The decentralized finance market (DeFi) has been one of the most explosive trends in the crypto industry since the ICO boom of 2017. Crypto-assets locked away in DeFi protocols over 2020 have increased by a staggering 1,740%, from $676 million to a peak of $12.44 billion — according to figures from Defipulse.
This dramatic rise in value held on the market coupled with the fact that all DeFi platforms are largely run autonomously has made it a vulnerable, lucrative target for malicious hackers.
The research we’ve conducted at Hacken shows there have been at least 11 high-profile security breaches including the recent Harvest Finance (FARM) hack, since January 1st. The collective amount stolen in US dollars at the time of each cyberattack, excluding recovered funds, now exceeds $78.3 million.
Why are they happening?
While no two DeFi protocol hacks are ever completely the same, they typically occur from one of three recurring issues. Business logic errors, coding mistakes, and problems arising from management override controls. Let’s take a look at the Harvest Finance (FARM) exploit as the most recent example. The ‘hack’ involved a user taking advantage of an unchecked arbitrage opportunity on the platform using a $50 million flash loan. $10m USDT was swapped to USDC via a DeFi exchange liquidity pool named Curve to decrease the value of USDT, and then the following $40m USDT was exchanged for fUSDT at Harvest Finance. The $10m USDC was then swapped back into USDT on Curve to increase the price of USDT, which in turn caused the USDT rate against fUSDT to increase also. The user then simply swapped fUSDT back into USDT and netted an average return of $500,000. After repeating this cycle several times, they were able to generate $24 million before their activities were noticed.
This is a classic example of what we mean by a business logic error, where an exploitable opportunity is created in a platform’s infrastructure mostly because developers lack the necessary financial knowledge to foresee these types of loopholes.
This case is very similar to the two attacks that happened on the bZx exchange within the same week back in February. Again, this was the result of an unchecked arbitrage opportunity that allowed the hacker(s) to make off with around $1 million in ETH — and there was absolutely nothing anyone could do about it. Coding errors also play a major role in creating additional openings for savvy hackers to exploit and drain liquidity pools. These often arise because of a project’s desire to enter the market as quickly as possible to capitalize on the growing demand without passing through a proper security auditing process first. A good illustration of this was the Lendf.me hack on April 20, whereby a flaw in the ERC-777 token standard allowed a reentrancy attack. Over $25 million was stolen as a result of this coding error, however, interestingly all funds were eventually returned after the hacker accidentally leaked their own IP address. Lucky escape for the DeFi protocol! The bZx exchange also fell victim to this type of security breach on September 14 even though they had previously enlisted the services of external auditors. On this particular occasion, hackers made substantially more than the previous two attacks, amassing $8.1 million from a fatal fault in a smart contract that was missed by independent security firms, Peckshield and Certik.
The final recurring issue which contributes to a number of DeFi security breaches is problems caused by management override controls. What we mean by this is when founders take advantage of their position as an initial liquidity provider and dump an enormous amount of tokens on the community. The Sushiswap saga is perhaps the best example of this type of DeFi vulnerability. Chef Nomi, the anonymous creator of the protocol, sparked huge controversy when they decided to dump his/her founder’s tokens on the market in true Charlie Lee-style. The move caused the price of SUSHI to crash 75% in minutes and was immediately labeled by the DeFi community as an exit scam. Not long after, the head chef decided to return the $14 million worth of ETH they had made from the sell-off back to the project’s treasury.
How to prevent these hacks
Business logic errors can be easily fixed by trialing the DeFi protocol properly in a testnet or beta phase before launching, and ensuring that the arbitrage check function has a lower tolerance value than 2%. At Hacken, we also advise that deposit functions should also not be accessible to 3rd party smart contracts, or at least certain value limits should be in place if they are.
As we’ve seen from the most recent bZx hack, getting audited from third-party contractors does not always guarantee that a protocol will be completely free from coding errors, however, it does go some way towards showing the community that you’re taking every step possible to mitigate those risks. Security audits from respected cybersecurity firms should be routinely carried out to reduce the threat of direct protocol vulnerabilities.
Finally, with regards to mismanagement from DeFi founders, the best way for traders to insulate themselves from falling victim to exit scams and fraud is to perform rigorous due diligence prior to parting with any crypto. Checking a project’s whitepaper, team, community activity, exchange listings, number of security audits, and backing from institutional investors will give you a much clearer idea of whether or not to make an investment.
The future of DeFi hacks
With the current rapid rate of new projects entering the space and the exponentially increasing amount of assets being locked away in decentralized finance protocols, our cybersecurity team at Hacken anticipates 2021 will see a noticeable uptick in the 3 aforementioned types of DeFi hacks, and overall, estimate it will take 2–5 years before we see stable and secure DeFi protocols.