The potential of blockchain application and cryptocurrencies were largely hypothetical till decentralized finance (DeFi) became a reality. Prior, cryptocurrencies could only be sold, bought, lent, borrowed, or kept for the future when their valuation increased. DeFi unlocked a whole different world of applications that allowed people to transact without the presence of a mediator, either in the form of a broker or bank.
This freedom sparked a series of experimentation in its application, with a great deal centering on open protocols and smart contracts. Developers, token creators, and project owners soon found a way to integrate DeFi components into their tokens and projects. As a result of the increased application rate, the DeFi industry has grown astronomically ― data available on DeFi Pulse shows an increase of over 300%.
We often get so carried away by DeFi’s behemoth growth that we forget it is still in its infancy, and so are the security measures set up by platforms. The sheer volume of funds locked in smart contracts attracts malicious actors who find ways to compromise smart contracts codes and cart away with investors’ hard-earned tokens.
As of November 30, 2021, hackers had looted $1.5 billion across 73 hacks. Ethereum has been the worst hit amongst the chains, leading in first place with 50, Binance Smart Chain with 2, and Polygon and Avalanche getting 2 apiece.
The most recent hack that has got everyone talking is the BadgerDAO hack, where around USD 130 million was stolen. According to the platform’s team, it must have been from the compromise of their UI script.
The fact that simple cracks in the base code of products based on DeFi are being exploited by hackers is becoming worrisome. The intricate framework and infrastructure of smart contracts and DeFi-compatible protocols have not reduced the number of hacks either.
Lossless has grown into the security gatekeeper of the blockchain world. For this reason, we attempt to uncover the WHY behind the increasing attacks on DeFi projects as we lay bare some of the security issues plaguing the space.
Wrong Estimation of the Valuation of Liquidity Pools
One of the most common ways holders gain is by providing liquidity for users who intend to exchange/swap other cryptos for the staked token or borrow. Whenever a user contributes to a liquidity pool, two things happen. First, the user receives a stake confirming the transaction and as an ID for the future extraction of their tokens. And secondly, the liquidity pool recalibrates itself based on the coins that it contains rather than with the help of an external oracle.
Malicious actors typically take advantage of the recalibration process to cause dissimilarities in the reported figures of the liquidity pool using Flash Loans. The difference is further exploited to drain the pool.
Because of the frequency with which investors contribute to liquidity pools, this is one of the most common. It is also the most harmful to DeFi protocols, considering pools’ vast amounts of tokens.
Private Key Theft
Because of the complexity of blockchain networks, users are provided with private keys that enable them to access their wallets without compromising security. The specificity of private keys complicates the hacking process by reducing the hacking footprint. Hackers have resorted to obtaining users’ private keys to remotely access users’ digital assets to make the process easier.
Private keys can be stolen through the use of doctored versions of MetaMask, poor randomness in key generation, and the theft of the seed or mnemonic phrase.
Activities that warrant divulging your private key or its seed phrase should be discontinued. If you are unsure if your seed phrase has been compromised, we advise you to create a new wallet and transfer your assets from the old one.
51% Attacks
These types of attacks are one of the most well-known as it is basically an attack on how the attacked blockchain is designed to work. It is associated with projects based on the Proof of Work consensus.
The majority of votes are essential for platforms based on blockchain to function as it is an extension of the technology’s decentralized nature. The voting power of each node may depend on the amount of tokens held, computational power at their disposal, or some other criterion. But in the case of the Proof of Work consensus, it is the computational power. The attacker holds the majority share of the network’s computational power and creates a blockchain version that suits their selfish interest. However, it becomes increasingly difficult and costly for hackers to take this route as the network grows larger.
For DeFi protocols built on the Proof of Work consensus, the location of the nodes should be kept a secret and constant maintenance processes are a must to rid the computer of any malicious code that may have got in by accident or by an assailant.
Frontrunning Attacks
Frontrunning attacks are opportunistic attacks. It occurs during the lag between the time of transaction and when it is recorded on the distributed ledger.
When a transaction occurs, malicious actors hunt down exploitable transactions via the Miner Extractable Value. They create a different version of the transaction using higher transaction fees and leverage on the transaction fee order in which blocks are arranged. The higher transaction fee of the cloned transaction makes it appear before the original on the block, making the hackers earn more.
Frontrunning attacks on DeFi projects are either used to make profits from the prior knowledge of a transaction or by creating a faux attack and returning tokens back to the protocols from where they were stolen.
Poor Access Control of Smart Contracts
Smart contracts are built in a way only the owner has access and the ability to exert controls should they need to. To streamline access better, the contracts must be managed by one or several addresses from a set of addresses.
The control may be implemented carelessly by the owner which may result in a hack bypass. This scenario can be likened to a bank manager who mistakenly hands the keys of the bank vault to a thief. As smart contracts have tokens locked in them, they are drained.
Final Note
The DeFi space has experienced growth in the past year. So also has it experienced, and still experiencing, hacks and losses in all its different forms. A situation caused by the increased attention it is getting from industry stalwarts and unscrupulous elements alike.
Many of these hacks can be averted if smart contracts are well-audited, users are more careful with storing their private keys, the nodes are kept a secret, or if nodes are maintained as at when due.
Over time, being aware and buffering the security of DeFi protocols by indulging in the best practices will deter hackers because hacks become more expensive with the technicality involved. And Lossless has got the technical side covered.
Visit our website to find out how we can help toughen up the security of your project, and read through our blog for pointers on how to lose less.
About Lossless
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from our known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.
Our protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Our solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.
Twitter | Telegram | Website | Whitepaper
