• How are DeFi protocols compromised?

  • The decentralized finance sector is expanding at an alarming rate. Three years ago, DeFi’s total value was only $800 million. By February 2021, the figure had risen to $40 billion; by April 2021, it had risen to $80 billion; and it now stands at more than $140 billion. Such rapid growth in a new market could not help but attract the attention of hackers and fraudsters of all stripes.

    According to a report by a crypto research firm, the DeFi sector has lost approximately $284.9 million to hacks and other exploit attacks since 2019. From the standpoint of hackers, blockchain ecosystem hacks are an ideal means of enrichment: such systems are anonymous, they have money to lose, and any hack can be tested and tuned without the victim’s knowledge. Losses totaled $240 million in the first four months of 2021. And these are just the cases that have come to light. We estimate that real losses will be in the billions of dollars.

    How is money stolen from DeFi protocols? We examined several dozen attacks and identified the most common issues that lead to a successful hack.

    Misuse of third-party protocols and errors in business logic

    Any attack begins with a thorough examination of the victim. Blockchain technology opens up numerous possibilities for automated tuning and simulation of hacking scenarios. For an attack to be fast and invisible, the attacker needs programming skills and knowledge of how smart contracts work. A hacker’s typical toolkit lets them download their own full copy of the blockchain from the main network and then tune the attack as if the transactions were taking place on the real network.

    The attacker must then research the project’s business model as well as the external services that are being used. Errors in mathematical models of business logic and reliance on third-party services are two of the most common vulnerabilities exploited by hackers.

    Smart contract developers frequently need more up-to-date data at the time of a transaction than the contract itself has available. As a result, they are forced to rely on third-party services, such as oracles. Because these services are not intended to operate in a trustless environment, using them entails additional risks. According to calendar-year statistics (since the summer of 2020), this type of risk accounted for the smallest percentage of losses: only 10 hacks, resulting in losses totaling approximately $50 million.

    Coding errors

    Smart contracts are a relatively new concept in the world of information technology. Despite their simplicity, smart contract programming languages require a completely different development paradigm. Developers frequently lack the necessary coding skills and make egregious errors that result in massive losses for users.

    Security audits eliminate only a portion of this type of risk because the majority of audit companies on the market bear no responsibility for the quality of their work and are only concerned with the financial aspect. More than 100 projects were hacked as a result of coding errors, resulting in a total loss of around $500 million. The dForce hack, which occurred on April 19, 2020, is a prime example. The hackers stole $25 million by exploiting a flaw in the ERC-777 token standard in conjunction with a reentrancy attack.
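A simplified model of the ordering mistake behind reentrancy through a token receive hook (such as the `tokensReceived` callback in ERC-777), shown next to the corrected ordering. This is an added example, not code from the article or from dForce; `Vault`, `simulate` and all amounts are constructed for illustration.

```python
class Vault:
    """Toy custody contract; `hardened` selects the order of operations."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.balances = {}   # internal ledger: account -> credited amount
        self.reserve = 0     # tokens the vault actually holds

    def deposit(self, account: str, amount: int) -> None:
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserve += amount

    def withdraw(self, account: str, on_receive) -> None:
        amount = self.balances.get(account, 0)
        if amount == 0 or amount > self.reserve:
            return                           # check
        if self.hardened:
            self.balances[account] = 0       # effect BEFORE the external call
        self.reserve -= amount
        on_receive(amount)                   # interaction: hook runs recipient code
        if not self.hardened:
            self.balances[account] = 0       # too late, the hook has already run


def simulate(hardened: bool, depth: int = 3) -> tuple:
    """Return (paid to recipient, vault reserve, total still owed to users)."""
    vault = Vault(hardened)
    vault.deposit("other_users", 900)        # constructed sample deposits
    vault.deposit("recipient", 100)
    received = []

    def hook(amount: int) -> None:
        received.append(amount)
        if len(received) < depth:            # call back in before withdraw returns
            vault.withdraw("recipient", hook)

    vault.withdraw("recipient", hook)
    return sum(received), vault.reserve, sum(vault.balances.values())
```

With the ledger updated after the hook, the recipient is paid 300 against a 100 deposit and the reserve (700) no longer covers what other users are owed (900); with the update moved ahead of the call, the nested withdrawal sees a zero balance and the reserve stays solvent.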

    Price manipulation, flash loans, and miner attacks

    The information provided to the smart contract is only relevant at the time of transaction execution. By default, a contract is not protected against external manipulation of that information. This opens the door to a wide range of attacks.

    Flash loans are loans without collateral that require the borrower to return the borrowed cryptocurrency within the same transaction. If the borrower fails to return the funds, the transaction is canceled (reverted). These loans enable the borrower to receive large amounts of cryptocurrency and use them for their own purposes. Price manipulation is common in flash loan attacks. An attacker can sell a large number of borrowed tokens in a single transaction, lowering their price, and then perform a variety of actions at a very low token value before buying them back.
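The price swing described above, and one common guard against it, as an added example that is not part of the original article. It assumes a fee-less constant-product pool and a 5% deviation limit; `Pool`, `oracle_price` and all reserves are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Constant-product pool (token * stable = k), no fees. Constructed model."""
    token: float                      # reserve of the token being priced
    stable: float                     # reserve of the stablecoin
    samples: list = field(default_factory=list)  # (seconds, price) per past block

    def spot(self) -> float:
        return self.stable / self.token

    def end_block(self, seconds: float = 12) -> None:
        """Record the closing price of a block for the time-weighted average."""
        self.samples.append((seconds, self.spot()))

    def sell_token(self, amount: float) -> float:
        """Swap `amount` of token into the pool; returns stablecoin paid out."""
        k = self.token * self.stable
        self.token += amount
        out = self.stable - k / self.token
        self.stable -= out
        return out

    def twap(self) -> float:
        total = sum(s for s, _ in self.samples)
        return sum(s * p for s, p in self.samples) / total

def oracle_price(pool: Pool, max_deviation: float = 0.05) -> float:
    """Price from past blocks only; refuse to answer while spot is far from it."""
    twap, spot = pool.twap(), pool.spot()
    if abs(spot - twap) / twap > max_deviation:
        raise ValueError(f"spot {spot:.2f} deviates from TWAP {twap:.2f}")
    return twap

def demo() -> tuple:
    pool = Pool(token=1_000_000, stable=1_000_000)
    for _ in range(10):               # ten quiet blocks at a price of 1.00
        pool.end_block()
    before = pool.spot()
    pool.sell_token(1_000_000)        # large borrowed amount sold mid-transaction
    after = pool.spot()               # what a naive spot-price reader would see
    try:
        oracle_price(pool)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, pool.twap(), rejected
```

A contract that reads `spot()` in the middle of the transaction values the token at 0.25 instead of 1.00, while the time-weighted price built from earlier blocks is unchanged and the deviation check refuses to price at all.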

    A miner attack is analogous to a flash loan attack on blockchains that use the proof-of-work consensus algorithm. This type of attack is more complex and costly, but it can circumvent some of the security layers of flash loans. Here’s how it works: The attacker rents mining capacity and creates a block that contains only the transactions required. They can borrow tokens, manipulate prices, and then return the borrowed tokens within the given block.

    Because the attacker alone chooses which transactions enter the block and in what order, the attack is atomic (no other transaction can be “wedged” into it), as in the case of flash loans. This type of attack has been used to hack over 100 projects, resulting in losses of approximately $1 billion.

    The average number of hacks has risen over time. At the start of 2020, a single theft totaled hundreds of thousands of dollars. By the end of the year, the sums had risen to tens of millions of dollars.

    Incompetence of the developer

    The human error factor is the most dangerous type of risk. People turn to DeFi in order to make quick money. Many developers are underqualified, but they still attempt to launch projects in a hurry. Because smart contracts are open source, hackers can easily copy and modify them in minor ways. If the first three types of vulnerabilities exist in the original project, they will be replicated in hundreds of cloned projects. RFI SafeMoon is a good example: it contains a critical vulnerability that has been carried over into a hundred projects, potentially resulting in over $2 billion in losses.
