Today, the blockchain market as a whole is in its infancy, and the decentralized finance (DeFi) market is its most promising part. According to data from DefiLlama, in 2021, the DeFi market had around $200 billion of liquidity locked in smart contracts. If we see this capital as an initial investment, this market looks like a very promising company. There are not many global companies that can boast such capitalization. But every young market has its initial problems. In the case of DeFi, the main problem is the lack of qualified blockchain developers.
This industry is very young and has a relatively small user base. Most people, at best, have heard of DeFi without having a clue what it is. But as with any promising new venture, a lot of speculative interest quickly builds up. Unfortunately, staff training takes much longer, especially when it comes to such knowledge-intensive fields as blockchain development and smart contracts. This means that some project teams will have to compromise and hire less experienced staff.
This problem inevitably creates an increasing risk of security holes in the code of these projects. And then we have to deal with its consequences in losing users’ capital. To briefly understand the magnitude of this problem, I can say that around 10% of the total locked DeFi liquidity has been stolen by hackers. It should come as no surprise that the general public prefers to stay away from a financial system that poses such dangers to their funds.
How have DeFi attacks changed recently?
Attacks on DeFi have long focused on reentry attacks. We can remember the famous hack of The DAO from 2016 that resulted in the loss of 150 million dollars in investor capital and led to the hard fork of Ethereum. Since then, this vulnerability has been exploited many times in different smart contracts.
The callback function is actively used by lending protocols: It allows smart contracts to check users’ collateral balance before granting a loan. This entire process happens within a transaction, which has given hackers a solution to steal money from such smart contracts. When a loan request is submitted, the callback function first checks the collateral balance, then grants the loan if the collateral is sufficient, and then changes the user’s collateral balance within the smart contract.
To fool the smart contract, hackers call back the callback function to start this process from the beginning. Since the transaction has not been finalized on the blockchain, the feature grants another loan for the same collateral balance. Although the solution to this problem has been on the scene for quite some time, many projects continue to fall victim to it.
Sometimes project teams with little skill in writing smart contracts decide to borrow the base code of another open source DeFi project to deploy their own smart contract. They typically do this with reputable projects that have been audited and have large user bases and are proven to be built securely. But they can decide to make small modifications to the borrowed code to add functionality that they want to have in their smart contract, without even changing the original code. This can break the logic of the smart contract, something developers are often unaware of.
This is what allowed hackers to steal around $19 million from Cream Finance in August 2021. The Cream Finance team borrowed the code from another DeFi protocol and added a callback token to their smart contract. Although reentry attacks can be prevented by implementing the “controls, effects, interactions” pattern that prioritizes changing balance over issuing funds, some teams still fail to safeguard their platforms from these exploits.
Flash loan attacks allow hackers to steal funds in a different way and have been growing in popularity since the DeFi boom of 2020. The main idea behind flash loan attacks is that you don’t need collateral to borrow funds from a protocol because financial parity is still guaranteed by the fact that the loan is taken and repaid in a single transaction. And it will not take place if the loan is not repaid with interest in a single transaction. But attackers have been able to successfully perform flash lending attacks on many protocols.
In doing so, they use multiple protocols to borrow and drag liquidity down to the final act where they amplify the price of a token through oracles or liquidity pools and use it to scam a pump-and-dump and disappear with the liquidity. on a set of a few different major cryptocurrencies like Ether (ETH), Wrapped Bitcoin (wBTC), and others. Some famous flash lending attacks include the Pancake Bunny attack, where the protocol lost $200 million, and another Cream Finance attack, in which more than $100 million was stolen.
How to defend against DeFi attacks?
To build a secure DeFi protocol, you should ideally trust only experienced blockchain developers. They must have a professional team that skillfully leads the construction of decentralized applications. It’s also wise to remember to use secure code libraries for development. Sometimes the least up to date libraries can be the safer option than those with the newer code bases.
Testing is another crucial thing that all serious DeFi projects need to do. As the CEO of a smart contract auditing company, I always try to cover 100% of our clients’ code and stress the importance of decentralized protection of private keys used to call smart contract functions with access restricted. It is best to use the decentralization of the public key through a multisignature that prevents one entity from having full control of the contract.
In short, education is one of the keys that will allow blockchain-based financial systems to be more secure and reliable. And education should be a top concern for DeFi job seekers because it can offer tempting rewards to everyone who can make a viable contribution.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, readers should do their own research when making a decision.
The views, thoughts and opinions expressed herein are solely those of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Dmitry Mishunin is the founder and CEO of the DeFi security and analytics company HashEx and has long experience in the field of blockchain security. He has spent a lot of time on scientific activities, such as research on computer systems, blockchain, and DeFi vulnerabilities. Under Dmitry’s leadership, HashEx has become one of the leaders in the field of smart contract audits.
Investments in crypto assets are not regulated. They may not be suitable for retail investors and the full amount invested may be lost. The services or products offered are not aimed at or accessible to investors in Spain.