Greatest DeFi Hacks


We’ve compiled a list of the top 7 DeFi hacks of all time, including the largest-ever DeFi security breach worth over $600 million that, surprisingly, went down without a hitch for all parties involved!



In the crypto space alone, approximately $2 BILLION was hacked in 2021. That’s how much DeFi protocols are reported to have lost in the last 365 days to cyberattacks and other vulnerability exploits, a shocking increase of over 1,300 percent over the relatively "little" $134 million lost the year before, in 2020. To put things in perspective, the biggest DeFi hack of 2020, a $34 million loss suffered by Harvest Finance in a flash loan attack, has now been eclipsed by each of the top DeFi hacks of 2021.



Since the early days of the DeFi space, exploits have been the order of the day. It's hardly unexpected that protocols have fallen to exploitation in such a fresh domain. However, the rate at which exploits have been discovered, and the number of them, has been worrying. Through the year 2021, funds stolen in hacks set a new high. 2022, on the other hand, is shaping up to be an even worse year, with more than $1.22 billion already taken in less than four months.

So, let’s take a look at the worst crypto hacks of all time and see what each of these well-known breaches entailed.


In early December 2021, Badger, a lending system that uses Bitcoin collateral and runs on Ethereum, suffered a $120 million loss owing to an attack on its user-facing front-end rather than its smart contracts. A few dozen users were affected by the hack, and it appears unlikely that they will be compensated.

Although Badger has a policy with crypto insurer Nexus Mutual that covers some potential hacks, the policy only covers smart contract hacks and not user interface breaches. Nexus has already declared that this attack was classified as "front-end," and that as a result, no compensation will be provided under the policy.


Paid Network, a decentralized app (DApp) on Ethereum that provides businesses with smart contract-based agreement services, was hacked in one of the biggest DeFi hacks ever, with an attacker using a previously leaked private key.

The attacker used the key to replace the platform’s original smart contract with a modified one. As a result, they were able to burn the existing PAID tokens and mint a significant number of new ones. Before the breach was discovered and the PAID/ETH swap pair was blocked, some of the newly minted tokens were traded for ETH on Uniswap.


Cream Finance, a multi-chain lending system, was hit by a flash loan attack in late October 2021, wiping out over $130 million from its Ethereum-based liquidity pools. There is no word on whether funds kept on BSC, Fantom, Polygon, or Avalanche are affected.

Given that the platform’s official statement only addressed Ethereum pools, it’s likely that the attack was limited to the world’s largest DeFi chain’s pools.

This was Cream Finance’s third hack this year: the platform had already suffered a $19 million hack, also a flash loan attack, just two months before the $130 million breach.


Compound Finance, an Ethereum-based lending and borrowing system, is one of the most well-known DeFi projects, with a total value locked (TVL) of over $10 billion as of this writing.


On September 30, 2021, the protocol paid out large amounts in its native cryptocurrency COMP to some users who had only submitted a small amount of collateral in ETH, USDC, or DAI. The failure was thought to be caused by a bug in the protocol’s smart contract.

It’s still unclear whether the erroneous distribution of COMP tokens was a deliberate attack or a genuine blunder on the part of the protocol’s developers. However, Compound’s CEO, Robert Leshner, did not ponder it for long.

He went on Twitter shortly after the incident, requesting that the funds be returned. In the same tweet, Leshner promised a 10% reward for returning the money and threatened to report non-responders to the IRS. It’s unclear how much of the total lost money has been recovered as a result of Leshner’s internet arm-twisting, but it’ll be interesting to see.


There is a rising demand for users to move funds across chains as additional layer-1 blockchains with DeFi built on top of them are developed. Cross-chain bridges fill that void, but they also introduce additional risks. Wormhole, a prominent bridge, lost $320 million in Wrapped Ethereum (wETH) in January 2022, the most severe cross-chain incident so far. wETH is a token pegged 1:1 to the price of ETH.

The hacker went after the Solana leg of the bridge, where users must first lock ETH inside a smart contract to receive an equivalent amount of wETH. The hacker was able to get around this step and mint wETH on Wormhole without locking the corresponding ETH.


Axie Infinity, an NFT-powered play-to-earn game, is one of the year's largest crypto success stories. It was hacked on March 23, 2022, when an estimated $552 million in cryptocurrency was drained from the bridge to its Ronin sidechain using "hacked private keys."

The sum of the money taken had increased to $622 million by the time the hack was revealed by Axie Infinity creator Sky Mavis a week later.

The attacker exploited "a backdoor through our gas-free RPC node, which they misused to steal the signature for the Axie DAO validator," according to Sky Mavis.

Sky Mavis had gone to the Axie DAO in November 2021 to distribute free transactions owing to excessive user load. According to the report: "Sky Mavis was permitted by the Axie DAO to sign different transactions on its behalf. The allowlist access was not withdrawn when it was deactivated in December 2021."

Using this access, the attacker was subsequently able to sign transactions from five of the Ronin network's nine validator nodes: the Axie DAO's node and four of Sky Mavis' nodes. As a result, the attacker was able to create transactions worth roughly $622 million, comprising 173,600 wETH (Wrapped Ethereum) and 25.5 million USDC.
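The Wormhole and Ronin incidents above fail two different bridge invariants: a wrapped-token mint must be backed by a real lock on the source chain, and the validator approval must come from a threshold of distinct validators whose authority is still current (the Ronin delegation to Sky Mavis was never withdrawn). The following toy model is an added example written for this page; it is not code from Wormhole, Ronin, Sky Mavis or any bridge. The validator names `v1`..`v9`, the `operator` delegate, the lock identifiers, the amounts and the 5-of-9 threshold are constructed to mirror the counts quoted above.

```python
from dataclasses import dataclass, field


@dataclass
class Delegation:
    principal: str       # validator on whose behalf a vote may be cast
    delegate: str        # party allowed to sign for the principal
    active: bool = True  # must be set False once the arrangement ends


@dataclass
class Bridge:
    """Minimal model of the mint-authorisation rules a cross-chain bridge must enforce."""
    validators: frozenset
    threshold: int
    locks: dict = field(default_factory=dict)    # lock_id -> amount locked on the source chain
    minted: dict = field(default_factory=dict)   # lock_id -> amount already minted (no replay)
    delegations: list = field(default_factory=list)

    def lock(self, lock_id, amount):
        self.locks[lock_id] = amount

    def revoke_delegation(self, principal, delegate):
        for d in self.delegations:
            if d.principal == principal and d.delegate == delegate:
                d.active = False

    def _effective_signers(self, signatures):
        """Map (signer, on_behalf_of) pairs to the distinct validators they legitimately count for."""
        counted = set()
        for signer, on_behalf_of in signatures:
            if signer == on_behalf_of and signer in self.validators:
                counted.add(signer)
                continue
            for d in self.delegations:
                if d.active and d.principal == on_behalf_of and d.delegate == signer:
                    counted.add(on_behalf_of)
        return counted

    def mint(self, lock_id, amount, signatures):
        """Return True only if the mint is backed by a lock and approved by enough distinct validators."""
        if self.locks.get(lock_id) != amount:
            return False   # Wormhole-style failure: nothing was locked for this mint
        if lock_id in self.minted:
            return False   # the same lock must not be redeemed twice
        if len(self._effective_signers(signatures)) < self.threshold:
            return False   # Ronin-style failure: not enough distinct, still-authorised validators
        self.minted[lock_id] = amount
        return True


VALIDATORS = frozenset(f"v{i}" for i in range(1, 10))  # constructed 9-validator set


def single_key_scenario(delegation_revoked: bool) -> bool:
    """One operator key controls v1..v4 and holds a delegation from v5 (constructed names).
    Returns whether that single key holder can authorise a mint on its own."""
    b = Bridge(validators=VALIDATORS, threshold=5)
    b.delegations.append(Delegation(principal="v5", delegate="operator"))
    if delegation_revoked:
        b.revoke_delegation("v5", "operator")
    b.lock("lock-1", 100)
    sigs = [(v, v) for v in ("v1", "v2", "v3", "v4")] + [("operator", "v5")]
    return b.mint("lock-1", 100, sigs)


def unbacked_mint_scenario() -> bool:
    """Five genuine validators approve a mint for which no lock exists."""
    b = Bridge(validators=VALIDATORS, threshold=5)
    sigs = [(f"v{i}", f"v{i}") for i in range(1, 6)]
    return b.mint("lock-missing", 100, sigs)


def replay_scenario() -> tuple:
    """A valid mint followed by a second attempt to redeem the same lock."""
    b = Bridge(validators=VALIDATORS, threshold=5)
    b.lock("lock-2", 50)
    sigs = [(f"v{i}", f"v{i}") for i in range(1, 6)]
    return b.mint("lock-2", 50, sigs), b.mint("lock-2", 50, sigs)


if __name__ == "__main__":
    print("stale delegation, single key reaches 5 of 9:", single_key_scenario(False))
    print("delegation revoked, single key blocked:    ", single_key_scenario(True))
    print("mint without a backing lock:               ", unbacked_mint_scenario())
    print("first mint / replay of same lock:          ", replay_scenario())
```

The point of the model is in `_effective_signers` and the first check in `mint`: a delegation is honoured only while `active` is True, each validator counts once regardless of how many signatures refer to it, and a mint with no matching lock is rejected before signatures are even examined. Revoking the delegation is the one line that turns the stale-allowlist scenario from a successful mint into a rejected one.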


On August 10, 2021, the DeFi industry saw its largest attack so far, which implicated Poly Network, a cross-chain crypto swap provider. The hacker gained access to a smart contract on the site and transferred $610 million to their Ethereum and BSC accounts.


Poly Network’s funds were siphoned from all three chains it used: Ethereum, BSC, and Polygon. Ethereum’s losses were $273 million, with the platform’s BSC and Polygon operations losing $253 million and $85 million, respectively.

Poly Network contacted the hacker and pleaded with him to refund the money. The hacker refunded roughly $260 million on August 11, the day after the incident.

On August 12, the hacker presented himself as "Mr. Whitehat" in an online conversation with Poly Network. Mr. Whitehat promised the platform a day later that he would return all remaining money, explaining his conduct by claiming that he was showing the vulnerability of cryptocurrency platforms.

Mr. Whitehat had refunded all of the compromised money by August 23. During his online public chat with Poly Network, the hacker was first offered $500,000 and later a position as Chief Security Advisor (CSA) on the platform. The mystery author of the largest DeFi hack in history rejected both offers.


In comparison to 2020, the year 2021 saw a large spike in DeFi hacks, and the predictions for 2022 are even worse. In 2021, we experienced the largest DeFi hack in history, and thankfully that money was refunded. Unfortunately, the funds from the majority of the other top attacks were not retrieved, since the hackers were not courteous enough. All of this serves as a sobering warning to any DeFi user, developer, or operator that crypto criminals are always on the hunt for platform flaws to exploit.