$14 Billion in Crypto Stolen in 2021

Scammers took home a record $14 billion in cryptocurrency in 2021, thanks in large part to the rise of decentralized finance (DeFi) platforms, ****according to new data from blockchain analytics firm Chainalysis.

Losses from crypto-related crime rose 79 percent from a year earlier, driven by a spike in theft and scams.

Scamming was the greatest form of cryptocurrency-based crime in 2021, followed by theft — most of which occurred through hacking of cryptocurrency businesses. The firm says that DeFi is a big part of the story for both, in yet another warning for those dabbling in this emerging segment of the crypto industry.

Many of the new protocols being launched have code vulnerabilities that hackers are able to exploit — 21 percent of all hacks in 2021 took advantage of these code exploits.

While there are third party firms that perform code audits and publicly designate which protocols are secure, many users still opt to work with risky platforms that bypass this step if they think they can get a large return.

Cryptocurrency theft rose 516 percent from 2020, to $3.2 billion worth of cryptocurrency. Of this total, 72 percent of stolen funds were taken from DeFi protocols.

Losses from scams rose 82 percent to $7.8 billion worth of cryptocurrency.

Polygon Hard Fork Follow-Up

Polygon could have lost almost all of its MATIC tokens worth $24 billion if a severe bug had gone unnoticed.

Polygon undertook a hard fork to fix the bug and save the project, but didn’t disclose details about the vulnerability until Wednesday.

The problem was a "critical" vulnerability in Polygon's proof-of-stake genesis contract, which could have allowed attackers to steal over 9.2 billion MATIC tokens (currently worth over $24 billion). The total supply of MATIC tokens is 10 billion.

The bug essentially could have allowed attackers to arbitrarily mint all of Polygon's more than 9.2 billion MATIC tokens from its MRC20 contract.

The bug in the token could have allowed an attacker to mint an arbitrary number of tokens from the MRC20 contract. That means all of the 9,276,584,332 in MATIC value could have been stolen.

The issue was in the MATIC MRC20 contract.

Gasless MATIC transfers are facilitated by the transferWithSig() function. The user who owns the tokens signs a bundle of parameters including the operator, amount, nonce, and expiration. The signature can be later passed to the MRC20 contract by the operator to perform a transfer on behalf of the token owner. This is gasless for the token owner because the operator pays for the gas.

The main issue is that _transferFrom will call the _transfer function directly without checking whether the from has enough balance. And we can call the transferWithSig() without a valid signature, thanks to the lack of a check to see if ecrecovery returns the zero address.

The fix: Polygon removed the transferWithSig function

While Polygon was developing and implementing the fix, a second hacker submitted a report on December 4 referencing the same vulnerability. Polygon decided to make a one-time exception and rewarded Whitehat2 with 500,000 MATIC.

Polygon paid a total of about $3.46 million as bounty to two white hats who helped discover the bug. Despite our best efforts, a malicious hacker was able to use the exploit to steal 801,601 MATIC before the network upgrade took effect. The foundation will bear the cost of the theft.

The Timeline is interesting:


Norton Antivirus Mining Crypto