Monthly DeFi Blood Bath report

May had a staggering number of hacks of DeFi protocols on Binance Smart Chain. I decided to summarize who was hacked, when, and for how much. Let’s start, as it’s a long list.

Spartan Protocol

When? May 1st
How much? $30M
Where? Binance
Why? The incident was due to a flawed liquidity share calculation in the protocol, which was exploited to drain assets from the pool.
Link: https://www.rekt.news/spartan-rekt/

Value DeFi 1

When? May 5th
How much? $10M
Where? Binance
Why? Reinitialized pool.
Link: https://www.adrianhetman.com/four-hacks-one-week/ && https://www.rekt.news/value-rekt2/

Value DeFi 2

When? May 7th
How much? $11M
Where? Binance
Why? Incorrect use of the Bancor formula.
Link: https://www.adrianhetman.com/four-hacks-one-week/ && https://www.rekt.news/value-rekt3/

Value DeFi 3

When? May 8th
How much? $3.8M
Where? Binance
Why? Vulnerable yield farming contracts.
Link: https://www.adrianhetman.com/four-hacks-one-week/ && https://www.rekt.news/rari-capital-rekt/

Rari Capital

When? May 8th
How much? $11M
Where? Ethereum
Why? Composability vulnerability
Link: https://www.rekt.news/rari-capital-rekt/ && https://www.adrianhetman.com/four-hacks-one-week/

XToken

When? May 12th
How much? $25.5M
Where? Ethereum
Why? Flashloan
Link: https://www.rekt.news/xtoken-rekt/ && https://www.adrianhetman.com/is-anybody-safe-from-hackers-in-defi/

Bearn Finance

When? May 12th
How much? $11M
Where? Binance
Why? Withdrawal logic vulnerability.
Link: https://www.rekt.news/bearn-rekt/

PancakeBunny Finance

When? May 19th
How much? $45M
Where? Binance
Why? Flash-loans
Link: https://www.adrianhetman.com/pancakebunny-hacked-for-40m/ && https://www.rekt.news/pancakebunny-rekt/

BoggedFinance

When? May 22nd
How much? $3.5M
Where? Binance
Why? Minting vulnerability
Link: https://www.adrianhetman.com/bogged-finance-hacked-for-3-5m/

Autoshark

When? May 24th
How much? $745K
Where? Binance
Why? Flash-loans (PancakeBunny fork)
Link: https://www.adrianhetman.com/autoshark-hacked-for-745k/ && https://www.rekt.news/autoshark-rekt/

Merlin Labs 1

When? May 26th
How much? $680K
Where? Binance
Why? Flash-loans (PancakeBunny fork)
Link: https://www.adrianhetman.com/pancakebunny-exploit-used-for-the-3rd-time/

Merlin Labs 2

When? May 26th (+8h)
How much? $650K
Where? Binance
Why? Mispriced calculation in priceCalculator
Link: https://www.rekt.news/merlin2-rekt/

BurgerSwap

When? May 28th
How much? $7.2M
Where? Binance
Why? Lack of x*y>k check.
Link: https://www.rekt.news/burgerswap-rekt/
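The BurgerSwap entry above comes down to one missing invariant check. As an added illustration (constructed example code, not BurgerSwap’s or any DEX’s contract), the snippet below implements a constant-product pool swap twice: once without any check tying the output to the input, and once in the Uniswap-v2-style pattern of applying the swap first and then requiring the fee-adjusted reserve product not to shrink. The pool sizes, the 0.30% fee, the trade sizes and the helper names (`quote_out`, `Pool.swap_checked`, `demo`) are all assumptions of this example.

```python
"""Why a swap needs the constant-product (x*y >= k) check.

Constructed illustration of the BurgerSwap entry: not BurgerSwap's or
Uniswap's code. Pool sizes, fee and trade sizes are made-up sample values.
"""
from dataclasses import dataclass
from typing import Tuple

FEE_BPS = 30      # assumed 0.30% swap fee, in basis points
BPS = 10_000


class SwapRejected(Exception):
    """Raised when a swap would leave the pool below its invariant."""


def quote_out(reserve_in: int, reserve_out: int, amount_in: int) -> int:
    """Largest output the fee-adjusted invariant allows for amount_in (integer math)."""
    amount_in_with_fee = amount_in * (BPS - FEE_BPS)
    return amount_in_with_fee * reserve_out // (reserve_in * BPS + amount_in_with_fee)


@dataclass
class Pool:
    reserve0: int
    reserve1: int

    def swap_unchecked(self, amount0_in: int, amount1_out: int) -> Tuple[int, int]:
        """Vulnerable pattern: credits the input and pays the output with no
        relation enforced between them, so an underpaid swap goes through."""
        if amount1_out >= self.reserve1:
            raise SwapRejected("insufficient liquidity")
        self.reserve0 += amount0_in
        self.reserve1 -= amount1_out
        return self.reserve0, self.reserve1

    def swap_checked(self, amount0_in: int, amount1_out: int) -> Tuple[int, int]:
        """Hardened pattern: compute post-swap balances, then require
        fee-adjusted balance0 * balance1 >= reserve0 * reserve1 before committing."""
        if amount1_out >= self.reserve1:
            raise SwapRejected("insufficient liquidity")
        balance0 = self.reserve0 + amount0_in
        balance1 = self.reserve1 - amount1_out
        # The fee is charged on the input side; everything is scaled by BPS
        # so the comparison stays in integers (no rounding in the invariant).
        adjusted0 = balance0 * BPS - amount0_in * FEE_BPS
        adjusted1 = balance1 * BPS
        if adjusted0 * adjusted1 < self.reserve0 * self.reserve1 * BPS * BPS:
            raise SwapRejected("K")   # the revert reason Uniswap v2 uses
        self.reserve0, self.reserve1 = balance0, balance1
        return self.reserve0, self.reserve1


def demo() -> dict:
    """Runs the same trade against both swap variants and reports what each allows."""
    # Constructed pool (100k/100k) and a 1,000-token trade on the input side.
    fair = quote_out(100_000, 100_000, 1_000)
    results = {"fair_out": fair}

    # The checked pool pays exactly the invariant-allowed amount ...
    checked = Pool(100_000, 100_000)
    results["checked_accepts_fair"] = checked.swap_checked(1_000, fair)
    # ... and refuses to pay one token more than that.
    try:
        Pool(100_000, 100_000).swap_checked(1_000, fair + 1)
        results["checked_accepts_overpayment"] = True
    except SwapRejected:
        results["checked_accepts_overpayment"] = False

    # The unchecked pool hands out the extra token because nothing ties the
    # output to the input: this is the class of bug the entry above describes.
    unchecked = Pool(100_000, 100_000)
    results["unchecked_accepts_overpayment"] = unchecked.swap_unchecked(1_000, fair + 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detail worth noticing is the ordering: the hardened version does not try to compute the "right" output itself, it lets the caller propose any amounts and then verifies the post-swap state against the pre-swap product. That makes the invariant hold regardless of how the amounts were derived, which is exactly the property a fork loses when the check is dropped or moved.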

BeltFinance

When? May 29th
How much? $13M
Where? Binance
Why? Composability issue
Link: https://www.rekt.news/belt-rekt/

In total, around $173M was stolen from various DeFi protocols in May alone. As a reminder, in the whole of 2020 DeFi lost ~$238M in various exploits. We’re waaaay past that number in the first half of 2021. There are various reasons for this. As I stated in one of my previous articles, about the State of Security in DeFi:
It’s been a while since I saw original Solidity code and an original idea. Everything is a mix of everything. I’m not saying every project should be an original one. Iterations of an idea are welcome, but make sure changes are introduced in all places. We don’t want another Uranium Finance hack to happen.
There is an abundance of copy-pasted projects, like SafeMoon token forks, that change only 10-15 lines of code, sometimes without thinking about what the change introduces. ValueDeFi also copied code and unintentionally introduced so many bugs that three hacks happened to them in one week.
I’m not saying Binance Smart Chain only has DeFi products like that. Ethereum also has its fair share of crappy projects. But looking at the recent hacks and the amounts being stolen, it’s hard to think otherwise.


If you want to keep track of all of the hacks that have happened, not only on Ethereum/BSC, here’s a great list that’s being kept up to date:

openblocksec/blocksec-incidents: a curated list of blockchain security incidents including exchange hacks, DeFi compromises, blockchain attacks, and others.


Also, I can recommend reading ofc my blog 😆 and also https://www.rekt.news

Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter, as I’m currently in the middle of a 100 days of blogging challenge. Subscription box below 👇

If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.
See you tomorrow!