- April saw a record number of crypto hacks.
- Single points of failure are a growing concern.
- Code bugs were the cause of the vast majority of incidents.
April was a bad time for the crypto industry.
Over the past month, 29 crypto projects have suffered hacks or exploits, the highest monthly tally in the industry’s history, per DefiLlama data.
Among them were two standouts: The hacks of Solana-based exchange Drift, and Ethereum-based restaking app Kelp DAO, which resulted in a combined $579 million loss.
The situation has sparked a crisis of confidence among the industry’s most ardent believers and left them questioning whether the tradeoffs inherent in decentralised technology are worth the trouble.
In recent years, the number of crypto hacks — and the amounts stolen — have edged higher.
The fast-moving and experimental DeFi space, once notorious for exploits, was thought to have matured. But now it’s back in the limelight — and not for the right reasons.
“Right now, DeFi seems to be the primary target,” Michael Pearl, vice president of strategy at crypto security firm Cyvers, previously told DL News. “In general, everything has shifted now to hacking humans rather than hacking systems.”
Single points of failure
The problem, according to Michael Egorov, founder of DeFi protocols Curve Finance and Yield Basis, is centralisation.
“We need to reduce the number of single points of failure as much as possible,” Egorov said in a statement shared with DL News. “The goal of DeFi design should be to minimise human-centric points of failure, not add to them.”
The attacks on Drift and Kelp DAO both ultimately came down to centralised weak points.
North Korean hackers compromised two Drift employees through an elaborate social engineering campaign. This gave the hackers the power to make admin changes to the protocol, allowing them to steal some $285 million from users.

As for Kelp DAO, the instance of the LayerZero crypto bridge the protocol relied on was configured to only require a single operator, which hackers exploited to steal $273 million.
Yet centralisation is not the only way DeFi protocols are getting caught out.
Last month, 24 out of the 29 incidents — almost 83% — were caused by code bugs.
Crypto security experts previously told DL News that advances in artificial intelligence are making it cheaper, easier, and faster for hackers to attack DeFi protocols.
Bad actors are now using the large language models that power AI chatbots like ChatGPT and Claude to search through thousands of lines of code a second. Before, they had to do so manually.
Despite code bugs being the root cause of the majority of hacks, they only accounted for $42 million of April’s $635 million in losses — around 6.6%.
Not the biggest loss
Despite a record 29 hacks, April wasn’t the worst month by the amount of funds lost.
In December 2020, hackers reportedly stole some $3.5 billion.
Yet that month is often considered an outlier because the vast majority of that figure came from the hack of wallets belonging to LuBian, a Bitcoin mining company.
Neither LuBian nor the suspected hacker has ever publicly acknowledged the breach, and it remained unnoticed for almost five years.

Arkham Intelligence, the blockchain data platform that discovered the hack, said it was likely due to LuBian's use of a flawed private key generation algorithm that left it susceptible to brute-force attacks.
The next biggest loss came in February last year when North Korean hackers swiped $1.5 billion from crypto exchange Bybit.
Hackers also stole slightly more than April's total in each of August 2021, March 2022 and October 2022.
Tim Craig is DL News’ Edinburgh-based DeFi Correspondent. Reach out with tips at tim@dlnews.com.







