As the DeFi sector continues to attract money and users, bad actors from around the world continue to view it as an attractive target that is ripe for the picking and poorly protected.
Over the last several months, I have been keeping track of some of the most notable exploits of DeFi protocols, and at least seven of them seem to be a result of smart contract flaws alone.
For example, hackers hit and robbed Wormhole, stealing over $300 million, Qubit Finance ($80 million), Meter ($4.4 million), Deus ($3 million), TreasureDAO (over 100 NFTs), and lastly, Agave and Hundred Finance which, together, lost $11 million in total. All of these attacks resulted in the theft of rather significant amounts of money, causing major damage to the projects.
Many of the targeted protocols have seen a devaluation of their cryptocurrency, mistrust by users, criticism regarding the security of DeFi and smart contracts, and similar negative consequences.
What types of exploits did occur during the attacks?
Naturally, each of these cases is unique, and different types of exploits were used for tackling each individual project, depending on their vulnerabilities and flaws. Examples include logic errors, reentrancy attacks, flashloan attacks with price manipulations, and more. I believe that this is the result of DeFi protocols becoming more complex, and as they do, the code’s complexity makes it more and more difficult to clear out all the flaws.
Furthermore, I noticed two things while analyzing each of these incidents. The first one is that hackers managed to get away with massive amounts every time — millions of dollars’ worth in crypto.
This “payday” gives the hackers incentive to spend any time necessary studying the protocols, even months at a time, since they know the reward will be worth it. That means the hackers are motivated to spend much more time looking for flaws than the auditors.
The second thing that stood out is that, in some cases, the hacks were actually extremely simple. Take the Hundred Finance attack as an example. The project was hit using a well-known bug that can be typically found in Compound forks if a token is added to the protocol. All that the hacker needs to do is wait until one of these tokens gets added to the Hundred Finance. After that, all it takes is to follow a few simple steps to use the exploit to get to the money.
What can DeFi projects do to protect themselves?
Moving forward, the best thing that these projects can do to protect themselves from bad actors is to focus on the audits. The more in-depth, the better, and conducted by experienced professionals who know what to pay attention to. But, there is another thing that the projects can do, even before resorting to the audits, and that is to ensure that they have a good architecture created by responsible developers.
This is especially important since most blockchain projects are open-source, which means that their code tends to get copied and reused. It speeds things up during development, and the code is free for the taking.
The problem is if it turns out that it’s flawed, and it gets copied before the original developers figure out the vulnerabilities and fix them. Even if they announce and implement the fix, those who copied it might not see the news, and their code remains vulnerable.
How much can the audits actually help?
Smart contracts function as programs that run on blockchain technology. As such, it is possible that they are flawed and that they contain bugs. As I mentioned before, the more complex the contract — the greater the odds that a flaw or two slipped through the developers’ check-ups.
Unfortunately, there are many situations where there is no easy solution to rectify these flaws, which is why developers should take their time and make sure that the code is done properly and that the flaws get spotted immediately or at least as early as possible.
This is where audits come in, for if you test the code and document the progress of its development and the tests adequately, you can get rid of the majority of issues early on.
Of course, even audits cannot provide a 100% guarantee that there will be no issues with the code. No one can. It is not accidental that hackers need months to figure out the smallest vulnerability they can use to their advantage — you cannot create the perfect code and make it useful, especially not when it comes to new technology.
Audits do reduce the number of issues, but the real problem is that many of the projects that get hit by the hackers did not even have any audits at all.
So, to any developers and project owners who are still in the development process is to remember that security doesn’t come from passing an audit. However, it certainly starts there. Work on your code; make sure that it has a well-designed architecture and that skillful and diligent developers work on it.
Make sure everything is tested and well-documented, and use all the resources at your disposal. Bug bounties, for example, are a great way to have your code checked out by people from the hackers’ point of view, and a fresh perspective from someone looking for a way in can be priceless in securing your project.
Guest post by Gleb Zykov from HashEx
Gleb began his career in software development in a research institute, where he gained a strong technical and programming background, developing different types of robots for the Russian Ministry of Emergency Situations.
Later Gleb brought his technical expertise to the IT services company GTC-Soft, where he designed Android applications. He moved on to become the lead developer and afterwards, the company’s CTO. In GTC Gleb led the development of numerous vehicle monitoring services and an Uber-like service for premium taxis. In 2017 Gleb became one of the co-founders of HashEx – an international blockchain auditing and consulting company. Gleb holds the position of Chief Technology Officer, spearheading the development of blockchain solutions and smart-contract audits for the company’s clients.