The decentralized finance sector is growing at a dizzying pace. Three years ago, the total value locked up in DeFi was just $800 million. By February 2021, it had grown to $40 billion, reached $70 billion in April 2021, and is now over $80 billion. Such rapid growth in a new market couldn’t help but attract the attention of all kinds of hackers and scammers.
As of 2019, the DeFi sector has lost an estimated $284.9 million to hacks and other attacks by cybercriminals, according to a report by Messari in April 2021.
In February Messari calculated that over $284 million in DeFi was lost to hacks since 2019
At this point in time, the decentralized insurance industry only covers a fraction of TVL in DeFi. The need is ripe for the picking. pic.twitter.com/WkZVI0TuWb-
Messari (@MessariCrypto) April 28, 2021
From a hacker’s perspective, hacking into blockchain ecosystems is the perfect way to make money. Why? Because such systems are anonymous. In the first four months of 2021 alone, the losses amounted to $240 million. It is worth noting that these are only the cases made public. In fact, these losses can be much higher. In today’s article, we’ll discuss the ways hackers use to break into DeFi’s network.
Abuse of external protocols and business logic flaws
Any type of attack starts first and foremost with victim analysis. For an attack to be carried out quickly and anonymously, the attacker must have the right programming skills and knowledge of how smart contracts work. The hacker’s standard toolkit allows him to download his own full copy of the blockchain from the main network version. He then tunes it so that everything looks as if the transaction is taking place on the real network.
Next, the attacker must examine the project’s business model and the external services used. Errors in mathematical models and external services are two of the most common attack points used by hackers.
Smart contract developers often require more data at the time of a transaction than they may have at any given time. So they are forced to use external services – such as oracles. These services are not designed to operate in a trustless environment, so their use comes with additional risks.
Flash lending and price manipulation
The information provided to a smart contract is only relevant at the time the transaction is executed. By default, the contract is not immuneto potential external manipulation of the information it contains. This makes a whole spectrum of possibilities for launching an attack.
Flashloans are unsecured loans, but involve the obligation to return the borrowed cryptocurrency within the same transaction. If the borrower fails to return the funds, the transaction is cancelled. Such loans allow the borrower to receive large amounts of cryptocurrency and use it for their own purposes. “Flash loan” attacks usually involve price manipulation. An attacker may first sell a large number of borrowed tokens in a transaction, thus lowering their price, and then perform a series of actions at a very low token value before buying them back.
A miner attack is the equivalent of a flash loan, but is carried out on blockchains running on a proof-of-work consensus algorithm. This type of attack is more complex and costly; however, it can bypass some of the security features of flash loans. During a mining attack, the attacker uses computing power to create a block containing only the transactions he needs. Within a given block, he can first borrow tokens, manipulate the price, and then return the borrowed tokens.
Flaws in DeFi’s code
Smart contracts are a relatively new concept. Despite their simplicity, smart contract programming languages require a completely different development model. Programmers often simply lack the necessary skills and make serious mistakes that lead to huge losses for users.
Security audits eliminate only part of the risk. Most auditing companies on the market do not take any responsibility for the quality of work done and are only interested in the financial aspect. Errors in the code were the cause of many attacks. The best example is the dForce hack that took place on April 19, 2020. Hackers exploited a vulnerability in the ERC-777 token standard and grabbed a loot worth $25 million. However, they later returned the funds. A similar situation occurred recently. A hacker broke into the DeFi Poly Network protocol and stole a record amount in the DeFi world – $600 million. At the end, he also returned the entire amount and even got a job offer from the hacked project. However, there were speculations on the web that the hack might have been just a marketing ploy by Poly Network.
The biggest risk comes from the human will. People reach for DeFi because they are looking for an opportunity to make quick money. Many developers lack the right skills and qualifications. However, they still try to launch projects in a hurry. Smart contracts are open source. This means that they can easily be copied and modified by hackers. If the original project contains any attack vector, it means that it will be cloned into hundreds of other protocols. An example of this is the SafeMoon RFI. It contained a vulnerability that, because of the publicly available code, migrated to hundreds of other projects. Ultimately, this led to losses of over $2 billion.
Hacks in the DeFi space are happening more and more frequently and involve larger and larger amounts of money. Moreover, there is no indication that this trend is slowing down. This is why investors should do some in-depth research before investing in DeFi. The field is so young that it carries huge risks. Even if the project exists on the market for a long time and has a solid reputation, it does not mean that the funds blocked in it are 100 percent safe. This is because many times we have already witnessed the collapse of projects with huge TVL.
If you’re interested in the topic of hacks in the DeFi world, feel free to read our other column on the biggest hacks in decentralized finance protocols in 2020.
All information contained on our website is published in good faith and for general information purposes only. Any action taken by the reader in relation to the information on our website is solely at the reader’s own risk.