Cream Finance and Bilaxy suffer substantial losses
More than twenty hacker attacks have deprived investors of their assets in the past month, according to SlowMist. The latest on the list are crypto exchange Bilaxy and mortgage lending platform Cream Finance.
With the rise in popularity comes greater responsibility. The DeFi sector has seen upward momentum in 2021, despite the price crash crypto tokens saw in March. However, as more dapps become available, not all of them meet the rigorous security requirements needed to stop hackers from exploiting them.
Bilaxy and Cream Finance are just the two latest targets of hacker attacks. Unfortunately, as the crypto and blockchain space sees more new dapps every second, users can’t know what security measures these dapps use. As we see with Bilaxy, crypto exchanges are also still a hot target for hackers.
Bilaxy Hacker Attack
On August 29th, the official Bilaxy Twitter account announced that a hacker had hijacked one of the exchange’s hot wallets. The hacker stole more than $20 million spread among 295 ERC-20 tokens, all of which were sent to a single wallet address. A substantial amount of ETH was also stolen.
This hack is further proof of the vulnerability of hot wallets. While it is true that a crypto exchange cannot function easily without using a hot wallet, such attacks continue to happen. Unfortunately, it’s not the exchange that suffers but the users who put their trust and assets in it.
Bilaxy has been quick to take responsibility for the incident, releasing a warning tweet soon after the problem arose. For the moment, there is no explanation of what caused the exploit. However, Bilaxy is actively communicating with users on Telegram. The most recent update states that the exchange has suspended all functionality and has taken down its website until the problem is resolved.
What about the hack on Cream Finance?
Not even a day after the Bilaxy incident, mortgage lending platform Cream Finance also published a warning tweet. According to it, the Ethereum version of the platform suffered an exploit. In the attack, a hacker stole more than 418 million AMP tokens and over 1,000 ETH. A bug in the AMP token smart contract was the vulnerability, and the hacker managed to steal more than $18 million worth of tokens.
The hacked smart contract performed a re-borrowing function. However, the hacker found a re-entrancy vulnerability. This allowed them to borrow $19 million in AMP tokens and then re-borrow about 355 ETH. After successfully re-borrowing, the hacker liquidated the loan, effectively taking the initial loan amount for themselves. This process was repeated 17 times, totaling upwards of $18 million in stolen assets.
According to the Twitter thread following the announcement, it looks like Cream Finance has successfully resolved the problem. Blockchain analytics and security company PeckShield played a big role in mitigating damage to the platform and isolating the part of the code that was exploited.
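The re-entrancy flaw described above comes down to the order in which a borrow function pays out and records the debt. The following is an added example, not code from Cream Finance, AMP or PeckShield: a toy Python model (the `Pool` class, the `simulate` function, the receiver hook and all amounts are assumptions constructed for illustration) that compares recording the debt after the payout with recording it before the payout behind a re-entrancy lock.

```python
class ReentrancyError(Exception):
    pass

class Pool:
    """Toy lending pool: a constructed model, not Cream Finance's contract."""
    def __init__(self, liquidity, hardened):
        self.liquidity, self.hardened = liquidity, hardened
        self.collateral, self.debt = {}, {}
        self._locked = False

    def borrow(self, user, amount, on_receive):
        if self.hardened:
            if self._locked:                      # re-entrancy guard
                raise ReentrancyError("borrow re-entered")
            self._locked = True
        try:
            # Check: recorded debt plus this loan must fit the collateral.
            if self.debt.get(user, 0) + amount > self.collateral.get(user, 0):
                raise ValueError("insufficient collateral")
            if self.hardened:                     # effect BEFORE interaction
                self.debt[user] = self.debt.get(user, 0) + amount
            self.liquidity -= amount              # interaction: pay out tokens
            on_receive(self)                      # assumed hook: receiver runs code
            if not self.hardened:                 # flaw: effect AFTER interaction
                self.debt[user] = self.debt.get(user, 0) + amount
        finally:
            self._locked = False

def simulate(hardened, collateral=100, loan=100, attempts=3):
    """Return (tokens paid out, re-entries blocked) for one top-level borrow."""
    pool = Pool(liquidity=1_000, hardened=hardened)
    pool.collateral["user"] = collateral
    state = {"left": attempts, "blocked": 0}

    def hook(p):                                  # receiver callback under test
        if state["left"] > 0:
            state["left"] -= 1
            try:
                p.borrow("user", loan, hook)
            except (ReentrancyError, ValueError):
                state["blocked"] += 1

    pool.borrow("user", loan, hook)
    return 1_000 - pool.liquidity, state["blocked"]

if __name__ == "__main__":
    print("unguarded:", simulate(hardened=False))
    print("guarded:  ", simulate(hardened=True))
```

With these constructed values, the unguarded pool pays out 400 tokens against 100 of collateral because every nested call sees a debt of zero, while the guarded pool pays out 100 and rejects the nested call.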
Why are hacker attacks happening?
As mentioned, Bilaxy and Cream Finance are just the latest in a rather long list of hacks that happened in the past month. Some of the more notable mentions on the list include PolyNetwork, which went through a staggering $600 million exploit.
The blockchain space is one where things move fast. Both users and developers might overlook rigorous security checks in favor of launching quickly and jumping in early. Unfortunately, this is just what hackers are waiting for. While a new product might be rushed out, hackers have all the time in the world to explore the code and find a vulnerability.
With more than twenty successful hacker attacks in the past month, some people on social media are starting to wonder. Take a look at @abhiinav, who raises a somewhat controversial but still valid question:
Following the wave of hacked projects, the crypto and blockchain community has become more vocal, asking for improved security audits across the board. DappRadar will continue monitoring the space as more projects launch every day across the chains. Hopefully, security will improve just as exponentially as the number of new dapps joining the crypto ecosystem.