The 5 biggest DeFi hacks of 2023

Ledger was recently exploited for an estimated $610,000 — a reminder that security and privacy remain important priorities for the crypto ecosystem.

According to DeFiLlama, hackers have cost crypto startups and projects more than $1.3 billion in losses this year. Since June 2016, on-chain losses have amounted to an estimated $7.54 billion, with $5.69 billion hacked in DeFi protocols.

Brian Pak, co-founder of Chainlight, told Blockworks that these exploits should be a fundamental reminder that security is still overlooked in much of the DeFi Ecosystem.

“As we enter into another bull market and liquidity starts to pour into the DeFi ecosystem, we can expect to see hacks like this happen more often,” Pak said. “It is of paramount importance that protocols take preemptive measures and are properly audited. Furthermore, builders must place more focus on security if the DeFi ecosystem is to flourish.”

With 2024 just around the corner, let’s look at the five largest exploits that occurred this year.

1. Mixin Network — $200 million

Hong Kong-based decentralized peer-to-peer network Mixin Network was exploited for an estimated $200 million in September this year, making it one of the biggest hacks of the year.

Newsletter

Subscribe to The Breakdown

Mixin has since released a new system with enhanced security features. It has also offered the hacker a bounty of $20 million in return for the stolen assets.

“Most of our platform assets were users, and we hope you can refund them,” the Mixin team wrote. The company added in a post on X that the hacker could reach the team anonymously or through appropriate channels in order to return the compromised assets.

2. Euler Finance — $197 million

DeFi lending protocol Euler Finance was the victim of a flash loan attack that saw $197 million stolen after an attacker tricked the smart contracts into believing there were fewer collateral tokens than debt tokens.

Following the exploit, the Euler team offered a $1 million reward bounty to ensure the attacker was arrested.

After a series of back-and-forth communications, the Euler attacker — who went by “Jacob” — returned all stolen funds to the Euler team.

3. Poloniex — $126 million

The Justin Sun-owned exchange Poloniex saw an estimated $126 million drained after hackers gained access to its hot wallets in mid-November.

Immediately after the hack, Sun wrote in a post on X that “Poloniex maintains a healthy financial position and will fully reimburse the affected funds,” and that the exchange was offering a 5% white hat bounty to the hacker in exchange for the stolen cryptocurrencies.

The hacker was given seven days to consider the offer before Sun would turn to law enforcement.

A month after the attacks, Poloniex has since resumed withdrawal and deposit services for select tokens on the TRON network, including USDT, USDD, BTT, WIN, NFT, SUN, JST, USDJ and USDC.

4. Multichain — $126 million

Cross-chain bridge Multichain saw a total of $126 million being moved from its bridges to an unidentified address after its private keys were compromised.

Stolen funds had been transferred to different addresses and were not withdrawn or put through cryptocurrency mixers.

Soon after the attack, it was revealed that the company’s founder and CEO had been missing for a month, and it was suspected that Chinese authorities had arrested him.

Multichain services have stopped indefinitely, and the team has urged users not to use any multichain bridges.

5. Atomic Wallet — $100 million

North Korean hackers stole an estimated $100 million from Atomic Wallet after an estimated 5,000 crypto wallets were compromised, with one particular wallet losing over $1 million in funds.
After failing to address the incident and downplaying its urgency, a group of investors have since sued the wallet provider.

Get the news in your inbox. Explore Blockworks newsletters: