance Smart Chain had a 370% higher rate of funds lost.
  • Avalanche had a 52% lower rate of funds lost.
  • Fantom had 40% lower rate of funds lost.

A significant spike in scam and exploit activity can be seen in August and September of 2021. The market had suffered a major downturn in the preceding months and was just regaining strength, a recovery that ultimately led to new all-time highs for many coins and tokens in the following weeks and months.

This meant a lot of new money finding its way into the market, as well as many new projects wanting to launch during the long-awaited period of bullishness.

The amount of funds stolen during this period tells a slightly different story. We observe the same peak in August of 2021, but a much better outcome in September: even though the number of exploits was extremely high, the protocols affected were either better protected or the scammers and exploiters were targeting smaller fish.

In a number of exploits, protocols were able to convince attackers to return a portion of, if not all, the stolen funds. As can clearly be seen above, this was not the majority of cases. Regardless, it is comforting to know such cases exist, even if the main motivation for most attackers is avoiding criminal prosecution for the rest of their lives.

Common Attack Vectors

From this large dataset of scams and exploits in DeFi, we can clearly observe trends in the types of attacks conducted in 2021. The breakdown by type is as follows:

  • Exit Scam (Rugpulls) — 304 Cases
  • Honeypot — 182 Cases
  • Platform-Specific Exploit — 91 Cases
  • Flash Loan — 25 Cases
  • Access Control — 19 Cases
  • Abandoned Project — 6 Cases
  • Bank Run — 1 Case

It makes sense that exit scams top the list for 2021, since they require the least technical skill of any attack vector here. This highlights the need to research a project before investing in it, as exit scams are by far the most common type of scam.

Even though exit scams are the most common, we can see above that by far the most funds were stolen through platform-specific exploits. In other words, large, trusted platforms were targeted precisely because of the large amount of funds they held.

Largest Incidents

The following is a list of the top 10 incidents in 2021, taken from De.Fi's Rekt Database, ranked by the amount of funds compromised:

1. Poly Network (August 10, $602M)

The largest incident in 2021 was Poly Network's, which had its CrossChainManager contract exploited, resulting in funds being drained from multiple chains. Fortunately, all funds were returned after this event.

2. Vulcan Forged (December 12, $140M)

Next on the list is Vulcan Forged, a protocol that held private keys on behalf of users who created new wallets through it. Those keys were leaked, and the 96 affected wallets were drained of all funds.

3. Boy X Highspeed (October 30, $139M)

At Boy X Highspeed, an administrative private key was leaked, and the attacker used it to drain a massive amount of funds from the project's many liquidity pools.

4. Cream Finance (October 27, $130M)

A classic flash loan exploit: the attacker used borrowed capital to manipulate the oracle price of the asset in one of Cream Finance's low-TVL vaults, and with the inflated valuation was able to take a large amount of funds out of the protocol.
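
The pattern described above, as an added worked example (not code from De.Fi or Cream Finance): a toy constant-product AMM pool is used as the price oracle for a toy lending market. The attacker holds a small amount of real collateral, flash-borrows stablecoins to pump the collateral token's pool price within a single transaction, borrows against the inflated valuation, unwinds the swap and repays the loan. The same attack is run against a spot-price oracle and against a time-weighted average (TWAP) oracle that only records prices at block boundaries. All reserves, prices and loan sizes are constructed.

```python
"""Flash-loan manipulation of a spot-price oracle versus a TWAP oracle.

Added example; every number below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product AMM (reserve_a * reserve_usd = k). Swap fees are ignored."""

    reserve_a: float    # collateral token A
    reserve_usd: float  # stablecoin

    def spot_price(self) -> float:
        """USD price of one A, read straight from the current reserves."""
        return self.reserve_usd / self.reserve_a

    def buy_a(self, usd_in: float) -> float:
        """Swap USD into the pool; returns the A received."""
        k = self.reserve_a * self.reserve_usd
        new_a = k / (self.reserve_usd + usd_in)
        out = self.reserve_a - new_a
        self.reserve_usd += usd_in
        self.reserve_a = new_a
        return out

    def sell_a(self, a_in: float) -> float:
        """Swap A into the pool; returns the USD received."""
        k = self.reserve_a * self.reserve_usd
        new_usd = k / (self.reserve_a + a_in)
        out = self.reserve_usd - new_usd
        self.reserve_a += a_in
        self.reserve_usd = new_usd
        return out


class TwapOracle:
    """Average of the pool price recorded at the end of the last `window` blocks.

    A swap inside the current block does not change the reading until the block
    closes, so a single-transaction flash loan cannot move it.
    """

    def __init__(self, pool: Pool, window: int):
        self.pool, self.window, self.observations = pool, window, []

    def record_block_end(self) -> None:
        self.observations = (self.observations + [self.pool.spot_price()])[-self.window:]

    def __call__(self) -> float:
        return sum(self.observations) / len(self.observations)


class LendingMarket:
    """Over-collateralised lending: borrow up to LTV * collateral value at the oracle price."""

    LTV = 0.75

    def __init__(self, oracle):
        self.oracle = oracle       # callable returning the USD price of A
        self.collateral_a = {}     # user -> A deposited
        self.debt_usd = {}         # user -> USD borrowed

    def deposit(self, user: str, amount_a: float) -> None:
        self.collateral_a[user] = self.collateral_a.get(user, 0.0) + amount_a

    def max_borrow(self, user: str) -> float:
        value = self.collateral_a.get(user, 0.0) * self.oracle()
        return value * self.LTV - self.debt_usd.get(user, 0.0)

    def borrow(self, user: str, usd: float) -> None:
        if usd > self.max_borrow(user):
            raise ValueError("insufficient collateral")
        self.debt_usd[user] = self.debt_usd.get(user, 0.0) + usd


def run_attack(oracle_kind: str, flash_loan_usd: float = 9_000_000.0) -> dict:
    """Attacker holds 10 A (worth $10k at the fair price) and pumps A with a flash loan."""
    pool = Pool(reserve_a=1_000.0, reserve_usd=1_000_000.0)   # fair price: $1,000 per A
    fair_price = pool.spot_price()
    if oracle_kind == "spot":
        oracle = pool.spot_price
    elif oracle_kind == "twap":
        oracle = TwapOracle(pool, window=10)
        for _ in range(10):                      # ten honest blocks before the attack
            oracle.record_block_end()
    else:
        raise ValueError(oracle_kind)

    market = LendingMarket(oracle)
    market.deposit("attacker", 10.0)

    # --- everything below happens inside one transaction ---
    bought_a = pool.buy_a(flash_loan_usd)        # 1. pump: buy A with the flash loan
    price_seen = oracle()                        # 2. what the market now believes A is worth
    borrowed = market.max_borrow("attacker")
    market.borrow("attacker", borrowed)          # 3. borrow against the inflated collateral
    usd_back = pool.sell_a(bought_a)             # 4. unwind the swap
    if usd_back < flash_loan_usd:
        raise RuntimeError("flash loan cannot be repaid; the transaction would revert")
    # --- end of transaction: the attacker walks away from the position ---

    forfeited = 10.0 * fair_price                # collateral left behind, at fair value
    return {
        "oracle_price_seen": price_seen,
        "borrowed": borrowed,
        "protocol_bad_debt": max(0.0, borrowed - forfeited),
        "attacker_profit": borrowed - forfeited + (usd_back - flash_loan_usd),
    }


if __name__ == "__main__":
    for kind in ("spot", "twap"):
        print(kind, run_attack(kind))
```

With the spot oracle the $9M flash loan moves the pool price from $1,000 to $100,000 for the duration of the transaction, so $10k of collateral supports a $750k borrow and the protocol is left with $740k of bad debt; with the TWAP oracle the reading stays at $1,000 and the attack is unprofitable. In practice manipulation-resistant oracles (TWAPs, multi-source feeds, or caps on how far a reading can move per block) are the standard defence against this class of attack.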

5. BadgerDAO (December 2, $120M)

BadgerDAO's front-end was compromised and used to make users approve the attacker's wallet address as a spender of their tokens. Once enough victims had granted the malicious approval, the attacker drained all funds from those users.

6. Venus (May 18, $77M)

Due to many issues with Venus' price oracles on a day of high market volatility, mass unexpected liquidations occurred, leaving some in profit and many others with much emptier wallets.

7. Compound Labs (September 30, $71M)

An unfortunate bug in the execution of Proposal 62 resulted in many users receiving far more COMP tokens than they should have from the change in reward distribution percentages. Despite pleas to return the funds, the majority of users held on to their newly acquired fortune.

8. AnubisDAO (October 29, $60M)

After a quite successful fundraising event, all funds were transferred to the AnubisDAO owner’s wallet and they were never heard from again. Classic exit scam.

9. EasyFi (April 19, $59M)

As with our 3rd entry on this list, an administrative key was compromised, allowing an attacker to drain EasyFi's liquidity pools as well as a large amount of EASY tokens.

10. Uranium Finance (April 28, $57M)

A bug in Uranium Finance's pool contracts allowed an attacker to withdraw almost all tokens through swaps, leading to the project being abandoned shortly after.

It is important to keep in mind that even if a project has had an audit performed by an external auditing firm, that is by no means a guarantee that its contracts are safe. For example:

  • The audit may cover only a small portion of the project’s smart contracts.
  • If the audit was done prior to the contract’s launch, it might be the case that the deployed contract is not the exact same as the one audited.
  • Different auditors have different lists of vulnerabilities they check for, meaning some may not be detected and thus security risks left unnoticed.
  • Regardless of how safe a contract is to external users, insiders, admins, owners, etc. can always exploit their contracts for personal gain if there are no measures in place to prevent this.

The chart above displays the auditing firms whose portfolios contain projects affected by security breaches in 2021, together with the number of affected projects for each. Keep in mind that the contract exploited may not have been part of the audit scope for any given project.

How Does CeFi Compare?

The world of centralized finance in terms of cryptocurrency is very appealing to newcomers to the space, as well as institutions without proper infrastructure to manage their own funds in private wallets. Surely these centralized infrastructures are safer than the bleeding-edge decentralized technologies, right? Turns out that’s not really the case:

2021 has seen some major breaches in popular centralized finance platforms, as well as a major exit scam: Africrypt. The amount of funds lost in CeFi eclipses that of DeFi this year, by approximately $1.5B. Some CeFi companies of very high regard, such as Fireblocks and Circle, have seen significant losses this year, mostly through incredibly alarming lapses in security.

Top 10 Safety Tips

Our team at De.Fi compiled a quick list of simple yet effective tips to help you keep safe in the wild world of DeFi in 2022 and beyond:

  • Keep your private keys and seed phrases somewhere safe, offline. Your phone can be stolen, your email can be compromised; that hidden safe or crack in the wall only you know about is a much better place to hide the access to your wallets.
  • Always do your own research on any project you intend to invest or allocate funds into. Never take someone else's word for it; it is your money, not theirs. A quick way to find audits and view the risk status of various projects is through De.Fi's Audit Database.
  • Check for unverified smart contracts and private code repositories. If a project has both — stay far, far away.
  • Check if a project has partially or fully doxxed team members. This means having their identities known and public. If this is the case, it is much less likely to lead to an exit scam or other internal exploits.
  • Discussing aspects of a project with members of the team and/or users can help you get a feel for what the project is like. Ask questions about audits, tokenomics or anything else on Twitter, Discord, Telegram, etc. and watch out for any red flags.
  • Check for previous project exploits — relevant details include if the project fixed the past vulnerabilities, has any insurance mechanisms, a bug bounty program, or if funds lost in the past were refunded back to users.
  • Always double-check a forked project's code. Just because a project advertises that it is a fork of a popular dapp does not mean the code has no glaring differences from the original.
  • Be skeptical of social media influencers. Most likely their content is paid for, or they would post anything to achieve more views. Reading a project's documentation and doing your own research will always net you better results. If video content is what you're looking for, project reviews or interviews with projects' founders are a much better way to acquire the information you need. De.Fi's YouTube channel can be a great place to find some of those.
  • Keep track of your token approvals. Revoking approvals you no longer need is a great way to increase the security of your wallet. One tool that makes this easy is De.Fi's Approvals Checker.
  • Check smart contracts for known vulnerabilities. This process will be made much easier when we launch our very own Scanner; coming soon!
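
The BadgerDAO incident above and the token-approval tip come down to the same primitive: an ERC-20 `approve(spender, amount)` (or ERC-721 `setApprovalForAll(operator, true)`) call that lets the spender move your tokens at any later time. The following is an added example, not De.Fi's or BadgerDAO's code, of the check a wallet user would want before signing such a transaction: it decodes the raw calldata, flags unlimited allowances and spenders you do not recognise, and shows that revocation is simply `approve(spender, 0)`. The `ROUTER` and `ATTACKER` addresses are constructed; the two function selectors are the standard ones for these ERC-20/ERC-721 methods.

```python
"""Inspect an ERC-20 / ERC-721 approval transaction before signing it.

Added example; the spender addresses are constructed placeholders.
"""
APPROVE = bytes.fromhex("095ea7b3")               # selector of approve(address,uint256)
SET_APPROVAL_FOR_ALL = bytes.fromhex("a22cb465")  # selector of setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1

ROUTER = "0x" + "11" * 20     # constructed: a dapp contract the user knows and trusts
ATTACKER = "0x" + "ab" * 20   # constructed: address injected by a malicious front-end


def encode_call(selector: bytes, spender: str, value: int) -> str:
    """ABI-encode selector(address, uint256/bool): each argument is one 32-byte word."""
    addr = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + (selector + addr + value.to_bytes(32, "big")).hex()


def decode_approval(calldata: str) -> dict:
    """Decode approve/setApprovalForAll calldata into method, spender and scope."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) != 4 + 2 * 32:
        raise ValueError("unexpected calldata length for a two-argument call")
    selector, words = data[:4], data[4:]
    spender = "0x" + words[12:32].hex()          # address = low 20 bytes of word 0
    value = int.from_bytes(words[32:64], "big")  # word 1: amount (approve) or bool flag
    if selector == APPROVE:
        return {"method": "approve", "spender": spender,
                "amount": value, "unlimited": value == UINT256_MAX}
    if selector == SET_APPROVAL_FOR_ALL:
        # true grants control over every token of the collection, present and future
        return {"method": "setApprovalForAll", "spender": spender,
                "amount": None, "unlimited": value != 0}
    raise ValueError(f"not an approval call: selector 0x{selector.hex()}")


def assess(calldata: str, trusted_spenders: set) -> list:
    """Return human-readable warnings; an empty list means nothing suspicious."""
    info = decode_approval(calldata)
    if info["method"] == "approve" and info["amount"] == 0:
        return []  # revocation: this is how stale approvals are cleaned up
    if info["method"] == "setApprovalForAll" and not info["unlimited"]:
        return []  # setApprovalForAll(spender, false) is likewise a revocation
    warnings = []
    if info["spender"].lower() not in {s.lower() for s in trusted_spenders}:
        warnings.append(f"spender {info['spender']} is not a contract you recognise")
    if info["unlimited"]:
        warnings.append("unlimited scope: spender can move any balance you hold now or acquire later")
    return warnings


if __name__ == "__main__":
    samples = {
        "normal swap approval": encode_call(APPROVE, ROUTER, 10**18),
        "malicious unlimited approval": encode_call(APPROVE, ATTACKER, UINT256_MAX),
        "NFT operator approval": encode_call(SET_APPROVAL_FOR_ALL, ATTACKER, 1),
        "revocation": encode_call(APPROVE, ATTACKER, 0),
    }
    for label, calldata in samples.items():
        print(f"{label}: {assess(calldata, {ROUTER}) or 'ok'}")
```

A front-end compromise of the BadgerDAO kind works because the transaction the wallet asks you to sign looks like any other approval; decoding the spender and amount, rather than trusting the dapp's description of the transaction, is the only check that catches it. The same decoder applied to your historical transactions is what an approvals checker does when it lists which contracts can still spend your tokens.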

As DeFi grows, it is increasingly important for us to be knowledgeable and aware of all the risks that come with this new revolutionary financial ecosystem. In order to push it into the mainstream, we need to ensure new users are not fearful of the industry, and thus a lot of work needs to be done to turn it into the safe haven of decentralized finances that we all want it to become.

2021 was an amazing year of major innovation in the space, and we hope 2022 continues to push our standards of security and transparency further than ever before.

We at De.Fi wish you all safe investments and a happy 2022!
