One article taking stock of the most serious encryption hacking incidents in 2023

Author: Daniel Phillips, coinmarketcap Translation: Shan Oppa, Golden Finance

As 2023 draws to a close, Bitcoin and the overall cryptocurrency market emerge stronger from a brutal bear market Recovery will be remembered as a banner year. Yet cryptocurrency thefts remain common, withnearly $2.4 billion stolen this year alone.

According to a report by blockchain security and analytics company Certik, the third quarter of this year was the most rampant period for cryptocurrency theft, with 184 known cases. A total of nearly US$700 million in losses was caused. In the third quarter alone, the amount stolen exceeded the first and second quarters combined.

While these numbers are staggering, they represent a decrease from last year’s total of more than $3.5 billion.

According to data from SlowMist, 450 cryptocurrency thefts have been confirmed so far in 2023, with decentralized protocols on the Ethereum and BNB smart chains becoming the most common targets.

Many blockchain platforms are built on open source software, and while doing so helps promote transparency and community collaboration, it can also expose vulnerabilities that can be exploited by those with malicious intentions.

In many cases, legal penalties are minimal and there is even the possibility of a reward after the fact, making it more likely that those with technical knowledge will use their skills for illicit purposes.

Unfortunately, this situation makes vulnerable cryptocurrency exchanges, platforms, protocols, and the users who ultimately bear the consequences of these attacks obvious targets. In fact, in the theft incidents listed below, it is likely that most of the stolen funds will never be recovered.

Let’s take a deeper look at the worst hacks of 2023.

Kyber Network: $54.7 million

2023-11 A security incident occurred in March that affected Kyber Network. An attacker successfully stole approximately $54.7 million from KyberSwap Elastic by exploiting liquidity-related vulnerabilities.

The leak targeted KyberSwap’s liquidity pool across multiple blockchain networks, including Arbitrum, Ethereum, Optimism and Polygon. Hackers exploited a reentrancy vulnerability in the new token minting function, resulting in a significant loss of funds and a 90% drop in the total value locked (TVL) of the platform.

Unexpectedly, the hacker offered to return the stolen funds if a series of requirements were met. Among them, the attacker demanded complete control of the Kyber Network company and the complete handover of all on-chain and off-chain company assets.

The hackers have given them until December 10 to meet their demands or the conditions will be void.

Source: Etherscan

It seems that the team behind Kyber does not Giving in to the attackers, it is instead moving forward with a compensation plan that includes financial grants to affected users.

Curve: $73.5 million

Curve is no stranger to hacking, 2023-7 Curve was exploited again in March when attackers exploited faulty recursive locks in multiple of its Vyper 0.02.15 stablecoin pools to drain funds.

The main protocols and pools affected by the attack are Alchemix, JPEG'd, MetronomeDAO, deBridge, Ellipsis, and the CRV/ETH pool.

Things are looking up, with most of the stolen funds being returned to Curve Finance after the hackers accepted a 10% retroactive white hat bounty. Meanwhile, Metronome and Alchemix recovered $6 million and $13 million, respectively, thanks to the efforts of multiple white hat hackers.

Nearly two weeks after the hack, Curve promised to compensate those still affected after assessing the damage to ensure resources are distributed fairly.

Euler Finance: $197 million

In March this year, Euler Finance suffered a $197 million crisis The hacker attack has become one of the most bizarre events in the cryptocurrency world of the year.

The attacker took advantage of a vulnerability in the Euler smart contract and cleverly launched a flash loan attack. In this way, the attackers stole $197 million worth of various cryptocurrencies, including DAI, wBTC, stETH, and USDC, virtually wiping out the protocol's funds.

However, the Euler Finance team successfully tracked the attacker and established a communication channel. This seemed to scare the attackers into making the right choice and quickly returning "all recoverable funds" to the Euler Protocol vault.

The Euler team has since opened the redemption function to the public, allowing users to recover funds lost in the attack. The Euler protocol is currently still inactive, but the team has hinted at the imminent launch of a new modular open lending solution.

Mixin Network: US$200 million

Mixin Network is a decentralized network that aims to Promoting efficient cross-chain transactions of digital assets.

In September 2023, it suffered a catastrophic attack on its cloud service, resulting in the theft of approximately $200 million worth of customer assets. The Mixin network was suspended shortly after the attack.

According to the official announcement, the Mixin team plans to do its best to minimize these losses.

In a subsequent live broadcast, Mixin Network founder Feng Xiaodong said that the platform can only return at most 50% of the stolen assets, and the rest will eventually be passed through "agents" To monetize liability claims, Mixin will attempt to use its future profits.

As is often the case after hacks of this magnitude, Mixin initially offered the hackers a $20 million retroactive vulnerability bounty if they returned the remainder. funds. Unfortunately, this fell on deaf ears as the attackers had exchanged the stolen USDT for DAI to prevent it from being frozen on-chain.

Multichain: $126 million

Multichain was one of the most popular cross-chain bridging protocols at the time. One, was hacked on July 7, 2023, resulting in the theft of $126 million worth of various cryptocurrencies.

One ​​of the largest cryptocurrency hacks on record, the attack involved multiple blockchain networks, including Fantom, Moonriver and Dogechain, as well as multiple cryptocurrencies assets.

To date, the source of the hack remains undetermined, but it is possible that hackers gained control of Multichain's MPC keys. Some suspect the hack may have been the work of an insider (also known as a "rug pull").

Part of the reason for this suspicion is the disappearance of Multichain CEO Zhao Jun in May 2023, and the team’s subsequent inability to perform necessary technical maintenance on the platform.

Amazingly, the multi-chain front-end is still running today. Users can initialize a bridge for their assets, but this transfer never completes. The team behind the platform publicly stated that they were unable to shut down the site or service because they did not have access to multi-chain domain accounts, and warned against using the service.

Atomic Wallet: over $100 million

June 2023, popular at the time Atomic Wallet, a cryptocurrency self-hosted wallet, suffered a major security breach, causing approximately 0.1% of its users to suffer over $100 million in losses.

The attack was reported to have originated from the notorious North Korean hacker group Lazarus, making it one of the most unexpected security incidents this year because self-hosting is often Considered more secure than third-party hosting.

While the specific cause of the vulnerability remains unclear, several possibilities have been raised, including insufficient entropy used to generate the private key (i.e. the private key could be brute-forced cracking) and supply chain attacks.

In the aftermath, at least three lawsuits were filed against Atomic Wallet, its development company Atomic Systems, and owner Konstantin Gladych. The company has been coy about its plans to help affected users and described investigating the root cause of the breach as "complex."

Stake: $41 million

In September 2023, the well-known crypto gambling platform Stake suffered A "well-orchestrated intrusion" resulted in the loss of assets worth a total of $41 million across Ethereum, Polygon and BNB smart chain platforms.

The stolen funds include 6,001 ETH, 3.9 million USDT, 1.1 million USDC and 900,000 DAI. Shortly after the attack, the attackers began moving these funds across chains, with the majority eventually being exchanged for native Bitcoin (BTC).

This attack is once again suspected to have been carried out by the notorious Lazarus hacker group. Unlike other incidents, it did not directly break into Stake’s hot wallet privacy. key. According to Stake founder Edward Craven, hackers gained access to Stake’s internal transaction approval system and were able to process unauthorized transactions.

Unlike many other attacks on this list, this attack on Stake did not affect customer funds. Instead, hackers breached a hot wallet dedicated to paying out huge winnings.

Conclusion

As a decentralized financial sector, the crypto industry lacks a central entity to enforce Fiscal responsibility, therefore, users rely primarily on self-custody solutions and knowledge of the latest cryptographic security practices to protect their assets.

Sadly, there are still a large number of crypto users, including some tech-savvy ones, who have fallen victim to various hacks and scams.