3 Most Infamous Hacks in DeFi History

Most Infamous Hacks in DeFi History & Need of Audit


DeFi has been a dynamic component of the cryptocurrency industry with approx $80 billion in assets locked into protocols in March 2021. As the saying goes, however, problems accumulate where the money is.

DeFi projects have been targets of forgery and scams, and the loose bolt in these incidents has been badly constructed smart contracts. This becomes evident if you look at the scams of recent months.

Poly Network attack

Developed to address the interoperability of blockchains, Poly Network grew rapidly and locked up around one billion US dollars worth of crypto assets. However, stakeholders were left in shock when more than $600 million USD of cryptocurrency was stolen in a single attack. This left the protocol’s assets under management (AUM) more than cut in half.

The perpetrators owed the success of the hack to a vulnerability in the smart contract the protocol uses for cross-chain asset transfers. The hackers substituted their own wallet address for the address normally used by the smart contract. The modus operandi was replicated across the Polygon, Ethereum and BSC blockchains to get hold of cryptocurrencies, leaving tens of thousands of protocol users out in the cold.

The security team at Poly Network was able to dig down to the email, IP, and other details of the hackers. Under pressure, they returned a large chunk of the stolen funds! But not all protocols are that lucky.

PancakeBunny attack

In May 2021, the PancakeBunny protocol faced an attack in which hackers made off with crypto assets worth $45 million. They used a flash loan exploit for the purpose. Worse, the hackers exchanged BUNNY tokens for Binance Coin, making the price of BUNNY tokens sink from $146 to $6.

Worse, another attack followed in quick succession. Despite the first attack, the developers at Bunny Finance failed to prevent a second one on PolyBunny, the company's fork on the Polygon blockchain. The attackers minted $2.1 million worth of POLYBUNNY, and the price of POLYBUNNY tokens sank from $10 to $2.

A flash loan is a smart contract that allows anyone to borrow and repay in a single transaction. The attackers manipulated the price of BNB using a vulnerability in PancakeBunny's BNB-USDT liquidity pool, successfully minting almost seven million BUNNY in a six-stage process.
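The mechanics behind this paragraph are easier to see with numbers. The following simulation is an added illustration and not PancakeBunny's or any project's code: a constant-product (x*y=k) BNB-USDT pool, a flash-loan-sized swap that moves the spot price within a single transaction, a naive reward function that mints BUNNY against that spot price, and a hardened version that refuses to mint when the spot price deviates from a time-weighted average (TWAP). All reserve sizes, prices and the 10% deviation threshold are constructed for the example.

```python
"""Constructed simulation of in-transaction spot-price manipulation in a constant-product
pool and a TWAP-based sanity check. Added illustration; not PancakeBunny's code."""
from dataclasses import dataclass, field


class PriceManipulationSuspected(Exception):
    pass


@dataclass
class ConstantProductPool:
    """x*y=k pool holding BNB and USDT (all reserve figures below are constructed)."""
    reserve_bnb: float
    reserve_usdt: float

    def spot_price(self) -> float:
        """USDT per BNB as implied by the current reserves."""
        return self.reserve_usdt / self.reserve_bnb

    def swap_usdt_for_bnb(self, usdt_in: float) -> float:
        """Sell USDT into the pool; the BNB paid out keeps reserve_bnb * reserve_usdt constant."""
        k = self.reserve_bnb * self.reserve_usdt
        new_usdt = self.reserve_usdt + usdt_in
        bnb_out = self.reserve_bnb - k / new_usdt
        self.reserve_usdt = new_usdt
        self.reserve_bnb -= bnb_out
        return bnb_out


@dataclass
class TwapOracle:
    """Time-weighted average of observed prices: one block of extreme price barely moves it."""
    observations: list = field(default_factory=list)  # (price, seconds it was in force)

    def record(self, price: float, seconds: float) -> None:
        self.observations.append((price, seconds))

    def twap(self) -> float:
        total_time = sum(s for _, s in self.observations)
        return sum(p * s for p, s in self.observations) / total_time


def reward_spot(bnb_fee: float, pool: ConstantProductPool, bunny_usdt: float) -> float:
    """Naive: value the collected BNB fee at the pool's instantaneous price, mint BUNNY."""
    return bnb_fee * pool.spot_price() / bunny_usdt


def reward_guarded(bnb_fee: float, pool: ConstantProductPool, oracle: TwapOracle,
                   bunny_usdt: float, max_deviation: float = 0.10) -> float:
    """Hardened: refuse to mint when spot deviates from the TWAP by more than max_deviation,
    and value the fee at the TWAP rather than the spot price."""
    reference = oracle.twap()
    deviation = abs(pool.spot_price() - reference) / reference
    if deviation > max_deviation:
        raise PriceManipulationSuspected(f"spot deviates {deviation:.0%} from TWAP")
    return bnb_fee * reference / bunny_usdt


def simulate(flash_usdt: float = 27_000_000.0, bunny_usdt: float = 100.0) -> dict:
    """One transaction: swap a flash-loan-sized amount, then try to mint rewards."""
    pool = ConstantProductPool(reserve_bnb=10_000.0, reserve_usdt=3_000_000.0)  # 300 USDT/BNB
    oracle = TwapOracle()
    oracle.record(pool.spot_price(), 3600)       # an hour of normal trading at 300 USDT/BNB
    fair = reward_spot(1.0, pool, bunny_usdt)    # 1 BNB of fees valued at the fair price
    pool.swap_usdt_for_bnb(flash_usdt)           # the single-transaction swap
    oracle.record(pool.spot_price(), 3)          # the distorted price lasts about one block
    inflated = reward_spot(1.0, pool, bunny_usdt)
    try:
        reward_guarded(1.0, pool, oracle, bunny_usdt)
        blocked = False
    except PriceManipulationSuspected:
        blocked = True
    return {"fair": fair, "spot_after": pool.spot_price(), "inflated": inflated,
            "twap": oracle.twap(), "blocked": blocked}


if __name__ == "__main__":
    print(simulate())
```

With these constructed reserves a 27M USDT swap moves the spot price from 300 to 30,000 USDT per BNB, so the naive function mints 100 times the fair reward for the same 1 BNB fee, while the TWAP barely moves and the guarded function rejects the mint. The general lesson is that any minting or collateral logic that reads a pool's reserves as a price must assume those reserves can be pushed arbitrarily far within one transaction; a time-weighted or external oracle plus a deviation check is the usual mitigation, and a contract audit should flag every spot-reserve read that feeds a value calculation.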

BurgerSwap attack

On 28 May 2021, BurgerSwap on the BSC blockchain suffered a flash loan attack. Hackers stole $7.2M in 14 transactions. Again, the culprit was a flash loan exploit.

The attackers created their own fake coin (a non-standard BEP-20 token) and a new trading pair with $BURGER. Using $WBNB routing, the hackers re-entered BurgerSwap through the fake coin and manipulated the reserves in the pair's contract, causing the price to change and letting them walk away with the difference.
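The defensive point in the BurgerSwap incident is that a pair contract hands control to external code whenever it transfers a token, and a non-standard token can use that moment to call back into the pair before its reserves have been updated. The toy model below is an added illustration, not BurgerSwap's code: a token pair with a `guarded` switch that selects either the vulnerable ordering (reserves written after the outgoing transfer) or the hardened one (a reentrancy lock plus checks-effects-interactions). The recipient hook on `HookedToken` is an assumed model of a non-standard token callback; all balances and reserve sizes are constructed.

```python
"""Constructed toy model of a token pair with and without a reentrancy guard.
Added illustration; not BurgerSwap's code. The transfer hook is an assumed model."""


class ReentrancyDetected(Exception):
    pass


class Token:
    """Standard token: moving a balance triggers no callback."""
    def __init__(self):
        self.balances = {}

    def mint(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class HookedToken(Token):
    """Non-standard token: a transfer notifies the recipient, handing control to external code."""
    def __init__(self, hooks):
        super().__init__()
        self.hooks = hooks  # recipient -> callable(amount), filled in by the scenario

    def transfer(self, src, dst, amount):
        super().transfer(src, dst, amount)
        if dst in self.hooks:
            self.hooks[dst](amount)


class Pair:
    """x*y=k pair. guarded=False writes reserves only after the outgoing transfer;
    guarded=True holds a lock and updates reserves before any external call."""
    def __init__(self, token_in, token_out, reserve_in, reserve_out, guarded):
        self.token_in, self.token_out = token_in, token_out
        self.reserve_in, self.reserve_out = reserve_in, reserve_out
        self.guarded, self._locked = guarded, False
        token_in.mint("pair", reserve_in)
        token_out.mint("pair", reserve_out)

    def quote(self, amount_in):
        # integer math rounded in the pool's favour, so k never decreases on an honest swap
        k = self.reserve_in * self.reserve_out
        new_in = self.reserve_in + amount_in
        return self.reserve_out - (k + new_in - 1) // new_in

    def swap(self, trader, amount_in):
        if self.guarded and self._locked:
            raise ReentrancyDetected("swap re-entered while a swap was in flight")
        self._locked = True
        try:
            self.token_in.transfer(trader, "pair", amount_in)
            amount_out = self.quote(amount_in)
            if self.guarded:                       # effects before interactions
                self.reserve_in += amount_in
                self.reserve_out -= amount_out
            self.token_out.transfer("pair", trader, amount_out)   # external call happens here
            if not self.guarded:                   # vulnerable: reserves were stale during the call
                self.reserve_in += amount_in
                self.reserve_out -= amount_out
            return amount_out
        finally:
            self._locked = False


def run_scenario(guarded):
    """Trader holds 200 token_in; the hooked token_out re-enters the pair once mid-swap.
    Returns (token_out received, k after, k before)."""
    token_in, hooks = Token(), {}
    token_out = HookedToken(hooks)
    pair = Pair(token_in, token_out, 1000, 1000, guarded)
    token_in.mint("trader", 200)
    k_before = pair.reserve_in * pair.reserve_out
    reentered = []

    def on_receive(_amount):
        if not reentered:                 # re-enter once while the outer swap is in flight
            reentered.append(True)
            pair.swap("trader", 100)      # priced on the same, not-yet-updated reserves
    hooks["trader"] = on_receive

    pair.swap("trader", 100)
    return token_out.balances.get("trader", 0), pair.reserve_in * pair.reserve_out, k_before


def run_honest():
    """Same two swaps done sequentially against plain tokens: the reference outcome."""
    token_in, token_out = Token(), Token()
    pair = Pair(token_in, token_out, 1000, 1000, guarded=False)
    token_in.mint("trader", 200)
    pair.swap("trader", 100)
    pair.swap("trader", 100)
    return token_out.balances["trader"], pair.reserve_in * pair.reserve_out


def guard_blocks_reentry():
    """True when the guarded pair rejects the nested call (on-chain this would revert the tx)."""
    try:
        run_scenario(guarded=True)
    except ReentrancyDetected:
        return True
    return False
```

In the honest run the two swaps pay out 165 and the pool's k invariant grows from 1,000,000 to 1,002,000; with the unguarded ordering the nested call is priced on stale reserves, the same 200 tokens buy 180, and k falls to 984,000, which is the "manipulated reserves" symptom the text describes. The guarded pair raises on the nested call instead. Two things an auditor checks here: that state (reserves, balances) is written before any call that can reach third-party code, and that a mutex guards every externally callable state-changing function, since the token being transferred, not the pair, decides whether a callback fires.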

The role of contract

DeFi projects are self-governed by smart contracts, so any failure becomes a major concern for stakeholders. A smart contract is a body of software code designed to automate execution and settlement. It is this layer that makes automation in blockchain protocols a reality. Smart contracts have defined start and end events, triggered by something happening externally.


Multiparty signature controls access to the contract. Access to external and internal data sources triggers the execution of terms. Smart contracts can access the distributed databases where the assets are stored. They also contain embedded information on ownership of assets and parties involved.

Why making smart contracts really smart is so important

Smart contracts are the mind and soul of DeFi protocols. Protocols behave exactly the way the smart contracts powering them are programmed. A bug could result in huge losses to the protocol. Worse, it might lead to an irreversible shutdown.

The onus of making flawless smart contracts is on the developers. Contract design flaws lead to bugs which might be severe, medium, or moderate. Developers should be able to create contracts that are secure and function as expected. There should be no backdoors that hackers can take advantage of. Once the contract holds a large amount of cryptocurrency, unscrupulous elements will try to drain it.

The role of audits

Smart contract audits are imperative to discover errors, loopholes and security vulnerabilities in the code and to suggest improvements. While blockchains are in practice a secure ecosystem, a poorly written smart contract creates a vulnerability. Developers cannot be fully relied on to create flawless contracts, for two reasons.

First, it is not humanly possible for a single developer, or a team of them, to cover every class of vulnerability on their own. Secondly, developers may deliberately leave a backdoor to drain the contract at a time of their choosing. To address both of these hindrances, a thorough audit is required.

Security auditing of smart contracts involves a thorough analysis of the code running the application with the objective of correcting design issues, errors in the code, and security vulnerabilities. You need to zero in on a security audit firm that you can trust with the audit. The process typically involves steps such as agreeing on a set of specifications, executing tests, running automated analysis tools, manual analysis of the code, and report creation.

Wrapping up

Hacks such as Poly Network, PancakeBunny, and BurgerSwap underline how critical smart contract auditing is for the success of a blockchain project. Audits help discover errors, issues, and security vulnerabilities, helping to plug the loopholes before any damage is done.

