The development of the blockchain industry and how to defend against attacks on DeFi
Nowadays, the blockchain market as a whole is in its infancy, and the market for decentralized finance (DeFi) is the most promising part. According to DefiLlama data, by 2021 the DeFi market had around $ 200 billion in liquidity locked in smart contracts. If we look at this capital as a start-up investment, this market looks like a very promising investment. Not many global companies can boast of such a capitalization. But every young market has its dental problems. With DeFi, the main problem is the lack of qualified blockchain developers.
This industry is very young and has a relatively small user base. Most people have at best heard of DeFi without having any idea what it is. But as with any new promising venture, it quickly creates a lot of speculative interest. Unfortunately, it takes much longer to prepare personnel, especially when it comes to such knowledge-intensive spheres as blockchain and smart contract development. This means that some project teams will have to compromise and hire less experienced personnel.
This problem inevitably creates an increasing risk of vulnerabilities in the code of these projects. And then we have to deal with the consequences of lost user capital. For just a brief understanding of how big this problem is, I can say that about 10% of Defi’s total liquidity locks have been stolen by hackers. It should come as no surprise that the general public prefers to stay away from a financial system that poses such dangers to their funds.
Related: How are DeFi protocols hacked?
How has DeFi utilization changed recently?
Attacks on DeFi have long been centered around reentrancy attacks. We can remember the famous The DAO notch from 2016 which resulted in a loss of $ 150 million in investor capital and led to Ethereum’s hard fork. Since then, this vulnerability has been exploited many times in various smart contracts.
The repayment function is actively used by lending protocols: it allows smart contracts to check users’ collateral before issuing a loan. All this process takes place within one transaction, which has given hackers a solution to steal money from such smart contracts. When you send a request to borrow funds, the callback function first checks the security balance, then issues the loan if the security was sufficient and then changes the user’s security balance inside the smart contract.
To trick the smart contract, hackers return the call to the callback function to start this process from the beginning. Since the transaction is not completed on the blockchain, the function issues a new loan for the same collateral balance. Although the solution to this problem has been on the scene long enough, many projects still fall victim to it.
Sometimes project teams with little expertise in writing smart contracts decide to lend the code base to another open source DeFi project to distribute their own smart contract. They normally do this with reputable projects that have been revised and have large user bases and have proven to be safely built. But they can decide to make minor changes to the borrowed code to add features they want to have in their smart contract, without even changing the original code. This can damage the logic of the smart contract, which developers are often unaware of.
This is what allowed hackers to steal around $ 19 million from Cream Finance in August 2021. The Cream Finance team borrowed the code from another DeFi protocol and added a callback token to their smart contract. While you can prevent reentrancy attacks by implementing the “checks, effects, interactions” pattern that prioritizes changing balance over issuing funds, there are still some teams that fail to protect their platforms from these exploits.
Flash loan attacks allow hackers to steal funds in a different way and have become increasingly popular since the DeFi boom in 2020. The main idea of flash loan attacks is that you do not need to have security to borrow funds from a protocol because financial parity is still guaranteed by taking the loan and returning it within one transaction. And it will not happen if you fail to return the loan with interest in one transaction. But attackers have been able to carry out successful flash loan attacks on many protocols.
Related: Necessary: A massive educational project to combat hacks and scams
By doing so, they use multiple protocols to borrow and draw liquidity until the final act where they amplify the price of a token through oracles or liquidity pools and use it to swindle a pump-and-dump and get away with liquidity in a series. of some big different cryptocurrencies like Ether (ETH), Wrapped Bitcoin (wBTC) and others. Some well-known flash loan attacks include the Pancake Bunny attack, in which the protocol lost $ 200 million, and another Cream Finance attack, in which over $ 100 million was stolen.
How to defend against DeFi exploits?
To build a secure DeFi protocol, you should ideally only rely on experienced blockchain developers. They should have a professional team leader with skills in building decentralized applications. It is also wise to remember to use secure code libraries for development. Sometimes the less updated libraries may be the safest option than those with the latest code bases.
Testing is another important thing all serious DeFi projects must do. As the CEO of a smart contract auditing company, I always try to cover 100% of customers’ code and emphasize the importance of decentralized protection of the private keys used to call functions to smart contracts with limited access. It is best to use decentralization of the public key through a multi-signature that prevents one entity from having full control over the contract.
Ultimately, education is one of the keys that will allow blockchain-based financial systems to become more secure and reliable. And education should be one of the main concerns for those looking for work in DeFi because it can offer appetizing rewards to anyone who can make a viable contribution.
This article does not contain investment advice or recommendations. All investment and trading movements involve risk, and readers should conduct their own research when making a decision.
The views, thoughts and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Dmitry Mishunin is the founder and CEO of the DeFi security and analysis company HashEx and has long-standing expertise in blockchain security. He has devoted a lot of time to scientific activities, such as research on IT systems, blockchain and vulnerabilities in DeFi. Under Dmitry’s leadership, HashEx has become one of the leaders in smart contract auditing.
