In Part I of this journey into the dark underbelly of DeFi hacks, I explored what hacking is, why people do it and discussed the recent Poly Network hack in greater detail. Of course there have been several DeFi hacks in the past, and naturally there are a few methods savvy hackers can use to attack unsuspecting protocols. Let’s take a good hard look at the mechanics behind these attacks and find out more about DeFi exploits…
Not the First, Definitely Not the Last
The Poly Network attack may have been the biggest DeFi hack to date, but it wasn’t the first, and I doubt it will be the last. Yeah, you heard me. We can wish all we want, but hacks and exploits aren’t just going to disappear, and certainly not overnight. This is the Wild West of Crypto, ’member? Maybe the worst thing about hacks and exploits is that many, if not all of them, could have been avoided.
Obviously none of the hacks could actually have been avoided. We know this because they happened, but what I mean is that…if we could take away human greed, apathy, ignorance, avarice, dishonesty, corruption and treachery, we…oh yeah, we’d probably solve just about every problem almost instantly, right? Seems like we just can’t trust each other, and that’s the problem. But this is exactly why we have security protocols in place to ensure that attacks and exploits are eliminated, or at the very least kept to a bare minimum.
How Does DeFi Get Hacked?
A recent Cointelegraph article by Vladislav Komissarov and Dmitry Mishunin reveals the four primary means by which DeFi platforms get hacked. While the Poly Network hack may be the biggest in DeFi history thus far, as I mentioned, it’s not the first one. In fact, if you want to see a complete list of the major DeFi hacks that took place in 2020 alone, you can find them right here in this CoinGeek article by Patrick Thompson.
While the total amount hacked during 2020 pales in comparison with the Poly Network exploit, the stolen amounts are anything but insignificant. The security of DeFi platforms is an ever-growing concern since the industry has increased in value from a few million to several billion dollars in recent months. At this rate, the total amount locked into DeFi is only going to increase, and with it, security concerns will continue to mount.
Now what about those four different ways in which DeFi protocols get hacked? Let’s break it down and explore each of these in a little more detail right now…
Third-Party Protocol Misuse/Business Logic Errors
According to Certik, DeFi protocols like PancakeSwap and Uniswap operate independently, meaning no external third-party protocols are involved. However, other projects such as Yearn take user funds and place them into third-party contracts so that yields may be generated. Similarly, some protocols ‘borrow’ code from existing ones (for example, PancakeSwap references code from Uniswap). In both instances, if the referenced code is vulnerable, it means the borrowing protocol is similarly vulnerable.
A good example of this type of attack is the Value DeFi exploit that took place on May 8th 2021 and resulted in a total loss of $11 million. Simply put, Value DeFi copied the ‘power()’ function from ‘BancorFormula.sol,’ which, as you can guess, comes from the Bancor protocol. Unfortunately due to an oversight by the Value DeFi team, while Bancor’s system only allowed a certain function to occur in a given way, the opposite was true for Value DeFi. Thus the attacker was able to easily exchange a small number of one token for another by sending a ‘crafted payload’ to the function, resulting in the loss of $11 million from the Value DeFi protocol. Ouch!
As Certik explains, these kinds of issues are harder to detect since they are often very nuanced. Inevitably some things are going to get taken for granted, and that’s the real problem with simply duplicating code: what works in one protocol might not translate so well to another. That said, it takes a highly skilled hacker (or group) to carry out such an attack, which is why this category only accounts for 10 hacks, which resulted in a total loss of $50 million from June 2020 to June 2021.
Yup, errors in code account for a substantially higher number of hacks. While smart contracts are typically simple in design, an entirely different approach to development is required. In many cases, developers simply lack the requisite skills to properly code smart contracts and make mistakes that leave thousands of users exposed to a huge amount of risk. Naturally there’s the option to submit smart contracts for security audits, but this isn’t foolproof either. The work carried out by auditing firms isn’t regulated, so there is little or no accountability for any poor work rendered.
According to Komissarov and Mishunin, over 100 projects were hacked as a result of coding errors with total losses amounting to $500 million. They say mistakes are costly, but in crypto, it goes way, way beyond that!
Flash Loans/Price Manipulation
Flash Loans are a great mechanic within DeFi, but unfortunately they can also be used for less than honorable purposes. So in DeFi, these loans have no collateral, but any crypto borrowed needs to be returned within the same transaction. If a borrower cannot return the funds, the transaction gets canceled (or reverted). A flash loan lets any borrowing party gain access to large volumes of crypto that they may use however they see fit. This is generally where the price manipulation part comes in. Here an attacker initially sells a high number of loaned tokens within a transaction. This effectively lowers the price, and a range of actions then occurs at a very low token value before they are bought back.
There are plenty of examples of this kind of hack. A CYBAVO article detailing the biggest DeFi hacks of 2021 (well, up until May at least) mentions the Spartan Protocol and how it was attacked using ‘multiple flash loans,’ resulting in the theft of around $30 million. Zoinks! The attacker (or attackers) apparently took out loans using PancakeSwap in order to acquire wrapped BNB tokens. These were then swapped with Spartan’s native token (SPARTA) five times, effectively manipulating the total value of the assets held within its liquidity pool. The stolen funds were then extracted using two Decentralized Exchanges (DEXes), 1inch and Nerve Finance. Good thing King Leonidas isn’t around anymore…
This kind of attack has been employed to exploit over 100 different projects between June 2020 and June 2021 and allegedly accounts for losses around the $1 billion mark.
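The price-manipulation mechanic described in this section, as an added example that is not part of the original article: a constant-product pool simulated in Python with constructed reserves, showing how far one large sale inside a single transaction moves the spot price, and how a protocol that compares spot against a time-weighted average price (TWAP) would refuse to act on it. The names `Pool`, `is_price_safe` and `simulate`, the 0.3% fee and the 5% threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Pool:
    """Constant-product (x * y = k) pool. Reserves are constructed sample values."""
    token: float                  # reserve of the token being priced
    base: float                   # reserve of the quote asset
    fee: float = 0.003            # assumed swap fee
    history: list = field(default_factory=list)  # spot price at each block end

    def spot_price(self) -> float:
        return self.base / self.token

    def sell_token(self, amount_in: float) -> float:
        """Swap tokens for the quote asset; returns the amount paid out."""
        effective = amount_in * (1 - self.fee)
        out = self.base * effective / (self.token + effective)
        self.token += amount_in
        self.base -= out
        return out

    def end_block(self) -> None:
        self.history.append(self.spot_price())

    def twap(self, window: int) -> float:
        recent = self.history[-window:]
        return sum(recent) / len(recent)


def is_price_safe(pool: Pool, window: int = 10, max_dev: float = 0.05) -> bool:
    """Defensive check: refuse to use a spot price that strays from the TWAP."""
    ref = pool.twap(window)
    return abs(pool.spot_price() - ref) / ref <= max_dev


def simulate():
    pool = Pool(token=1_000_000.0, base=1_000_000.0)
    for _ in range(10):
        pool.end_block()              # ten quiet blocks at a price of 1.0
    before = pool.spot_price()
    pool.sell_token(4_000_000.0)      # large loaned amount sold within one transaction
    after = pool.spot_price()         # what a naive spot-price reader would see
    return before, after, pool.twap(10), is_price_safe(pool)


if __name__ == "__main__":
    print(simulate())
```

The TWAP is unchanged by the sale because the manipulated price never survives to a block boundary: the loan must be repaid in the same transaction, so only logic that reads the instantaneous pool price is exposed.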
Lack of Competent Development
To err is human, or so they say. I don’t think this will come as a surprise, but since certain so-called ‘developers’ simply want to make money and/or don’t know how to identify well-written contracts (or how to implement them securely), they take existing open source code, reappropriate it and copy all of the errors and vulnerabilities within that code into their own platforms. This means that many DeFi protocols have transposed common errors into their own offerings, leaving many participants exposed to huge amounts of risk. This is why development takes time and should never be rushed. Incompetent developers have cost various investors a good deal of money with over 100 projects having been hacked due to human shortcomings.
The total lost due to these hacks thus far is over $1 billion. Moreover, with existing vulnerabilities, potential losses that may occur in the not-too-distant future exceed the $2 billion mark.
You can find out more about the different types of DeFi hacks and their attendant security risks via this Certik article.
But What Does It All Mean?
It means that it’s important to take care and do your due diligence so that you don’t end up the victim of some kind of nefarious hack. I understand this is easier said than done, and I know there’s no way to know that everything will be OK. DeFi may be in its infancy, but there are some protocols working tirelessly to ensure their platforms are watertight, ironclad, efficient and reliable. The caveat? You gotta find them and ultimately decide for yourself.
When I first got into crypto, I thought it would be pretty much smooth sailing after my first big win, but that was shortsighted at best. I have had to deal with bad actors, scamsters and centralized exchanges, and at times it’s been a real struggle. However, I know better now, so I make better decisions. Have faith my fellow crypto enthusiasts…the show is only just getting started!