
Idelto

Cryptocurrency news website


Akropolis

Hackers Paradise: Yet Another Defi Protocol Exploited for Nearly $20 Million in DAI

25/11/2020 by Idelto Editor


Decentralized finance (defi) protocol Pickle Finance was hacked for $19.7 million of the stablecoin DAI over the weekend, as the defi industry appears to be turning into a hackers' paradise.

Pickle’s native token (PICKLE) plunged 62% on the news, falling from $23.27 to $8.70 when the hack was first reported on Nov. 21. At the time of writing, the token has since rebounded 29% in 24 hours to $18.51, according to Coingecko data.

This is the fourth hack to hit the defi space in just two weeks. Akropolis, Value Defi and Origin protocol were exploited for a combined total of $15.7 million in flash loan attacks.

Pickle Finance is a yield aggregation service that rewards users who provide liquidity to its various pools of stablecoins with interest and token disbursements in ether, other stablecoins or its native digital asset PICKLE.

It is not clear whether Pickle Finance suffered a flash loan attack, but management admitted in a blog post that “this was a very complicated attack and involved many components of the Pickle protocol.” It took the protocol’s dev team of 10 people more than four hours to figure it out.

The hacker targeted Pickle Finance’s DAI pjar product, a concept akin to yearn.finance’s vaults, and drained 19,759,355 of the U.S.-dollar-pegged stablecoin DAI. This specific jar harvests yield from DAI deposits made via the decentralized lending protocol Compound.

Cyber-security expert Dmytro Volkov told news.Bitcoin.com that the defi hacking frenzy was a result of hurried project development.

“Most of the defi projects’ hacks are based on vulnerabilities connected to errors in the source code. Errors in applications occur for various reasons, and it is errors that cause vulnerabilities and subsequent hacks of these applications,” said Volkov, who is also chief technology officer at crypto exchange Cex.io.

“Cybercriminals look for errors in the defi protocols and exploit them for their own ends. As defi projects become more popular and the greater the amount of capital that flows through them grows, the more this field will attract hackers, and the more hacks there will be,” he added.

Pickle Finance said in a Nov. 24 tweet that it has a “small chance” of recovering the stolen money.


The post Hackers Paradise: Yet Another Defi Protocol Exploited for Nearly $20 Million in DAI appeared first on Bitcoin News.

Filed Under: Akropolis, CEX.io, Decentralized finance (Defi), Defi exploit, Dmytro Volkov, English, Flash loan attack, News Bitcoin, Origin Protocol, Pickle Finance, security, Value Defi

Defi Protocol That Bragged About Having Flash Loan Attack Prevention Hacked for $6 Million

17/11/2020 by Idelto Editor


A decentralized finance (defi) protocol that bragged about having flash loan attack prevention has been exploited for $6 million in DAI, in a flash loan attack.

Value Defi, a yield aggregating protocol, boasted of having the “highest security” in a Nov. 13 tweet that now appears to have been deleted. The protocol claimed that its technology was capable of preventing flash loan attacks.

Hardly a day later, hackers plundered Value Defi’s multi-stablecoin vault of a total of $8 million of the stablecoin DAI. The attacker returned $2 million to the protocol and pocketed $6 million — and with it left one audacious message stating, “do you really know flashloan?”

Value Defi said it suffered a “complex attack that resulted in a net loss of $6 million.”

The hacker took out a loan of 80,000 ether from the defi lending platform Aave and also borrowed an additional $116 million in DAI from Uniswap. According to Value Defi’s postmortem of the incident, the attacker swapped the ETH loan for stablecoins and deposited part of the flash-loaned DAI into the protocol’s vault.

He then made a series of stablecoin swaps involving USDT, USDC, and DAI — a technique that eventually exploits Value Defi’s vault withdrawal method. Aave developer Emiliano Bonassi exclaimed:

This is the complex exploit I’ve ever seen. It used two flashloans.

Flash loans allow users to borrow money without collateral because the lender expects the funds to be returned within one transaction block, almost immediately. Hackers have used this loophole in defi to steal millions of dollars.

In its postmortem, Value Defi said it was looking at ways to compensate affected users. It stated that users can claim 20% in DAI from the $2 million that was returned by the hackers. The protocol is also hiking transaction fees to generate income for compensation.

“We will create a compensation fund which will be funded by a combination of the dev fund, insurance fund and a portion of the fees that are currently generated by the protocol,” it explained.

The price of Value Defi’s native token, value liquidity, plunged as much as 28% on the day of the attack to $1.99 from $2.76, according to Coingecko data. At press time, the token was trading at $2.05, down 4.9% in 24 hours.

This latest exploit comes just two days after another $2 million heist at defi lending protocol Akropolis.


The post Defi Protocol That Bragged About Having Flash Loan Attack Prevention Hacked for $6 Million appeared first on Bitcoin News.

Filed Under: Akropolis, Decentralized finance (Defi), Defi protocol hacked, Emiliano Bonassi, English, Flash loan, News Bitcoin, security, Value Defi

Hackers Drain $2 Million in DAI From Defi Protocol Akropolis

13/11/2020 by Idelto Editor


Decentralized finance (defi) protocol Akropolis was on Thursday hacked for $2 million in DAI, in the latest flash loan attack to hit the nascent defi industry.

The attacker pilfered the platform’s Ycurve pool in batches of $50,000 in the stablecoin DAI. This particular pool allows investors to trade stablecoins and earn interest.

In a statement on Nov. 12, Akropolis revealed that the hack was executed across a body of smart contracts in its “savings pools”.

“At ~14:36 GMT we noticed a discrepancy in the APYs of our stablecoin pools and identified that ~2.0mn DAI had been drained out of the Ycurve and sUSD pools,” it said.

The pools are said to have been audited by two firms, but the hacker still found loopholes to exploit, wiring his loot to this address. Akropolis explained:

The attack vectors used in the exploit were not identified in either audit. The essence of the exploit in question is a combination of a re-entrancy attack with Dydx flash loan origination.

Other pools were not affected. These include compound DAI, compound USDC, AAVE sUSD, AAVE bUSD, curve bUSD, and curve sBTC, it stated. Native AKRO and ADEL staking pools were also left untouched.

Akropolis is a defi lending and savings protocol. Users can take out loans, and they can also earn interest on crypto deposits.

The Akropolis team said it is looking at ways to reimburse affected users “in a way that is sustainable for the project”. All stablecoin pools have been halted for now, it added.

In October, another defi project, Harvest Finance, was hacked for $24 million. The attacker targeted the protocol’s liquidity pools, performing an arbitrage attack using a large flash loan – a type of uncollateralized loan.


The post Hackers Drain $2 Million in DAI From Defi Protocol Akropolis appeared first on Bitcoin News.

Filed Under: Akropolis, Decentralized finance (Defi), Defi protocol hacked, English, Flash loan, Harvest Finance, News, News Bitcoin, Ycurve

Token Projects to Recover $130M from the Kucoin Hack, Devs Condemned for Centralization

29/09/2020 by Idelto Editor


The cryptocurrency community has been discussing the Kucoin hack as a great number of ERC20 projects have frozen, paused, or reversed their smart contracts after the hack. Estimates say that at least $129 million of the affected ERC20 tokens are considered “safe” from the hacker’s clutches. Additionally, evaluations show the breach may be much larger than originally estimated, as one report says the compromise saw $280 million stolen.

The Kucoin hack has been the talk of the town in crypto land these days, as the exchange was hacked on September 25, 2020. News.Bitcoin.com reported on the initial losses estimated to be around $150 million; the day after, calculations were up to $200 million. Today, another analyst has stated that the hacker likely stole nearly $280 million during the Kucoin breach.

“So I did some accounting of the Kucoin hack based on the wallets very likely associated and based on my estimation, there was nearly $280 million of assets stolen, not $150M,” said Larry Cermak, the Director of Research at the Block Crypto, on Monday morning. “This would make it the third-largest hack in history and [seven] times larger than the Binance hack last year,” Cermak added.

One of the biggest conversations this weekend on social media and crypto forums was mostly about ERC20 projects that had figured out ways to reverse the hack or freeze the funds stolen.

News.Bitcoin.com already reported on the frozen tether (USDT) for $22 million worth of stablecoins from the ETH and EOS chain. Additionally, the Ocean Protocol paused the project’s smart contract as well when the hacker started dumping 10k batches of the Ocean token on Uniswap.

But a bunch more ERC20 projects either restarted, froze, or paused their protocols in order to save the tokens from the hacker’s dumping.

Other token projects that participated in the ‘$129 million re-boot’ included Kardiachain ($9M), VIDT Datalink ($7M), Velo Labs ($76M), Orion Protocol ($8.5M), Aleph token ($510k), Covest ($520k), NOIA Network ($5M) and more. The projects have since been criticized for not being decentralized and for executing rollbacks not seen since the 2017 DAO hack.

“History doesn’t repeat but it does rhyme,” tweeted Jameson Lopp after the ERC20 rollbacks and freezes were revealed. “Fascinating to see how rollbacks have evolved since The DAO.”

The software developer added:

If a ‘decentralized’ project can invalidate stolen tokens then it can invalidate YOUR tokens. Censorship resistance for all or censorship resistance for no one.

It’s also been said that the Kucoin exchange is working directly with the ERC20 project developers. People visiting the exchange’s Telegram channel mentioned that 2 million USDT issued by Tron and Omni Layer was also frozen. Another blockchain project called Akropolis paused all AKRO transfers after the Kucoin hack as well. Estimates say that at least between 50-65% of the Kucoin hacked coins will be recovered due to centralized decision making.


The post Token Projects to Recover $130M from the Kucoin Hack, Devs Condemned for Centralization appeared first on Bitcoin News.

Filed Under: $280 Million, Akropolis, Aleph token, Centralized Blockchains, Centralized Tokens, Covest, Developers, English, EOS, ERC20, initial losses, Kardiachain, Kucoin hack, Larry Cermak, News, News Bitcoin, NOIA Network, Ocean Protocol, omni, Orion Protocol, Stablecoins, Tether, Tokens, tron, USDT, Velo Labs

© 2021 · Idelto · Site design ONVA ONLINE