2 min read

Monthly DeFi Blood Batch report #2

Monthly DeFi Blood Batch report #2

DeFi didn’t had an easy month. In June we saw China crackdown on Bitcoin and crypto, cryptocurrency market went into bear market and there was staggering amount of hacks/exploits happening in DeFi.

Let’s dive into the last topic. Below you will find a summary of all hacks that had happened. All info was compiled from openblocksec, rekt.news and my blog.


When? Jun-03-2021
How much? ~$88k
Where? BSC
Why? Taking all the wallet balance to create the LP tokens which will later was used for profit calculation and minting. Same bug as PancakeBunny.
Link: https://www.adrianhetman.com/pancakehunny-hacked/

Iron Finance

When? Jun-16-2021
How much? $0
Where? ETH
Why? Weak stabilisation mechanism that lead to panic sell and first crypto bank run. $2B TVL dropped to ~$260M.
Link: https://www.adrianhetman.com/unboxing-how-iron-finance-bank-run-looked-like/


When? Jun-16-2021
How much? $6.53M
Where? ETH
Why? Reward calculation error
Link: https://www.rekt.news/alchemix-rekt/

Visor Finance

When? Jun-19-2021
How much? $500k
Where? ETH
Why? Mishandling of private-keys of the admin account.
Link: https://visorfinance.medium.com/visor-beta-incident-report-1b2521b9266

Impossible Finance

When? Jun-21-2021
How much? $500k
Where? BSC
Why? Removal of x*y>k check in Swap functionality.
Link: https://www.adrianhetman.com/what-are-the-developers-responsibilities-due-to-the-hack-case-study-based-on-impossible-finance-hack/


When? Jun-22-2021
How much? $4.5M
Where? BSC
Why? Double spending of NerveShares.
Link: https://www.adrianhetman.com/how-eleven-finance-got-hacked/


When? Jun-23-2021
How much? $27M+
Where? BSC
Why? Malicious Library implementation. Rug pull.
Link: https://www.rekt.news/stablemagnet-rekt/


When? Jun-27-2021
How much? $250k
Where? Polygon
Why? Flawed logic in reward mechanism
Link: https://www.rekt.news/safedollar-rekt/


When? Jun-29-2021
How much? $330k
Where? BSC
Why? Flawed logic in reward mechanism, testing on production, rug pull?
Link: https://www.adrianhetman.com/what-happened-to-merlin-lab/

Total value lost in June alone is around ~$40M. It’s much better situation from last months ~$173M but still $40M too much.

I will repeat my statement from last month’s report, why we see so many attacks these days.

There is an abundance of copy-pasted projects like SafeMoon tokens forks that change only 10-15 lines of code, sometimes not thinking about what the change introduces. PancakeBunny is the best example of how much a certain project can be forked alongside its issues and exploits.

Most developers of new projects don’t care about security that much. Quick money schemes are the new norm and interestingly enough, they work as we still see money being put into such projects.

If you want to read more about my thoughts on this subject, I wrote separate article.

We will see more hacks like the ones above. Another interesting pattern emerging is not hacks itself, but lost value in TVL of projects due to black swan events. Iron Finance is the best example of that.

There's no any

Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter as I’m currently in the middle of 100 days of blogging challenge. Subscription box below 👇

If the newsletter is not your thing, check out my Twitter  @adrianhetman , where I post and share exciting news from the Blockchain world and security.

See you tomorrow!