CEO of TheAppSolutions Generating billions of value for our customers by building products people love
In 2021, over $10 billion worth of user funds has been stolen as a result of fraud and theft on DeFi products. This translates into a 7x increase from last year.
In 2022, the UK tax authority opened 20 criminal investigations involving digital assets. This action has been prompted by a spike in money laundering and fraud.
According to another report, cryptocurrency-based crime hit a new all-time high in 2021, accounting for $14 billion of value received by illegal addresses.
It seems like the serene existence of decentralized finance has been an illusion, hasn’t it? But while these numbers run counter to the utopia of the crypto world, they still don’t reflect the whole picture of DeFi security and lawfulness.
With that said, let’s get a deep dive into the security issues of decentralized finance and popular scams known to us so far.
Journey into the DeFi past
In case it’s your first time reading about decentralized finance, I’ll take you on a brief tour of the DeFi universe, based on our blog post.
Decentralized finance or DeFi is a set of specialized applications and financial services based on blockchain. It is also often heralded as a movement that aims to make finance decentralized and open to everyone.
That is, DeFi transactions do not require intermediaries like banks or any other kind of centralized processing. On this note, DeFi relies on the use of smart contracts, cryptography, and blockchain to automate processes and protocols, making it more efficient and secure than traditional banking structures. Formally, you become your own bank since you can perform financial services in lending, borrowing funds, insurance, and others, but with no document hassle.
- decentralized exchanges (DEXs),
- peer-to-peer lending platforms,
- prediction markets, etc.
Most of DeFi products are built on Ethereum since this blockchain platform empowers the Solidity programming language which helps create advanced smart contracts.
At the moment of writing, the amount of cryptocurrency held in decentralized finance has climbed to over $80 million, which undoubtedly makes it a viable financial phenomenon with a solid user base. However, the DeFi infrastructure and its regulation is still under development which makes it vulnerable to attacks, ponzi schemes, and other security threats.
Thus, in the best case scenario, smart contracts enable unmatched noncustodial financial services. However, they are as safe as their code. As a result, smart contracts can often be plagued with bugs or gaping security vulnerabilities that allow hackers to drain the wallets. And let’s not forget the power of open-source and composability, which can be both a blessing and a curse.
Top DeFi Hacking Styles
Over the last two years, the cryptocurrency community has been spooked by an assault of phishing schemes, which has many questioning the very foundations on which it was based. As a result, DeFi applications are becoming increasingly associated with the “Wild West” of cryptocurrencies due to the growth of cryptocurrency criminality.
With that said, let’s have a look at some widespread attack types.
Flash loan attack
Flash Loans are a feature in a number of popular DeFi protocols that allow you to borrow cryptocurrency assets without collateral, provided that the loan will be reimbursed in the same block of transactions.
In this case, a cyberthief manipulates the market by taking out a flash loan from a DeFi protocol and then arbitraging it by driving the value of the borrowed token underwater thanks to excess slippage. After that, the hacker quickly returns the loan and keeps the profit to themselves by selling the tokens on other markets for real price.
Let’s revisit Cream Finance and its fatal attraction for hackers. In 2021, the flash loan exploit whipped the company for $130 million worth of liquidity provider tokens. Earlier that year, the hackers pocketed $37.5 million in February and $18.8 million in August in other flash loan exploits.
Rug pulls or ponzi schemes
Rug Pull is a type of DeFi scam when blockchain developers first pump their project’s token and then abandon a project, walking away with investor funds and leaving a valueless token. Main types of rug pulls include liquidity stealing, limiting sell orders and dumping.
This particular type of malicious maneuver resulted in almost $3 billion in lost money for victims in 2021, according to Chainalysis, a blockchain analysis company. OneCoin is one of the biggest rug pulls ever in the crypto market. Thus, the developers got away with more than $4 billion from unsuspecting investors. Squid game token is another ponzi scheme. The token was a play-to-earn token inspired by the Netflix TV series and brought up over 43,000 investors short.
This cyberattack is one of the most destructive ones in Solidity smart contracts since it can completely drain your smart contract of funds. In this case, an attack contract calls a victim’s contract in such a way that it gets more control over code execution, thus disrupting the victim’s contract and gaining unauthorized access. When the victim’s contract fails to update its state, the attacker calls the withdrawal function to make easy money.
The difficulty however is that the re-entrancy vulnerability is tricky to spot since the implementation of smart contract differs and so do possible scenarios. Moreover, since there is no specific pattern in the context of Smart-Contracts, this vulnerability cannot be recognized accurately. And analyzing with a simple and straightforward pattern may produce false positives, whereas rigorous patterns may fail to detect the presence of a re-entrancy vulnerability.
The most famous example of this was the DAO Hack, where $70million worth of Ether was siphoned off.
A 51% attack is a scenario that could play out if a malicious actor gained control of more than half of the processing power of a cryptocurrency network. By having the majority control over the network, the actor could then begin double-spending coins, censor transactions, or even take over the network entirely.
The risk of a 51% attack is real and has already played out against smaller cryptocurrency networks in the past. Additionally, this also allows the attacking node to prevent new transactions from being confirmed, acting as if it was the legitimate network.
It means that the legitimate blockchain grows slower than the malicious one, which allows the attacker to rewrite the contents of the distributed ledger. 51% attacks aren’t widely used since they are expensive to pull off.
In 2020, DeFi platform PegNet suffered a 51% attack where top miners fraudulently created $6.7 million in stablecoins.
And these are just a sliver of security issues that haunt DeFi platforms and applications.
Is DeFi THAT vulnerable?
Now let’s get into more details. Cryptography is the old news in the world of secure monetary transactions. The truly disruptive concept of DeFi is full and complete decentralization, where compromised nodes reappear like the Hydra of Lerma.
And a lion’s share of DeFi vulnerability stems from its decentralized and open foundation as well. Along with limitless potential, we get completely transparent smart contracts where loopholes and vulnerabilities become public knowledge. Also, considering the far-reaching DeFi structure where apps involve multiple smart contracts connecting across multiple protocols, one vulnerability can drag down a myriad of protocols.
But it’s not all doom and gloom. Just like any other new kid on the block, DeFi just needs to grow up and spread its wings. Any new technology is prone to imperfection, and it’s up to you to decide whether the trade-off is worth it. In the case of decentralized finance, security relies on the technology you are using.
And while experts and governments are debating over the DeFi regulation, we should all follow the buyer beware approach - pay due diligence before getting into the field. With that being said, let’s go over some accepted security practices to reduce the vulnerability rate of your DeFi application.
How can you protect your DeFi assets?
Although there is a specific protection measure against each hacking style, I’ve curated the most popular security practices to keep your DeFi assets safe and sound.
Full unit test coverage
Unit tests are a salient testing technique necessary for any high-quality project, including decentralized finance. This type of testing functionality problems in separate parts of smart contracts. Why bother with boring testing? Once deployed, smart contracts are immutable, which means that your code must be bug-free BEFORE it gets on the DeFi platform. Most importantly, contracts require full test coverage, meaning that there shouldn’t be any gray zones.
Smart contract security audit
Full unit test coverage is great, yet it cannot predict unexpected vulnerabilities or all possible interaction paths. Security audit, on the contrary, allows developers to analyze areas that could be manipulated by threat actors. Beside obvious security benefits, audits can also help the team to enhance the efficiency of your DeFi application as a whole. However, audits can guzzle up a lot of financial and time resources, which may scare some companies. Yet, it is a must to thwart reentrancy, oracle, and other types of attacks.
Deploying smart contracts shouldn't be manual copy/pasting. Since the byte code for every contract on the network is public, it’s fairly easy to use it for another contract. However, unless you fork the whole project (which is also not the best scenario), you will end up with separate pieces of code that may not be compatible with the rest. Also, it will be hard to change or add anything even mildly significant in the code. Therefore, copy and paste is extremely detrimental to the security and opens your DeFi app to potential attacks.
The Bottom Line
DeFi protocols are relatively young and complex systems, and so does the blockchain. The duo of immaturity and advancement make both susceptible to exploits. Therefore, before securing a DeFi project, you need to have a holistic and accurate image of possible threats and security policies. Obtaining this accurate image, in turn, requires a comprehensive security audit. When done right, DeFi projects turn from vulnerable systems into unique, transparent and direct transaction applications with no dependency on third-party institutions for oversight.
L O A D I N G
. . . comments &