Scam Surge: The Top 10+ Vectors of DeFi Attacks


As the DeFi ecosystem expands, hackers and scammers are growing more sophisticated and devising new attack methods. Yet some time-tested schemes unfortunately remain relevant in 2023 as well. ForkLog revisits these persistently problematic areas of decentralized finance and the methods to counter them.

Flash Loans

When carrying out attacks using flash loans, criminals exploit the ability to borrow assets instantly. This option, available in a number of DeFi protocols, allows assets to be borrowed without collateral. Attackers borrow funds, manipulate the market and repay the loan within a single transaction, pocketing profits from price differences.

In April 2023, a flash loan attack hit the 0VIX protocol, and an unknown actor withdrew various assets worth more than $2 million. Analysts determined that the price manipulation was possible thanks to vulnerabilities in the GHST oracle.

In May, attackers hit the Jimbos Protocol. They took out a flash loan, used it to manipulate the price of the protocol’s own token, and then drained its liquidity pools.

Read more about the strengths and weaknesses of flash loans here.

Reentrancy Attack

In this type of exploit, hackers repeatedly call a vulnerable contract before the previous execution finishes. In the Cream Finance exploit, for example, the attackers followed these steps:

  • took out a flash loan of 500 ETH;
  • used this amount as collateral to borrow 19 million AMP tokens;
  • used the reentrancy vulnerability to borrow 355 ETH during a token transfer;
  • self-liquidated the loan.

The hackers carried out 17 transactions in this way. The platform’s losses amounted to more than $18 million.

Reentrancy exploits gained wide notoriety in 2016, when attackers drained $70 million worth of Ethereum from The DAO fund. The same type of attack was used in the recent breach of the DEX Curve Finance.

Front-running

This tactic entails manipulating the order of transactions in the mempool to profit from price changes before they are executed. Those who resort to front-running monitor large pending transactions and quickly include their trades in a block, gaining priority in execution. A large order from Trader A pushes the price up; Trader B buys at a lower price and sells at a higher price, extracting profit for themselves.

In April, similar actions by fraudulent validators caused traders losses totaling about $25.4 million.

A related issue is MEV. This is the practice used by miners and stakers to extract extra profit by exploiting information about forthcoming transactions. Attackers can manipulate the order of operations to gain an unfair advantage and exploit price differences.

In the spring of this year, more than 30 Ethereum projects introduced the MEV Blocker tool, designed to protect users from such manipulation and from “sandwich attacks.” Read about how this vulnerability arose in DeFi in an article by Alex Kondratyuk.

Oracle Manipulation

To obtain price information, DeFi protocols rely on external data sources known as oracles. Oracle manipulation means exploiting vulnerabilities in these sources so that they supply false data.

This is a very common exploit. In July, the Conic Finance protocol was hacked and 1700 ETH (~$3.26 million at the time of the attack) were withdrawn from it. Earlier in the same month, Rodeo Finance on the Arbitrum network was subjected to a similar exploit. The damage amounted to 810.1 ETH (~$1.5 million).

For details on which oracle vulnerabilities criminals exploit, read an article by Vladimir Menaskop.
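
Why a price read from a single pool is fragile, and how a consumer can refuse a distorted reading, is sketched below. This is an added example, not code from the article or any protocol it mentions; it assumes a fee-free constant-product pool with constructed reserves, and uses a time-weighted average price (TWAP) with a 5% deviation bound as the mitigation, neither of which is named in the article.

```python
def spot_price(reserve_token, reserve_usd):
    """Instantaneous price implied by a constant-product pool's reserves."""
    return reserve_usd / reserve_token


def swap_usd_in(reserve_token, reserve_usd, usd_in):
    """Fee-free x*y=k swap of usd_in into the pool; returns new reserves."""
    k = reserve_token * reserve_usd
    new_usd = reserve_usd + usd_in
    return k / new_usd, new_usd


def twap(observations):
    """Time-weighted average of (price, seconds_in_effect) observations."""
    total = sum(seconds for _, seconds in observations)
    return sum(price * seconds for price, seconds in observations) / total


def checked_price(spot, reference, max_deviation=0.05):
    """Return spot only if it lies within max_deviation of the reference."""
    if abs(spot - reference) / reference > max_deviation:
        raise ValueError(f"spot {spot:.2f} vs reference {reference:.2f}")
    return spot


def demo():
    """Constructed scenario: one large swap inside a single block."""
    token, usd = 1_000.0, 100_000.0           # assumed pool reserves
    before = spot_price(token, usd)
    token, usd = swap_usd_in(token, usd, 100_000.0)
    after = spot_price(token, usd)
    # 30 minutes at the old price, 12 seconds at the distorted one
    reference = twap([(before, 1800), (after, 12)])
    try:
        checked_price(after, reference)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, round(reference, 2), rejected
```

A single swap quadruples the spot price, but the time-weighted reference barely moves, so the guard rejects the reading instead of passing it to lending or liquidation logic.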

Governance System Flaws

Attackers exploit various vulnerabilities to change rules, redirect funds or perform other malicious actions. In particular, they may accumulate governance tokens or exploit loopholes to alter protocol parameters and decisions, leading to financial losses.

Governance-token exploits take advantage of weaknesses in delegation mechanisms. Attackers can manipulate the distribution of tokens, create artificial voting power, or influence governance decisions in their favour.

Vitalik Buterin, in the article “Governance: Not Just a Token Vote,” also notes that one of the threats to decentralized autonomous organisations is the risk of corruption within the community. According to the Ethereum founder, when governance rules are poorly written, the human factor allows attackers to manipulate even the most well-intentioned community members.

Read about how to structure the legal wrapper of a DAO in an article by DAObox co-founder Sergey Ostrovsky, and listen to the ForkLog podcast DAO Politics.

Cross-Chain Attacks

Hackers may exploit vulnerabilities in cross-chain bridges, which enable assets to move between different blockchains. Attackers manipulate transactions, steal assets or exploit cross-network discrepancies for their own benefit.

According to a Beosin report, in 2022 there were 12 attacks on cross-chain bridges. Losses from these hacks amounted to $1.89 billion, more than half of all crypto-industry losses in that period.

For more on how cross-chain bridges are broken, listen to the dedicated episode of the ForkLog podcast “Pirates and Corporations.”

Sybil Attack

A Sybil attack involves creating a large number of fake identities or accounts to gain control over the protocol. This allows attackers to manipulate voting systems, consensus mechanisms or other governance processes.

This strategy is regularly used by unscrupulous airdrop hunters. Major platforms are currently trying to curb such behaviour by excluding these opportunists from airdrops. However, that is not always successful. Analysts estimate that up to 20% of the Arbitrum airdrop went to hackers who used a Sybil attack.

Liquidity Pool Manipulations

These schemes involve exploiting vulnerabilities in liquidity pools on decentralized exchanges to manipulate prices, execute profitable trades or withdraw funds. Attackers can use flash loans, complex trading strategies or pool imbalances to their advantage.

A recent example is the April attack on the Allbridge cross-chain bridge. According to PeckShield analysts, an unknown actor manipulated the swap price to drain tokens from a pool on the BNB Chain network. The attack was possible due to an error in the liquidity calculation formula and the public nature of the smart-contract code base.

This category also includes deliberate impermanent losses. They occur when liquidity providers lose funds due to price imbalances between the provided assets.

A liquidity crunch can be deliberate or inadvertent, caused by market manipulation, FUD or technical faults.

Scam Projects

As in traditional finance, the DeFi ecosystem hosts many projects created solely to deceive users. These scams often involve fake teams, false promises or misleading information, leading to substantial losses for inexperienced investors. In addition, attackers frequently issue fake stablecoins or uncollateralised tokens.

In the most sophisticated cases, criminals imitate active project activity, for example by creating a functioning app. A common exit scam is the rug pull, where the project team suddenly stops work and withdraws all investor funds, leaving investors with devalued tokens.

News of such frauds arrives regularly. For example, on August 16 it emerged that a rug pull was carried out by SwirlLend protocol developers, who stole around $460,000 in client deposits.

These incidents are a constant reminder of the risks of DeFi investment and the importance of thorough due diligence before participating in any project that requires funds.

Pump & Dump

“Pump and dump” schemes involve artificially inflating a token’s price through coordinated buying, creating investor hype, and then quickly selling the asset. Investors are left with devalued tokens.

According to Chainalysis, in 2022 investors poured about $4.6 billion into assets believed to be part of Pump & Dump schemes. Analysts concluded that on the BNB Smart Chain and Ethereum networks, more than 9,900 tokens launched last year were created solely for pumping and dumping.

Malicious Wallets and Phishing

These tools are used to steal private keys, seed phrases or user credentials. Attackers create fake wallet apps or sites that resemble legitimate platforms, tricking users into revealing confidential information.

Victims are typically large platforms with recognizable brands and their users. For example, in autumn 2022 Binance CEO Changpeng Zhao noted that Google labels links to fake crypto-exchange sites as ads. The exchange chief warned that less careful users may add scammer addresses to MetaMask.

Even in trusted wallets there can be vulnerabilities that put users at risk. Weak encryption, insecure key storage or software bugs can lead to unauthorized access and loss of assets.

For some simple rules to help secure your wallets, read the separate ForkLog article.
