2022 was a painful year for many in crypto. Alongside a broad market downturn, the year was punctuated by a number of major exploits, collapses, and bankruptcies.
With one major exception, the largest losses of user funds this year resulted from centralized platforms going insolvent, as falling asset prices exposed their unsustainable business practices.
The spark that ignited this fire was also the exception to the trend. When Terra’s algorithmic stablecoin lost its peg in May, the collapse came swiftly. In a matter of days, $45 billion of value was wiped from the combined market capitalization of TerraUSD and its reserve asset, LUNA.
This all occurred on-chain. It was a spectacularly visible collapse. What wasn’t so visible was the exposure that major centralized organizations had to the Terra ecosystem.
Unsecured loans, opaque use of customer funds, and many allegations of outright fraud combined to create the perfect storm. Now that the dust has settled, at least for the moment, we can take stock of the major players that were wiped out over the course of 2022.
With many billions of dollars now locked up in bankruptcy proceedings, the scale of losses from centralized crypto firms dwarfs the sum lost from decentralized protocols in 2022.
But that doesn’t mean that all is well in the world of DeFi. 2022 has seen approximately $3 billion lost from Web3 platforms, the worst year on record.
Web3 offers fundamental solutions to the underlying causes of centralized meltdowns. Real-time proof of solvency, on-chain transparency, and open-source applications combine to create a free and fair ecosystem. Centralized organizations that do not incorporate these values cannot legitimately be called crypto companies; they are part of the same old system that Web3 is replacing.
On the one hand, the industry seems to be learning the hard lessons of this year. It’s heartening to see a number of major exchanges adopting cryptographic proof of reserves, which are one way to bring the best of Web3 to centralized platforms.
On the other hand, there’s still a lot of work to be done. To deliver on its fundamental promise, Web3 needs to address its security problem. It’s not enough to just lose less money than centralized finance, not when the tally is still in the billions of dollars. Web3 needs to be a safe, secure place for everyone to transact.
In this report, we go through some of the year’s biggest losses and outline the steps Web3 needs to take to reach its revolutionary potential.
Mango Markets is a trading platform built on Solana. It leverages the Serum DEX for spot and margin trading, while perpetual contract trading takes place on Mango’s own orderbooks.
As is typical of exchanges that allow for margin trading, users can deposit assets as collateral and borrow against them.
Herein lies the problem: Mango Markets allowed the platform’s governance token – with a relatively low market capitalization and illiquid orderbooks – to be used as a collateral asset.
This exploit was unique in that the attacker came forward to claim credit.
On October 15, Avraham Eisenberg described the exploit as “a highly profitable trading strategy.” The team he was a part of pumped the price of the MNGO token, which then allowed them to borrow against this inflated value until the protocol was left insolvent.
This insolvency was not the result of a smart contract flaw or any other sort of hack. The protocol functioned as it was designed. The designers just failed to take into account the risk of allowing illiquid tokens to be used as collateral.
Eisenberg proposed returning the funds in exchange for a bounty, which is eventually what happened after a vote by the Mango DAO.
Eisenberg and co. were left with a sizable $47 million “white hat” bounty in return for their stress test of Mango Markets.
Since this exploit there have been a number of almost identical incidents in the fourth quarter of 2022, all of which involve illiquid tokens being used as collateral assets.
Moola Markets lost over $8 million in November, and Lodestar Finance lost $6.9 million in December.
These exploits highlight the importance of secure protocol design in addition to secure smart contract code. A contract can function exactly as intended, but if that intention opens the door to a vulnerability the result can be just as costly as any flaw in the code.
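The collateral-design lesson above can be checked numerically. The following is an added example, not code from the original report or from Mango Markets: a constructed lending-pool model that compares valuing illiquid collateral at the spot price against a time-weighted average price (TWAP) plus a per-asset borrow cap, and reports the bad debt left behind once the price returns to its pre-pump level. All figures (pool liquidity, LTV, prices, token amounts) are made up for illustration.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional

# Constructed parameters; not the real Mango Markets configuration.
POOL_LIQUIDITY = 100_000_000.0  # USD the pool can lend out
LTV = 0.5                       # borrow up to 50% of collateral value


@dataclass
class CollateralPolicy:
    use_twap: bool                 # value collateral at TWAP instead of latest tick
    borrow_cap: Optional[float]    # USD cap on borrows backed by this one asset


def collateral_price(price_history, use_twap):
    """Spot is the latest tick; TWAP averages the window, so a brief pump barely moves it."""
    return mean(price_history) if use_twap else price_history[-1]


def max_borrow(collateral_units, price_history, policy):
    """USD the protocol lets a depositor borrow against this collateral under the policy."""
    value = collateral_units * collateral_price(price_history, policy.use_twap)
    allowed = value * LTV
    if policy.borrow_cap is not None:
        allowed = min(allowed, policy.borrow_cap)
    return allowed


def stress_test(collateral_units, price_history, policy):
    """Return (borrowed, bad_debt) once the collateral falls back to its pre-pump price."""
    borrowed = min(max_borrow(collateral_units, price_history, policy), POOL_LIQUIDITY)
    true_value = collateral_units * price_history[0]      # pre-pump price
    bad_debt = max(0.0, borrowed - true_value)             # shortfall after liquidation
    return borrowed, bad_debt


# Constructed scenario: 59 ticks at $0.03, then one manipulated tick at $0.90.
PRICE_HISTORY = [0.03] * 59 + [0.90]
COLLATERAL_UNITS = 100_000_000.0

if __name__ == "__main__":
    for name, policy in [
        ("spot, no cap", CollateralPolicy(use_twap=False, borrow_cap=None)),
        ("twap, no cap", CollateralPolicy(use_twap=True, borrow_cap=None)),
        ("spot, 1M cap", CollateralPolicy(use_twap=False, borrow_cap=1_000_000.0)),
    ]:
        borrowed, bad_debt = stress_test(COLLATERAL_UNITS, PRICE_HISTORY, policy)
        print(f"{name:13s} borrowed=${borrowed:,.0f} bad_debt=${bad_debt:,.0f}")
```

Under spot pricing a single manipulated tick lets the depositor borrow far more than the collateral is really worth; TWAP valuation or a borrow cap keeps the loan below the collateral's pre-pump value and the pool stays solvent.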
Aptos is a Layer 1 blockchain created for safe development, and built with user experience as a core focus.
This audit covers Aptos Core - Move Deps.
Auditing is a complicated and essential step in the security process. At CertiK, we review the top DeFi projects to help you better understand the findings from our experts.
The summary describes the audit and the types of analyses used.
The Overview shows the programming language, the blockchain used, and a link to the project's codebase. The Vulnerability Summary lists issues that need resolution. The Audit Scope displays which contracts were audited.
The Findings section highlights all issues and ranks them in terms of severity, from critical to discussion.
In this audit, we found 2 Critical, 0 Major, 0 Medium, 2 Minor, and 1 Informational issues.
Aptos has resolved 3 of the 5 issues.
Visit CertiK.com for the full report.