Common DeFi Exploits

Note: You can take this lesson, but to earn rewards, please login or register.
Course Lessons



Lesson Image

Flash Loan Attacks

Picture this: You walk into a bank, borrow a billion dollars without collateral, use it to manipulate the stock market, profit handsomely, and repay the loan; all within the blink of an eye. This impossible scenario is the real-world equivalent of a Flash Loan attack.

Flash loans are a legitimate DeFi innovation allowing users to borrow massive sums without collateral, provided the loan is repaid within the same blockchain transaction. Attackers can exploit flash loans in four steps:

  1. Borrow a huge sum via a flash loan.
  2. Use this capital to manipulate prices on a decentralized exchange or through an oracle.
  3. Exploit another DeFi protocol that relies on that manipulated price feed.
  4. Repay the flash loan and walk away with the profit, all within a single, atomic transaction. If any step fails, the entire transaction reverts, so the attacker loses nothing but a small gas fee.
Fun Fact: The first major flash loan attack happened on the bZx lending platform in February 2020. An attacker brilliantly used a massive, uncollateralized flash loan to manipulate prices and profit $370,000 in a single, lightning-fast transaction.

Reentrancy Attacks

This is an oldie but a notorious goodie, famously responsible for the infamous DAO hack in 2016. It led to the split of Ethereum into ETH and ETH Classic.

A reentrancy attack occurs when a smart contract calls another external contract before fully updating its own internal state. A loop is created if the external (malicious) contract can then call the original contract again before the first call is finished and balances are updated. The attacker can repeatedly withdraw funds, draining the contract dry before it realizes the money is gone. It's like a faulty ATM that dispenses cash but doesn't deduct from your balance until the end of the day, allowing you to withdraw repeatedly.

Oracle Manipulation

Many DeFi protocols rely on "oracles," i.e., third-party services that feed real-world data like asset prices into smart contracts. If an attacker can corrupt this data, they can trick the smart contract into making bad decisions. Attackers might feed incorrect data to a centralized oracle or manipulate a single, low-liquidity DEX pool that a protocol uses as its sole price source.

Once the oracle provides a false price, the attacker can exploit lending platforms to borrow against overvalued collateral, trigger unfair liquidations, or execute trades at manipulated prices, all at the expense of the protocol and its users.

Rug Pulls & Exit Scams

These are perhaps the most heartbreaking, as they directly target unsuspecting investors. A rug pull happens when the developers of a new crypto project suddenly abandon it. They typically withdraw all the liquidity from a decentralized exchange pool and leave investors with worthless tokens.

The most common form of rug pulls is liquidity removal, where developers remove the funds that were paired with their newly created token. Some other forms of exit scams include dumping and malicious code.

In general, these scams often involve aggressive marketing, anonymous teams, and unrealistic promises of sky-high returns.

Front-Running (MEV)

While not always a "hack" in the traditional sense, Maximal Extractable Value (MEV) allows blockchain validators or sophisticated bots to profit by strategically ordering transactions within a block.

Imagine you place a large buy order for a token, expecting its price to go up. A "front-running" bot might detect your pending transaction, execute its own buy order before yours, wait for your large order to push the price up, and then immediately sell for a profit. This causes slippage for legitimate users and can subtly drain value over time.

Top Historical DeFi Attacks

  1. Ronin Network Hack (March 2022): $625 million was stolen from the Axie Infinity sidechain bridge due to compromised validator keys, making it one of the largest crypto hacks to date.
  2. Poly Network Hack (August 2021): A white hat hacker was able to drain $611 million from this cross-chain bridge due to a smart contract vulnerability. Most of the funds were later returned by the hacker.
  3. Binance BNB Bridge Exploit (October 2022): An attacker exploited a bug in Binance's cross-chain bridge, minting and withdrawing 2 million extra BNB tokens, with approximately $100 million in user funds affected.
  4. Wormhole Bridge Hack (February 2022): $325 million in Wrapped ETH was stolen from the Solana-Ethereum bridge due to a smart contract exploit.
  5. Euler Finance Hack (March 2023): $197 million was lost in a flash loan attack that exploited a vulnerability in the lending protocol, even though the majority of funds were subsequently returned.
  6. Nomad Bridge Hack (August 2022): A critical smart contract bug that allowed a "decentralized mob" to loot $190 million from Nomad’s cross-chain bridge.
  7. Beanstalk Farms Hack (April 2022): $181 million was stolen when an attacker used a flash loan to gain majority governance control and drain the protocol's treasury.
  8. Wintermute Hack (September 2022): $162 million was compromised from this major market maker due to a suspected private key vulnerability in its DeFi-related operations.
  9. Badger DAO Hack (December 2021): $120 million was lost after attackers injected malicious code into the website's front-end via a compromised API key, redirecting user funds.
  10. Cream Finance Flash Loan Attack (October 2021): Over $130 million was drained from the lending protocol in a flash loan attack that manipulated its price oracle, one of several major exploits it faced.