The development of blockchain industry and how to defend against attacks on DeFi

Published at: July 3, 2022

Nowadays, the blockchain market as a whole is in its infancy, and the decentralized finance (DeFi) market is its most promising part. According to DefiLlama data, in 2021, the DeFi market had around $200 billion of liquidity locked in smart contracts. If we view this capital as an initial investment, this market looks like a highly promising venture. Not too many global companies can boast of such a capitalization. But any young market has its teething problems. With DeFi, the main issue is a lack of qualified blockchain developers.

This industry is very young and has a relatively small user base. Most people have at best heard about DeFi without having any idea about what it is. But as it happens with every new promising venture, it quickly creates a lot of speculative interest. Unfortunately, preparing personnel takes much longer, especially when it comes to such knowledge-intense spheres as blockchain and smart contract development. This means that some project teams will have to compromise and hire less experienced personnel.

This problem inevitably creates a growing risk of security loopholes in the code of these projects. And then we have to deal with its consequences in lost user capital. For just a brief understanding of how big this problem is, I can say that about 10% of DeFi’s total liquidity locked has been stolen by hackers. It should not surprise anyone that the mainstream public would prefer to stay away from a financial system that poses such dangers to their funds.

Related: How do DeFi protocols get hacked?

How have DeFi exploits changed recently?

Attacks on DeFi have long been centered around reentrancy attacks. We can recall the famous The DAO hack of 2016 that resulted in the loss of $150 million in investor capital and led to Ethereum’s hard fork. Since then, this vulnerability has been exploited many times in different smart contracts.

The callback function is actively utilized by lending protocols: It allows smart contracts to check users’ collateral balance before giving out a loan. All this process happens within one transaction, which has given hackers a workaround to steal money from such smart contracts. When you send a request to borrow funds, the callback function first checks the collateral balance, then gives out the loan if the collateral was sufficient and then changes the user’s collateral balance inside the smart contract.

To fool the smart contract, hackers return the call to the callback function to initiate this process from the beginning. Since the transaction has not been finalized on the blockchain, the function gives out another loan for the same collateral balance. Even though the solution to this problem has been on the scene long enough, many projects still fall victim to it.

Sometimes, project teams with little skill in writing smart contracts decide to borrow the codebase of another open-source DeFi project to deploy their own smart contract. They normally do so with reputable projects that have been audited and have large user bases and have proved to be securely built. But they may decide to make minor modifications to the borrowed code to add functionalities they want to have in their smart contract, without even changing the original code. This can damage the logic of the smart contract, which developers often do not realize.

This is what allowed hackers to steal around $19 million from Cream Finance in August 2021. The Cream Finance team borrowed the code from a different DeFi protocol and added a callback token in their smart contract. Even though you can prevent reentrancy attacks by implementing the “checks, effects, interactions” pattern that prioritizes the change of balance over the issuance of funds, some teams still fail to safeguard their platforms from these exploits.

Flash loan attacks allow hackers to steal funds differently and have been growing increasingly popular since the DeFi boom of 2020. The main idea of flash loan attacks is that you do not need to have collateral to borrow funds from a protocol because financial parity is still guaranteed by the fact that the loan is taken and returned within one transaction. And it will not take place if you fail to return the loan with interest in one transaction. But attackers have been able to perform successful flash loan attacks on many protocols.

Related: Needed: A massive education project to fight hacks and scams

In doing them, they use multiple protocols to borrow and drag liquidity through until the final act where they amplify the price of a token through oracles or liquidity pools and use it to swindle a pump-and-dump and be gone with liquidity in an array of some major different cryptocurrencies such as Ether (ETH), Wrapped Bitcoin (wBTC) and others. Some famous flash loan attacks include the Pancake Bunny attack, where the protocol lost $200 million, and another Cream Finance attack, in which over $100 million was stolen.

How to defend against DeFi exploits?

To build a secure DeFi protocol, ideally, you should only trust experienced blockchain developers. They should have a professional team lead with skill in building decentralized applications. It is also wise to remember to use safe code libraries for development. Sometimes, the less up-to-date libraries can be the safest option than the ones with the newest code bases.

Testing is another crucial thing all serious DeFi projects must do. As a CEO of a smart contract audit company, I always try to cover 100% of our clients’ code and stress the importance of decentralized protection of the private keys used to call functions of smart contracts with restricted access. It is best to use decentralization of the public key through a multisignature that prevents one entity from having full control over the contract.

In the end, education is one of the keys that will allow blockchain-based financial systems to become more secure and reliable. And education should be one of the key concerns of those looking for employment in DeFi because it can offer mouthwatering rewards to all who can make a viable contribution.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Dmitry Mishunin is the founder and CEO of DeFi security and analytics company HashEx and has long-standing expertise in the field of blockchain security. He has devoted a lot of time to scientific activities, such as research into IT systems, blockchain, and vulnerabilities in DeFi. Under Dmitry’s management, HashEx has become one of the leaders in the field of smart contract audits.
Tags
Related Posts
‘DeFi done right’: Layer-one protocol launches mainnet
A decentralized finance protocol has launched its mainnet — describing it as a crucial step on the journey to a frictionless financial future. Radix, which describes itself as a platform for smart money, is also launching Instapass with its Olympia mainnet — an optional user and developer service that delivers the world’s first single sign-on solution for building compliant DeFi. The Radix mainnet is being positioned as a generational improvement in the history of decentralized ledger computing — and one that delivers 100 times more executional efficiency than the Ethereum Virtual Machine. This comes hot on the heels of the …
Decentralization / July 29, 2021
Don’t blame crypto for ransomware
Recently, gas has been a hot topic in the news. In the crypto media, it’s been about Ethereum miner’s fees. In the mainstream media, it’s been about good old-fashioned gasoline, including a short-term lack thereof along the East Coast, thanks to an alleged DarkSide ransomware attack on the Colonial Pipeline system, which provides 45% of the East Coast’s supply of diesel, gasoline and jet fuel. In cases of ransomware, we generally see a typical cycle repeat: Initially, the focus is on the attack, the root cause, the fallout and steps organizations can take to avoid attacks in the future. Then, …
Technology / May 30, 2021
Bitcoin Ransomware and Remote Working: What the Future Holds
The new work-from-home culture is gaining more traction than ever before as businesses, government departments and schools try to remain afloat while flattening the pandemic curve. This migration to remote working is a double-edged sword that creates a fertile land for cybercriminals to thrive on. There is no way that cyberattacks can be eliminated completely. The best that companies can do is minimize the frequency of the threats. What is ransomware? Cybercriminals use malicious software code to block people or organizations from accessing their computer systems until a ransom has been paid. Cryptocurrencies such as Bitcoin (BTC) have made it …
Technology / Aug. 21, 2020
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
Report: GALA token exploit resulted from public leak of private key on GitHub
According to a new post by blockchain security firm SlowMist on Nov. 7, it appears that the last week’s token exploit affecting GameFi project Gala Games resulted from a public leak of applicable security keys on GitHub. As told by SlowMist, pNetwork, the cross-chain interoperability bridge used by Gala Games on the BNB Smart Chain, had three privileged roles in its smart contract pGALA. “The Admin role is used to manage upgrades and changes to the Admin address of the proxy contract. The DEFAULT_ADMIN_ROLE role is used to manage various privileged roles in the logic (eg: MINTER_ROLE ), and the …
Technology / Nov. 7, 2022