While decentralised finance is poised to disrupt traditional finance with fast secure transactions, smart contracts that govern them are placing the industry at risk with exploitable code. We explore what is being done to mitigate the risk, and what can be done better.
On August 19th, Japanese cryptocurrency exchange Liquid Global had $97 million in cryptocurrencies stolen in a compromised security hack which targeted their multi-party-computation (MPC) wallets, and the currencies were siphoned to four wallets identified by Liquid Global. All in all, the stolen currencies totalled to about 107 Bitcoin tokens, 9 million Tron tokens, 11 million XRP tokens, and almost $60 million worth of Ethereum and ERC-20 tokens.
Yet the amount stolen from Liquid Global did not overshadow the largest hack in Decentralised Finance (DeFi) to date. On August 10th, cross-chain DeFi protocol Poly Network saw a hacker making off with a total of $612 million worth of cryptocurrencies. While the funds were returned by the hacker now known as Mr. White Hat in a reference to ethical hacking, it is undeniable that the protocol had vulnerabilities that could be easily exploited. In a similar fashion, $7 million in USDC coins were stolen from crowdfunding platform DAO Maker, a technology provider that allows DAO token holders to participate in early-stage token sales. All in all, a total of $716 million worth of cryptocurrencies were stolen in August alone.
With over $151.8 billion dollars’ worth of cryptocurrency locked in the DeFi ecosystem at the time of writing, there is no doubt that decentralised finance is here to stay. Each of the top four DeFi applications – AAVE, Curve, InstaDApp, and Compound – have an average locked value of $11 billion, which is why the worrying trend of increased DeFi hacking poses a real threat to the industry being considered as a serious, stable financial alternative to traditional finance.
Over the past three months alone at least 12 instances of financial-related exploits have led to millions of dollars being appropriated – $354.2 million to be exact.
List Of Hacks And Exploits In The Last 3 Months
Spartan Protocol Hack – $30 million
A calculation failure in the SPARTA smart contracts attack allowed the attacker to withdraw an unbalanced amount of assets from a liquidity pool to drain its funds.
Thorchain Decentralised Exchange Hack – $8 million
The attacker manipulated an override loop in Bifrost, which is THORChain’s bridge to the Ethereum network, to withdraw tokens without having to deposit any of their own. This allowed them to extract value from various liquidity pools.
Uranium Finance Hack – $50 million
A calculation error in the second version of the smart contracts allowed the attacker to send a small amount to the contract and extract a much larger one in return, draining the contract’s reserves of value.
Meetbits NFT Exploit – $700k
An exploit in non-fungible token (NFT) platform Meebits allowed a user to keep re-rolling for a rare NFT, and he could cancel the transaction if they didn’t get the desired digital asset. The NFT was then immediately sold for 200 Ethereum.
Rari Capital Hack – $11 million
The hacker took advantage of a loophole in the way Rari Capital’s smart contracts calculated liquidity shares, which made it possible to extract more Ethereum tokens than they initially deposited and ultimately draining the pool of value.
Pancakebunny Protocol Hack – $200 million
Instead of a loophole in the protocol’s smart contracts, the hacker made use of the platform’s inherent function to execute a flash loan attack. By manipulating the prices of both USDT/BNB and BUNNY/BNB in their attack, the attacker received more tokens than they should have when exchanging BUNNY tokens for BNB tokens.
Bogged Finance Hack – $3 million
As a result of a bug in Bogged Finance’s smart contracts that allow users to increase the balance via self-transfer, the attacker made use of flash loans to significantly increase the staking amount, and repeated self-transfers were made to claim the inflated staking profit.
Belt Finance Hack – $6.3 million
An incorrect integration with Venus Finance allowed the hacker to exploit the multi-strategy vault function on the platform. By utilising a flash loan attack, they were able to receive more BUSD tokens than they should have received when withdrawing from the Venus strategy vault.
Alchemix- $6.5 million
Due to the platform’s official alETH deployment script accidentally creating additional vaults, it caused Alchemix to use the wrong index value which calculated a wrong reward value. This caused a reverse-hack of sorts where Alchemix users were able to withdraw their Ethereum collaterals without paying outstanding loans.
Chainswap Hack – $8 million
The hacker exploited a vulnerability in the platform’s smart contracts that allowed them to steal and mint new tokens for various protocols. As Chainswap links the Ethereum and Binance Smart Chain (BSC) together as a bridge protocol, the token value of projects like DeFi perpetual options Antimatter and NFT Marketplace Wilder World that utilised the bridge saw their value drop drastically.
BurgerSwap Hack – $7.2 million
Similar to Belt Finance’s hack, the attacker was able to exploit a flaw in the BurgerSwap contract where it was missing a requirement check which allowed anyone remove any amounts from a pool on the protocol. This allowed the hacker to do a re-entrancy attack and transfer the funds from the pool.
Bondly Finance Hack – $23.5 million
The attacker used the legitimate access granted to the protocol owner’s account to inappropriately mint 373 million tokens and steal them from the protocol.
Are Smart Contracts The Problem?
Hacking attempts can be a result of lax security and phishing attempts on personal keys, but it seems the bulk of Decentralised Finance hacks are attributed to one thing – failure of smart contracts. Whether it is a vulnerability due to internal coding error or external price manipulation, smart contracts are the main targets for attacks in the DeFi space.
What are Smart Contracts? To put it simply, they are self-executing lines of code that run on a decentralized network such as blockchain. By executing automated codes and making transactions trackable and irreversible, they are essential for agreements to be carried out between anonymous parties without the need for a central authority, and they are the reason for blockchain’s speedy efficiency by removing third parties from the transaction process.
Yet smart contract vulnerability is one of the key areas that hackers exploit when stealing funds from DeFi platforms. In the latest 2021 Crypto Crime Report by Chainalysis, the blockchain data platform noted a rise in attacks on crypto exchanges and DeFi platforms with over $170 million being stolen in 2020. Similarly, code exploits and flash loan attacks were the main modes of attack when hacking DeFi platforms such as Lendf.me, bZx Protocol, and Maker DAO.
What is being done to address these Smart Contract Vulnerabilities?
With the cost of code failure being extremely high when it comes to DeFi applications, there are groups of developers and companies who are dedicated to ensuring its continued security, such as implementing secure layers to existing blockchains and conducting code audits.
Smart Contracts Best Practices
As blockchain programming language like Solidity are new and experimental at times, there is a need to maintain best practices while developing blockchain programmes. Developers would have to adopt a different mindset when building with these new coding languages as compared to common ones like Python or C++.
Ethereum software company Consensys has a list of best practices on their Github page which advise Solidity programmers on development recommendations, providing examples of smart contract attacks, and writing software to account for potential failure. 101 Blockchains also provide a whole list of blockchain principles, practices, and advice on risk mitigation for aspiring developers.
Blockchain Security Services
With more and more projects springing up every day, a whole host of companies offering blockchain security services have also stepped forward to address their needs for a secure infrastructure. Such services often include blockchain security assessments and network penetration testing. Anti-virus provider Kaspersky offers Endpoint Protection which secures the entire system at the device level while data security Cocoon Data uses patented technology in their Safeshare product to prevent data breaches and provide file security.
On the other hand, companies like Cybavo forgo the security add-on services and offer all-in-one products that comes with secure regulations, or they may offer both like Fireblocks with Multi-Party Computation (MPC) wallet products and enterprise-grade Multi-layer Security integration services.
Smart Contracts Auditing
Smart contracts security auditing checks a blockchain application’s smart contract for issues before it launches. This includes determining the function of the code, testing for bugs, and looking through the code before green-lighting the blockchain application or providing feedback.
Companies offering blockchain security audits utilise specialised software to review smart contracts. For example, CertiK uses their Skynet Scanning Technologies to create security scores, and Slowmist uses an integrated data system called Blockchain Threat Intelligence. On the other hand, Quantstamp takes a leaf from blockchain technology to create a decentralised smart contracts audit protocol that checks code with validator nodes.
Does Singapore have laws to prevent loss through cryptocurrency hacks or scams?
In Singapore, the Payment Services Act was implemented in January 2019 to provide for the licensing and regulation of payment service providers and payment systems. It provides regulations and safeguards to protect consumers, and was expanded in January 2021 to include companies that facilitates transactions, exchange, and storage of digital payment tokens (DPT), which is the definition for cryptocurrencies by the Monetary Authority of Singapore (MAS).
Previously speaking on behalf of Minister-in-charge of MAS Tharman Shanmugaratnam, current Minister of Health Mr Ong Ye Kung mentioned in the Bill Amendment that “This will help minimise the risk of DPT service providers being exploited by criminals to launder illicit proceeds or hide illicit assets” while highlighting that the revision will “ensure better consumer protection and to maintain financial stability and safeguard the efficacy of monetary policy”.
Yet the downside of the bill is it only addresses cryptocurrency regulation with regards to anti-terrorism measures, money laundering restrictions, or Know Your Customer (KYC) implementation. When it comes to redressing individual loss through cryptocurrency scams or hacks, there is no legislative protection for individuals as Singapore does not consider digital assets to be legal tender, and hence is not regulated by MAS.
Will DeFi Hacks continue to happen?
The DeFi space is an exciting place to be as it continues to upend traditional finance. But the combination of smart contracts as a new concept with its own development paradigm, lack of rigorous testing due to tight timelines for new projects, and unplanned outcomes of code execution mean that DeFi exploits will continue to be the norm for now.
Speaking with local software engineer Joseph Tan about his thoughts on the hack, he thinks that extensive research and qualitative analysis of smart contracts prior to launch can reduce the likelihood of hacking. Unlike traditional code where it can be updated periodically, smart contract programming cannot be changed once uploaded. Yet he feels that many cryptocurrency projects may want to bank on an early-market entry which means that checks on smart contracts may not be well-practised.
Some projects are addressing the vulnerabilities by seeking to re-define the idea of smart contracts, such as that of the Radix Engine. The decentralized ledger has its own consensus mechanism called Cerberus which allow both synchronous and asynchronous communication, and it aims to create its own modular smart contracts called Component for a more secure DeFi application build.
And the role of decentralised exchanges (DEX) in cryptocurrency hacks have yet to be addressed. Envisioned as cryptocurrency exchanges which operates in a decentralized way without a central authority, DEXes like Uniswap are used to liquidate stolen cryptocurrencies which was the case with the latest hack on Liquid Global. While Centralised Exchanges like Huobi, Binance, and Kucoin were able to blacklist or report the hacker’s wallet addresses, the stolen assets were still able to be liquidated on Uniswap.
As DEXes become increasingly complicit in swapping out stolen currencies, should they be made to implement AML and KYC actions? Which begs the next question – How do you implement measures when no one owns the exchange? As more hackers make use of these platforms, the community governing the DEX protocols may have to answer these questions to create a safer DeFi ecosystem.
With the rising popularity of cryptocurrency in 2021, more funds are flowing into DeFi markets than ever and decentralised finance exploits can no longer be ignored. With new all-time highs being set with every new hack, developers need to be more stringent in their approach to building DeFi applications and smart contracts need to start becoming smarter to prevent exploitable outcomes while being more secure at the same time.