The 3 biggest security breaches in 2021

According to analyst firm Chainalysis, the volume of criminal cryptocurrency transactions reached a new historic high of $14 billion in 2021. However, despite the growth of criminal transfers, their relative share of the total volume of cryptocurrency transactions in 2021 was the lowest ever. These statistics show that cryptocurrency adoption is growing far faster than cryptocurrency-related cybercrime, and that security in the industry is catching up with demand.

This is good news: relative to ordinary users there are fewer and fewer scammers on the network, and statistically the chance of running into one is falling too. Taken in isolation, however, there are many more of them, and their methods have become more sophisticated. So such statements should not be taken at face value without looking at the substance of the matter.

The most lucrative cyberattacks of 2021

Although the proportion of cryptocurrency transactions involving crime declined in 2021, a few cases were striking. Here I’ll go over some of the most notable ones.

1. Poly Network – $611 million

The Poly Network hack took place on August 10, 2021, and resulted in the theft of about $611 million in digital assets from three blockchains: Ethereum, BSC and Polygon. The notable detail was that the hacker returned the entire stolen amount, explaining the move as an attempt to point out vulnerabilities in the Poly Network protocol with no profit motive.

Poly Network is a cross-chain network that allows users to perform cross-chain transactions in a decentralized way, for example transferring funds from one blockchain to another. To do this, the protocol must hold a large amount of liquidity. In Poly Network, this liquidity is controlled by special smart contracts.

Two contracts are involved: EthCrossChainManager and EthCrossChainData. EthCrossChainData is owned by EthCrossChainManager and stores the list of public keys (the custodians) that can control this liquidity.

An attacker took advantage of a vulnerability in the EthCrossChainManager contract and was able to trick it into replacing the contract’s custodians with the attacker’s own. The attacker then drained the liquidity from the Poly Network protocol, having gained full control over the operation of the protocol.

2. BitMart – $196 million

On December 4, 2021, the centralized cryptocurrency exchange Bitmart was attacked, with $200 million worth of crypto assets stolen from its hot wallet. Attackers stole the private keys to the exchange’s hot wallets.

The Bitmart exchange said it lost $150 million, but blockchain cybersecurity company Peckshield later released a statement saying $196 million was stolen from the Ethereum and Binance Smart Chain blockchains in more than 20 cryptocurrencies and tokens. They also showed graphically the path the stolen assets took, excluding the final destination. First, the attacker swapped the stolen assets for ether using the DEX aggregator 1inch, then routed the ether through the Tornado Cash privacy mixer. After that, the trail goes cold.

This cyberattack once again showed the risk of storing the private keys for multiple high-value addresses on a single server: one compromise exposed all of the exchange’s hot wallets at once.

3. Cream Finance – $130 million

During the December 2021 Cream Finance cyberattack, one or two hackers used multiple protocols (MakerDAO, Aave, Curve) to rob Cream Finance of $130 million in tokens and cryptocurrencies.

Evidence suggests there may have been two attackers, and I assume so. Two addresses were used in the attack: address A and address B. Address A borrowed $500 million in DAI from MakerDAO, routed that liquidity through Curve, and used it to mint 500 million cryUSD on Cream Finance. At the same time, address A increased its liquidity in the yUSD Vault to 511 million yUSDVault.

Address B then flash-borrowed $2 billion in ether from Aave, minted $2 billion of cEther, and deposited the borrowed $2 billion in ETH into Cream. Address B used that position to withdraw 1 billion yUSDVault, exchanged it for 1 billion cryUSD and transferred it to address A. Address A thus held 1.5 billion cryUSD.

After that, address A bought 3 million DUSD on Curve and swapped all of it for yUSDVault, bringing its balance to 503 million yUSDVault. Address A then redeemed 503 million yUSDVault for the underlying yUSD token, bringing the total amount of yUSDVault down to 8 million.

Address A then transferred $8 million into the yUSDVault and thereby doubled the value of the vault. Because Cream’s PriceOracleProxy determines the cryUSD price as (yUSD Yearn Vault valuation) / (total yUSDVault supply), which was now $16 million / 8 million yUSDVault, it doubled the cryUSD valuation. As a result, Cream counted address A as holding $3 billion in yUSD.

This mistake ultimately cost Cream Finance dearly. The hackers repaid the flash loan with the excess liquidity they had created and, using the $1 billion in cryUSD they had left, pocketed all the liquidity ($130 million) that had been locked in Cream Finance.

Speaking of attacks on smart contracts, the most popular type in 2021 was the flash loan attack, like the one described above. According to The Block Crypto, 34 of the 70 DeFi attacks in 2021 used flash loans, with the December Cream Finance heist the largest in terms of the amount stolen. A characteristic of these attacks is the use of multiple protocols: each protocol may be secure on its own, but vulnerabilities emerge from the way they are combined.
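The Cream Finance walkthrough above comes down to one formula: the collateral oracle priced a share as (vault valuation) / (total share supply), and both terms were movable within a single transaction (the $8 million transfer inflated the numerator, the redemptions shrank the denominator). The following Solidity is an added illustrative example, not code from Cream Finance, Yearn or any project named in this article; the interface names `IVault`, `IPriceFeed`, the contract names and the 5% tolerance are assumptions for the demonstration. It contrasts that spot-ratio oracle with one that refuses to price collateral when the spot ratio strays from an independent reference.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustrative example (not the code of any project named in the article).
// IVault / IPriceFeed and all contract names are assumptions for the demo.

interface IVault {
    function balance() external view returns (uint256);      // underlying held by the vault
    function totalSupply() external view returns (uint256);  // vault shares outstanding
}

interface IPriceFeed {
    // Assumed external reference price of one share, 18 decimals.
    function latestAnswer() external view returns (int256);
}

// Vulnerable pattern: share price is a spot ratio of vault holdings to shares.
// Anyone who can move either term inside one transaction (inflate holdings
// with a deposit or donation, shrink supply by redeeming) moves the collateral
// valuation of every depositor in the same block.
contract SpotRatioOracle {
    IVault public immutable vault;

    constructor(IVault _vault) { vault = _vault; }

    function sharePrice() external view returns (uint256) {
        return vault.balance() * 1e18 / vault.totalSupply();
    }
}

// Hardened pattern: the spot ratio is only accepted if it lies within a bounded
// deviation of an independent reference price; otherwise the call reverts,
// so a lender that cannot price collateral refuses to act rather than mispricing it.
contract BoundedShareOracle {
    IVault public immutable vault;
    IPriceFeed public immutable feed;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5% tolerance (assumed value)

    constructor(IVault _vault, IPriceFeed _feed) {
        vault = _vault;
        feed = _feed;
    }

    function sharePrice() external view returns (uint256) {
        uint256 supply = vault.totalSupply();
        require(supply > 0, "empty vault");
        uint256 spot = vault.balance() * 1e18 / supply;

        int256 answer = feed.latestAnswer();
        require(answer > 0, "bad reference price");
        uint256 reference = uint256(answer);

        uint256 diff = spot > reference ? spot - reference : reference - spot;
        require(
            diff * 10_000 <= reference * MAX_DEVIATION_BPS,
            "share price deviates from reference"
        );
        return spot;
    }

    // Collateral value a lending market would derive from the bounded price.
    function collateralValue(uint256 shares) external view returns (uint256) {
        return shares * this.sharePrice() / 1e18;
    }
}
```

With the spot oracle, doubling the vault's holdings while the supply is small doubles every depositor's borrowing power in the same block; with the bounded oracle the same move pushes the spot ratio past the tolerance and the lending market reverts instead of extending credit against the inflated value. The reference feed must itself be independent of the vault's spot state (a time-weighted or externally sourced price), or the check adds nothing.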

Another type of attack on smart contracts, which can be classified as a classic DeFi attack, is a re-entrancy attack. A re-entrancy attack can occur when a function that calls an external contract fails to update the caller’s balance before making that external call. The external contract can then call back into the function recursively, because the balance in the target contract has not yet been reduced after each withdrawal, and these recursive calls can continue until the contract’s balance is exhausted.

The third common type of attack in 2021 was attacks on centralized exchanges by stealing the private key to the exchange’s hot wallet. This is one of the oldest cyberattack methods in the history of cryptocurrencies, but it has not gone out of use.

How do you protect your funds in the cryptocurrency space?

When it comes to an individual user’s funds, it’s a good idea to do due diligence on the platform where you want to deposit them: look at the site, look at the team members’ social networks, and look at the whitelist and technical audits. It is also worth using the functionality in cryptocurrency wallets that lets you whitelist the contracts you regularly use; it is available in the MetaMask wallet and in specialized online services for secure storage of cryptocurrency such as Unrekt and Debank. If an approval has been granted to an unfamiliar contract, these services will highlight it.

When it comes to the security of a DeFi protocol, it is useful to build on the code base of other verified projects. But the founder should still commission at least one technical audit of the project’s smart contracts. This is especially important for protocols deployed on multiple blockchains and interacting with other protocols: they require especially thorough verification during audits.

My opinion

2021 was quite a year. We told you about the biggest and most sensational protocol hacks, but how many stories never came out, because not all developers openly admit to having been hacked? How much stolen money and how many hacked projects we never heard about…

Save your money, don’t trust anyone and do your own research.

Written by Kannnaf Mysterious
I am a very innovation-dependent form of life. I'm smart, but I don't wear glasses. I solve the Rubik's Cube in less than a minute. Probably the best beggy cryptomaniac in the world and my hobby is to start the day thinking that bitcoin will rise to $100k. To The Moon!