Nowadays, the blockchain market as a whole is in its infancy, and the decentralized finance (DeFi) market is its most promising part. According to data from DefiLlama, in 2021, the DeFi market had approximately $200 billion of liquidity locked in smart contracts. If we consider this capital as an initial investment, this market looks like a very promising adventure. Few global companies can boast of such capitalization. But any young market has its start-up problems. With DeFi, the main problem is the lack of skilled blockchain developers.
This industry is very young and has a relatively small user base. Most people have at best heard of DeFi without having any idea what it is. But as happens with every promising new venture, it quickly creates a lot of speculative interest. Unfortunately, staff preparation takes much longer, especially when it comes to knowledge-intensive areas such as blockchain and smart contract development. This means that some project teams will have to compromise and hire less experienced staff.
This problem inevitably creates an increasing risk of security vulnerabilities in the code of these projects. And then we have to deal with its consequences in terms of loss of user capital. For just a brief understanding of the magnitude of this problem, I can say that around 10% of the total liquidity locked in DeFi has been stolen by hackers. It should come as no surprise that the general public prefers to stay away from a financial system that poses such dangers to their funds.
Related: How are DeFi protocols hacked?
How have DeFi exploits changed recently?
Attacks against DeFi have long centered on reentrancy attacks. We remember the famous The 2016 DAO hack that resulted in the loss of $150 million in investor capital and led to the hard fork of Ethereum. Since then, this vulnerability has been exploited several times in different smart contracts.
The reminder function is actively used by lending protocols: it allows smart contracts to check the balance of users’ collateral before granting a loan. This whole process takes place in a single transaction, which has given hackers a workaround to steal the money from these smart contracts. When you send a request to borrow funds, the callback function first checks the collateral balance, then grants the loan if the collateral was enough, then changes the user’s collateral balance in the smart contract .
To fool the smart contract, the hackers return the call to the callback function to start this process from the beginning. Since the transaction has not been finalized on the blockchain, the function grants another loan for the same collateral balance. Even though the solution to this problem has been around for quite a long time, many projects still fall victim to it.
Sometimes, project teams with little skill in writing smart contracts decide to borrow the codebase of another open-source DeFi project to deploy their own smart contract. They normally do this with reputable projects that have been audited and have large user bases and proven to be built securely. But they can decide to make minor changes to the borrowed code to add features they want to have in their smart contract, without even changing the original code. This can undermine the logic of the smart contract, which developers often don’t realize.
This is what allowed hackers to steal around $19 million from Cream Finance in August 2021. The Cream Finance team borrowed code from a different DeFi protocol and added a callback token in their smart contract . Even though you can prevent reentrancy attacks by implementing the “checks, effects, interacts” scheme that prioritizes changing balances over issuing funds, some teams still fail to protect their platforms from these feats.
Flash loan attacks allow hackers to steal funds in a different way and have been increasingly popular since the DeFi boom of 2020. The main idea behind flash loan attacks is that you don’t need collateral to borrow funds to a protocol because financial parity is always guaranteed by the fact that the loan is contracted and repaid in a single transaction. And this will not happen if you do not repay the loan with interest in one transaction. But attackers have been able to perform successful flash lending attacks on many protocols.
Related: Necessary: a massive educational project to fight against hacks and scams
In doing so, they use multiple protocols to borrow and drag liquidity to the final act where they amplify the price of a token via oracles or liquidity pools and use it to scam a pump-and-dump and leave with liquidity in an array of some different major cryptocurrencies such as Ether (ETH), Wrapped Bitcoin (wBTC) and others. Some famous flash loan attacks include the Pancake Bunny attack, where the protocol lost $200 million, and another Cream Finance attack, in which over $100 million was stolen.
How to defend against DeFi exploits?
To build a secure DeFi protocol, ideally, you should only trust experienced blockchain developers. They must have a professional team leader with skills in building decentralized applications. It’s also wise to remember to use development-safe code libraries. Sometimes less up-to-date libraries can be the safer option than ones with newer codebases.
Testing is another crucial thing that all serious DeFi projects must do. As the CEO of a smart contract auditing company, I always try to cover 100% of our clients’ code and stress the importance of decentralized protection of the private keys used to call access smart contract functions. restricted. It is preferable to use the decentralization of the public key via a multisignature which prevents an entity from having full control of the contract.
Ultimately, education is one of the keys that will allow blockchain-based financial systems to become more secure and reliable. And education should be a top concern for those looking for a job in DeFi, as it can offer tempting rewards to anyone who can make a viable contribution.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.
The views, thoughts and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Dmitry Mishunin is the founder and CEO of security and analytics firm DeFi HashEx and has long-standing expertise in the blockchain security space. He has devoted a lot of time to scientific activities, such as research on computer systems, blockchain and vulnerabilities in DeFi. Under Dmitry’s leadership, HashEx has become one of the leaders in the field of smart contract audits.