Reentrancy, price oracle attacks and exploits across seven protocols caused the decentralized finance (DeFi) space to bleed at least $21 million in crypto in February. According to DeFi data analytics platform DefiLlama, one of the largest in the month was the flash loan reentrancy attack on Platypus Finance, which led to $8.5 million of funds lost.

DefiLlama highlighted six other noteworthy hacks in the month, the first being the price oracle attack on BonqDAO on Feb. 1. BonqDAO revealed to its followers in a Feb. 1 post that its Bonq protocol was exposed to an oracle attack that allowed the exploiter to manipulate the price of the AllianceBlock (ALBT) token. The exploiter increased the ALBT price and minted large amounts of Bonq Euro (BEUR). The BEUR was then swapped for other tokens on Uniswap. Then, the price decreased to almost zero, which triggered the liquidation of ALBT. Blockchain security firm PeckShield estimated the losses to be around $120 million; however, it was later revealed hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO.

Just a day later, on Feb. 2, decentralized exchange Orion Protocol suffered a loss of roughly $3 million through a reentrancy attack, where attackers used a malicious smart contract to drain funds from a target with repeated withdrawal orders.

To give you an up-to-date snapshot of Web3 security, OODA has been compiling a comprehensive Web3 incident database based on our research to categorize what compromises are taking place and to document the root causes that plague crypto, DeFi, NFTs, and Web3 in general. Tracking root causes provides comprehensive insights into how innovators can create robust cyber risk management approaches and reduce the potential for consequential attacks. You can access the OODA comprehensive Crypto Incident tracker here.