{"id":54521,"date":"2021-12-11T20:11:52","date_gmt":"2021-12-11T18:11:52","guid":{"rendered":"https:\/\/forklog.com\/en\/?p=54521"},"modified":"2025-09-03T20:52:07","modified_gmt":"2025-09-03T17:52:07","slug":"defi-digest-bug-found-in-the-solana-library-monox-and-badgerdao-hacked","status":"publish","type":"post","link":"https:\/\/u1f987.com\/en\/defi-digest-bug-found-in-the-solana-library-monox-and-badgerdao-hacked\/","title":{"rendered":"DeFi Digest: Bug Found in the Solana Library; MonoX and BadgerDAO Hacked"},"content":{"rendered":"

The decentralised finance (DeFi) sector continues to attract heightened attention from crypto investors. ForkLog has compiled the most important developments and news of the past weeks in a digest.<\/p>\n

Key metrics for the DeFi sector<\/strong><\/h2>\n

Against the backdrop of market correction<\/a>, the total value locked (TVL) in DeFi protocols fell to $246.82 billion. Curve Finance remains the leader, with its TVL rising to $21.26 billion. MakerDAO ($18.16 billion) moved into second, Convex Finance ($15.85 billion) third.<\/p>\n

\"DeFi
Data: DeFi Llama<\/a>.
<\/figcaption><\/figure>\n

Defi Llama includes in the final figure a basket of tokenised Bitcoins. WBTC, with $12.46 billion, ranked fifth. hBTC, with $1.94 billion, ranked 20th. The combined value of \u2018Bitcoin on Ethereum\u2019 amounted to $15.78 billion.<\/p>\n

The TVL in Ethereum applications rose to $163.08 billion. Over the last 30 days the figure is down 11% (11 November it stood at $180.65 billion).<\/p>\n

\"DeFi
Data: DeFi Llama<\/a>.
<\/figcaption><\/figure>\n

Trading volume on decentralised exchanges (DEX) over the past 30 days stood at $127.1 billion.<\/p>\n

Uniswap continues to command dominance in the non-custodial exchange market \u2014 accounting for more than 78% of total turnover. The second-largest DEX by volume is SushiSwap (8.6%), the third is Curve (5.8%).<\/p>\n

The Bank of France proposed establishing oversight of the DeFi sector<\/strong><\/h2>\n

European regulators must establish oversight<\/a> of the DeFi sector. The official spoke on the topic in a speech addressing the challenges for the digital euro.<\/p>\n

The official touched on the topic in a speech addressing the challenges for the digital euro.<\/p>\n

\n

\u201cFurther important changes are needed. In particular, oversight of the DeFi sector, where normal regulatory frameworks are limited. Issuers and service providers are not easy to identify, protocols operate automatically without intermediaries, and there is no fixed jurisdiction for the services offered,\u201d the official said.<\/p>\n<\/blockquote>\n

Omicron token rises more than 900% after new COVID-19 variant emerges<\/strong><\/h2>\n

The Omicron (OMIC) token rose more than 900%<\/a> after the emergence of a new COVID-19 variant. On 26 November the WHO named it \u201cOmicron.\u201d<\/p>\n

The DeFi project Omicron DAO\u2019s token was issued on the Arbitrum One layer-2 protocol and trades on SushiSwap. According to Twitter, the asset launched on 2 November.<\/p>\n

On 27 November OMIC traded around $65, and two days later it reached an all-time high above $689. By 11 December the price had fallen to $63.<\/p>\n

LUNA price hits new high as Terra DeFi inflows surge<\/strong><\/h2>\n

On 5 December the native token of the Terra protocol (LUNA) hit a price high<\/a> above $78 (on Binance). The quotes peaked amid substantial inflows into the project\u2019s ecosystem \u2014 TVL in DeFi apps exceeded $14 billion.<\/p>\n

At the time of writing LUNA trades near $63. The ecosystem TVL stood at $12.86 billion. <\/p>\n

\"DeFi
Hourly chart of LUNA\/USDT on Binance. Data: TradingView<\/a>.<\/figcaption><\/figure>\n

Bug in Solana library allowed theft of up to $27 million per hour<\/strong><\/h2>\n

The error in the Solana SPL protocol library could have allowed funds to be stolen from several major DeFi projects at a rate of roughly $27 million per hour, according to researchers from Neodyme.<\/p>\n

The Tulip Protocol yield aggregator, along with the Solend and Larix lending protocols, were at risk. At the peak, the combined TVL of these projects reached $2.6 billion.<\/p>\n

Experts noted that the bug was publicly disclosed by one of the auditors of the group, who uses the nickname Simon, back in June. On 1 December he found that the vulnerability had not been fixed. Neodyme suspects that perhaps it was considered harmless.<\/p>\n

However, researchers found that the bug allows the theft of \u201chundreds of millions of dollars\u201d via small sums quickly.<\/p>\n

Experts contacted the Solana Foundation and eight projects affected. In some cases the suspicions proved incorrect, and Port Finance had fixed the issue months earlier. In Tulip, Solend and Larix they fixed the issue after the outreach, and the Solana team also updated the documentation.<\/p>\n

Investments in DeFi<\/strong><\/h2>\n

The Panther Protocol, a developer of a privacy-preserving DeFi protocol, raised more than $22 million<\/a> in a public token sale.<\/p>\n

The token sale ended in 90 minutes, and the total funding raised by the project reached $32 million.<\/p>\n

The Panther Protocol solution uses the zk-SNARK<\/a> technology and runs on Ethereum, Polygon, Flare, Songbird, NEAR and Elrond.<\/p>\n

The DeFi platform Earnity<\/strong> raised $15 million<\/a> in a Series A round. It was led by the BitNile mining company, a subsidiary of Ault Global Holdings.<\/p>\n

The round also included the Australia-listed Thorney and the NGC Ventures fund.<\/p>\n

Behind Earnity is Domenic Karosa, founder of Banxa Holdings and cofounder of Apollo Capital. The platform, aimed at \u201cdemocratising access\u201d to digital assets, is planned to launch in early 2022.<\/p>\n

DeFi hacks and scams<\/strong><\/h2>\n

On 30 November a hacker exfiltrated $31 million worth of crypto assets<\/a> from the Polygon-based MonoX platform. The attacker used a swap contract to push the MONO price \u201cto the moon,\u201d and then buy up all the other assets in the pool.<\/p>\n

On 2 December the BadgerDAO project was hacked<\/a> \u2014 the damage exceeded $120 million. PeckShield experts noted that one of the affected addresses lost roughly 900 BTC (about $50 million at the time). A community member on Twitter suggested<\/a> the address was linked to Celsius Network.<\/p>\n

On 10 December the project team announced<\/a> that during the attack hackers used Cloudflare Workers, a service that enables deploying scripts in Cloudflare\u2019s cloud network.<\/p>\n

Hackers gained access to the API<\/span>, which \u201cwas used for legitimate Cloudflare-managed operations.\u201d They then used the interface to inject malicious scripts via Cloudflare Workers into the HTML file of the app.badger.com site.<\/p>\n

Also on ForkLog:<\/p>\n