Exploit Taxonomy
The following taxonomy gives detailed definitions of all the exploits, hacks, and compromises captured in our Steady State Risk Analysis Database (RAD). Each DeFi exploit has a distinct architecture, which makes these exploits unique to the industry.
Steady State's RAD will include a list of continuously evolving parameters used to understand and evaluate risk. Machine learning implementation will accurately and transparently create risk ratings off-chain.

Types of DeFi exploits and hacks

Rebase Error

Rebase, or elastic supply, tokens work by algorithmically adjusting the token's circulating supply based on its price fluctuation. When a rebase occurs, the supply of the token increases or decreases automatically, based on the token's current price. The supply is not fixed: the token either returns to its pegged price, which depends on the protocol's base level, or the circulating supply is adjusted instead.
A rebase error occurs when the protocol fails to adjust the token supply to the desired level after de-pegging from its base price. A rebase bug was found in YAM Finance's protocol by developers in 2020. An excess of YAM tokens was generated after a 10% sell slippage on YAM Finance's parent protocol, Uniswap.

Smart Contract Exploit

A smart contract is a digital contract that autonomously implements standards, conditions, and terms of agreements stored on a blockchain. Unlike standard contracts, smart contracts do not require third-party intermediaries to enforce conditional agreements between transacting parties. The conditions are enforced by cryptographic code that automatically imposes penalties when the agreement is broken.
Smart contract exploits occur when the contract fails to execute as intended, leading to the loss of funds and, in some cases, very severe and unrecoverable losses. Imperial College London researchers discovered that smart contract vulnerabilities are the precursor to smart contract exploits. Smart contracts can only be exploited if the contracts are vulnerable, and an attacker must identify a vulnerability before executing an exploit.
Smart contract vulnerabilities include re-entrancy, unhandled exceptions, locked ether, transaction order dependency, integer overflow, and unrestricted actions. In August 2021, hackers compromised the Poly Network smart contract holding massive amounts of cryptocurrencies, seizing over $600 million worth of investor assets across three chains, albeit returning the funds afterward.

Flash Loan Attack

A flash loan is a decentralized, uncollateralized, and unsecured loan, typically within the network. The borrower needs little to no security to receive a flash loan, making it highly susceptible to attacks.
Flash loan attacks occur when a hacker takes out a flash loan from a lending protocol to perform market manipulation. In May 2021, Pancake Bunny, a Binance Smart Chain protocol, experienced a severe flash loan attack that crashed its $BUNNY token price by more than 95%.

Fraud "Rug Pull"

These are exit scams occurring specifically in the DeFi industry. The project in question makes claims it does not fulfill and runs off with investor funds.
Compounder Finance garnered over $10 million in investors' funds in 2020. Project developers claimed it to be a replica of Harvest and Yearn Finance farming protocols, but it ended up being a scam, and investors were left short-changed.

Mint Exploit

A mint exploit is a malicious event in which a smart contract is broken to mint excess tokens, allowing the hacker to seize tokens and rewards (% yield). The hacker mints an exponential amount of tokens, increasing the total supply to extreme levels, and then dumps the newly minted tokens, leading to a collapse in token price.
New Balancer protocol was exploited for $4.4 million in a mint exploit attack. The hacker exploited the chain by depositing, then withdrawing funds from the smart contract, and continuously minting rewards.

Infinite Approval

Infinite approval is a smart contract implementation in which the contract requires authorization to access an unlimited number of tokens in the wallet, greater than the amount held in the user's wallet. In 2020, Bancor discovered an egregious vulnerability in which an external hacker could drain funds from user wallets using infinite approval, granting them access to user funds.
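
An added example (not code from Steady State or Bancor) of auditing for the condition described above: it replays ERC-20 `Approval` event logs and flags allowances that are still active and either unlimited or larger than the owner's balance. The log dictionaries follow the JSON-RPC log layout; every address, balance and log entry below is constructed, and the helper names are hypothetical.

```python
# topic0 = keccak256("Approval(address,address,uint256)") from the ERC-20 standard.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1  # the value commonly used for an "unlimited" approval

def decode_approval(log):
    """Return (token, owner, spender, value), or None if not an ERC-20 Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None  # e.g. an ERC-721 Approval carries 4 topics
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    owner, spender = ("0x" + t[-40:].lower() for t in topics[1:])
    return log["address"].lower(), owner, spender, int(log["data"], 16)

def risky_allowances(logs, balances):
    """Keep the latest allowance per (token, owner, spender) and flag risky ones."""
    current = {}
    for log in sorted(logs, key=lambda l: (l["blockNumber"], l["logIndex"])):
        decoded = decode_approval(log)
        if decoded:
            token, owner, spender, value = decoded
            current[(token, owner, spender)] = value  # a later approve() overwrites
    findings = []
    for (token, owner, spender), value in current.items():
        if value == 0:
            continue  # allowance was revoked
        if value == MAX_UINT256:
            findings.append((owner, spender, "unlimited"))
        elif value > balances.get((token, owner), 0):
            findings.append((owner, spender, "exceeds-balance"))
    return sorted(findings)

# --- Constructed sample data (hypothetical addresses, not real on-chain logs) ---
TOKEN = "0x" + "70" * 20
ALICE, BOB, CAROL, DAVE = ("0x" + b * 20 for b in ("a1", "b2", "c3", "d4"))
DEX, VAULT = "0x" + "e5" * 20, "0x" + "f6" * 20

def _log(block, idx, owner, spender, value, token=TOKEN):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "blockNumber": block, "logIndex": idx,
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}

SAMPLE_LOGS = [
    _log(105, 0, CAROL, VAULT, 0),            # revocation, listed out of order
    _log(100, 0, ALICE, DEX, MAX_UINT256),    # unlimited and still active
    _log(101, 3, BOB, DEX, 500),              # within Bob's balance
    _log(102, 1, CAROL, VAULT, MAX_UINT256),  # unlimited, revoked at block 105
    _log(103, 2, DAVE, VAULT, 5000),          # more than Dave holds
]
SAMPLE_BALANCES = {(TOKEN, BOB): 1000, (TOKEN, DAVE): 200}
```

Calling `risky_allowances(SAMPLE_LOGS, SAMPLE_BALANCES)` reports Alice's unlimited grant and Dave's over-balance grant; Carol's unlimited approval is not reported because the later log revokes it.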