Wady protokołów DeFi
The decentralized finance industry is growing every day. At the same time, there are hundreds, if not tens of thousands of people who want to get their share of this “pie”. Unfortunately, some people use less honest methods to achieve this goal. Today we will talk about hackers who break various DeFi protocols and how they succeed.
Three years ago, the DeFi sector had a “paltry” $800 million in cash. In February 2021, this figure exceeded $40 billion, and in April doubled the figure, reaching $80 billion. DeFi's current cash flow exceeds $140 billion and is not going to stop!
Along with the growth of indicators, the industry's losses also increased. So, in the first four months of this year, the amount of losses exceeded $240 million. And given the recent $600 million hack on Poly Network, the figure could have been even worse.
The anonymity of this financial sector is extremely attractive to hackers, since it is much easier here to steal tens of millions of dollars and remain in the shadows. After analyzing many hacks, we were able to identify popular "holes" in the protocols, leading to theft, amounting to tens of millions of dollars.
Analysis of victims and business logic errors
Any attack begins with collecting data about a potential victim. Naturally, first of all, a hacker must have the skills of a programmer and know how smart contracts work.
The attackers' toolkit often allows them to download their copy of the blockchain from the main network, and then simulate the attack, presenting its outcome in the real network of a specific DeFi project.
In addition, the hacker closely examines the business model of the project and the external services it uses (for example, oracles) in an attempt to find errors in mathematical models of business logic. They are often the most vulnerable point for DeFi.
According to statistics, from the summer of 2020 to the summer of 2021, due to the inability of oracles to work in an unsafe environment, attackers carried out about 10 hacks worth more than $50 million.
Errors in the code
Smart contracts are still a fairly fresh concept for the IT industry. Despite their simplicity, the programming languages involved in smart contracts require a new development paradigm. Specialists simply do not possess all the necessary skills, making mistakes that lead to the loss of colossal amounts.
A security audit can help them. However, he does not always manage to fix all possible problems, since those who conduct it are only interested in the financial side of the issue and are not always interested in the quality of the work performed.
One example was the case on April 19, 2020, when hackers exploited a vulnerability in the ERC-777 token standard, combining it with a re-entry attack and managed to steal $25 million. At the same time, the total losses due to coding errors exceeded $500 million.
Flash loans and price manipulation
The information in the smart contract is relevant only at the time of the transaction. Unfortunately, it is not protected from possible manipulation by third parties, which expands the possibilities for a whole range of attacks and price fraud.
Fast loans in cryptocurrency allow the borrower to receive large sums and use them for their own purposes. But sometimes flash credits are used for price manipulation attacks.
The attacker sells a huge amount of borrowed tokens as part of a transaction, thereby lowering their price, and then performs a series of pre-planned shenanigans at the minimum price of tokens before redeeming them.
Many attacks on the Binance Smart Chain platform, which we mentioned earlier, were carried out precisely due to flash credits and a sharp change in the value of tokens by hackers.
An analogue of an attack using flash loans on blockchains, which are based on the Proof-of-Work consensus algorithm. This attack is more costly and complex, but it helps bypass many levels of flash credit protection.
The hacker rents mining power and forms a block consisting only of the transactions he needs. In it, an attacker can borrow cryptocurrencies, control their price and return tokens. When such a “maneuver” is performed, other transactions simply cannot “wedge” into the attack, as is the case with flash credits.
Using this type of attack, the hackers left more than 100 DeFi projects in the red, and the total losses amounted to about $1 billion.
Incompetence of the development team
Many developers who came to DeFi for "quick money" are not stopped even by low qualifications and complete ignorance of the fundamental mechanisms of the industry. In a hurry and thirst for profit, which eclipsed consciousness, they are able to ruin any undertakings.
Smart contracts are open source. It can be easily copied and modified by hackers. As an example, we can recall the RFI SafeMoon project, which contained a critical vulnerability in the code, similar to hundreds of other projects that lost more than $2 billion in user funds as a result of the banal irresponsibility of developers.
But even all of the above does not make DeFi any less promising. Rather, it speaks of the need to improve the degree of protection of investors' funds in order to attract even more players to the market.
Coin Shark is not responsible for the content, accuracy, quality, advertising, products or any other content posted on the site. This article is for informational purposes, prepared on the basis of materials and information from open sources. Cryptocurrency is a risky asset, investments in it can lead to losses. Users should do their own research before taking any action.