Cyber Attacks Hit DeFi Protocols for a Combined $25 Million

A little over $25 million in cryptocurrency was stolen from DeFi protocols at about the same time in mid-May, with Sonne Finance, BlockTower and ALEX Lab experiencing substantial losses. It is not clear if the three cyber attacks are directly connected and the breach points for some of them are different, but all took place on or around May 14.

Sonne Finance took the bulk of the loss, with about $20 million stolen via an exploitable bug. ALEX Lab lost about $4 million in what is suspected to be a private key compromise, and BlockTower Capital saw a loss of about $1.5 million in a hacking incident.

Another rough period for DeFi protocols as thieves exploit vulnerabilities

Sonne Finance is one of the more commonly used DeFi protocols for liquidity markets, and had to suspend its Optimism Market temporarily in the wake of initial losses of $3 million in wrapped Ethereum and USD Coin. That loss soon ballooned to $20 million, however, causing a sudden 60% drop in the value of the SONNE token despite the Base blockchain version remaining untouched.

The cyber attack on Sonne is the one that has the most public information available; the hackers exploited an “empty market” bug via a “donation” attack that targeted Velodrome Finance’s VELO, which recently had token markets added. The attack involves time-locking a smart contract to execute in the near future, in this case in two days, and in the interim “donating” large amounts of crypto to alter the exchange rate between two tokens. This can trick platforms using specific DeFi protocols into believing that they have more collateral on hand than they actually do, allowing the attacker to extract large amounts of the target coin.
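
The effect described above, as an added example that is not part of the original article or Sonne's code: a simplified Python model of a share-based lending market, showing why a donation moves the exchange rate of a near-empty market so sharply, with two defensive checks. The Market class, the cash-per-share formula, MIN_SHARES, the 5% jump limit and all numbers are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MIN_SHARES = 10**6  # assumed policy floor: shares outstanding before a market may back loans

@dataclass
class Market:
    cash: int                 # underlying tokens held by the market contract
    shares: int               # receipt tokens issued to depositors
    collateral_factor: float  # fraction of deposit value that can back borrowing

    def exchange_rate(self):
        # Assumed accounting: underlying per share = cash / shares outstanding.
        return self.cash / self.shares if self.shares else 1.0

    def collateral_value(self, shares_held, price):
        # Borrowing power the platform credits to a holder of `shares_held`.
        return shares_held * self.exchange_rate() * price * self.collateral_factor

    def donate(self, amount):
        # A direct transfer raises cash but mints no shares, so the rate moves.
        self.cash += amount

def listing_risk(m):
    """Pre-launch check: collateral must not be enabled on a near-empty market."""
    if m.collateral_factor > 0 and m.shares < MIN_SHARES:
        return ["collateral enabled while share supply is below MIN_SHARES"]
    return []

def rate_jump(before, after, limit=1.05):
    """Monitoring check: flag an exchange-rate move above the assumed 5% limit."""
    return after > before * limit

def demo():
    # Constructed markets: one freshly listed and nearly empty, one seeded.
    markets = {"empty": Market(2, 2, 0.35), "seeded": Market(10**9, 10**9, 0.35)}
    out = {}
    for name, m in markets.items():
        findings = listing_risk(m)
        before = m.exchange_rate()
        m.donate(10**6)  # same donation applied to both markets
        after = m.exchange_rate()
        out[name] = (before, after, rate_jump(before, after), findings)
    return out

if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

The same donation multiplies the rate of the two-share market roughly 500,000-fold while moving the seeded market by 0.1%, which is why seeding a market before enabling collateral and alerting on rate jumps are the relevant controls.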

The Sonne loss hit $20 million before developers used a relatively simple trick to prevent the hackers from taking an additional $6.5 million. The prospect of clawing anything back appears to be very limited, however. The attackers had already extracted $8 million of the stolen funds to bitcoin and ether and dumped the funds to new wallets within hours of detection of the cyber attack.

The second largest hit of the activity period was on ALEX Lab, with an estimated loss of about $4.3 million in bitcoin, assorted stablecoins and Sugar Kingdom tokens. This was not the result of a bug or software exploit, however, but rather very likely a compromise of a private key to the Xlink bridge service. It is also possibly an inside job, as the developers said that they know the identity of the thief and are offering a 10% “bounty” if they return the stolen funds.

Crypto investment firm BlockTower Capital, which holds some $1.7 billion in assets under management, also reported a partial theft from its hedge fund of about $1.5 million. The company says that it has hired a third-party forensic investigator to trace the source of the breach. BlockTower suffered a similar loss of about $1.5 million a little over a year ago when Dexible, an exchange that ties together multiple DeFi protocols, was hacked due to a software bug.

DeFi world looks to AI as a shield from cyber attacks

The issue of securing DeFi protocols has been front and center since North Korea’s state-backed hacking groups began tearing through them and stealing millions of dollars’ worth of crypto in recent years. The space as a whole has been struggling to come up with some sort of standardized, reliable way to assure investors and businesses that their money will be safe.

Some have been turning to AI as this solution. That was Sonne’s response after discovery of the cyber attack, as it retained web3 security firm Cyvers.AI to mitigate the damage and investigate. This came after Cyvers spotted the attack in progress four minutes before the first transaction was made, and immediately made contact with Sonne to warn them. With a prior relationship in place and better integration into internal defense systems, DeFi protocols might find that “learning” AI systems of this sort provide just enough time to cut off an attacker before the funds can be extracted.

DeFi protocols can point to some recent improvements in the market, chiefly a drop from over $53 billion in losses in 2022 to just $1 billion total in 2023. Still, “just” $1 billion would still be quite a high theft total for anything in the financial realm. And investors would like to see more network-level security built into DeFi protocols before they’ll begin to feel truly comfortable. “Code is law” is a refrain often heard in the DeFi space, and smart contracts will need to display much tighter security before many are comfortable with that as the law of the land.