Scammers took home a record $14 billion in cryptocurrency in 2021, thanks in large part to the rise of decentralized finance (DeFi) platforms, according to new data from blockchain analytics firm Chainalysis.
Losses from crypto-related crime rose 79 percent from a year earlier, driven by a spike in theft and scams.
Scamming was the greatest form of cryptocurrency-based crime in 2021, followed by theft — most of which occurred through hacking of cryptocurrency businesses. The firm says that DeFi is a big part of the story for both, in yet another warning for those dabbling in this emerging segment of the crypto industry.
Many of the new protocols being launched have code vulnerabilities that hackers are able to exploit — 21 percent of all hacks in 2021 took advantage of these code exploits.
While there are third party firms that perform code audits and publicly designate which protocols are secure, many users still opt to work with risky platforms that bypass this step if they think they can get a large return.
Cryptocurrency theft rose 516 percent from 2020, to $3.2 billion worth of cryptocurrency. Of this total, 72 percent of stolen funds were taken from DeFi protocols.
Losses from scams rose 82 percent to $7.8 billion worth of cryptocurrency.
Polygon could have lost almost all of its MATIC tokens worth $24 billion if a severe bug had gone unnoticed.
Polygon undertook a hard fork to fix the bug and save the project, but didn’t disclose details about the vulnerability until Wednesday.
The problem was a "critical" vulnerability in Polygon's proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion.
The bug essentially could have allowed attackers to arbitrarily mint all of Polygon's more than 9.2 billion MATIC tokens from its MRC20 contract.
The bug in the token could have allowed an attacker to mint an arbitrary number of tokens from the MRC20 contract. That means all 9,276,584,332 MATIC could have been stolen.
The issue was in the MATIC MRC20 contract.
Gasless MATIC transfers are facilitated by the `transferWithSig()` function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce, and expiration. The signature can later be passed to the MRC20 contract by the operator to perform a transfer on behalf of the token owner. This is gasless for the token owner because the operator pays for the gas.

The main issue is that `_transferFrom` will call the `_transfer` function directly without checking whether the `from` address has enough balance. And we can call `transferWithSig()` without a valid signature, thanks to the lack of a check to see if `ecrecovery` returns the zero address.

The fix: Polygon removed the `transferWithSig` function.

While Polygon was developing and implementing the fix, a second hacker submitted a report on December 4 referencing the same vulnerability. Polygon decided to make a one-time exception and rewarded Whitehat2 with 500,000 MATIC.
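The two missing checks described above, shown in the hardened form as an added Solidity illustration. This is not Polygon's MRC20 code: the contract, the fields in the signed bundle, the hash layout and the replay tracking are all assumptions made for this example. It keeps a gasless `transferWithSig()` path and shows where the zero-address check on the recovered signer and the balance check on `from` belong.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical minimal token with a gasless transferWithSig() path.
/// Added illustration only, NOT Polygon's MRC20 contract. It shows the two
/// checks whose absence the write-up describes: (1) reject address(0) from
/// ecrecover, and (2) verify the signer's balance before moving funds.
contract GaslessTokenExample {
    string public constant name = "ExampleToken";
    mapping(address => uint256) public balanceOf;
    // Each signed bundle may be consumed once; keyed by signer and bundle hash.
    mapping(address => mapping(bytes32 => bool)) public usedHashes;

    event Transfer(address indexed from, address indexed to, uint256 value);

    constructor(address initialHolder, uint256 initialSupply) {
        balanceOf[initialHolder] = initialSupply;
        emit Transfer(address(0), initialHolder, initialSupply);
    }

    /// Hash of the parameters the token owner signs: this contract, chain id,
    /// operator, amount, nonce and expiration block. The field set is assumed.
    function bundleHash(address operator, uint256 amount, bytes32 nonce, uint256 expiration)
        public view returns (bytes32)
    {
        return keccak256(abi.encode(address(this), block.chainid, operator, amount, nonce, expiration));
    }

    /// The operator (msg.sender) submits the owner's signature and pays the gas.
    function transferWithSig(bytes calldata sig, uint256 amount, bytes32 nonce, uint256 expiration, address to)
        external returns (address from)
    {
        require(amount > 0, "zero amount");
        require(expiration == 0 || block.number <= expiration, "signature expired");

        bytes32 h = _ethSignedHash(bundleHash(msg.sender, amount, nonce, expiration));
        from = _recover(h, sig);

        // Check (1): ecrecover yields address(0) for a malformed signature.
        // Without this, a garbage signature would be treated as authorisation
        // from address(0) and the call would proceed to the transfer.
        require(from != address(0), "invalid signature");

        require(!usedHashes[from][h], "signature already used");
        usedHashes[from][h] = true;

        _transferFrom(from, to, amount);
    }

    function _transferFrom(address from, address to, uint256 amount) internal {
        // Check (2): the signer must actually hold the tokens. Solidity >=0.8
        // would also revert on the underflow below, but pre-0.8 compilers wrap
        // silently unless SafeMath is used, so the explicit check stays.
        require(balanceOf[from] >= amount, "insufficient balance");
        require(to != address(0), "transfer to zero address");
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        emit Transfer(from, to, amount);
    }

    /// Standard EIP-191 personal-sign prefix so wallets can sign the bundle.
    function _ethSignedHash(bytes32 h) internal pure returns (bytes32) {
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", h));
    }

    /// Split a 65-byte {r,s,v} signature and run ecrecover. Returns address(0)
    /// on any malformed input rather than reverting, so the caller MUST check.
    function _recover(bytes32 h, bytes memory sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        bytes32 r;
        bytes32 s;
        uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
        if (v != 27 && v != 28) return address(0);
        return ecrecover(h, v, r, s);
    }
}
```

The design point is that `_recover` deliberately never reverts, mirroring `ecrecover` itself, so correctness depends entirely on the `require(from != address(0))` in the caller. Either check alone narrows the problem (address(0) normally holds no balance, so check (2) would stop most abuse), but a contract is only safe with both, and review of any `transferWithSig`-style function should look for each one explicitly.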
Polygon paid a total of about $3.46 million as bounty to two white hats who helped discover the bug. Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.
The Timeline is interesting:
Norton FAQ:
- **What is Norton Crypto?** Norton Crypto is a feature made available in Norton 360 which you can utilize for mining cryptocurrency when your PC is idle. Currently, Norton Crypto is limited to users with devices that meet the required system requirements.
- **Will Norton 360 mine my device without my permission?** No. In addition to having a device that meets system requirements, you must also turn on Norton Crypto on your device. If you have turned on Norton Crypto, but you no longer want to use the feature, you can disable it through your Norton Crypto dashboard.
- **Will I be able to adjust the settings thresholds, or will Norton decide that?** For now, Norton will manage the settings. We are continuing to build capabilities and could potentially make the settings adjustable for you in the future.
- **Which cryptocurrencies are currently supported by Norton Crypto?** Norton Crypto supports Ethereum crypto mining. We will look at potentially adding other currencies in the future.
- **Do I need an Ethereum wallet to mine with Norton Crypto, or will Norton create one?** Norton creates a secure digital Ethereum wallet for each user. The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.
- **What platforms can I transfer the crypto to?** Norton Crypto supports transfers of Ethereum from your digital wallet to Coinbase.
- The coin mining fee is currently 15% of the crypto allocated to the miner.
Algorand’s DeFi platform Tinyman exploited for $3m
Beginning on the 1st of January 2022, an attack was orchestrated by unauthorized users on some of Tinyman’s pools by exploiting a previously unknown vulnerability in the Tinyman contracts. The exploit resulted in a drain of certain ASAs in the first hours of attack which led to increased volatility in the immediate aftermath.
The attacker exploited an unknown bug in the burning of Pool Tokens and received two of the same Asset instead of two different Assets. This worked in favor of the attacker since the gobtc asset was significantly more valuable than ALGO, which they immediately swapped against ALGO to receive more funds to continue their attack.
In a series of transactions, the attacker went on to consume the gobtc and goeth (ASA ID: 386195940) pools over 17 transactions and removed a sizable amount of value. This value is estimated to be around 3 million dollars at the time of withdrawal.
As the investigation continues, our findings suggest that there are many wallets that are now exploiting this bug, and we have evidence that those people can be held as culpable as the first attackers. For all the white-hat hackers who are trying to support us, we advise them to simulate their actions on testnet where the funds aren’t real and the operability is completely the same.
Since the contracts are permissionless, not even the Tinyman team has the power to obstruct any kind of transaction on the blockchain. So, as a first step, a formal announcement was made on 02.01.2022 to all Tinyman users recommending that they pull out all their liquidity from all Tinyman related contracts. Moreover, all the add-liquidity routes in the web app were deleted and necessary warnings were placed on the website to protect our community.