
Here is an overview of the high-profile hacks that occurred in the global DeFi space during the month of December 2022.
Hacks in December
- Helio
December 2, 2022: Helio Money was hacked for 19 million due to the previous vulnerabilities from Ankr Protocol. A hacker bought large amounts of depegged aBNB from PancakeSwap and borrowed HAY using aBNB as collateral, profiting 15.5M. Another user profited from a similar method, approximately 3.5M.
Root cause: Oracle Manipulation
Loss: approx. $19M
Reference: Online News
Claimable event: No
- Ankr
December 2, 2022: Ankr Protocol was exploited by an ex-employee through a private key leakage. With the deployer key stolen, the hacker was able to mint a total of 60 trillion aBNBc which was swapped to BNB tokens worth 5 million USDC
Root cause: Private Key Leakage
Loss: $5M
Reference: Twitter Announcement by Ankr
Claimable event: No
- Lodestar Finance
December 11, 2022: Arbitrum-based lending protocol Lodestar Finance was exploited in a flash loan attack. The attacker manipulated the price of PlutusDAO’s plvGLP token, allowing him to drain lending pools for a profit of approximately 6.5 million.
Root cause: Price Manipulation/Economic Attack
Loss: approx. $6.5M
Reference: Twitter Announcement by Lodestar Finance
Claimable event: No
- Polynomial Protocol
December 12, 2022: Polynomial Protocol was hacked due to a flaw in its deposit contract. The swapAndDeposit () function had no restrictions on its input, which resulted in the theft of contract-approved tokens.
Root cause: Smart Contract Vulnerability
Loss: approx. $7K
Reference: Twitter Announcement by Polynomial Protocol
Claimable event: Yes (Smart Contract Cover)
- Elastic Swap
December 13, 2022: Elastic Swap was hacked due to a price manipulation attack. The calculation methods for adding and removing liquidity from contracts was flawed which allowed the attacker to drain liquidity for profit.
Root cause: Smart Contract Vulnerability
Loss: $850K
Reference: Analysis by QuillAudits
Claimable event: Yes (Smart Contract Cover)
- NimbusPlatform
December 14, 2022: NimbusPlatform was attacked due to a flaw in the calculation of its rewards. It only depends on the number of tokens in the pool, which opened up an opportunities for flash loans to obtain more rewards than expected.
Root cause: Smart Contract Vulnerability
Loss: 278 BNB
Reference: Analysis By Slowmist
Claimable event: Yes (Smart Contract Cover)
- Raydium
December 16, 2022: Raydium, a Solana-based AMM lost approximately $4.4M from its liquidity pools. The private key for the pool owner account was compromised which allowed the attacker to drain accumulated protocol fees.
Root cause: Private Key Leakage
Loss: approx. 4.4M
Reference: Twitter Announcement by Pando
Claimable event: No
- Bored Apes
December 17, 2022: A scammer stole 14 Bored Apes from an individual through an elaborate plan which involved posing as a casting director wanting to use those NFTs for an animation. The vicitim was asked to sign a contract which required his crypto wallet. Upon doing so, the smart contract emptied all his NFTs and sold them for over $1 million.
Root cause: Phishing Attack
Loss: approx. 1M
Reference: Analysis by QuillAudits
Claimable event: No
- mgnr
December 19, 2022: mgnr, a quantitative trading company was rug pulled, with the deletion of all tweets and emptying of its wallet. The address mgnr.eth transferred 43.6 million USDC to Coinbase and 8 million USDC to the Genesis Trading address.
Root cause: Rug Pull
Loss: 52M
Reference: Analysis by QuillAudits
Claimable event: No
- Defrost Finance V2
December 23, 2022: Defrost Finance V2 was hit with a flash loan attack. The hacker manipulated the the LSWUSDC share price for a profit for almost $173,000
Root cause: Economic Attack
Loss: $173K
Reference: Twitter Announcement by Defrost Finance
Claimable event: No
- Defrost Finance V1
December 25, 2022: Defrost Finance V1 was also compromised through the addition of fake collateral tokens. Fake collateral tokens were minted and malicious price oracles was used to liquidate current users. Stolen funds have since been returned according to Defrost’s team.
Root cause: Private Key Leakage
Loss: approx. $12M
Reference: Twitter Announcement by Defrost Finance
Claimable event: No
- Rubic
December 25, 2022: The multi-chain exchange protocol Rubic was hacked due to vulnerability in its contracts. The attacker was allowed to create a custom smart contract that could pass malicious input, resulting in unintended behaviour. The attacker has since transferred 1,100 ETH to the Tornado Cash mixing protocol.
Root cause: Smart Contract Vulnerability
Loss: 1.4M
Reference: Online News
Claimable event: Yes (Smart Contract Cover)
- BitKeep
December 26, 2022: BitKeep wallets were hacked through the download of a malicious APK file. The attacker created mulitple fake sites that recommended users to update their wallet apps by downloading the APK file. Their seed phrases were stolen and stolen funds were transferred through 5 other wallets.
Root cause: Phishing
Loss: approx. 77K
Reference: Online News
Claimable event: No
- Dictum Exchange
December 31, 2022: Dictum Exchange was compromised through a rug pull disguised as an airdrop. Liquidity pools were rugged and users have been removing liquidity since the announcement.
Root cause: Rug Pull
Loss: Unknown
Reference: Twitter Announcement
Claimable event: No
- Luke Dashjr
December 31, 2022: One of Bitcoin’s core developer Luke Dashjr has claimed that his wallet was hacked due to a PGP key compromise. Luke’s wallet had multiple ongoing transactions, totalling to approximately 200 BTC.
Root cause: Private Key Leakage
Loss: approx. $3.3M
Reference: Online News
Claimable event: No
The crypto industry has generated a lot of excitement; however, there are a lot of risks attached. Security incidents occur from time to time, all users should enhance their own security awareness to avoid serious losses.
InsurAce.io currently offer insurance protections for:
- Smart contract vulnerability risk: the smart contract of the covered protocol gets hacked;
- Custodian risk: the custodian gets hacked where the user loses more than 10% of their funds, and/or withdrawals from the custodian are halted for more than 90 days;
- Stablecoin De-Peg risk: the stablecoin moves significantly below its pegged price
For details on the coverage and exclusions for each cover, kindly read Cover Wording here.
🛡 Get your investment funds protected with InsurAce.io: Buy Cover