Famous Hacks Analysis

Module 2 of Security

Why Study Hacks?

The crypto industry has lost over $10 billion to hacks and exploits. Each incident teaches valuable lessons about:

• Common vulnerability patterns
• Security best practices
• The importance of defense in depth

"Those who cannot remember the past are condemned to repeat it." - George Santayana

The DAO Hack (2016)

The Numbers

What Was The DAO?

The first major decentralized venture fund:

• Crowdfunded 11.5M ETH (~$150M at the time)
• Token holders vote on investments
• Largest crowdfund in history at the time

The Attack

// Vulnerable withdrawal function (simplified)
function splitDAO() public {
    // 1. Check balance
    require(balances[msg.sender] > 0);

    // 2. Send ETH (EXTERNAL CALL!)
    msg.sender.call{value: balances[msg.sender]}("");

    // 3. Update balance (TOO LATE!)
    balances[msg.sender] = 0;
}

// Attacker contract
receive() external payable {
    if (address(dao).balance > 0) {
        dao.splitDAO();  // Re-enter before balance updated
    }
}

The Aftermath

• Ethereum community split on response
• Hard fork to return funds (Ethereum)
• No fork chain continued (Ethereum Classic)
• First major demonstration of reentrancy danger

Lessons

1. Always use checks-effects-interactions pattern
2. Consider reentrancy guards
3. Governance for emergency response is crucial
4. Immutability vs. pragmatic recovery trade-off

Mt. Gox (2014)

The Numbers

What Happened?

Mt. Gox handled 70% of all Bitcoin trades:

• Hot wallet compromised over years
• Transaction malleability exploited
• Inadequate internal controls
• Possibly inside involvement

Timeline:
2011: First hack (~80,000 BTC)
2011-2014: Slow drain of funds
2014: Trading halted
2014: Bankruptcy filed
2023: Creditors finally receiving partial refunds

Lessons

1. Not your keys, not your coins
2. Exchanges are honeypots - minimize holdings
3. Proof of reserves matters
4. Centralized custody = centralized risk

Ronin Bridge Hack (2022)

The Numbers

What Was Ronin?

Axie Infinity's Ethereum sidechain:

• 9 validators, 5-of-9 multisig
• Bridged billions in assets

The Attack

Step 1: Social engineering (fake job offer)
        ↓
Step 2: Compromised Sky Mavis employee
        ↓
Step 3: Access to 4 Sky Mavis validator keys
        ↓
Step 4: Axie DAO validator also compromised
        (Sky Mavis had temporary access from Nov 2021)
        ↓
Step 5: 5/9 keys = full control
        ↓
Step 6: Drain bridge contract

Why 6 Days to Detect?

• No automated monitoring
• Manual processes
• Alert only when user couldn't withdraw

Lessons

1. Multisig threshold matters (5/9 too low for this value)
2. Key distribution - don't concentrate with one entity
3. Active monitoring is essential
4. Social engineering is often the weakest link
5. Temporary access must be revoked

Wormhole Hack (2022)

The Numbers

The Vulnerability

// Simplified vulnerable code
function complete_transfer(bytes memory vaa) public {
    // Verify guardian signatures
    // BUG: Used deprecated verification that could be bypassed!
    verify_signatures(vaa);

    // Mint wrapped tokens
    mint(destination, amount);
}

The attacker:

1. Found deprecated "verify_signatures" allowed bypass
2. Forged valid-looking message
3. Minted 120,000 wETH from nothing
4. Bridged to Ethereum, cashed out

Lessons

1. Upgrade carefully - deprecated code is dangerous
2. Signature verification is critical, get it reviewed
3. Cross-chain bridges are high-value targets
4. Quick response - Jump's bailout preserved trust

Nomad Bridge Hack (2022)

The Numbers

What Made This Unique?

First "crowd-sourced" hack:

Normal hack:
  Hacker finds bug → Drains funds

Nomad hack:
  Hacker finds bug → Posts exploit tx
        ↓
  Anyone can copy → Just change address
        ↓
  Hundreds of copycats join
        ↓
  ~300+ addresses drain remaining funds

The Bug

// The fatal flaw (simplified)
function process(bytes memory message, bytes32[] calldata proof) {
    bytes32 root = calculateRoot(message, proof);

    // BUG: Initialization left root as 0x00...00
    // ANY message with empty proof matched!
    require(acceptableRoots[root], "Invalid root");

    // Process message (release funds)
}

After a routine upgrade, the acceptable root was set to 0x00...00, making ANY message valid!

Lessons

1. Upgrade testing must be rigorous
2. Initialization bugs are common and critical
3. Public exploits enable copycats
4. Speed matters - funds drain in hours

Poly Network Hack (2021)

The Numbers

The Attack

Cross-chain protocol vulnerability:

1. Attacker exploits cross-chain message handling
2. Changes "keeper" (admin) to attacker's address
3. With keeper access, drains all funds
4. Poly Network begs for return
5. Attacker claims "for fun" - returns everything
6. Poly Network offers $500K bounty, job offer

Why Did They Return?

Attacker claimed:

• "Hacking for fun"
• "Not interested in money"
• Wanted to expose vulnerability

Reality likely:

• Blockchain traceability
• Difficulty laundering $611M
• Legal pressure

Lessons

1. Access control in cross-chain systems is critical
2. Blockchain transparency deters some attackers
3. Communication channels with attackers can help
4. Bounty programs provide legitimate alternatives

Euler Finance Hack (2023)

The Numbers

The Attack Vector

Complex multi-step attack:

1. Flash loan USDC and DAI
2. Deposit in Euler, mint eTokens
3. Use eTokens as collateral, borrow more
4. Self-liquidate with reserved funds
5. Donate (not repay) tokens to reserve
6. Creates accounting imbalance
7. Drain remaining value

The Recovery

Day 0: Hack occurs
Day 1: Euler offers 10% bounty
Day 7: On-chain messages between parties
Day 20: Negotiations via intermediary
Day 23: 100% returned

Attacker sent message: "I want to make this easy on
all those affected. Not my intention to keep stolen
funds."

Lessons

1. Donation mechanics are attack vectors
2. Self-liquidation edge cases need review
3. Negotiation can work for recovery
4. On-chain messages enable communication

Common Attack Patterns

Smart Contract Bugs

Operational Failures

Economic Exploits

Attack Statistics

By Year

2016: $60M (The DAO)
2017: $500M+ (Parity multisig)
2018: $1B+ (exchange hacks)
2019: $300M+
2020: $500M+ (DeFi summer)
2021: $3B+
2022: $4B+ (bridges)
2023: $2B+

By Category

Bridges: ~50% of funds lost
DeFi protocols: ~30%
Exchanges: ~15%
Other: ~5%

Recovery Rate

• Less than 20% of hacked funds recovered
• Recovery more likely when:
  • Attacker identified
  • Negotiation possible
  • Quick response

Key Takeaways

1. Reentrancy caused the first major hack, still relevant today
2. Bridges are the #1 target - billions lost
3. Social engineering bypasses technical security
4. Multisigs need sufficient threshold AND key distribution
5. Upgrades introduce new risks
6. Monitoring and alerts reduce damage
7. Negotiation sometimes recovers funds
8. Security is never "done" - continuous process

Resources

Hack Databases

• rekt.news - Leaderboard of DeFi hacks
• DeFiYield - REKT database
• SlowMist - Hacked database

Post-Mortems

Reading official post-mortems is invaluable:

• Root cause analysis
• Remediation steps
• Lessons learned