Lossless and DeFi: Are hacks approaching extinction? Part I

DeFi is getting bigger each day and is here to stay, perhaps forever. That much appears evident: the industry’s staggering growth in 2020 was something to behold, and nothing less is expected going forward.

In July a year ago, when DeFi was not yet a word everyone knew, the whole space was valued at roughly $4B. Today, at the time of writing and during a relatively bearish period, DeFi is an $80B market despite still being in its infancy, and that is counting protocols on Ethereum alone. That’s a more than 17-fold increase in one year.

Moreover, the daily number of DeFi users is not only growing but doing so exponentially. According to the recent report on Ethereum’s DeFi ecosystem from blockchain software company Consensys, there are roughly 1.75 million DeFi users, a number that increased by 50% in the first three months of 2021.

This only shows that DeFi growth is not stopping here. But as daily users and total value locked in protocols grow, and new projects continuously enter the markets, the volume of lost funds and the number of attacks on protocols are rising as well.

DeFi protocols keep getting hacked

Last year, hundreds of millions of dollars’ worth of assets were stolen from DeFi products, roughly $120M in total as a result of 15 attacks on DeFi protocols, most of which originate on the Ethereum network.

Unfortunately, not much has changed since then. During the first half of 2021, we have witnessed several big DeFi hacks. Just a while ago, THORChain suffered an attack in which a hacker discovered a vulnerability and tricked the network’s Bifröst protocol into sending ETH to the hacker’s address, adding up to $5M in losses.

Back in May, Spartan Protocol on Binance Smart Chain was attacked with multiple flash loans. The hacker used multiple loans from PancakeSwap to get wrapped BNB tokens, which were then swapped for the protocol’s native token SPARTA several times. This allowed the attacker to manipulate the asset balances of Spartan’s liquidity pool and withdraw $30M worth of assets.

Another fresh example is the recent hack of yield aggregator Rari Capital, which resulted in an $11M loss of ETH. It is believed the attacker used a so-called “evil smart contract” to trick another contract into granting access it was not authorized to have. The successful attack drained the protocol’s ibETH yield vaults and lending pools.

Shockingly, these are just a few examples out of a dozen that occurred in the past half year.

“Why is this happening? Aren’t blockchains supposed to be impenetrable?”, one might ask and, at this point, those are fair questions to pose. How can we be confident that another smart contract on Ethereum won’t break tomorrow, considering how many times it has happened before?

The complex nature of Turing-complete smart contracts

First off, Ethereum is safe. The problem is not Ethereum itself but a human being overlooking an important detail while launching a smart contract, in turn creating flaws that can be exploited.

But it’s hardly a developer’s fault. Sometimes even the auditors fail to identify all the weak spots that smart contracts or protocols might have. One of the more notable reasons is that the Ethereum Virtual Machine’s programming languages are, by nature, Turing-complete.

Turing-completeness refers to programming languages that can be used to simulate a mathematical model of computation called a Turing machine. The Ethereum Virtual Machine (EVM) happens to be Turing-complete, which sounds great because, in theory, it gives creators more flexibility and allows building a vastly broader variety of applications. However, the ability to express every computable algorithm on a blockchain has its drawbacks compared to a Turing-incomplete alternative.

In the earliest days of Ethereum, developers thought that not having Turing-completeness would eventually become a limitation. But, according to this study performed by the Computer Science Institute from the University of Applied Science in Germany, only 6.9% of smart contracts on the EVM need a Turing-complete language, and the study notes that almost all of those could also be coded in a Turing-incomplete environment.

In other words, smart contracts on Ethereum may have been made unnecessarily complicated by design, which now makes auditing them extremely challenging. Whether it was the right call or not, Turing-complete systems are also inherently more exploitable and vulnerable to various attacks. There are 16 known attack vectors on Solidity alone, the most popular programming language for writing smart contracts, which also happens to be Turing-complete.

Luckily, Lossless can help deal with several scenarios.

In the second part of this article, we will look at how hackers exploit smart contracts most often and see how Lossless could prove to be a reliable solution in those situations.

About Lossless

Lossless is the world’s first DeFi hack mitigation tool for token creators. Our protocol halts counterfeit transactions through various methods of fraud identification and returns any stolen tokens to the original owner.

With our stake-based reward system, the community is encouraged to explore new ways to detect hackers and fraudulent transactions. Our sleek and fluid dashboard interface also allows users to view transactions from a bird’s-eye view. Check out the Lossless whitepaper.
