$14 Billion in Crypto Stolen in 2021

Scammers took home a record $14 billion in cryptocurrency in 2021, thanks in large part to the rise of decentralized finance (DeFi) platforms, ****according to new data from blockchain analytics firm Chainalysis.

Losses from crypto-related crime rose 79 percent from a year earlier, driven by a spike in theft and scams.

Scamming was the greatest form of cryptocurrency-based crime in 2021, followed by theft — most of which occurred through hacking of cryptocurrency businesses. The firm says that DeFi is a big part of the story for both, in yet another warning for those dabbling in this emerging segment of the crypto industry.

Many of the new protocols being launched have code vulnerabilities that hackers are able to exploit — 21 percent of all hacks in 2021 took advantage of these code exploits.

While there are third party firms that perform code audits and publicly designate which protocols are secure, many users still opt to work with risky platforms that bypass this step if they think they can get a large return.

Cryptocurrency theft rose 516 percent from 2020, to $3.2 billion worth of cryptocurrency. Of this total, 72 percent of stolen funds were taken from DeFi protocols.

Losses from scams rose 82 percent to $7.8 billion worth of cryptocurrency.

Polygon Hard Fork Follow-Up

Polygon could have lost almost all of its MATIC tokens worth $24 billion if a severe bug had gone unnoticed.

Polygon undertook a hard fork to fix the bug and save the project, but didn’t disclose details about the vulnerability until Wednesday.

The problem was a "critical" vulnerability in Polygon's proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion.

The bug essentially could have allowed attackers to arbitrarily mint all of Polygon's more than 9.2 billion MATIC tokens from its MRC20 contract.

The bug in the token could have allowed an attacker to mint an arbitrary number of tokens from the MRC20 contract. That means all of the 9,276,584,332 in MATIC value could have been stolen.

The issue was in the MATIC MRC20 contract.

Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce, and expiration. The signature can be later passed to the MRC20 contract by the operator to perform a transfer on behalf of the token owner. This is gasless for the token owner because the operator pays for the gas.

The main issue is that _transferFrom will call the _transfer function directly without checking whether the from has enough balance. And we can call the transferWithSig() without a valid signature, thanks to the lack of a check to see if ecrecovery returns the zero address.

The fix: Polygon removed the transferWithSig function

While Polygon was developing and implementing the fix, a second hacker submitted a report on December 4 referencing the same vulnerability. Polygon decided to make a one-time exception and rewarded Whitehat2 with 500,000 MATIC.

Polygon paid a total of about $3.46 million as bounty to two white hats who helped discover the bug. Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.

The Timeline is interesting:


Norton Antivirus Mining Crypto

Norton FAQ:

Tinyman - $3 Million Hack

Algorand’s DeFi platform Tinyman exploited for $3m

Beginning on the 1st of January 2022, an attack was orchestrated by unauthorized users on some of Tinyman’s pools by exploiting a previously unknown vulnerability in the Tinyman contracts. The exploit resulted in a drain of certain ASAs in the first hours of attack which led to increased volatility in the immediate aftermath.

The attacker exploits an unknown bug in the burning of Pool Tokens and receives two of the same Assets instead of two different Assets. This worked in favor of the attacker since the gobtc asset was significantly more valuable than ALGO, which they immediately swapped against ALGO to receive more funds to continue their attack.

In a series of transactions, the attacker went on to consume the gobtc and goeth (ASA ID: 386195940) pools over 17 transactions and removes a sizable amount of value. This value is estimated to be around 3 million dollars at the time of withdrawal.

As the investigation continues, our findings suggest that there are many wallets that are now exploiting this bug, and we have evidence that those people can be held as culpable as the first attackers. For all the white-hat hackers who are trying to support us, we advise them to simulate their actions on testnet where the funds aren’t real and the operability is completely the same.

Since the contracts are permissionless, not even the Tinyman team has the power to obstruct any kind of transaction on the blockchain. So, as a first step, a formal announcement was made on 02.01.2022 to all Tinyman users recommending to pull out all their liquidity from all Tinyman related contracts. Moreover, all the adding liquidity routes in the web app were deleted and necessary warnings were placed on the website to protect our community.