A ‘white hat’ hacker pulled off the largest single cryptocurrency hack this year, claiming to have done it to expose the security hole in the ‘cross-chain’ smart contracts used by the company. The company went on to suspend transactions and fix the bug, even as it negotiated with the hacker and with exchanges to freeze the stolen cryptocurrency temporarily. The entire stolen amount was retrieved over the course of a week, with no loss to customers. Poly Network offered the hacker a job and a reward of $500,000; the hacker turned both down, but later grumbled about getting no reward.

Poly Network is a decentralised finance (DeFi) platform that allows users to lend, borrow and trade cryptocurrencies. Smart contracts are programs deployed on a blockchain whose terms execute automatically once their conditions are met, for example, sell to entity X at $17.99 if the price falls below $18. Cross-chain platforms let users move assets between otherwise separate blockchains, but the technology is still maturing, which makes it an attractive target. A number of recent crypto hacks have targeted DeFi platforms that use cross-chain technology.

A stolen private key, the half of the cryptographic key pair that must be kept secret, let hackers breach two hot wallets belonging to the BitMart crypto exchange. Announcing the loss on Twitter, the company said $100 million of it was on the Ethereum blockchain, which has been targeted most frequently in this year's biggest hacks. The exchange froze deposits and withdrawals for a couple of days, during which it announced a security upgrade. BitMart's CEO Sheldon Xia said the exchange would work with crypto project teams to identify solutions, and would use the company's own funds to compensate affected users.

Hot wallets are used by crypto exchanges like BitMart to hold the most liquid portion of their digital assets, so that transactions on behalf of users can be executed quickly.
A cold wallet, on the other hand, holds digital assets offline, with no internet exposure, and is therefore less vulnerable to hackers.

A leaked administrator key cost BXH a large part of its holdings on the Binance Smart Chain (BSC). Withdrawals on BSC were suspended the same day and resumed only four weeks later. The security sweep took a week, and the company claimed that all security loopholes had been eliminated within two weeks of the attack. Its CEO and PeckShield, an independent blockchain security firm, both speculated that the exploit could have been an ‘inside job’. The company offered a reward of up to $10 million to identify the hackers, though no further announcement has been made regarding identification. ‘A reasonable compensation plan’ is held out for users whose digital assets were affected. BXH is a decentralised exchange, with support for trading across multiple blockchains.

Hackers helped themselves to the wallet private keys of 96 users, out of a total of 6,501 at the time. They went on to steal 9% of all available PYR tokens (4.5 million PYR), a loss of $135 million. Affected users have been promised reimbursement from the company's own reserves. CEO Jamie Thomson has said the company will move to decentralised wallets to prevent such issues in future. The company has placed a bounty of $500,000 to identify the hacker, and has coordinated with large exchanges to try to prevent the hackers from selling the stolen tokens.

Vulcan Forged calls itself a GameFi game studio that makes play-to-earn (P2E) games such as VulcanVerse and Vulcan Chess, which run on its own PYR token and NFTs. It runs an NFT marketplace to let players cash out, and a decentralised exchange (DEX) to trade cryptocurrency.
The studio was planning upgrades to the PYR currency, but the hack dropped its price by 26% and lowered its market cap by 35%. Private keys are used to produce the digital signatures that prove control of a ‘wallet address’, so only the key holder can authorise transactions from it; the flip side is that anyone who obtains a copy of the key gains exactly the same power, which is why a leaked or stolen key is so damaging.

In an attack that exploited its flash loan facility, hackers stole all the liquid assets the platform held on the Ethereum blockchain. The company said the vulnerability had been patched with the community's help, and that its assets on other blockchains were not affected. Within a month, it announced compensation for affected users, funded from the team's own allocation of tokens. C.R.E.A.M. Finance, a DeFi lending platform, reported three other attacks this year: September ($18.8 million), August ($29 million) and February ($37 million), bringing its losses for the year to $215 million.

Hackers pilfered Bitcoin- and Ethereum-based assets from dozens of user wallets in a carefully planned attack: malicious code had been injected into the platform's website front end almost a month in advance. PeckShield, a blockchain security firm, identified the single biggest loss, 896 Bitcoin from one wallet, worth $44 million at current prices. The DAO suspended activity upon learning of the attack, completed its investigation within a week and returned to normal operation. The Badger community is considering plans to recover the lost funds and to reimburse losses. BadgerDAO is a decentralised autonomous organisation (DAO) that runs a crypto lending platform; Celsius Network, a centralised finance (CeFi) lender against crypto assets, was among the affected users.

Hackers obtained access to Liquid's hot wallet, looting Ether, Bitcoin, XRP and 66 other currencies. Ethereum-based assets accounted for over 78% of the loss.
The hackers routed part of their loot through decentralised platforms such as Uniswap, while assets sent to other large crypto exchanges were frozen at Liquid's request. The Japanese exchange resumed trading after moving unaffected funds to cold wallets and upgrading its security to use secure vaults. By the end of August, Liquid said there would be “no impact on user balances.” To compensate users and cover its own losses, the company raised $120 million as a loan from the FTX crypto exchange.

Showing that targeting a person works just as well as targeting a system vulnerability, a hacker compromised the founder's computer to obtain his admin keys and transfer currency to himself. The initial loss was $6 million in stablecoins and $120 million worth of EASY, the token native to the EasyFi project. The impact on users was limited: the EASY token's price crashed by 50% in a low-liquidity market, making it hard for the hacker to sell his tokens, and four days later the token was migrated to ‘EZ 2.0’, rendering the hacker's holdings worthless. In his blog, founder Ankitt Gaur wrote that affected users would be compensated, 25% in stablecoins and 75% as IOU tokens. EasyFi is a DeFi lending platform for digital assets, operating across three blockchains at the time of writing.

Hackers broke into the hot wallet of AscendEX, a Singapore-based cryptocurrency exchange. According to the blockchain security firm PeckShield, almost 77% of the total loss consisted of assets on the Ethereum blockchain. The exchange confirmed that its cold wallets were not affected and that affected users would be “covered completely.” Deposit and withdrawal services were suspended for a security review, but trading resumed within a week.
The company announced on December 23 that deposits and withdrawals had resumed for most major currencies.

Beginning with a simple phishing attack, a malicious Word document, the hackers obtained the platform's private keys and ‘upgraded’ its smart contracts to transfer funds away. Most losses were on the Polygon and Binance Smart Chain (BSC) networks, while its decentralised infrastructure saw relatively lower losses denominated in Ethereum. On discovering the attack, the bZx platform alerted other crypto projects and exchanges to freeze the stolen cryptocurrency. The company asked the security firm Kaspersky to investigate; Kaspersky believes the hackers were the North Korea-linked Lazarus Group. While the team continues to track the funds and work with law enforcement agencies, the community has approved a compensation plan for those who suffered losses as a result of the hack. The bZx DAO (decentralised autonomous organisation) calls itself a DeFi platform for margin trading and lending.
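The BadgerDAO incident described above did not break the protocol's smart contracts: the script injected into the front end prompted users to sign ERC-20 approvals that granted the attacker's address an allowance over their tokens, and those allowances were later used to drain the wallets. The check below is an added example written for this page, not BadgerDAO's code or any wallet's. It decodes the calldata of an `approve(address,uint256)` or `increaseAllowance(address,uint256)` call, as a wallet or a dApp's own front end could do before asking the user to sign, and flags a spender that is not one of the protocol's own contracts or an unlimited allowance. The vault and attacker addresses and the calldata are constructed for the example; the two function selectors are the standard ERC-20/OpenZeppelin values.

```python
"""Decode ERC-20 approval calldata and flag risky approvals before signing.
Added example for this page; the addresses below are constructed, not real."""

# 4-byte selectors (first 4 bytes of keccak256 of the signature);
# standard ERC-20 / OpenZeppelin values.
APPROVAL_SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
}
UNLIMITED = 2**256 - 1          # what an "infinite approval" prompt actually encodes


def encode_approval(spender, amount, selector="095ea7b3"):
    """Build calldata with the real ABI layout: selector, then each argument
    left-padded to a 32-byte word. Used here only to construct sample input."""
    addr = spender.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    return "0x" + selector + addr.rjust(64, "0") + format(amount, "064x")


def decode_approval(calldata):
    """Return (function, spender, amount) for an approval call, else None."""
    data = calldata.lower()
    if data.startswith("0x"):
        data = data[2:]
    selector, args = data[:8], data[8:]
    if selector not in APPROVAL_SELECTORS or len(args) != 128:
        return None
    spender = "0x" + args[24:64]          # address = low 20 bytes of word 0
    amount = int(args[64:128], 16)        # uint256 = word 1
    return APPROVAL_SELECTORS[selector], spender, amount


def flag_approval(calldata, trusted_spenders):
    """Reasons to warn the user before this call is signed.
    trusted_spenders: the protocol's own contract addresses (assumed known)."""
    decoded = decode_approval(calldata)
    if decoded is None:
        return []                          # not an approval; nothing to say here
    fn, spender, amount = decoded
    trusted = {s.lower() for s in trusted_spenders}
    reasons = []
    if spender not in trusted:
        reasons.append(f"{fn}: spender {spender} is not a known protocol contract")
    if amount == UNLIMITED:
        reasons.append(f"{fn}: unlimited allowance requested")
    return reasons


# Constructed addresses for the example (hypothetical, not on any chain)
VAULT = "0x1111111111111111111111111111111111111111"      # protocol vault
ATTACKER = "0x2222222222222222222222222222222222222222"   # attacker-controlled EOA

if __name__ == "__main__":
    for cd in (encode_approval(VAULT, 10**18), encode_approval(ATTACKER, UNLIMITED)):
        print(cd[:10], flag_approval(cd, [VAULT]) or "ok")
```

A front end that ships its list of legitimate spender contracts with the page can be subverted along with the page, so the allowlist is only worth something when it is enforced somewhere the injected script cannot edit, such as the user's wallet or a browser extension; the decoding itself is the same in either place.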