In August 2023, the decentralized finance (DeFi) arena bore witness to a series of setbacks, culminating in a total loss of $29,043,560. While the DeFi ecosystem demonstrated resilience in the face of adversity, these figures undeniably underscore the persistent vulnerabilities within the sector. This report delves deep into the month’s incidents, offering insights into prevalent exploit trends, significant losses, and the distribution of these misfortunes across various chains.
As we transitioned from the eventful month of July, August 2023 brought its share of challenges, with a total fund loss of $29.04 million.
This alarming figure, although lower than the previous month, continues to emphasize the inherent risks within the decentralized finance sector. Furthermore, the absence of any recovered funds accentuates the urgency for enhanced security measures and vigilance. On a positive note, this pales in comparison to the 2022 figure of $271m lost.
The figures from August 2023, albeit distressing, serve as a potent reminder of the persistent vulnerabilities within the DeFi realm. As the industry evolves, the need for fortified security mechanisms and heightened user awareness becomes increasingly paramount. Unfortunately, the lack of any recovery in August, with $0 recouped from the vast $29.04 million lost, underscores the challenges the DeFi sector continually faces, even amidst growing interest and development.
DeFi Exploit Trends: August 2023 Overview
The DeFi space in August 2023 witnessed a series of unfortunate events, cumulatively resulting in the loss of $29,043,560. Ethereum emerged as the prime target for malicious actors, with losses on this chain alone accounting for over $10 million.
Following closely in second place was Optimism, with losses amounting to $7,197,240. Other chains, such as Base, Binance, Arbitrum, and Solana, also faced significant losses, emphasizing the pervasive nature of the challenges within the DeFi industry.
The month’s incidents highlight the continuous security challenges within the DeFi sector. Regardless of the scale of these attacks, the implications on investor confidence and the broader DeFi ecosystem are profound. The industry must continually adapt, innovate, and educate to stay ahead of these threats.
In terms of protocols, The Exactly Protocol bore the brunt of these attacks, enduring a loss of over $7 million.
Types of Exploit
The DeFi ecosystem in August 2023 was marred by a series of attacks, with access control issues and rugpulls emerging as the most prolific sources of loss.
While the term might sound casual, its implications on investor confidence and the broader DeFi ecosystem are profound. “Rugpulls” involve developers or project leaders abandoning a project after fundraising, resulting in significant investor losses.
The frequent occurrence of such exploits highlights the importance of thorough project vetting and due diligence for potential investors.
Funds Recovered
In August 2023, the DeFi space witnessed a complete absence of fund recoveries, marking a total of $0 recouped. This stark contrast to August 2022 is alarming, where a substantial sum of $211,020,741 was successfully recovered.
The difference year over year is a testament to the challenges and evolving nature of the DeFi sector.
To compound concerns, July 2023 also saw relatively low recoveries, indicating a continuous trend in the recent months.
The absence of fund recoveries over two consecutive months underscores the pressing need for heightened security measures and robust mechanisms to trace and recover lost assets in the DeFi ecosystem.
Attack Vectors
August 2023 witnessed a diverse range of DeFi categories succumbing to malicious activities, each revealing distinct vulnerabilities intrinsic to their respective operations. Notably, the Borrowing and Lending Protocols bore a significant brunt, with three incidents culminating in a daunting loss of $13,015,419.
In contrast, Tokens consistently emerged as favored targets for attackers. With 35 reported incidents throughout the month, the token category saw an aggregate loss of $7,127,478. This high frequency accentuates the imperative need for reinforced security measures and rigorous due diligence in token interactions, as well as greater education on the part of investors. With the use of the De.Fi Scanner for instance, a large number of these token risks can be identified before one actually buys a particular coin.
Meanwhile, Decentralized Exchanges, or DEX, reported a loss of $4,396,169 stemming from four distinct incidents. These breaches, often exploiting smart contract vulnerabilities or employing traditional attack vectors like phishing, emphasize the persistent risks in decentralized trading platforms. Once again, this underscores the need for sophisticated yet user friendly tools, allowing investors to carry out greater due diligence.
Top Exploits in August 2023Let’s take a look at the top 5 cases this month:
1. Exactly Protocol — $7.2m Lost (Access Control)On August 18, 2023, Exactly Protocol, a lending and borrowing protocol on the Optimism chain, was exploited. The attacker utilized a reentrancy attack to bypass the permit check in the DebtManager contract’s leverage function. By using a fake market address and changing the msg.sender to the victim’s address, the attacker reentered the crossDeleverage function and stole the collaterals.
The stolen amount, 4332.92 ETH, was bridged to the Ethereum mainnet through the Across Protocol and the Optimism Bridge, amounting to a total loss of approximately $7,197,240.
Block Data Reference
Attacker Addresses:
https://optimistic.etherscan.io/address/0x3747dbbcb5c07786a4c59883e473a2e38f571af9https://optimistic.etherscan.io/address/0xE4f34a72d7c18b6f666d6cA53fBC3790bc9da042
Malicious Transactions:https://optimistic.etherscan.io/tx/0xe8999fb57684856d637504f1f0082b69a3f7b34dd4e7597bea376c9466813585https://optimistic.etherscan.io/tx/0x1526acfb7062090bd5fed1b3821d1691c87f6c4fb294f56b5b921f0edf0cfad6https://optimistic.etherscan.io/tx/0x3d6367de5c191204b44b8a5cf975f257472087a9aadc59b5d744ffdef33a520e
Malicious Contract:https://optimistic.etherscan.io/address/0x6dd61c69415c8ecab3fefd80d079435ead1a5b4d
2. Magnate Finance — $5.4m Lost (Access Control)
Magnate Finance, a borrowing and lending platform on the Base chain, was exploited on August 25, 2023. The deployer removed assets from Magnate Finance’s smart contract, which had unverified source code. These funds were subsequently bridged to several chains, including Arbitrum, Ethereum, Optimism, and Binance Smart Chain, through Stargate. They were later swapped for DAI or ETH to prevent potential freezing. The total loss was confirmed at $5,357,862, with an additional reduction in the platform’s total value locked (TVL) by about $6,400,000.
Block Data ReferenceScammer Address: https://basescan.org/address/0xa146dffe1c304a8a3de74c460ffe8dc73e5ce6e1
Malicious Transaction:https://basescan.org/tx/0x39555e75d76b294248a434fdfe9640e0cfe3f22bd7fceb675fd4ef4b5e02f719
3. Zunami Protocol — $2.2m Lost (Rugpull)
On August 13, 2023, Zunami, a Yield Aggregator on the Ethereum chain, was compromised. An attacker employed a flash loan attack, exploiting a price manipulation issue in two transactions. By utilizing a donation method, the price was miscalculated, leading to the theft of assets totaling $2,177,741 or roughly 1,180 ETH. The stolen funds were subsequently deposited into TornadoCash for anonymization.
Block Data Reference
Attacker Address: https://etherscan.io/address/0x5f4C21c9Bb73c8B4a296cC256C0cDe324dB146DFMalicious Transactions:https://etherscan.io/tx/0x0788ba222970c7c68a738b0e08fb197e669e61f9b226ceec4cab9b85abe8ccebhttps://etherscan.io/tx/0x2aec4fdb2a09ad4269a410f2c770737626fb62c54e0fa8ac25e8582d4b690cca4. Balancer — $1.9m Lost (Rugpull)
Balancer, an AMM-based DEX operating on Ethereum, Optimism, and Fantom chains, was exploited on August 27, 2023. The attacker targeted Balancer V2 liquidity pools using a flash loan attack. Despite previous vulnerability disclosures by Balancer and their mitigation measures, the attacker was successful, leading to a loss of $1,898,586 spread across Ethereum, Optimism, and Fantom chains. The stolen assets were predominantly stablecoins, including USDT, USDC, and DAI.
Block Data Reference
Attackers:https://etherscan.io/address/0xEd187F37E5Ad87d5b3B2624C01dE56C5862b7a9Bhttps://optimistic.etherscan.io/address/0xbc794f1ff9ad7711a9d2e69be5b499e290b8fd3chttps://ftmscan.com/address/0x64e08fa89c2bae9f123cc8a293775f0e6cc86760
Malicious Transactions:https://etherscan.io/tx/0x2a027c8b915c3737942f512fc5d26fd15752d0332353b3059de771a35a606c2dhttps://etherscan.io/tx/0x773fa597c4b58f86ee91b2c57d0d4b12014a60b939a6eb186d50ec45300bfa4ahttps://etherscan.io/tx/0x42441d8ed0034e337dad0365a64dd19a57639801dcbf4939863f47bf6c80daa4https://etherscan.io/tx/0x72a655cedf8dca4551db987a8196d5063a768be48cfba64553f0b6087e64686ehttps://etherscan.io/tx/0x85d7aec3f12191f0c0ae5fe8e4442915ac9fc24da96901b9e531af7082b3c2df
5. Steadefi — $1.1m Lost (Reentrancy)
Steadefi, operating on both the Arbitrum and Avalanche chains, was exploited on August 7, 2023. Due to compromised private keys of the deployer, the attacker changed the owner of the pools and withdrew assets including WBTC, WETH, and USDC. These funds were then bridged to the Ethereum chain through the Synapse Bridge, resulting in a total loss of $1,148,309, equivalent to 624.63 ETH.
Block Data Reference
Attacker Address:https://etherscan.io/address/0x9cf71f2ff126b9743319b60d2d873f0e508810dcMalicious Transactions: https://snowtrace.io/tx/0x2425a422d09a229759f1e4e229255944d4ab773e4c9285f43b7c488b43f9fc71https://snowtrace.io/tx/0xd82491c7bea6ca0e6342107cc25c5d73a364f7b117708d77c826b6d01b178cdahttps://snowtrace.io/tx/0xd280f22da697779e7b28690327e117a4d8d344df5d7829e97dcddf1074f130ebhttps://arbiscan.io/tx/0xa193821c30ed2c671b332caef9e217ad2812b7ac7e6901568bc751aaf48f85c4%20-%20
https://arbiscan.io/tx/0x5983968bdffcebaecc1ca56aece3d21767086959ffa883df21c00c378caa9cef%20-%20https://arbiscan.io/tx/0x141119aab391ca22e1f93fb66bfea80f03f5c028032b4292f36a4ead0eecb125Conclusion
The substantial financial losses recorded in August 2023 underscore the critical need for enhanced risk management and vigilance when interacting with the Decentralized Finance (DeFi) landscape. It is incumbent upon investors to acquaint themselves with potential vulnerabilities and to strategize effectively to secure their investments. At De.Fi, we understand the pivotal role that guidance and support play in traversing the complex and evolving DeFi ecosystem. As such, we remain devoted to equipping our users with useful resources and data to empower informed investment decisions in the field.
About De.Fi
De.Fi is an all-in-one Web3 Super App featuring an Asset Management Dashboard, Opportunity Explorer, and home of the world’s first Crypto Antivirus powered by the largest compilation of hacks and exploits, the Rekt Database. Trusted by 600K users globally, De.Fi aims to drive DeFi adoption by making the self-custody transition as simple and secure as possible. Backed by Okx, Huobi, former Coinbase M&A, and used by large companies worldwide, including University College London and Coingecko.Website | Twitter | De.Fi Security | Rekt Database
