Q1 2022 was a record quarter for attacks on blockchain projects and digital asset holders. Hackers carried out 78 attacks and stole nearly $1.3 billion.

Axie Infinity and Bored Ape Yacht Club Are Hacked

According to recent findings by Atlas VPN, hackers stole nearly $1.3 billion during Q1 2022 by conducting 78 attacks. The number of hacks was up 136% from the same period in 2021 and 500% from the same period in 2020.

Data on hacking attacks on blockchain projects was provided by the SlowMist Hacked project, which collects this sort of information from public sources. Monetary losses were calculated based on the value of a particular cryptocurrency at the time of the hack. 

The most popular targets:

  • the NFT sector was attacked 20 times;
  • the Ethereum ecosystem was attacked 18 times;
  • BNB Chain was attacked 14 times.

As of April 4, 2022, Ethereum projects suffered the most losses — hackers managed to steal about $636 million. The Solana blockchain, which has been the subject of 5 hacker attacks, was in second place — around $397 million was stolen from it. BNB Chain saw almost $100 million stolen by attackers.

In late March and early April 2022, there were major attacks on the DeFi segment: the sidechain Ronin, the credit protocol Ola Finance and the lending project Inverse Finance. The attackers also managed to steal NFTs from the Mutant Ape Yacht Club collection, valued at half a million dollars. More details about all of this are below. 

Axie Infinity Game Hacked

The Ronin sidechain, which powers the popular blockchain game Axie Infinity, was hacked on March 23, although the attack was not discovered until March 29. The hacker managed to withdraw 173,600 ETH and $25.5 million worth of USDC stablecoins. 

The overall loss was about $625 million. This incident was the biggest hack of all time in the DeFi segment. It later became known that the hacker began sending stolen assets to the Ethereum mixer Tornado Cash. At the time of writing, at least 500 ETH had been sent to the service. 

The project’s blog claims that the attacker managed to hack the sidechain, gaining control of five of its nine validators. The project team said on Twitter that social engineering was used to gain unauthorized access to the assets.

The Axie Infinity development team is working with Chainalysis to track the stolen funds, and Crowdstrike is conducting a technical audit for Ronin to make sure there are no exploits.

Due to the hack, the Axie Infinity project’s AXS token fell in value by nearly 14%. Still, it regained ground after the developers promised to increase the threshold for validators and make restitution. The Ronin ecosystem’s RON token suffered more — its value dropped almost 20% and has still not recovered.

Bored Ape Yacht Club Community Hacked

In early April, the official Discord of the BAYC & MAYC NFT collections from Yuga Labs was compromised. An unknown hacker managed to post a phishing link on the Discord channel of the Mutant Ape Kennel Club. The attack was also reportedly made possible by the popular Discord bot Ticket Tool, which generates automated support requests. 

The project team said on Twitter that the problem was successfully fixed, but Taiwanese singer Jay Chou was affected by the hack. His Mutant Ape Yacht Club NFT #8662 was stolen, and the amount of damage is estimated at $500,000.

Ola Finance Credit Protocol Hacked

A hacker took advantage of a reentrancy bug and hacked Ola Finance’s DeFi credit protocol. The attacker managed to withdraw $3.6 million worth of crypto assets, the Chinese crypto analytics company PeckShield reported.

Crypto analysts claim that the hacker borrowed funds against his own collateral at Ola Finance, then exploited a reentrancy vulnerability in the smart contracts and deleted the collateral data. The attacker repeated this process across multiple Ola pools. The money was then withdrawn via the Fuse network bridge into the Ethereum and BNB Chain blockchains. 
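The ordering flaw behind this class of bug can be shown with a toy model. The following is an added example, not code from Ola Finance or from the original article: a simplified Python lending pool (the class, its method names and the amounts are all constructed) that compares a pool recording debt after the token transfer with one that records it first and holds a lock during the transfer.

```python
# Toy lending pool, constructed for illustration (not any real protocol's code).
# Token transfers invoke a recipient hook, as callback-enabled tokens do.
class Pool:
    def __init__(self, hardened):
        self.hardened = hardened   # True: state updated before transfer, plus a lock
        self.locked = False
        self.collateral = {}       # user -> collateral held by the pool
        self.debt = {}             # user -> amount owed

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount, on_receive):
        if self.locked:
            raise RuntimeError("re-entered")
        if amount > self.collateral.get(user, 0) - self.debt.get(user, 0):
            raise ValueError("insufficient collateral")
        if self.hardened:
            self.locked = True
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            try:
                on_receive()                                   # then the external call
            finally:
                self.locked = False
        else:
            on_receive()                                       # external call first
            self.debt[user] = self.debt.get(user, 0) + amount  # debt recorded too late

    def withdraw_collateral(self, user):
        if self.locked:
            raise RuntimeError("re-entered")
        if self.debt.get(user, 0) > 0:
            raise ValueError("outstanding debt")
        return self.collateral.pop(user, 0)


def unbacked_debt(hardened):
    """Borrow 100 against 100 collateral while the receive hook calls back into the pool."""
    pool = Pool(hardened)
    pool.deposit("borrower", 100)

    def hook():
        try:
            pool.withdraw_collateral("borrower")
        except (RuntimeError, ValueError):
            pass  # hardened pool rejects the nested call

    pool.borrow("borrower", 100, hook)
    return pool.debt["borrower"] - pool.collateral.get("borrower", 0)

if __name__ == "__main__":
    print(unbacked_debt(False), unbacked_debt(True))
```

The invariant worth monitoring is that every debt stays backed by collateral the pool still holds. The unhardened ordering breaks that invariant in a single call, while the hardened one preserves it.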

Ola Finance said that the investigation is ongoing, promising to reveal all details in the near future. The issuance of decentralized loans on Fuse Network has been suspended, but Ola Finance assured that the incident in no way affected its credit services on other blockchains.

Inverse Finance Lending Project Hacked

A hacker attack on Inverse Finance resulted in the loss of $15.6 million in assets. The protocol team stated that the attack was carried out by manipulating the Keep3r price oracle. 

According to PeckShield, the hacker exploited a vulnerability in the INV/ETH oracle on SushiSwap, which Inverse Finance uses to monitor token prices. This let the hacker artificially inflate the INV price and use the tokens as collateral in the Anchor Protocol market. Consequently, the attacker managed to withdraw $15.6 million in DOLA, ETH, WBTC and YFI tokens.

Inverse Finance analysts noted that the hacker needed to deposit 901 ETH from the Tornado Cash mixer, where most of the stolen assets were transferred, to carry out the attack.

Inverse Finance suspended all operations on Anchor Protocol, and the developers asked the hacker to return the stolen assets for a fee.

Author: Nataly Antonenko