April’s Defi Hacks: Post-Mortem

Juanbug
May 5, 2022


So far in 2022, there’s been over $1.57B lost due to hacks, already more than all of 2021 combined. Of this, $409.2M was lost last month in April.

Here’s a post-mortem of last month:

  • Beanstalk
  • Deus/Dei
  • Saddle
  • Rari/Fei
  • Jewel Unlocks
Cc: @peckshield for the graphic
1) @BeanstalkFarms: $182M protocol loss, $76M gains for the exploiter: Governance Hack

Beanstalk’s governance is decentralized. Part of the governance contract is an emergencyCommit function that, once approved by ⅔ of the vote, can siphon funds out of the contract. The idea behind the function was that if something catastrophic were about to happen, the community could get together and vote with a supermajority to safely store the funds elsewhere. What ended up happening was that the exploiter created two Beanstalk proposals (#18 and #19).

After 24 hours, the attacker used a flash loan to deposit millions of dollars into Beanstalk’s Diamond contract. This gave them control of almost 80% of all governance votes, well above the 67% needed to invoke the emergencyCommit function. With this power they siphoned away the funds and closed the flash loan. What’s crazy is that this entire governance hack took place in one block; any longer and the flash loan would have failed.
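To make the failure mode concrete, here is a constructed toy (not Beanstalk’s code) that counts votes from the voter’s live deposit, next to a version that reads weight from a checkpointed voting token at a block before the proposal existed and adds a timelock. The IVotes interface mirrors the shape OpenZeppelin’s ERC20Votes exposes; everything else (contract and function names, the 1-day delay) is an assumption for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed toy, not Beanstalk's code. Weight is the voter's CURRENT deposit and
// emergencyCommit runs once 2/3 of the CURRENT total is reached, so deposit, vote,
// commit and withdraw all fit in one transaction: a flash loan is enough.
contract LiveBalanceGovernance {
    mapping(address => uint256) public stake; uint256 public totalStake;
    struct Proposal { address target; bytes data; uint256 forVotes; }
    Proposal[] public proposals;
    function deposit() external payable { stake[msg.sender] += msg.value; totalStake += msg.value; }
    function withdraw(uint256 a) external { stake[msg.sender] -= a; totalStake -= a; payable(msg.sender).transfer(a); }
    function propose(address t, bytes calldata d) external { proposals.push(Proposal(t, d, 0)); }
    function vote(uint256 id) external { proposals[id].forVotes += stake[msg.sender]; }
    function emergencyCommit(uint256 id) external {                        // VULNERABLE
        Proposal storage p = proposals[id];
        require(p.forVotes * 3 >= totalStake * 2, "no supermajority");
        (bool ok, ) = p.target.call(p.data); require(ok, "call");
    }
}

// Hardened: weight comes from a checkpointed token (the IVotes shape of OpenZeppelin's
// ERC20Votes) at a block BEFORE the proposal existed, so tokens borrowed afterwards
// carry no weight, and a passed proposal still waits out a delay before executing.
interface IVotes {
    function getPastVotes(address account, uint256 blockNumber) external view returns (uint256);
    function getPastTotalSupply(uint256 blockNumber) external view returns (uint256);
}
contract SnapshotGovernance {
    IVotes public immutable token;
    uint256 public constant DELAY = 1 days;
    struct Proposal { address target; bytes data; uint256 snapshot; uint256 forVotes; uint256 readyAt; bool done; }
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public voted;
    constructor(IVotes t) { token = t; }
    function propose(address t, bytes calldata d) external { proposals.push(Proposal(t, d, block.number - 1, 0, 0, false)); }
    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(!voted[id][msg.sender], "already voted"); voted[id][msg.sender] = true;
        p.forVotes += token.getPastVotes(msg.sender, p.snapshot);
        if (p.readyAt == 0 && p.forVotes * 3 >= token.getPastTotalSupply(p.snapshot) * 2)
            p.readyAt = block.timestamp + DELAY;                           // passed: start the timelock
    }
    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt && !p.done, "not ready");
        p.done = true;
        (bool ok, ) = p.target.call(p.data); require(ok, "call");
    }
}
```

The snapshot alone defeats a same-block flash loan; the delay is what gives token holders time to notice and respond to a proposal that passes with borrowed or freshly acquired weight.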

1 Minute Recap: https://twitter.com/halbornsecurity/status/1518541453181558784?s=21&t=tUslMbUKC0mzWPuWqpkHSA

In Depth Summary: https://medium.com/@nvy_0x/the-beanstalk-bean-exploit-b038f4d324ea

2) @DeusDaoi: $13.4M loss: Flash Loan & Flash Swap Hack

Deus Finance was also hacked earlier, in March, for a few million dollars. I won’t be covering that exploit, but the team responded very well, refunding everyone who was impacted.

@lafachief reimbursing personally: https://twitter.com/lafachief/status/1503678891386359808?s=21&t=tUslMbUKC0mzWPuWqpkHSA

March exploit post mortem: https://lafayettetabor.medium.com/deus-post-mortem-3c65df12927f

Last week’s exploit was a flash loan attack that manipulated the price oracle reading from the StableV1 AMM — USDC/DEI pair. The manipulated DEI price rose drastically, which let the attacker drain the borrow pool. Further research by the Deus team found that the exploit also used a flash swap to manipulate the VWAP of its Muon oracles, while another flash swap in the same tx was used to change the on-chain price. All in all, this attack played out over multiple txs and minutes.

The flash loan happened here: https://ftmscan.com/tx/0x39825ff84b44d9c9983b4cff464d4746d1ae5432977b9a65a92ab47edac9c9b5
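The difference between a price that can be moved inside one transaction and one that cannot comes down to how the oracle reads the pool. Below is a constructed illustration (not Deus’s or Muon’s oracle) of a spot reader next to a time-weighted reader; the IPair interface assumes a Uniswap V2-style pair with a price accumulator, and the contract names and 30-minute window are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Uniswap V2-style pair surface (assumed). The pair advances price0CumulativeLast
// with the price that held BEFORE each swap, so a price that exists only inside
// one transaction contributes zero seconds to the accumulator.
interface IPair {
    function getReserves() external view returns (uint112 r0, uint112 r1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);   // UQ112x112 price * seconds
}

// Constructed illustration, not Deus's or Muon's oracle. A flash swap can set the
// spot ratio to nearly anything for the duration of one transaction.
contract SpotOracle {
    IPair public immutable pair;
    constructor(IPair p) { pair = p; }
    function price0() external view returns (uint256) {               // token1 per token0, 1e18 scale
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / r0;                                // VULNERABLE: instantaneous
    }
}

// Averaging over a window means a skewed price has to stay in the pool for most of
// the window (open to arbitrage the whole time) rather than being borrowed and
// repaid inside one block.
contract TwapOracle {
    IPair public immutable pair;
    uint32 public constant WINDOW = 30 minutes;
    uint256 private cumStart; uint32 private tsStart;                // last checkpoint
    uint256 public price0Twap;                                       // 1e18 scale
    constructor(IPair p) {
        pair = p;                                                    // immutables are not readable here, so use p
        cumStart = p.price0CumulativeLast(); (, , tsStart) = p.getReserves();
    }
    // Anyone may call; nothing changes until a full window has accumulated.
    function update() external {
        uint256 cum = pair.price0CumulativeLast();
        (, , uint32 ts) = pair.getReserves();                        // timestamp of the pair's last update
        uint32 elapsed; uint256 cumDiff;
        unchecked { elapsed = ts - tsStart; cumDiff = cum - cumStart; } // both values are designed to wrap
        require(elapsed >= WINDOW, "window not elapsed");
        price0Twap = ((cumDiff / elapsed) * 1e18) >> 112;            // UQ112x112 -> 1e18 fixed point
        (cumStart, tsStart) = (cum, ts);
    }
}
```

A TWAP raises the cost of manipulation rather than eliminating it: an attacker who can hold the pool skewed across many blocks, as this post notes happened over multiple txs and minutes, still shifts the average, which is why lending protocols also cap exposure per asset and source prices from more than one venue.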

3) @saddlefinance: ~10M loss: LP Manipulation Exploit

Saddle Finance, a Curve fork, was exploited due to a bug in an old version of the MetaSwapUtils library, which did not use the virtual price to calculate the value of the LP token during swaps within the metapool. The issue has since been fixed, but the outdated version allowed the hacker to make a series of swaps within the sUSD/saddleUSD-V2 metapool that manipulated the price of the LP token, which could then be swapped back to sUSD for a profit.

@rektHQ article: https://twitter.com/rekthq/status/1520816682155094016?s=21&t=tUslMbUKC0mzWPuWqpkHSA

4) @feiprotocol: $80M loss on @RariCapital pools: Reentrancy Hack

Old Compound pools are subject to reentrancy hacks, and many current forks on EVM chains have yet to correct this issue. Reentrancy attacks happen when a smart contract makes a call to an external contract, and that external contract responds by calling back into the original contract to exploit a vulnerability in the initial call’s code before it has finished executing. Rari developer @JackLongarzo revealed a total of six vulnerable pools (8, 18, 27, 127, 144, 146, and 156), which have been temporarily paused.
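What that looks like in a lending market: the constructed example below (not Rari’s or Compound’s code) is a stripped-down ETH pool in the rough shape of a cEther market, with no interest or exchange rate, whose borrow function pays out before it records the debt, shown next to the checks-effects-interactions version with a reentrancy guard. Contract names, the 75% loan-to-value figure and the 1:1 collateral accounting are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed toy, not Rari/Compound code. `borrow` pays the borrower with a
// low-level call BEFORE recording the debt, so a contract that receives the ETH
// can call `borrow` again from its receive() while the first call is still on
// the stack; every nested call passes the collateral check against the same,
// not yet debited, position and is paid from other suppliers' ETH.
contract VulnerablePool {
    mapping(address => uint256) public collateral;   // ETH supplied, counted 1:1
    mapping(address => uint256) public debt;
    uint256 public constant LTV_BPS = 7500;           // 75% loan-to-value

    function supply() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * LTV_BPS / 10_000, "undercollateralized");
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction first: control leaves the contract
        require(ok, "transfer failed");
        debt[msg.sender] += amount;                          // effect last: too late for any reentrant call
    }
}

// Hardened: checks-effects-interactions plus a reentrancy guard. The debt is
// written before any ETH leaves, so a reentrant call sees the updated position
// and fails the collateral check; the guard closes every other external path too.
contract HardenedPool {
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    uint256 public constant LTV_BPS = 7500;
    uint256 private locked = 1;
    modifier nonReentrant() { require(locked == 1, "reentrant call"); locked = 2; _; locked = 1; }

    function supply() external payable { collateral[msg.sender] += msg.value; }

    function borrow(uint256 amount) external nonReentrant {
        require(debt[msg.sender] + amount <= collateral[msg.sender] * LTV_BPS / 10_000, "undercollateralized");
        debt[msg.sender] += amount;                          // effect
        (bool ok, ) = msg.sender.call{value: amount}("");   // interaction
        require(ok, "transfer failed");
    }
}
```

When reviewing a fork, the thing to grep for is any state write that sits after an external call or ETH transfer in the same function; that ordering is the whole bug, and a guard on its own only helps if every entry point carries it.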

5) @DefiKingdoms: Unlock Jewel Exploit

One of the largest P2E games, DFK, recently found a glitch that allowed users to rapidly unlock locked Jewel. Although only 12k Jewel were unfairly unlocked, this sent the daily price down 20%, capping off a 90% decline since January highs. The exploit worked by transferring all locked Jewel between multiple accounts and then letting more heroes than intended mine those Jewel at the same time. The mining quest was temporarily paused while a fix was implemented.

DFK Medium: https://medium.com/defi-kingdoms-official/locked-jewel-mining-announcement-april-28-2022-a27bef24400e

If you’ve been in crypto for a while, you have most likely fallen victim to an exploit or rug. It’s a horrible feeling, and oftentimes easily preventable. DeFi is still young, and the industry is still in its infancy. Everyone always says not to invest more than you’re willing to lose, and these past few months have made a strong argument for that advice. I urge everyone to re-evaluate their risk tolerance and reposition accordingly.

This was written in partnership with @ReimaginedFi. Special shoutouts to hufhaus9, _iammarkc, and the rest of the Refi team for their immense knowledge and defi expertise.

As always, thanks for your time — Juanbug

Juanbug

Thoughtfully Apeing in DeFi @pennblockchain