The DeFi Hack: What Decentralized Finance Should and Shouldn’t Be

Published at: May 2, 2020

Decentralized finance, or DeFi for short, became a buzzword in 2019 following the valuations of MakerDao and Compound after both companies raised sizable rounds from the elite Silicon Valley-based Venture Capital firm Andreessen Horowitz.

2020 has been a difficult year for the crypto DeFi sector — it’s been going through the wringer. Over the weekend, the dForce ecosystem protocol Lendf.me lost 99.95% of its funds from a hacking exploit. Just days later, the hacker leaked information about his identity that resulted in him returning most of the stolen funds. This news comes following DeFi’s greatest test on March 12, when the Ether (ETH) price sharply fell, causing systems to become overly stressed and fail. The big loser that day was MakerDao, whose poor architecture and infrastructure was exposed due to the limitations of the Ethereum network.

The leading decentralized finance platform MakerDao accrued debt that had to be bailed out by its venture capital firm’s money. A month later, DAI’s dollar peg was experiencing stability issues and a $28.3 million class-action lawsuit was filed against the Maker Foundation in the Northern District Court of California for negligence. Users want their money back.

Back on April 18, $25 million in Ether and Bitcoin (BTC) was stolen from users of the lending protocol Lendf.me. Lendf is a protocol with security issues and is part of the dForce Foundation’s ecosystem. Surprisingly, it was actually able to recover almost all of the funds from the attacker who exploited the reentrancy flaw in its protocol, as he eventually returned almost all of the money he had stolen. After draining $25 million, the hacker returned $24 million of it, keeping $1 million for himself for… you know, gas fees and these difficult COVID-19 times, maybe.

Ironically, the hacker didn’t return the same mix of assets that was stolen, instead returning the $24 million in a different combination of cryptocurrency tokens. This comes immediately following the news that the dForce Foundation closed a $1.5 million round led by Multicoin Capital, with participation from Huobi Capital and CMB International last week. We can assume these funds are going to cover the losses from the hack.

I spoke with two DeFi CEOs of Compound Finance and Kava Labs to ask them about their experience with dForce and what key takeaways the hack can teach the DeFi community.

Brian Kerr, the CEO of DeFi lending platform Kava Labs, spoke to Cointelegraph about what went wrong at dForce that allowed this hack to transpire. In mid-2019, Kava announced its stablecoin USDX. Shortly after, dForce released its own stablecoin under the ticker USDx. The use of Kava’s USDX ticker displays the limited creativity at dForce, which likely extends to its code and technical talent as well. Robert Leshner, CEO of DeFi lending company Compound Finance, personally spoke with Cointelegraph in an interview following his tweet about the $25 million hack, in which he claimed that the company had stolen code that is recognizable as Compound’s.

During the phone interview with Cointelegraph, Leshner explained:

“Building on-chain is merciless; security requires a team’s full attention. When teams redeploy code they haven’t written, it makes it impossible to know how, or why, the code works, or what the risks are… anything less is an injustice to users. And users should demand better.” 

Sadly, dForce has become an example of what DeFi shouldn’t be.

So, what do you need to know?

In the case of both MakerDao and dForce, what started as a disaster is now in the process of being resolved. Though a significant sum of the funds are still unaccounted for, the experience has left users seeking alternative DeFi lending platforms that they can actually trust. Many users have lost funds, and many others feel wary simply from reading DeFi news these days, even if their money hasn’t been compromised by either MakerDao or dForce. As a subfield within the crypto space, DeFi is still very young.

Was it really dForce’s responsibility?

Leshner said that the dForce firm “copy/pasted Compound v1 without changes.” In his tweets, Leshner maintained that the Compound v1 code “was not flawed,” but that his team had been cautious about which assets it listed. According to Leshner, the dForce team copied code it did not fully understand from Compound and illegally deployed it as its own, changing a few parts without realizing the security issues involved.

Also weighing in was Kerr. Kava Labs is a DeFi lending platform similar to MakerDao, but while MakerDao only accepts ETH tokens, the Kava platform accepts any asset, including Bitcoin, Ripple (XRP), Binance Coin (BNB) and Cosmos (ATOM), which can be used to mint USDX, the platform’s stablecoin. These milestones in the platform’s development came before dForce knocked off the USDX ticker for its own stablecoin. Kerr shared that Kava aims for USDX to become a major player in the global financial system.

Based on Kerr’s account to Cointelegraph and stated in his reply to Leshner on Twitter, dForce heavily marketed Lendf.me to the world without first running very basic audits: “A basic audit from any reputable firm would have caught this — reentrancy is a known issue and easily checked for. Outside of stealing Compound’s code, DForce also stole Kava’s USDX token name and ticker — despite us announcing our token many months before they even had a platform.” Kerr admitted, “It’s a terrible example of what DeFi should not be.”

As trust is the most central and important foundation for a relationship between a person and their money, Kerr believes the responsibility was with “both the dForce team and the application’s users.” He continued: 

“dForce didn’t understand what they were doing and marketed an unsafe product. The users didn’t do their own due diligence on the team or the codebase to determine if the product is safe for use.” 

DeFi shouldn’t be brazen

As previously reported by Cointelegraph, dForce’s hacker used the imBTC token, an Ethereum wrapper for Bitcoin, as the “trojan horse” of the attack. Leshner explained that the security error came from a known reentrancy attack: “This is a followup attack to the imBTC Uniswap attack yesterday.” He went on to say, “imBTC is an ERC-777 token and not a normal Ethereum asset. Smart contracts that include imBTC have to be extra cautious and write additional code to protect against reentrancy attacks.”

This is considered to be a well-known vulnerability of the common ERC-20 standard, especially when used in the DeFi context.
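The hazard Leshner describes comes from a property of ERC-777 that plain ERC-20 tokens lack: a transfer hands control to the recipient (its `tokensReceived` hook) before the transfer call returns. A pool that moves tokens first and updates its ledger afterwards can therefore be re-entered while its books are stale. The following Python model is an added example, not code from Lendf.me, Compound or dForce; the token, pool and account names are constructed. It stands in for the regression test a lending team should run before listing any hook-bearing asset: the same withdrawal is driven against a pool that updates state after the transfer and against one that follows checks-effects-interactions and holds a reentrancy lock.

```python
"""Toy model of an ERC-777 transfer hook re-entering a lending pool.

Constructed example for illustration: the token, pools and balances
below are made up and do not model any real contract's code.
"""


class HookToken:
    """Minimal ERC-777-style token: transfer() notifies the recipient."""

    def __init__(self, holders):
        self.balances = dict(holders)
        self.hooks = {}  # recipient -> callable, like an ERC-1820 registry

    def register_hook(self, addr, fn):
        self.hooks[addr] = fn

    def transfer(self, src, dst, amount):
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        hook = self.hooks.get(dst)
        if hook:
            # Control passes to the recipient before transfer() returns.
            hook(src, amount)


class VulnerablePool:
    """Interaction before effects: ledger is updated after the transfer."""

    ADDR = "pool"

    def __init__(self, token, deposits):
        self.token = token
        self.deposits = dict(deposits)

    def deposit(self, user, amount):
        self.token.transfer(user, self.ADDR, amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount

    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:
            raise ValueError("insufficient deposit")
        # The hook runs inside this call while deposits[user] is still unchanged.
        self.token.transfer(self.ADDR, user, amount)
        self.deposits[user] -= amount


class HardenedPool(VulnerablePool):
    """Checks-effects-interactions plus a reentrancy lock."""

    def __init__(self, token, deposits):
        super().__init__(token, deposits)
        self._locked = False

    def withdraw(self, user, amount):
        if self._locked:
            raise RuntimeError("reentrant call")
        self._locked = True
        try:
            if self.deposits.get(user, 0) < amount:
                raise ValueError("insufficient deposit")
            self.deposits[user] -= amount          # effect first
            self.token.transfer(self.ADDR, user, amount)  # interaction last
        finally:
            self._locked = False


def run_scenario(pool_cls):
    """Drive one withdrawal whose recipient hook tries to re-enter the pool.

    Returns the final token balances, the attacker's ledger entry and how
    many reentrant calls the pool blocked.
    """
    token = HookToken({"pool": 100, "mallory": 10})  # 100 belongs to alice
    pool = pool_cls(token, {"alice": 100})
    stats = {"blocked": 0}

    def tokens_received(src, amount):
        # Hook on mallory's account: while the pool still holds tokens,
        # call withdraw again before the outer withdraw has returned.
        if src == pool.ADDR and token.balances[pool.ADDR] >= amount:
            try:
                pool.withdraw("mallory", amount)
            except (RuntimeError, ValueError):
                stats["blocked"] += 1  # a revert, in EVM terms

    token.register_hook("mallory", tokens_received)
    pool.deposit("mallory", 10)
    pool.withdraw("mallory", 10)
    return {
        "pool_tokens": token.balances["pool"],
        "attacker_tokens": token.balances["mallory"],
        "attacker_ledger": pool.deposits["mallory"],
        "blocked": stats["blocked"],
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerablePool))
    print("hardened:  ", run_scenario(HardenedPool))
```

In the vulnerable pool every nested call passes the balance check because the ledger is only decremented on the way back out, so the pool is emptied and the attacker's ledger entry ends up negative (the underflow that a pre-0.8 Solidity contract would silently wrap). In the hardened pool the ledger is reduced before the transfer and the lock rejects the nested call, so the single legitimate withdrawal is all that completes. Either defence alone stops this model; the lock is kept because it also covers paths where a later refactor reorders the effect and the interaction.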

DeFi shouldn’t be on Ethereum

The Ethereum network’s architecture doesn’t meet the scaling and security needs of the DeFi sector, as the level of testing required to achieve all outcomes is infinite in the Solidity programming language, according to Kerr. “For these reasons and many others, leading projects including Binance, Cosmos, and Kava have chosen to leave the Ethereum ecosystem for greener pastures,” he said.

“Building any financial service on the Ethereum Network is problematic for security. Testing the possible outcomes and bugs of Solidity is near impossible as it can do virtually anything as a Turing Complete Language. While powerful, it’s probably the worst environment to build financial infrastructure,” stated Kerr, who sees one of Kava’s value propositions as being rooted in security standards: a purpose-built platform for all assets that treats safe DeFi services as a top priority.

DeFi should be safe and secure

Lendf calls itself, “By far the largest fiat-backed stablecoin DeFi lending protocol.” What’s problematic is that Lendf was too focused on raising capital, growth and expansion to maintain its biggest, best and “largest fiat backed stablecoin” claim to fame. Instead of focusing on improving code for security, understanding its codebase, fixing bugs and releasing secure products, the firm was overly focused on profit and perceived status.

Basic audits, for example, were missing completely and hurdles were being jumped too quickly by the team, resulting in a security vulnerability that is yet to be resolved.

The event could have been prevented and users should have seen this coming, according to Leshner, who tweeted details about how the company had stolen Compound’s code: “If a project doesn’t have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security.” He later encouraged developers and users to learn a valuable lesson: Don’t give your money to a company you can’t trust.

Kava Labs’ Kerr proceeded to quote Facebook CEO Mark Zuckerberg’s motto of “move fast and break things,” elaborating: 

“It’s a great saying to live by for basic software and start-ups, but definitely the worst advice when building financial infrastructure as this past weekend has shown.”

DeFi should focus on users 

Kerr also shared, “At Kava, all our code is built from the ground up, in Golang, in very discrete modules that are scoped to very specific actions that we can audit and verify. This means that we can fully test the code to a very high confidence for its accuracy and security.” He continued:

“We value the safety of user funds and put it at the forefront of everything we do. We run testnets, conduct 3rd party audits, and have a substantial peer review prior to any code going live on the Kava platform. Furthermore, all new code must be reviewed and voted for by the validator group securing and staking $KAVA which includes technically savvy operators like Binance, OKEx, Huobi, Bitmax, Hashkey, Lemniscap, SNZ, Dokia Capital and Framework Ventures.”

DeFi should verify to trust

It’s not enough to trust a company because it has big-name investors, as we have seen with dForce and MakerDao. Yet we often hear “trust and verify” from the DeFi community when we should probably hear “verify and trust.”

While Leshner is the CEO of Compound, he’s also a personal investor in Kava Labs along with other top backers like Arrington XRP Capital. Kava’s excellent technical team and strict adherence to security measures are what have auditors talking about its code. Prior to Kava Labs’ launch, the lending platform ran a professional audit by CertiK, the leading formal verification and audit firm. In a blog post on the audit’s results, CertiK stated, “Kava is one of the best codebases Certik has seen from a project to date, especially in the Decentralized Finance sector.”

Finally, Kerr took the high ground in concluding, “I highly encourage anyone thinking of using a DeFi protocol to first check the team for technical competence, check for technically diligent investors, and check that audits and peer reviews have been done. Even then, assume there will always be some technical risk and market risk when it comes to DeFi protocols. It’s a young space and there will be more painful learnings like this to come.”

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Andrew Rossow is a millennial attorney, law professor, entrepreneur, writer and speaker on privacy, cybersecurity, AI, AR/VR, blockchain and digital currencies. He has written for many outlets and contributed to cybersecurity and technology publications. Utilizing his millennial background to its fullest potential, Rossow provides a well-rounded perspective on social media crime, technology and privacy implications.
