Top 5 DeFi & NFT hacks in 2021 {Complete diagnosis and solution}


DeFi & NFT hacks in 2021 have taken the world by storm. NFTs have empowered even the ordinary meme creator to explore a global platform and get true value for their creativity.

DeFi or decentralized finance is a collection of smart contracts deployed on top of the immutable ledger of Blockchain allowing direct financial interactions between the users. DeFi can be thought of as an online decentralized banking system providing frictionless and transparent transfers. Protocols like Aave and Compound are the most prominent examples of DeFi money markets. 

NFTs, or Non-Fungible Tokens, are the representation of a unique asset on top of Blockchain. NFTs are used to provide uniqueness to an asset in the digital ecosystem. An NFT can represent a physical as well as a digital asset, the only condition being that the asset should have unique properties and should be indivisible and indestructible. Even for digital assets, NFTs do not store the actual asset on the Blockchain, only the metadata carrying the unique set of features of the asset along with its ownership details.

In essence, NFTs act as proof of ownership for an asset as the buying and selling of NFTs represents the trades being done on that asset. NFTs are platform-specific. The most common platform used to create NFTs is Ethereum while others include Flow, Wax, Binance, Tron, Tezos, Polkadot, and Cosmos, among others. 

DeFi and NFTs hacks in 2021

The exponential growth of DeFi comes with a price. While more and more people are getting into the DeFi space, lack of knowledge and awareness about the best practices has resulted in a vulnerable ecosystem. 

Adding more weight to this view is the growing number of hacks in the NFT space. 2021 is being called the NFT year the same way 2017 was called the ICO year. While NFTs are much different from and more sustainable than ICOs, their unprecedented growth seems to be a bubble.

Last year, DeFi accounted for more than $150 million in losses due to thefts and hacking attacks. The vulnerable ecosystem of DeFi was therefore responsible for 21% of the total hacks and thefts in the previous year. The most popular hacks were the loss of 8.3 million USD in the attack on Maker, the $2 million loss by Akropolis, and the well-known DeFi platform Balancer losing almost $500,000.

There were as many as 17 major DeFi attacks in 2020.

The attack on Maker took place on 12th March and can be called the first significant attack in the DeFi space. It seems to have set off a trend of such hacks for the rest of the year.

In parallel, while DeFi continues its popularity streak, NFTs have been extremely popular this year. By the end of the first quarter of 2021, NFTs had seen interesting and sustainable applications such as NBA Top Shot and Topps MLB.

Artists, content creators, influencers, players, everyone seems to be leveraging NFTs to get more value for their digital assets. 

It is only natural that this growth of DeFi and NFTs has attracted the interest of many malicious people, resulting in the growing number of hacks in these spaces. 

Mentioned below are the top hacks that the DeFi and NFT communities have already witnessed till the month of May 2021.

Top 5 DeFi and NFT attacks in 2021

The yDAI exploit

The first DeFi attack of this year happened in the first week of February, when Yearn.Finance, one of the major DeFi projects, suffered a loss of $11 million. It was a flash loan attack, a type of attack that has become frequent in this space.

The hacker deposited a large sum in the Curve 3pool and manipulated the price of DAI. He found that the Yearn.Finance vault depended on the DAI price of this pool, and so he manipulated the price to withdraw funds from the pool at a significantly lower rate. He repeatedly flash-borrowed funds a number of times before the Yearn team intervened. From the $35 million supply, $24 million was secured.
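The dependency described above, a vault trusting a price read straight from a pool that one large trade can skew, can be shown with a small simulation of a vault-side sanity check. This is an added example, not code from Yearn or Curve: the `Pool` class (a simplified constant-product pool, whereas the 3pool uses a different invariant), the `PriceGuard` class and all figures are constructed assumptions.

```python
from collections import deque


class Pool:
    """Constructed two-asset constant-product pool (dai * usdc = k).
    Assumption: Curve's 3pool uses a different invariant; this only shows the effect."""

    def __init__(self, dai: float, usdc: float):
        self.dai, self.usdc = dai, usdc

    def spot_price(self) -> float:
        """USDC per DAI implied by the current reserves."""
        return self.usdc / self.dai

    def trade_usdc_in(self, usdc_in: float) -> float:
        """Add USDC and remove DAI so the product of reserves is unchanged."""
        k = self.dai * self.usdc
        self.usdc += usdc_in
        dai_out = self.dai - k / self.usdc
        self.dai -= dai_out
        return dai_out


class PriceGuard:
    """Hypothetical vault-side check: compare spot to an average of past blocks."""

    def __init__(self, max_deviation: float = 0.01, window: int = 5):
        self.max_deviation = max_deviation
        self.samples = deque(maxlen=window)

    def record_block(self, price: float) -> None:
        # Sample once per block, before that block's trades are processed.
        self.samples.append(price)

    def is_sane(self, spot: float) -> bool:
        if not self.samples:
            return False  # fail closed until a reference price exists
        reference = sum(self.samples) / len(self.samples)
        return abs(spot - reference) / reference <= self.max_deviation


def demo():
    pool = Pool(dai=100_000_000.0, usdc=100_000_000.0)
    guard = PriceGuard()
    for _ in range(5):                    # five quiet blocks at a balanced price
        guard.record_block(pool.spot_price())
    before = guard.is_sane(pool.spot_price())
    pool.trade_usdc_in(50_000_000.0)      # one large single-block trade skews reserves
    skewed = pool.spot_price()
    return before, skewed, guard.is_sane(skewed)
```

A vault that refuses to price deposits or withdrawals while `is_sane` returns `False` does not act on a price that moved within a single block, because the reference is built only from earlier blocks.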

The Nifty Gateway NFT attack

Nifty Gateway is a popular marketplace for Non-Fungible Tokens. On the 16th of March, 2021, many users of Nifty Gateway reported that either their NFTs were being stolen or their credit card information was being used to buy new NFTs, which were then stolen.

Once an NFT has been transferred, it cannot be retrieved without the explicit permission of the current owner, as the proof of ownership of the NFT is stored in the immutable ledger of Blockchain. This characteristic of NFTs is both the reason behind their popularity and the reason behind their biggest vulnerability.

This comes as one of the first heists in the NFT space. 

The reason behind this heist was the absence of 2FA. All the users who reported stolen NFTs had not turned on their 2FA or two-factor authentication which is an additional security layer for authorizing access to an account. 

DODO DEX exploit

DODO is a decentralized exchange that runs on Ethereum and Binance Smart Chain. It is the ninth-largest exchange by value locked, which is why the exploit of DODO comes as a reminder that the DeFi space is as vulnerable as it is rewarding.

The hack, amounting to a loss of almost $3.8 million worth of tokens, was the result of a vulnerability or bug inside DODO's smart contracts.

The bug allowed hackers to create counterfeit tokens and transfer them to their wallets using flash loans. 

EasyFi attack

EasyFi, a layer two DeFi protocol based on the Polygon network, was targeted with a mnemonic hack. The personal computer of Ankitt Gaur, the founder and CEO of the protocol, was hacked in a planned remote attack that accessed his MetaMask.

What this attack showed is that despite the smart contracts being secured, the ecosystem is not safe from attacks such as the mnemonic attack in this case. 

The attack happened on April 19 and resulted in the loss of 3 million EASY tokens, but this was just the initial loss. As soon as the news came out, the token price dropped to 50%. In just 24 hours, it went from $26 to $13.50.

Value DeFi exploit

Yield aggregators have been extremely popular in the DeFi world. In essence, yield aggregators automatically allocate your funds in different lending protocols to provide optimized yield. 

Value DeFi believed that their flash loan smart contracts were quite secure, but not even a day after they bragged about their security, on November 13th, Value DeFi's multi-stablecoin vault incurred a loss of almost $8 million worth of the stablecoin DAI. The attacker was able to exploit a vulnerability in the smart contract and returned $2 million to the protocol, leaving a message: “do you really know flash loan?”


Considering that authorization security has become a common implementation in the IT industry, the Nifty Gateway heist described above shows that the NFT space is nascent and needs to be developed by adhering to the best practices in the industry.

It also displays a bigger vulnerability which is the lack of knowledge in the NFT space. The growth of NFTs has been attracting a huge number of people but these people are unaware of the concept behind cryptocurrencies and decentralization. 

Other hacks such as the EasyFi mnemonic attack show that the DeFi ecosystem needs to follow the basic security protocols even if they have had the best security audits. 

However, most of the hacks in DeFi and NFTs are still due to unaudited smart contracts. If DeFi is to become the future of finance and NFTs are to become more sustainable, smart contract audits need to become the highest priority. Reach out to the experts at QuillHash to get a free consultation about smart contract audits.
