How do DeFi protocols get hacked?

Published at: Aug. 14, 2021

The decentralized finance sector is growing at a breakneck pace. Three years ago, the total value locked in DeFi was a mere $800 million. By February 2021, the figure had grown to $40 billion; in April 2021, it attained a milestone of $80 billion; and now it stands at above $140 billion. Such rapid growth in a new market could not but attract the attention of all manner of hackers and fraudsters.

According to a report by crypto research company, since 2019, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks. Hacks of blockchain ecosystems are an ideal means of enrichment from the point of view of hackers. Because such systems are anonymous, they have money to lose, and any hack can be tested and tuned without the victim’s knowledge. In the first four months of 2021, losses amounted to $240 million. And these are just the publicly known cases. We estimate real losses to be in billions of dollars.

Related: Roundup of crypto hacks, exploits and heists in 2020

How does money get stolen from DeFi protocols? We have analyzed several dozen hacker attacks and identified the most common problems which lead to hackers’ attacks.

Misuse of third-party protocols and business logic errors

Any attack begins primarily with analysis of the victim. Blockchain technology provides many opportunities for the automatic tuning and the simulation of hacking scenarios. For an attack to be fast and invisible, the attacker must have the necessary programming skills and knowledge of how smart contracts work. The typical toolkit of a hacker allows them to download their own full copy of a blockchain from the main version of the network, and then fully tune the process of an attack as if the transaction was taking place in a real network.

Next, the attacker needs to study the business model of the project and the external services used. Errors in mathematical models of business logic and third-party services are two of the issues most commonly exploited by hackers.

The developers of smart contracts often require more data relevant at the time of a transaction than they may possess at any given moment. They are therefore forced to use external services — for example, oracles. These services are not designed to operate in a trustless environment, so their use implies additional risks. According to statistics for a calendar year (since the summer of 2020), the given type of risk accounted for the smallest percentage of losses — only 10 hacks, resulting in losses totaling approximately $50 million.

Related: The radical need for updating blockchain security protocols

Coding mistakes

Smart contracts are a relatively new concept in the IT world. Despite their simplicity, programming languages for smart contracts require a completely different development paradigm. The developers oftentimes simply do not have the necessary coding skills and make gross mistakes that lead to immense losses for users.

Security audits eliminate only a portion of this type of risk, since most audit companies on the market do not bear any responsibility for the quality of the work they perform and are only interested in the financial aspect. More than 100 projects were hacked due to coding errors, leading to a total volume of losses standing at around $500 million. A stark example is the dForce hack that took place on April 19, 2020. The hackers used a vulnerability in the ERC-777 token standard in conjunction with a reentrancy attack and got away with $25 million.

Related: Default auditing for DeFi projects is a must for growing the industry

Flash loans, price manipulation and miner attacks

The information supplied to the smart contract is relevant only at the time of execution of a transaction. By default, the contract is not immune to potential external manipulation of the information contained within. This makes a whole spectrum of attacks possible.

Flash loans are loans without collateral, but entail the obligation of returning the borrowed crypto within the same transaction. If the borrower fails to return the funds, the transaction is canceled (reverted). Such loans allow the borrower to receive large amounts of cryptocurrencies and use them for their own purposes. Typically, flash loan attacks involve price manipulation. An attacker can first sell a large number of borrowed tokens within a transaction, thereby lowering their price, and then perform a scope of actions at a very low value of the token before buying them back.

A miner attack is an analogue of a flash loan attack on blockchains working on the basis of the proof-of-work consensus algorithm. This type of attack is more complex and expensive, but it can bypass some of the protection layers of flash loans. This is how it works: The attacker rents mining capacities and forms a block containing only the transactions they need. Within the given block, they can first borrow tokens, manipulate the prices and then return the borrowed tokens. Since the attacker forms the transactions that are entered into the block independently, as well as their sequence, the attack is actually atomic (no other transaction can be “wedged” into the attack), as in the case of flash loans. This type of attack has been used to hack over 100 projects, with losses totaling around $1 billion.

The average number of hacks has been increasing over time. At the beginning of 2020, one theft accounted for hundreds of thousands of dollars. By the end of the year, the amounts had risen to tens of millions of dollars.

Related: Smart contract exploits are more ethical than hacking... or not?

Developer incompetence

The most dangerous type of risk involves the human error factor. People resort to DeFi in search of quick money. Many developers are poorly qualified but still try to launch projects in a rush. Smart contracts are open source and thus easily copied and altered in small ways by hackers. If the original project contains the first three types of vulnerabilities, then they spill over into hundreds of cloned projects. RFI SafeMoon is a good example, as it contains a critical vulnerability that has been superposed over a hundred projects, leading to potential losses amounting to over $2 billion.

This article was co-authored by Vladislav Komissarov and Dmitry Mishunin.

The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Vladislav Komissarov is the chief technology officer of BondAppetit, a lending DeFi protocol with a stablecoin backed by real-world assets with fixed periodic income. He has over 17 years of experience in web development.
Dmitry Mishunin is the founder and chief technology officer of HashEx. More than 30 global projects are running on blockchain integrations designed by HashEx. Over 200 smart contracts were audited in 2017–2021.
Tags
Related Posts
Ethereum advances with standards for smart contract security audits
The Ethereum ecosystem continues to witness a flurry of activity that has individuals and organizations deploying token contracts, adding liquidity to pools and deploying smart contracts to support a wide range of business models. While notable, this growth has also been riddled with security exploits, leaving decentralized finance (DeFi) protocols vulnerable to hacks and scams. For instance, recent findings from crypto intelligence firm Chainalysis show that crypto-related hacks have increased by 58.3% from the beginning of the year through July 2022. The report further notes that $1.9 billion has been lost to hacks during this timeframe — a figure that …
Adoption / Aug. 22, 2022
The perfect storm: DeFi hacks will advance the crypto sector moving forward
The rise of decentralized finance, or DeFi, could be paving the way toward a fully decentralized financial ecosystem. Yet, given the innovative nature of DeFi, the sector remains in constant development and is therefore prone to a number of vulnerabilities. Unsurprisingly, one of the biggest challenges currently facing the DeFi sector is security threats. This has become apparent as more DeFi hacks continue to wreak havoc across the crypto community. Most recently, the largest DeFi hack within the crypto industry took place. The Poly Network hack resulted in over $600 million dollars removed, and then returned, from Binance Chain, Ethereum …
Decentralization / Aug. 17, 2021
$pickle in a pickle as attacker swipes $20 million in ‘evil jar’ exploit
In yet another attack on a major decentralized finance (DeFi) protocol, farming project Pickle Finance has been exploited today to the tune of $20 million. The attack transpired roughly two hours ago, and ETH-savvy Twitter users were quick to notice that pickle’s cDAI jar — Pickle’s term for a yield-bearing vault — had been emptied: I think @picklefinance's cDAI jar just got attacked and drained. https://t.co/Lxwi2dWSSZ pic.twitter.com/nUBE1KjEPh — mattyb (@mattybchats) November 21, 2020 Unlike other recent attacks however, this particular exploit did not feature flashloans — an increasingly maligned DeFi tool that allows would-be exploiters additional liquidity with which to …
Blockchain / Nov. 21, 2020
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022
​​Cream Finance DeFi platform loses $19M in a flash loan hack
Cream Finance, a major decentralized finance (DeFi) protocol focused on lending, has suffered a severe exploit, with a hacker stealing nearly $19 million from its platform. An unknown hacker has managed to gain $18.8 million in the latest flash loan exploit of the Cream Finance protocol through a reentrancy bug introduced by the Amp token, according to an investigation by blockchain security firm PeckShield. Announcing the news Monday, Cream Finance said that the protocol has stopped the exploit by pausing supply and borrow contracts on the Amp token. “No other markets were affected,” Cream Finance stated. C.R.E.A.M. v1 market on …
Decentralization / Aug. 30, 2021