Biggest Crypto Hacks Of 2022 [So Far]

Crypto Hacks
June 13, 2022

A whopping $1.3 Billion USD in crypto was lost to hackers in the first quarter of 2022 according to Certik’s latest report.

Here’s the list of the biggest crypto hacks of 2022 so far:

Ronin Hack ($650M)

Ronin, the popular Ethereum sidechain, used by players of Axie Infinity was compromised in late March 2022. Hackers managed to steal over 173,600 ETH and 25.5 million USDC for a combined value of over $600 million based on ETH prices at the time.

The hack on the Ronin bridge was confirmed by Sky Mavis, the developers behind the popular play-to-earn game, Axie Infinity.

Hackers managed to get access to private keys to validator nodes resulting in the compromise of five validator nodes, which is also the threshold required to approve transactions.

The exploit took place on March 23rd and took almost a week to be discovered!

The funniest thing is that the hackers expected the exploit to be discovered sooner. And thinking they could make even more money in the turmoil, they shorted AXS (Axie Token). Knowing that as soon as the news broke, the tokens would plummet. But… It took over a week for anyone to notice the funds were stolen and in that time the hackers got liquidated!

Wormhole Hack ($325M)

Amongst the largest hacks of all time. In February 2022, Wormhole lost 120k wETH, worth $325M at the time, when a hacker exploited a security flaw.

Wormhole provides a “bridge” between blockchains. A bridge is an escrow system that allows one type of crypto to be deposited and swapped for crypto on a different chain. To carry out the attack, the attacker forged a valid signature for a transaction that allowed them to freely mint 120,000 wETH without first inputting an equivalent amount.

wETH is a “wrapped” Ethereum equivalent on the Solana blockchain.

Beanstalk Farms Governance Exploit ($182M)

Beanstalk is a decentralised credit based stablecoin protocol. In April of 2022 the Beanstalk Farms lost all of its $182M collateral in a flash loan attacked caused by two malicious governance proposals.

The problem for the protocol was seeded by suspicious governance proposals which were issued by the exploiter, who asked for the protocol to donate funds to Ukraine.

The hacker took out $1 billion in flash loans from the Aave protocol and used these funds to accumulate enough assets to take over 67% of the protocol’s governance and approve their own proposals.

Whilst the hacker gained approximately $80M, the total loss to the Beanstalk protocol was $182M according to Peckshield.

Rari Capital and Fei Protocol Hack ($80M)

In April 2022 Rari Capital lost almost $80M when a hacker exploited a reentrancy vulnerability in Rari’s Fuse lending protocol, according to Block Sec.

Rari offered to let the hacker keep $10M if they returned the balance of the funds.

Qubit Finance Hack ($80M)

Another $80M was stolen from Qubit Finance. The hack took place in January 2022, when according to Qubit the attacker was able to steal 206,809 BNB from its wallet using a vulnerability in its QBridge deposit function.

IRA Financial Trust Hack ($36M)

This time a non-crypto native. IRA Financial Trust, a platform providing self-directed digital asset retirement and pension accounts, lost $36 million in crypto assets from customers' accounts via unauthorised withdrawals. The firm’s digital assets were held in Gemini’s custody. And IRA Financial Trust is now suing Gemini for alleged negligence in safeguarding their customer’s digital assets.

Not much is know about how the hacker managed to steal the funds. Especially given that Gemini possesses multiple security features such as two-factor authentication, whitelisting withdrawal addresses and fraud detection algorithms. IRA Financial Trust alleges the existence of a master key for clients' accounts with the ability to bypass all built-in security measures. If true, this raises serious concerns over Gemini as an institutional custodian for crypto assets.

To make events more bizarre, IRA Financial Trust was the subject of a swatting at the time of the hack. Officers responded to reports of an alleged “robbery” in progress at IRA Financial Trust’s offices in the South Dakota city on the afternoon of February 8th 2022.

Cashio Hack ($52.8M)

Cashio, a stablecoin project on the Solana blockchain, lost $52.8M in February 2022 when a hacker used what’s known as an “infinite mint” exploit to steal over $52M in their native token (CASH). An infinite mint attack is when a hacker mints an absurd amount of tokens within a protocol which they themselves then control.

To mint new CASH tokens, a user needs to deposit collateral.  This collateral can be deposited into a collateral account owned by the protocol if the deposit passes a series of checks. In this instance the attacker bypassed the checks with worthless collateral, enabling them to mint an infinite amount of CASH.

Crypto.com Hack ($35M)

In January 2022, the exchange lost $35M in cryptocurrency when hackers learned to outsmart the platform’s two-factor authentication system. A total of 483 of its users were victims of the exploit, which led to unauthorised withdrawals of BTC and ETH worth $35 million.

Optimism Hack ($20M)

A hacker was able to gain control of the Optimism addresses that correspond to various Gnosis Safe multi-sigs on Ethereum that had not yet been deployed to Optimism. The result: over $20M of OP tokens were sent to the hacker by mistake!

After announcing that it would be launching its native Optimism (OP) token on June 1st 2022, the company sent 20 million OP tokens to the wrong blockchain address. The tokens were intended for Wintermute, a crypto market maker. However, when Wintermute accepted the 20m OP token loan, they requested that the funds be sent to an L1 multisig wallet which they believed they could access on L2. Unfortunately, this L2 address was one of the multi-sigs deployed by the attacker.

The exploit was the result of an older version of the Gnosis Safe contracts which were deployed via transactions without a chain ID. Whilst the event is unfortunate, it definitely makes the case for MPC over Multi-Sig.

17 million OP tokens have since been returned by the hacker, who decided to keep 2 million tokens as a bug bounty, and sent 1 million to Ethereum Co-Founder Vitalik Buterin!

Recent posts