A greedy desire for large gains through fast deployments, coupled with hasty auditing, creates a recipe for systemic vulnerabilities, ripe for exploitation, hacks, and other criminal activities. Chock full of testosterone, many companies staffed by under-30 employees and deploying "new, better than the other guy!" crypto fintech are destined to fail.
In this article we will briefly cover 2023's largest crypto attacks and exploits that resulted in catastrophic damages.
But before we dive in, here's our assessment of the frequent patterns among these failures:
Key Takeaways
Hasty deployments. In a rapidly developing industry, one of the chief reasons for serious financial attacks on DAO wallets and other blockchain financial instruments is hasty decision making.
Poor, hasty auditing. As with any good video game, quality assurance is required to bring the game up to a certain usability threshold. When dealing with large sums of cryptocurrency, quality assurance or 'auditing' is not optional! This requires a very generous amount of time, up to several years. It can be implemented in stages but auditing must be at the root of all new blockchain fintech. As you can see, this is related to the first point 'hasty deployments'.
Youth, greed, testosterone. Greedy pairs and clusters of finance, business, programming and marketing degree holders can act as an echo chamber of testosterone. Narrow pools of experience can lead to mistakes that pile on. Unfortunately, it is these innovation circles, made up of very small groups of people with limited financial and product development wisdom, who approach the challenges of blockchain fintech innovation. While beneficial to the whole fintech community, they can hurt the individuals who placed their trust in their leaky projects.
Unscrupulous founders. Names like Justin Sun and FTX are mired in controversy for good reason. Yet these are often supported by mass media as hero poster-boys of crypto, which gives their criminal, shady ventures cover. As soon as they grow large enough, they pop their own bubble, so to speak. It is an easy thing to derive money from a name, but often in crypto these names are infamous for criminality and sleaze.
Here are the notable crypto exploit/theft events that occurred in 2023, sourced from Rekt Leaderboard:
Mixin Network - $200,000,000 | 09/23/2023
Mixin Network announced a staggering loss of $200 million due to a hack. The Hong Kong-based platform revealed in a livestream that only 50% of assets were guaranteed, leaving users uncertain. Mixin, claiming decentralization, attributed the losses to a hacked third-party database, though specifics remain undisclosed.
What was compromised? Traditional databases and suspected leaks of user private keys suggest a breach of Mixin's cloud service (Google, SlowMist).
Who did it? The attack has been attributed to Lazarus, a North Korean hacker collective.
Euler Finance - $197,000,000 | 03/13/2023
The exploit was initially flagged by Peckshield as USDC began nearing its peg, revealing a vulnerability in Euler's system. Despite swift acknowledgment from Euler Labs and ongoing collaboration with authorities, losses mounted rapidly. Euler's Total Value Locked (TVL) fell from $264 million to a mere $10 million.
What was compromised? The breach stemmed from a flaw in Euler's donation mechanism, allowing the attacker to generate unbacked DToken debt.
Who did it? https://etherscan.io/tx/0x539c6fff0fce70e02dddd80a5534acf3df57deafbdc40f41abb20aa8f94a6d0d was contacted. Auditor and smart contract insurance protocol Sherlock has taken responsibility for missing the vulnerability in its review of EIP-14 last year, and will pay a claim of $4.5M to Euler.
Multichain Bridge (Anyswap) - $126,300,000 | 07/06/2023
Multi-chain addresses were drained of $126 million, depleting about 50% of the FTM bridge and 80% of Moonriver bridge holdings. In 2022, Anyswap (the former name used by the troubled project) lost $8 million and $3 million of user deposits.
What was compromised? An approvals-draining attack exploiting vulnerabilities 'took the money' from wallets. There are suggestions this was coordinated by insiders, as this project has a spotted history.
Who did it? Communication around the event was reportedly 'unsettling', indicating possible back-end breaches and insider action by founders, contractors or employees.
Poloniex - $126,000,000 | 11/10/2023
Justin Sun, a known character in crypto, reported hot wallets drained of funds. Soon after, Poloniex suffered drains. Poloniex was hit at 10:30 AM UTC, losing 4900 ETH ($10M). The attack spread to Ethereum, TRON, and BTC.
What was compromised? A cold wallet, device or insider was compromised.
Who did it? An insider, employee or contractor, or devices in use such as cold wallets, laptops or cell phones containing private keys.
Atomic Wallet - $100,000,000 | 06/02/2023
Desktop and phone users were targeted on 13 chains. The addresses were drained into a new wallet and the tokens were then swapped and transferred for consolidation in a third wallet.
What was compromised? Possibly an insider intentionally stealing, or a known and reported vulnerability in the wallet application.
Who did it? The Atomic Wallet team's irresponsible attitude toward security risk reports brought by users of their platform. Least Authority published a 'fend for yourselves' type message to users of Atomic Wallet as a result of their negligence with regard to present security concerns. Adding to concerns, the Atomic Wallet team downplayed the massive drainage of funds from user wallets.