Major DeFi Hacks: What Went Wrong with Deribit and Team Finance


The Deribit Hack

On the 1st of November 2022, the Deribit cryptocurrency exchange lost approximately US$28M in funds from its hot wallets. The attacker withdrew the funds in BTC, ETH, and USDC. According to reports, stolen keys were the cause of the attack.

While the hacker did get away with $28M, users of the platform can take comfort in knowing that the exchange kept 99% of user funds in cold wallets and that any funds invested into their platform are safe, according to their official tweets.

Reportedly, the attacker was able to steal the funds due to stolen private keys. While there has been no official statement from the exchange regarding the manner in which these keys were obtained, they have asked all their users to re-generate new deposit addresses, leading us to believe that they may have fallen prey to a phishing attack.

A phishing attack is a technique wherein an attacker tricks their victim(s) into revealing sensitive information. They may do this by sending fake emails crafted to look legitimate, manipulating users into clicking malicious links, or by calling their victims and pretending to act on behalf of legitimate service providers.

Phishing attacks are nothing new and have been around for ages. Attackers attempt to steal bank account details, credit card numbers, employee credentials, etc. through these attacks, and have now branched out into the Web 3.0 world by trying to steal users' private keys in order to drain money from their victims' crypto wallets.

Such attacks make it evident that one should stay alert and ALWAYS SECURE THEIR PRIVATE KEYS.


The Team Finance Hack


Team Finance is a platform which can be used by upcoming DeFi projects to launch and secure their tokens.

On the 27th of October 2022, the platform lost US$15.8M in funds across 4 projects which were using the platform. Ironically, Team Finance labels itself as the "Industry Leader in Project Security and Automation".

The four tokens affected were:

  • Tsuka
  • Caw
  • Kondux
  • FEG

The funds were stolen due to a vulnerability in Team Finance's Liquidity Lock smart contract.

According to their website, a Liquidity Lock is a smart contract which can be used by token holders to lock their tokens. In order to do this, token holders need to send their tokens to this smart contract. This smart contract allowed projects to migrate their locked positions from Uniswap v2 to Uniswap v3. However, the contract had a vulnerable migrate() function, which could be exploited to transfer funds to a malicious V3 pair. This effectively allowed the attacker(s) to drain money from these projects.
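
The article does not reproduce the contract, so the following is an added, hypothetical sketch (not Team Finance's code) of checks a lock contract can apply before a v2-to-v3 migration so that the caller cannot choose where the locked funds go. `LockMigrationGuard`, `checkedDestination` and the `Lock` layout are invented names, and the Uniswap interfaces are trimmed to the calls used.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: hypothetical lock contract, not Team Finance's code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IUniswapV2Pair {
    function token0() external view returns (address);
    function token1() external view returns (address);
}
interface IUniswapV3Factory {
    function getPool(address a, address b, uint24 fee) external view returns (address);
}

contract LockMigrationGuard {
    struct Lock { address owner; address lpToken; uint256 amount; }

    IUniswapV3Factory public immutable v3Factory; // trusted factory, fixed at deploy time
    mapping(uint256 => Lock) public locks;

    constructor(IUniswapV3Factory factory_) { v3Factory = factory_; }

    // Records who locked which LP token; migration is later tied to this record.
    function lock(uint256 lockId, address lpToken, uint256 amount) external {
        require(locks[lockId].owner == address(0), "lock id in use");
        require(IERC20(lpToken).transferFrom(msg.sender, address(this), amount), "transfer failed");
        locks[lockId] = Lock(msg.sender, lpToken, amount);
    }

    /// Returns the only V3 pool this lock may migrate to, or reverts.
    function checkedDestination(
        uint256 lockId, address pair, address token0, address token1, uint24 fee, address recipient
    ) public view returns (address pool) {
        Lock storage l = locks[lockId];
        require(msg.sender == l.owner && l.amount > 0, "not owner of a live lock");
        // The pair being migrated must be the asset that was actually locked.
        require(pair == l.lpToken, "pair is not the locked token");
        // Token addresses are read from the pair itself, never taken on the caller's word.
        require(token0 == IUniswapV2Pair(pair).token0(), "token0 mismatch");
        require(token1 == IUniswapV2Pair(pair).token1(), "token1 mismatch");
        // The new position and any refund must stay inside the lock contract.
        require(recipient == address(this), "recipient must be the lock");
        // Only a pool deployed by the trusted factory is accepted as destination.
        pool = v3Factory.getPool(token0, token1, fee);
        require(pool != address(0), "no pool at trusted factory");
    }
}
```

A migrate() built on this would call `checkedDestination` first and pass only the validated values on to the migration step.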

As a user in the Web 3.0 world, or a cryptocurrency investor, the key takeaway here is that you should always abide by the adage: Don't trust. Verify. Just because a platform claims to be secure does not mean that it actually is.

Choose wisely.

Worried about attackers targeting your smart contracts? Contact DeTaSECURE today for all your smart contract audit needs!