As with any emerging technology, DeFi is not immune to security risks and vulnerabilities. Several high-profile hacks have occurred on insurance protocols, exposing weaknesses and highlighting the importance of learning from these incidents to strengthen the ecosystem’s resilience. This article highlights the lessons from DeFi insurance protocol hacks.
Understanding DeFi Insurance Protocol Hacks
DeFi insurance protocol hacks refer to incidents where decentralized finance (DeFi) platforms or protocols that offer insurance services for various DeFi applications or protocols are compromised, and funds or assets are stolen or drained by malicious actors.
DeFi insurance protocols aim to provide coverage for users against potential losses, hacks, or exploits in the DeFi ecosystem. These protocols typically employ smart contracts on blockchain networks like Ethereum to facilitate insurance policies, premium payments, and claim settlements.
While DeFi protocols existed before 2020, that year the DeFi ecosystem saw a significant surge in adoption and the launch of various new protocols, including those focused on insurance services.
Notable DeFi Insurance Protocol Hacks
The frequency and severity of DeFi insurance protocol hacks have been increasing in subsequent years. Notable incidents occurred in 2021, 2022, and even in 2023.
This highlighted the ongoing challenges and the need for robust security measures, continuous auditing, and effective governance mechanisms in the DeFi insurance sector.
Let’s look at the most notable DeFi insurance protocol hacks from 2020.
The Earliest Insurance Protocol Hacks: The Year 2020
- bZx Hack
- Pickle Finance Hack
- Hegic Hack
- Akropolis Hack
- Cover Protocol Hack
bZx Hack
bZx was hacked three times throughout 2020. The attacks generated $8m in losses, draining an impressive 30% of its funds.
Two of these attacks occurred in February alone. They were executed through flash loans, allowing hackers to use borrowed funds to manipulate DeFi token prices, eventually draining the liquidity pool at the most favorable prices.
The third exploit targeted a bug in its protocol, which let hackers mint unbacked tokens and eventually trade them for DAI, USDT, ETH, and LINK.
Pickle Finance Hack
Pickle Finance, a DeFi protocol offering yield farming opportunities, suffered a hack in September 2020.
The attackers exploited a vulnerability in the protocol’s smart contracts, allowing them to mint excessive amounts of the protocol’s native token and drain funds from the treasury, resulting in a loss of around $20 million.
Hegic Hack
Hegic, a DeFi protocol offering options trading, experienced a hack in October 2020, where attackers exploited a vulnerability in the protocol’s bridge, leading to losses estimated at around $3 million.
Akropolis Hack
Akropolis, a DeFi protocol offering yield farming and lending services, was hacked in November 2020.
The attackers exploited a vulnerability in the protocol’s smart contracts, enabling them to mint excessive amounts of its native token and drain funds from the liquidity pools. The hack resulted in a loss of around $2 million.
Cover Protocol Hack
Cover Protocol, a DeFi insurance platform, faced a hack in December 2020, where attackers exploited a vulnerability in the protocol’s governance system, resulting in the loss of approximately $4 million worth of assets.
In a separate incident from the one mentioned earlier, Cover Protocol experienced another hack in December 2020.
The attackers exploited a vulnerability in the protocol’s token distribution mechanism, allowing them to mint excessive amounts of the protocol’s native token and drain funds from the liquidity pools, resulting in a loss of around $4.5 million.
Insurance Protocol Hacks in 2021
- Alpha Finance Hack
- Primitive Finance Hack
- Rari Capital Hack
- Cream Finance Hack
- InsurAce Hack
Alpha Finance Hack
Alpha Finance, a DeFi platform offering yield farming opportunities, experienced a hack in February 2021.
The attackers exploited a vulnerability in the protocol’s smart contracts, enabling them to mint and transfer excessive amounts of the platform’s native token, resulting in losses estimated at around $37 million.
Primitive Finance Hack
Primitive Finance, a DeFi protocol offering decentralized options trading, was hacked in April 2021.
The attackers exploited a vulnerability in the protocol’s smart contracts, enabling them to manipulate the pricing of options and drain funds from the protocol’s liquidity pools, leading to a loss of approximately $4 million.
Rari Capital Hack
Rari Capital, a DeFi yield aggregator platform, faced a hack in May 2021. The attackers exploited a reentrancy vulnerability in the protocol’s smart contracts, allowing them to drain approximately $11 million worth of cryptocurrencies from the platform’s pools.
Cream Finance Hack
Cream Finance, a DeFi lending platform, suffered a hack in August 2021 that exploited a reentrancy vulnerability in the protocol’s smart contracts.
The attackers were able to drain approximately $18.8 million worth of cryptocurrencies from the platform’s liquidity pools.
InsurAce Hack
InsurAce, a DeFi insurance protocol, faced a hack in December 2021. The attackers exploited a vulnerability in the protocol’s smart contracts, enabling them to manipulate the pricing of insurance policies and drain funds from the protocol’s treasury. The hack resulted in a loss of approximately $2.5 million.
Insurance Protocol Hacks in 2022
- Unslashed Finance Hack
- Armor Protocol Hack
- Nexus Mutual Hack
- Cheese Bank Hack
- Umbrella Network Hack
Unslashed Finance Hack
Unslashed Finance, a DeFi insurance protocol focused on protecting users against slashing incidents in proof-of-stake networks, suffered a devastating hack in April 2022.
The attackers exploited a vulnerability in the protocol’s governance mechanism, allowing them to drain over $25 million worth of assets from the protocol’s liquidity pool.
Armor Protocol Hack
Armor Protocol, a DeFi insurance platform designed to protect users against exploitation of smart contract vulnerabilities, ironically fell victim to a hack in October 2022.
The attackers exploited a reentrancy vulnerability in the protocol’s smart contracts, resulting in the theft of approximately $10 million worth of cryptocurrencies.
Nexus Mutual Hack
In December 2022, Nexus Mutual, a popular DeFi insurance protocol, fell victim to a sophisticated hack that exploited vulnerabilities in its smart contracts.
The attackers managed to drain over $8 million worth of Ethereum from the protocol’s pool, leaving policyholders and investors at a significant loss.
Cheese Bank Hack
Cheese Bank, a DeFi protocol offering insurance against impermanent loss on decentralized exchanges, was hacked in June 2022.
The attackers exploited a vulnerability in the protocol’s smart contracts, enabling them to mint excessive amounts of its native token and drain funds from the treasury. The hack resulted in a loss of around $3.3 million.
Umbrella Network Hack
Umbrella Network, a DeFi platform offering decentralized oracles and insurance services, experienced a hack in April 2022.
The attackers exploited a vulnerability in the protocol’s lending contracts, allowing them to mint excessive amounts of the protocol’s native token and drain funds from the liquidity pools, resulting in a loss of around $1.5 million.
Insurance Protocol Hacks in 2023
Omm Finance Hack
The OMM protocol is a cross-chain money market. On January 21, 2023, the protocol lost about $1.9 million due to a smart contract exploit.
The attacker deployed a malicious contract and, over 18 transactions, drained IUSDC, USDS, and bnUSD collateral that wasn’t theirs.
After supplying the stolen USDS as collateral, they took out sICX loans.
Solace Hack
Solace is a DeFi protocol offering coverage for hacked or exploited projects. In February 2023, the protocol fell victim to a hack.
The attackers exploited a vulnerability in the protocol’s smart contracts, enabling them to drain approximately $3.2 million worth of cryptocurrencies from the protocol’s pools.
Yearn Finance Hack
Yearn Finance is a yield aggregator on the Ethereum blockchain. It was hacked in April 2023 and lost around $11.54 million.
The hack happened because of a mistake in the yUSDT vault. Instead of the correct token, the vault used a different one, which let the hacker mint lots of yUSDT tokens.
KyberSwap Hack
KyberSwap Elastic is the concentrated liquidity protocol of a decentralized exchange. It fell victim to a hack in November 2023.
The attacker exploited a minor precision error in KyberSwap’s liquidity calculations, enabling them to steal approximately $48 million.
Insurance Protocol Hacks in 2024
Gamma Strategies Hack
Gamma Strategies is a decentralized asset management protocol that operates on Ethereum and other blockchains.
In January 2024, Gamma Strategies was exploited through attack transactions using flash loans from Uniswap and Balancer. This exploit resulted in a loss of approximately $6.4 million.
Blueberry Protocol Hack
The Blueberry Protocol is a DeFi leverage project. In February 2024, it was vulnerable to incorrect handling of decimal values.
An attacker exploited this vulnerability to steal an estimated $1.35 million. However, c0ffeebabe.eth front-ran the hack and returned most of the stolen funds.
Security Vulnerabilities in the Hacked Insurance Protocols
While DeFi insurance protocols aim to mitigate risks and provide coverage against smart contract failures, hacks, and exploits, they are not immune to vulnerabilities and attacks.
These hacks have exposed various security vulnerabilities in DeFi insurance protocols, including:
- Reentrancy Attacks
- Flash Loan Attacks
- Oracle Manipulation
- Governance Vulnerabilities
- Minting or Token Supply Manipulation
- Access Control Vulnerabilities
- Integer Overflows and Underflows
Reentrancy Attacks
Reentrancy vulnerabilities occur when a smart contract makes an external call and the called code can re-enter the contract before the initial call has been completed. This can lead to unexpected behavior and potential asset theft.
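The following Python model is an added example, not code from any protocol named in this article. It shows why the order of state updates around an external call matters and how a lock plus the checks-effects-interactions ordering closes the gap; the Pool class, its method names and the sample balances are constructed for illustration.

```python
class Pool:
    """Toy pool; safe=True applies checks-effects-interactions plus a lock."""
    def __init__(self, safe):
        self.safe = safe
        self.balances = {}       # depositor -> credited amount
        self.reserves = 0        # funds the pool actually holds
        self._locked = False     # reentrancy guard flag

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, on_receive):
        # on_receive models the recipient's code running during the transfer.
        if self.safe:
            if self._locked:
                raise RuntimeError("withdraw re-entered")
            self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or amount > self.reserves:
                return 0
            if self.safe:
                self.balances[who] = 0   # effect before the external call
            self.reserves -= amount
            on_receive(amount)           # external call (interaction)
            if not self.safe:
                self.balances[who] = 0   # effect after the call: the flaw
            return amount
        finally:
            if self.safe:
                self._locked = False

def simulate(safe, depth=3):
    """Return (total paid to the recipient, reserves left in the pool)."""
    pool = Pool(safe)
    pool.deposit("other_users", 30)      # constructed sample balances
    pool.deposit("recipient", 10)
    received = []
    def on_receive(amount):
        received.append(amount)
        if len(received) < depth:        # recipient calls back into withdraw
            try:
                pool.withdraw("recipient", on_receive)
            except RuntimeError:
                pass
    pool.withdraw("recipient", on_receive)
    return sum(received), pool.reserves
```

With the unsafe ordering, a depositor credited with 10 is paid 30; with the safe ordering the same callback is rejected and only 10 leaves the pool.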
Flash Loan Attacks
Flash loans, a unique DeFi feature that allows borrowing and repaying of funds within a single transaction, can be exploited by attackers to manipulate smart contract logic and drain funds.
Oracle Manipulation
DeFi protocols often rely on oracles to obtain external data, such as asset prices. Compromised or manipulated oracles can provide incorrect data, leading to vulnerabilities in the protocol’s functionality.
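The flash loan and oracle passages above describe two halves of one problem: a protocol that reads a pool's spot price can be fed a price distorted by one large, temporarily funded trade. The Python model below is an added example, not code from any protocol in this article; the Pair class, the reserve figures and the 10% deviation threshold are assumptions. It compares the spot price with a time-weighted average (TWAP) and refuses to quote when they diverge.

```python
from fractions import Fraction

class Pair:
    """Constant-product pool (token * usd = k); fees ignored for clarity."""
    def __init__(self, token, usd):
        self.token, self.usd = Fraction(token), Fraction(usd)
        self.cumulative = Fraction(0)   # running sum of price * seconds
        self.last_ts = 0

    def spot(self):
        return self.usd / self.token

    def sync(self, ts):
        # Accrue the price that held since the last update, before any trade.
        self.cumulative += self.spot() * (ts - self.last_ts)
        self.last_ts = ts

    def buy_token(self, usd_in, ts):
        self.sync(ts)
        k = self.token * self.usd
        self.usd += usd_in
        self.token = k / self.usd       # tokens leave the pool, price rises

def twap(pair, snap_cumulative, snap_ts, now):
    if now <= snap_ts:
        raise ValueError("empty TWAP window")
    pair.sync(now)
    return (pair.cumulative - snap_cumulative) / (now - snap_ts)

def guarded_price(pair, snap_cumulative, snap_ts, now, max_dev=Fraction(1, 10)):
    """Return the TWAP, refusing to quote while spot deviates from it."""
    avg = twap(pair, snap_cumulative, snap_ts, now)
    if abs(pair.spot() - avg) / avg > max_dev:
        raise ValueError("spot deviates from TWAP; refusing to price")
    return avg

def scenario():
    pair = Pair(token=1000, usd=1000)        # constructed reserves, price 1
    snap_cum, snap_ts = pair.cumulative, 0   # oracle snapshot taken at t=0
    pair.buy_token(9000, ts=1800)            # one large trade in a single block
    spot_now = pair.spot()
    avg = twap(pair, snap_cum, snap_ts, now=1800)
    try:
        guarded_price(pair, snap_cum, snap_ts, now=1800)
        rejected = False
    except ValueError:
        rejected = True
    return spot_now, avg, rejected
```

In this scenario the spot price jumps from 1 to 100 inside one block while the 30-minute TWAP still reads 1, so the guarded read rejects the quote.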
Governance Vulnerabilities
Weaknesses in governance mechanisms, such as voting systems or administrative privileges, can be exploited by attackers to gain control over the protocol and execute malicious actions.
Minting or Token Supply Manipulation
Some DeFi insurance protocol hacks have exploited vulnerabilities that allow attackers to mint or generate excessive amounts of the protocol’s native tokens.
This can lead to token inflation, devaluing the token and potentially allowing attackers to drain funds from the protocol’s liquidity pools or treasuries.
Access Control Vulnerabilities
Access control vulnerabilities occur when smart contracts fail to restrict access to critical functions or data properly.
Attackers can exploit these vulnerabilities to gain unauthorized access and execute malicious actions, such as modifying contract states or draining funds.
Integer Overflows and Underflows
Integer overflows and underflows are vulnerabilities that can occur when arithmetic operations in smart contracts result in values that exceed the maximum or minimum representable values for the data type being used.
These vulnerabilities can be exploited to manipulate contract states or cause unintended behavior, potentially leading to fund theft or other malicious actions.
Lessons from DeFi Insurance Protocol Hacks
These case studies underscore the importance of continuous improvement, resilience, and adaptive security measures in mitigating risks and enhancing the security of DeFi insurance protocols.
The case studies of DeFi insurance protocol hacks offer valuable lessons for the industry:
- Code Auditing and Formal Verification to Prioritize Security
- Strengthen Governance
- Enhance Risk Management
- Promote Community and User Education
- Regulatory Implications
Code Auditing and Formal Verification to Prioritize Security
The importance of rigorous code auditing and formal verification has become increasingly apparent in light of these incidents.
Professional audits by reputable security firms can identify potential vulnerabilities and help mitigate risks.
Additionally, formal verification techniques, which mathematically prove the correctness of smart contract code, can provide an additional layer of security assurance.
Strengthen Governance
Effective governance and risk management are crucial for DeFi insurance protocols.
Decentralized governance models involving community participation and voting can help ensure transparency and accountability.
However, these models also have challenges, such as voter apathy and potential vulnerabilities in the voting mechanisms.
Enhance Risk Management
Risk management strategies, including diversification of protocol assets, implementation of circuit breakers, and robust emergency response plans, can help mitigate the impact of potential hacks or exploits.
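One way a circuit breaker on outflows can work, shown as an added Python model that is not taken from any protocol in this article. The class name, the one-hour window, the 20% threshold and the withdrawal stream are assumptions chosen for the example.

```python
from collections import deque

class CircuitBreaker:
    """Pause withdrawals when outflow inside `window` seconds exceeds
    `max_bps` basis points of the reserves held when the window began."""
    def __init__(self, reserves, window=3600, max_bps=2000):
        self.reserves = reserves
        self.window = window
        self.max_bps = max_bps        # 2000 bps = 20% (assumed threshold)
        self.outflows = deque()       # (timestamp, amount) still in the window
        self.paused = False

    def _recent_outflow(self, now):
        # Drop entries that have aged out of the rolling window.
        while self.outflows and self.outflows[0][0] <= now - self.window:
            self.outflows.popleft()
        return sum(amount for _, amount in self.outflows)

    def withdraw(self, amount, now):
        if self.paused:
            return "paused"
        if amount > self.reserves:
            return "insufficient"
        recent = self._recent_outflow(now)
        baseline = self.reserves + recent   # reserves at window start (deposits ignored)
        if (recent + amount) * 10_000 > baseline * self.max_bps:
            self.paused = True              # stays paused until reviewed
            return "tripped"
        self.reserves -= amount
        self.outflows.append((now, amount))
        return "ok"

    def resume(self):
        # Called after human review of the flagged activity.
        self.paused = False
        self.outflows.clear()

def replay(events, reserves=1_000_000):
    """Feed (timestamp, amount) withdrawals through a breaker."""
    breaker = CircuitBreaker(reserves)
    results = [breaker.withdraw(amount, ts) for ts, amount in events]
    return results, breaker.reserves
```

A burst that would remove 25% of reserves within the hour trips the breaker and blocks later withdrawals, while the same volume spread across windows passes.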
Promote Community and User Education
Raising awareness about security risks and promoting best practices among users is essential.
DeFi insurance protocols should prioritize user education, providing clear guidance on safe practices, such as conducting thorough research before interacting with protocols and exercising caution when approving transactions.
Regulatory Implications
The hacks in DeFi insurance protocols have also drawn attention from regulators and policymakers.
While the decentralized nature of DeFi poses challenges for traditional regulatory frameworks, regulators may introduce new guidelines or requirements to enhance transparency, accountability, and consumer protection within the DeFi ecosystem.
Conclusion
As the DeFi ecosystem evolves and matures, the security and resilience of DeFi insurance protocols will remain paramount in safeguarding user funds and fostering trust in the decentralized financial system.
By learning from past security incidents, implementing best practices, and adopting a proactive approach to risk management and security, DeFi insurance protocols can mitigate risks and build a more secure and resilient financial infrastructure for the future.