This article is in the continuation of the post covering security issues in DeFi.
Here we will explore some more DeFi hacks and ways on how new DeFi projects can avoid these security issues.
On 12th Mar 2020, Maker platform incurred over $8M in debt as some of its loans were liquidated for free. The uncertainty around the coronavirus and the erupting oil price war culminated in a severe downturn in capital markets. It resulted in an outright collapse of crypto markets on March 12-13. Transactional activity exploded on the Ethereum blockchain causing network congestion and transaction delays.
Many collateral values on loans on the Maker platform went below thresholds making them undercollateralized. It was because users suffered delays in an attempt to add more collateral. This allows liquidators to participate in an auction to liquidate the loan for some reward.
4,447 auctions were triggered. The congestion in the network throughput on Ethereum caused many liquidators to stop working. The remaining liquidators eventually ran out of Dai liquidity and could not bid until several hours later when it sourced more Dai. Consequently, there was no competition for the auctions. A subset of those auctions won by bidders who submitted bids decimal points above zero (“zero bidders” submitting “zero bids”).
Keepers eventually found liquidity, increased their capacity, and navigated the congestion to successfully challenge later zero bids, which restored a competitive auction space.
The zero-bid events of March 12-13 led to a collateral auction shortfall amounting to approximately 5.4M+ Dai.
DeFi liquidity provider, Balancer Pool fell victim to a sophisticated hack that exploited a loophole, tricking the protocol into releasing $5,00,000 worth of tokens. the attacker had borrowed $23 million worth of WETH tokens, an ether-backed token suitable for DeFi trading, in a flash loan from dYdX. They then traded, against themselves, with Statera (STA), an investment token that uses a transfer fee model and burns 1% of its value every time it’s traded. The attacker went between WETH and STA 24 times, draining the STA liquidity pool until the balance was next to nothing. Because Balancer thought it had the same amount of STA, it released WETH that equated to the original balance, giving the attacker a larger margin for every trade completed. the attacker performed the same attack using WBTC, LINK, and SNX, all against Statera tokens.
According to an analysis by 1inch, The person behind this attack was a very sophisticated smart contract engineer with extensive knowledge and understanding of the leading DeFi protocols.
On 29 Sep 2020, a single tweet caused shock within the DeFi community and ultimately led to a $15M rug pull. The developers conducted a “test in prod” experiment for Eminence Finance, an NFT gaming ecosystem. A hacker exploited it to steal $15M after traders rushed to farm EMN. A tweet by Andre Cronje, the founder of Yearn Finance, led the traders to find the contracts and flood into the protocol, hoping to get in early on the next YFI.
A savvy hacker used a flash loan to drain the pool of all its funds which had not been properly tested and secured. He used the flash loan to mint EMN on a tight bonding curve to increase the price. For every EMN minted, the price would increase incrementally along the curve. As the price increased, the hacker burned EMN for any of the wrapped eTokens—Eminence’s native versions of popular DeFi tokens like Aave – to cause a large supply drop and increase the token price dramatically. This gap allowed the hacker to acquire large sums of EMN and then sell the other tokens to recursively cash in DAI profits.
The hack is explained by Cronje in the following tweets:
1/x First, the data;
1. Yesterday we finished the concept behind our new economy for a gaming multiverse. Eminence. As per my usual methodology, I deployed our staging contracts on ETH so we can continue developing on it.
2. Eminence is at least ~3+ weeks still away
— Andre Cronje (@AndreCronjeTech) September 29, 2020
The DeFi platform suffered a major security breach, hacked for $2M on Nov,12th. The funds were stolen from Akropolis’ Curve liquidity pools connected to the project. The attacker managed to execute a $50,000 exploit 40 times, netting $2 million of DAI in total. Before the attack, Akropolis underwent two security audits performed by CertiK and another unknown security group.
The hacker allegedly created a flash loan to borrow funds with a fake token in the hacker’s own smart contract. As the funds were being transferred, the hacker executed another deposit using $800,000 worth of real DAI borrowed from dYdX. The fake token loan raised the balance of the liquidity pool. When the real loan was initiated, Akropolis minted the same tokens twice, allowing the hacker to withdraw double the intended amount.
Value DeFi Incident:
DeFi protocol was exploited for approximately $7.4M of DAI due to a flash loan attack, a scheme often seen in the DeFi sector. The incident was due to a bug in the way to measure asset price from an AMM-based oracle, Curve.
After a flash loan-based price manipulation on Curve, the exploitation led to unproportional 3crv tokens even from with the same amount of previously minted pool tokens. After the withdrawal, these 3crv tokens were redeemed for DAI. The whole process led to $7.4 million of DAI loss of Value DeFi of which $2 million of DAI was returned back to Value DeFi.
Pickle Finance Hack:
In Nov 2020, Pickle Finance became the latest DeFi project to suffer a high-profile hack. By using design flaws in Pickle contracts, the attacker was able to steal over 19 million cDAI from the DeFi protocol.
DODO DEX Hack:
On March 8, 2021, the DODO DEX experienced a smart contract hack. The attackers were able to steal approximately $3.8 million in cryptocurrency from several of DODO’s crowdfunding pools. Of this, approximately $3.1 million of the stolen assets has since been returned.
The attack against the DODO V2 Crowdpooling smart contract took advantage of a flaw in the init() function of the contract. This flaw allowed the function to be called multiple times with different parameters. With this process, the attacker was able to bypass the liquidity checks used for verifying flash loans. As a result, they were able to drain liquidity from DODO’s pools.
The init() vulnerability exploited in this attack has been around for years and is the cause of several high-profile hacks.
Solutions for DeFi Security Risks
High-quality security audits before the launch of any DeFi project are very much required to detect uneven and unexpected vulnerabilities of smart contracts. It ensures uninterrupted functioning and protection for an asset that is stored in the smart contract. The audit is done by an unbiased third party who reviews the whole code line by line and identifies the potential loopholes.
A thoroughly audited smart contract instills more trust in the investors and other people in the DeFi space. As a result, if the contract is used for an Initial Coin Offering(ICO), Initial Public Offering(IPO), or a Security Token Offering(STO), then these initiatives can be more successful.
A thorough beta phase testing and a full unit test coverage also help in identifying any issues with the functionality of the project. A peer review of code allows for having a fresh perspective on the code. Many DeFi projects launch bug bounty programs to encourage users to report any detected problems before product launch.
Any DeFi smart contract should avoid copy-pasting of code from other protocols. Simply, if it does not fork the whole project, then it tries to “fit in” separate parts of the code, which will often be incompatible with the rest of the code. It may lead to some future exploits.
In order to prevent unnecessary private key access or protect your DeFi protocol in case of key loss, DeFi code should use a multi-sig scheme. So in case of key loss or unwanted access by a third party, the contract will be safe. Moreover, lost keys can be eliminated and/or replaced.
There are a growing number of security and insurance firms in the market to safeguard investors against these attacks.
QuillAudits is a secure smart-contract audits platform designed by QuillHash Technologies. It has launched a specific tool to monitor and troubleshoot smart contracts, QuillMonitor. It helps in tracking the behavior of unauthorized calls in the smart contract. It is used to identify abnormalities in the functions of deployed smart contracts. The whole process creates trust between the Investors and the organizer. Furthermore, this tool can be used to identify unexpected flaws in the contract and monitor the performance of contracts.
Most DeFi audit firms have a waiting list of months as more and more DeFi platforms are developed and require thorough auditing before they are launched.
A crowd testing platform, DVP, is launched to solve the security issues of DeFi. It is an international community of information security professionals (White Hats) that seeks to act as a bridge between the white hats and blockchain projects to provide an efficient and transparent blockchain security information platform, which will help improve the overall security awareness and build a better blockchain ecology.
The bounty program launched by DVP invites white hats to conduct massive testing of blockchain products. Their review will give manufacturers an idea about where the project is heading. In return, they can claim token rewards while the manufacturers save costs, facilitating a win-win situation for both parties. Reputed blockchain vendors like Gate.io, Cobo, F2pool, Vechain, Coinw, Kcash, Contentos, and Neo are some of the platforms to make use of the services offered by the DVP community. In the future, DVP will extend comprehensive support to the BSC (Binance Smart Chain) DeFi ecosystem. Joined by the world’s top security communities like PeckShield and BCSES, DVP has grown into a large technical community with support from more than 15000 White Hats.
OpenZeppelin, a cryptocurrency software, and security firm has just released a software suite for DeFi projects fighting against flash loan attacks and other exploits. Defender is a software suite that provides teams with alerts when an exploit is taking place, as well as automated scripts to respond to that exploit in real-time. Defender is developed in collaboration with Compound Labs, Aave, dYdX, PoolTogether, Balancer, Foundation Labs, and other leading teams. It is expected to reducing the room for human error, making smart contract management simple and safe.
Certora is another protocol that provides formal verification for smart contract code. It writes specifications depending on a set of safety rules provided by the DeFi product and verify the code against these specifications. It has carried out verification for smart contracts in DeFi platforms like dForce lending protocol, Origin OUSD token, Sushi Bentobox, Opyn Gemma protocol, synthetix multi-collateral loans, Aave protocol v2 among others.
MythX is a security product offered by Consensys. It provides smart contract security services for Ethereum. MythX uses SWCRegistry as a database when scanning smart contracts for security issues. SWC Registry is a community catalog of known smart contract vulnerabilities with detailed descriptions, code samples, and remediations.
Advisory to Users
DeFi products require due diligence before making any investment. Users should check a project’s whitepaper, team, community activity, exchange listings, number of security audits. Backing from institutional investors will give users a much clearer idea of whether or not to make an investment.