One of the biggest in the month, according to DeFi-centric data analytics platform DefiLlama, was the flash loan reentrancy attack on Platypus Finance, which resulted in the loss of $8.5 million in funds.The first was the price oracle assault against BonqDAO on February 1; DefiLlama then listed six further important hacks that occurred in the month.
1. BonqDAO: $1.7 million-
In a post on February 1, BonqDAO informed its followers that an oracle attack on the Bonq protocol had given the exploiter access to control the AllianceBlock (ALBT) token’s price.
The exploiter raised the price of ALBT and made significant sums of BEUR. Afterwards, via Uniswap, the BEUR was exchanged for other tokens. After that, the price dropped to practically zero, which caused ALBT troves to be liquidated.However, it was later discovered that hackers reportedly only cashed out around $1 million due to a lack of liquidity on BonqDAO. PeckShield, a blockchain security company, had estimated the losses to be about $120 million.
2. Orion Protocol: $3 million
Just one day later, on February 2, a reentrancy assault cost decentralised exchange Orion Protocol nearly $3 million. In this attack, attackers employed a malicious smart contract to repeatedly extract cash from their victim.
Orion Protocol CEO Alexey Koloskov confirmed the attack at the time, assuring everyone, "All users' funds are safe and secure."
"We have reasons to believe that the issue was not a result of any shortcomings in our core protocol code, but rather might have been caused by a vulnerability in mixing third-party libraries in one of the smart contracts used by our experimental and private brokers," he said.
3. dForce Network: $3.65 million
Another victim of a reentrancy attack in February was the DeFi protocol dForce network, which suffered losses of almost $3.65 million.The exploit was validated by dForce in a post on February 10; however, in an unexpected turn, all money was restored when the hacker identified himself as a whitehat hacker.On Feb. 13, 2023, the exploited funds were fully returned to our multi-sig on both Arbitrum and Optimism, a perfect ending for all,” dForce said.
4. Platypus Finance: $9.1 million
DeFi protocol Platypus Finance experienced a flash loan assault on February 16 that resulted in the protocol losing $8.5 million.Omniscia, a Platypus auditor, stated in a post-mortem report that the assault was made possible by incorrectly ordered code.On February 23, the team declared that they were aiming to remine frozen stablecoins in order to recover about 78% of the cash from the main pool.The team also identified additional instances two and three, which resulted in an additional $667,000 being misused, increasing the total losses to over $9.1 million.On February 25, French authorities detained two people connected to the breach and seized cryptocurrency holdings worth about $222,000 in total.
5. Hope Finance: $1.86 million
A few days later, on February 20, customers of Hope Finance, an algorithmic stablecoin project based on arbitrum, were the target of a smart contract exploit that resulted in the theft of about $2 million from users.On February 21, the incident was reported by Web3 security company CertiK in response to a tweet from the Hope Finance account warning customers of the fraud.
6. Dexible: $2 million
The selfSwap feature of the multichain exchange aggregator Dexible was the subject of an exploit on February 17 that cost the company $2 million in cryptocurrency.The exchange stated in a statement on February 18 that "a hacker took advantage of a weakness in our newest smart contract. Because of this, the hacker was able to take money from any wallet that contained a contract with an unspent spent authorisation.Following an investigation, the Dexible team discovered the attacker had transferred over $2 million worth of cryptocurrency from users who had previously given the programme permission to transfer their tokens.The attacker transferred the funds through Tornado Cash into unidentified BNB wallets after receiving the tokens into their own smart contract.
7. LaunchZone: $700,000
LaunchZone, a BNB Chain-based DeFi technology, had a $700,000 cash drain on February 27.Immunefi, a blockchain security company, claims that an attacker used an untrusted contract to steal the money.The LaunchZone deployer had given the unconfirmed contract permission 473 days prior, according to Immunefi.
March 2023, CryptoniteUae