What is a DeFi Exploit? A Beginner’s Guide to Managing Risk

Have you ever wondered how exploiters were able to steal millions of dollars in funds, seemingly without a trace? Learn about exploits in this guide.

What is a DeFi Exploit?

Exploits are (usually criminal) attempts to manipulate DeFi protocols by exploiting loopholes and logical errors in the smart contracts on which they’re run, resulting in the theft of user assets. 

Given the speculative nature of blockchain tech, exploits are a major source of risk when it comes to investing in the DeFi space—even for projects that have had their smart contracts audited.

In this article, we’ll be going over the main types of DeFi exploits, some notable examples of DeFi protocols that were exploited, and what you can do to protect yourself from getting completely rekt.

A girl rides her bike into a car and gets rekt.

The Most Common Types of DeFi Exploits

Flash loan

The majority of DeFi exploits involve something known as a flash loan. 

Flash loans allow individuals to borrow large amounts of an asset without collateral as long as that loan is paid back within the same blockchain transaction. 

The Flash zips past the streets, faster than the eye can see.

Just as The Flash uses his superspeed for good, most individuals take advantage of flash loans for perfectly legitimate reasons (i.e. swapping collateral, self-liquidation and legitimate arbitrage opportunities). 

But what happens in an alternate universe where The Flash is a supervillain?

Price oracle manipulation using flash loans

Most DeFi protocols feature in their smart contracts a piece of code called a centralized price oracle—a third-party service that retrieves external price data from asset pairs on a single decentralized exchange (DEX) such as Uniswap. 

A man rubs his magic ball.

Because these protocols rely on a single DEX to feed in their price data, exploiters can manipulate the market (i.e. increase or decrease the price of a token relative to a paired token) by swapping large amounts of said token, courtesy of a flash loan, on the DEX in question.

This ultimately creates an arbitrage opportunity in which the exploiter can withdraw from the protocol a far greater amount of an asset than usually possible. 

Rug pull

Less of an exploit than it is a scam, rug pulls occur when the developers of a protocol “pull the rug” on their investors and run away with their funds. 

A man pulls the rug from an unexpecting bystander.

This is usually accomplished by the developers first listing their protocol token on a DEX. After attracting enough liquidity pool investment for their token pairs, the devs drain the pool, stealing the funds while driving the price of the token down to zero.

In the yield farming world, there are so many rugs—from “soft rugs” that don’t steal all users’ funds, but don’t implement anti-inflationary token measures, to “hard rugs” designed to steal every last BUSD. Check out our guide on hard rugs and exploits here: Exploits and Rug Codes

Notable DeFi Exploits

Value DeFi

Value DeFi is protocol offering a suite of DeFi services, including an automated market maker (vSwap) and a yield aggregator (vSafe). 

It also apparently offers a lot of free money for potential exploiters, because it’s one of the only protocols to have been exploited three times

In the first attack, which occurred on November 14, 2020, an exploiter utilized a flash loan to walk away with $7 million before returning $2 million and a patronizing message to the devs (“do you really know flashloan?”).

"Do you really know flashloan?" message from the hacker of ValueDefi
Image courtesy of rekt

Then, on May 5, 2021, someone exploited a missing line of code that allowed them to re-initialize a pool and set themselves as the owner. They subsequently drained the stake token for vBWAP/BUSD, burned it and converted both coins into $10 million worth of BTC.

Screenshot of the wallet in which the hacker responsible for Value DeFi’s second exploit sent their funds.
Screenshot of the wallet in which the exploiter responsible for Value DeFi’s second exploit sent their funds

Just 3 days later, Value DeFi was exploited again. Like the second attack, the exploiter took advantage of a coding error—this time, the incorrect usage of something called a Bancor formula. This allowed the exploiter to take funds in any pool that didn’t have its liquidity split 50/50, ultimately resulting in $11 million of stolen funds. 

Screenshot of the transaction in which the third hacker stole the funds
Screenshot of the transaction in which the third exploiter stole the funds

What’s that saying they have in baseball? Three strikes and you’re out? Time will tell if Value DeFi can retain the trust of its users after this embarrassing showing at bat. 

Meerkat Finance rug pull

Meerkat Finance was a fork of Alpaca.Finance—itself a fork of Yearn.Finance, a yield aggregator protocol—that operated on the Binance Smart Chain. 

Just one day after its launch on March 4, 2021, it was exploited for 13 million BUSD and 73,000 BNB, totalling roughly $31 million in user funds. 

A meerkat looks on in surprise.

While the team initially played it off as an exploit, it was later discovered that the Meerkat Finance Deployer had upgraded two of their vaults prior to the attack, giving the devs backdoor access and indicating that it was an inside job. 

Interestingly, a day later, a member of the dev team named “Jamboo” surfaced on Telegram and announced that all investors would be refunded—and they were. 

What was the point of it all, then? Apparently, a (very expensive) “social experiment” to test “user greed and subjectivity” in the DeFi space. 

Its results were predictable and the lessons clear: don’t ape into every mouthwatering DeFi project with flashy graphics you see—especially if, like Meerkat Finance, they aren’t audited!

EasyFi 

EasyFi is a lending protocol built on Polygon that holds the unenviable distinction of being victim to the largest exploit in DeFi to date. 

On April 19, 2021, the attacker managed to compromise a computer used for official transactions on behalf of the protocol. They then injected a malicious version of MetaMask (a popular DeFi wallet), allowing them to steal admin keys, drain liquidity pools, and ultimately make away with roughly $6 million in stablecoins and $53 million in EASY tokens. 

A boy takes money from someone.

Harvest Finance 

Harvest Finance, a yield aggregator protocol, was hit by a textbook flash loan price oracle attack targeting their FARM_USDT and FARM_USDC pools on Oct 26, 2020.

A farmer looks on into the distance with the caption, "It ain't much, but it's honest work"

The steps they carried out were as follows (credit @valentinmihov and rekt):

  1. Take a $50 million USDT flash loan
  2. Swap $11.4 million USDC to USDT on the Curve Finance Y pool (causes USDT price to go up)
  3. Deposit $60.6 million USDT into vault 
  4. Exchange $11.4 million USDT to USDC (causes USDT price to go down)
  5. Withdraw $61.1 million USDT from vault ($0.5 million profit)
  6. Rinse and repeat 32 times
  7. Convert to BTC (via renBTC) and withdraw; convert to ETH and withdraw via Tornado.finance, a protocol that allows for anonymous transactions
Screenshot of the wallet in which the hacker deposited $24 million worth of USDC and USDT
Screenshot of the wallet in which the exploiter deposited $24 million worth of USDC and USDT

Pancake Bunny 

Pancake Bunny is another yield aggregator protocol that was hit by a flash loan attack on May 19, 2021, this one to the tune of $45 million. 

By taking out 8 different flash loans, the exploiter was able to manipulate the price on various PancakeSwap pools and mint an unwarranted 6.97 million BUNNY tokens. These were then immediately sold for profit, causing the token’s price to crash from $146 to $6. 

Screenshot of the transaction behind the hack.
Screenshot of the transaction behind the exploit.

Other DeFi Exploits

For a comprehensive list and what to do in case you find yourself victim to a DeFi exploit, check out the following resources:

Protecting Yourself From DeFi Exploits

So what can you do to make sure you don’t get rekt by DeFi exploits?

Well, it’s simple: do your due diligence and don’t just jump into a project because the returns are juicy. 

Indeed, if the returns look too good to be true, chances are they just might be. Just look at the recent Iron Finance fiasco—no, it wasn’t an exploit and it doesn’t appear to have been a rug pull, either, but it was an example of super high APYs blinding people to the poor fundamentals behind the project. 

Check to see if the project is audited. No, this doesn’t guarantee safety, but it does usually protect you from being rug pulled via backdoors and loopholes deliberately written into the smart contract. 

Most importantly, keep in mind the foundational rule of investing: don’t invest what you can’t afford to lose. Blockchain and crypto is a fledgling space with all kinds of risks and unknowns. As such, the possibility of DeFi exploits will always be there, no matter how solid any given project is. 

Search

🟢 For owners who have made impactful changes and would like an update to their farm review:

1️⃣ Use #update at @RugDocChat with your description and proof of changes and it will be forwarded to our scanners.

2️⃣ This does not guarantee a change in your review.

3️⃣ Owners who have difficulty solving the issues can consider our Consultation Package – please contact @BaymaxCrypto on Telegram to discuss.

Our mission here at RugDoc is to screen for hard rug code that results in 100% theft of ALL underlying funds for ALL participants.

This is the ONE part of the due diligence process that most people cannot simply do on their own as it costs thousands of dollars to hire a senior solidity developer to look over a farm for safety.

A project coin with terrible code can go up in price, and a project with good code and a good team can also go down in price.

Do NOT use our ratings to refer to your likelihood in making money if you invest in the project. They are ONLY in reference to code safety.

Everything else beyond code safety is YOUR responsibility to go do research on. We just make sure the casino you’re betting in won’t rob you before you even get to place a bet.

Our reviews for projects are organized into a few colors.

🟢 Least Risk
These projects are the least likely to hard or soft rug. Usually reserved for cornerstone projects of an ecosystem where it makes no financial sense for them to rug in any manner as they make more money just being legit.

🔵 Low Risk
These projects are usually established projects in an ecosystem that have a track record of success or have KYC’d to us or other authoritative sources in the real world. As a result, it is extremely unlikely for them to soft rug or hard rug their projects. The projects can still fail and the token price can go down, but usually more as a result of natural market forces.

⚪️ Some Risk
This is the default rating for projects with unknown teams but have code that is unlikely to have hard rug risk. Since the team is unknown and doesn’t have a track record of success, it’s entirely possible that they may try to soft rug by dumping tokens, abandoning the project, etc. Even a last minute contract swap to a malicious contract is possible. The only thing that is unlikely is a complete hard rug as long as you are 100% sure you deposit into the contract we review.

🟠 Medium Risk
Similar to Some Risk, but the underlying code itself is custom enough or complex enough that it warrants an elevated risk rating that needs deeper research. Make sure you read every point presented to make sure you’re comfortable with that before entering. Still unlikely to hard rug, but more chances of custom code behaving incorrectly and causing other issues.

🔴 High Risk
Project contains code or practices that are HIGHLY LIKELY to lead to catastrophic losses as they are right now. Make sure you read the description carefully as we will always warn what these issues are. If you see the words Hard Rug anywhere in the review, STAY FAR AWAY!

⚫️ Not Eligible
We reserve the right to not review exceedingly complex projects that would require tens of thousands of dollars of senior security analyst man hours. Typically these are projects that deal with leverage, lending, options, derivatives, and anything that is overly complex and which requires tons of peer reviews and audits from top audit companies.