Curve and BALD Exploits: The Need for Security in Web3

Cloud Castles (cloudcastlesgg) · 5 min read · Aug 4, 2023

Recent incidents involving Curve and BALD tokens have once again underscored the critical importance of security in the web3 ecosystem.

These incidents serve as stark reminders that while decentralized finance (DeFi), blockchain technologies, and the world of web3 in general offer exciting opportunities, they also come with inherent risks that users must be vigilant about.

In this article, we’ll go over these incidents, analyze how they happened, and how to stay protected from potential similar cases. Being a web3-native gaming studio, Digital Insight Games’ titles such as Cloud Castles are built on blockchain technology, which is why we hold our players’ safety as a top priority. We are building an industry-first security system — Eagle Eye.

Curve Exploit: a Re-Entrancy Bug

Curve is a decentralized exchange (DEX) with a focus on stablecoins. However, despite being one of the most popular and renowned protocols of the DeFi ecosystem, it recently fell victim to an exploit that allowed hackers to drain several stablecoin pools on the platform.

The exploit was attributed to a “re-entrancy” attack in the Vyper programming language, which powers parts of the Curve system. “Re-entrancy” is a type of attack that can occur in smart contracts that allow untrusted external code to be executed within the contract. In Curve’s case, a smart contract calls an external contract, and the external contract then calls back into the original contract, potentially causing an infinite loop. As a result, upwards of $70 million worth of cryptocurrency was put at risk, leaving many users at a significant loss.
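The call-back pattern described above, modelled in plain Python as an added example (not code from this article, Curve or Vyper); `Vault`, `ReenteringReceiver` and all amounts are constructed for illustration. The unguarded vault updates the caller's balance only after the external call, while the guarded one zeroes the balance first and refuses nested entry with a lock.

```python
class Vault:
    """Toy contract: holds deposits and pays out through a caller-supplied hook."""

    def __init__(self, guarded):
        self.guarded = guarded
        self.balances = {}
        self.reserves = 0
        self.locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.reserves += amount

    def withdraw(self, who, receive):
        if self.guarded and self.locked:
            return False                  # lock: refuse nested entry
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.reserves:
            return False
        self.locked = True
        if self.guarded:
            self.balances[who] = 0        # effect recorded before the interaction
        self.reserves -= amount
        receive(amount)                   # external call: untrusted code runs here
        if not self.guarded:
            self.balances[who] = 0        # too late: the hook has already re-entered
        self.locked = False
        return True


class ReenteringReceiver:
    """Untrusted payee whose receive hook calls back into the vault."""

    def __init__(self, vault, name):
        self.vault, self.name, self.received = vault, name, 0

    def receive(self, amount):
        self.received += amount
        self.vault.withdraw(self.name, self.receive)  # runs before withdraw() returns


def run(guarded):
    vault = Vault(guarded)
    vault.deposit("alice", 90)            # honest depositor (constructed values)
    vault.deposit("mallory", 10)          # payee entitled to 10 only
    payee = ReenteringReceiver(vault, "mallory")
    vault.withdraw("mallory", payee.receive)
    return payee.received, vault.reserves


if __name__ == "__main__":
    print("unguarded (received, reserves):", run(False))
    print("guarded   (received, reserves):", run(True))
```

In the unguarded run the stale balance check keeps passing until the reserves are gone; in the guarded run the payee receives only its own deposit.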

The incident once again reminds the DeFi community of the need to write smart contracts accurately, as they form the backbone of the sector. With smart contracts, you interact with code instead of intermediaries, which can lead to unforeseen vulnerabilities if the code is not adequately audited and tested.

The BALD Token Plunge

Another recent incident involved the newly-launched BALD tokens on the Base blockchain.

Base is Coinbase’s exclusive blockchain network — like BNB Smart Chain is for Binance — which has generated sizable expectations in the community. With mainnet launch coming soon, the BALD token skyrocketed, increasing its value by 30,000 in a matter of hours.

After reaching a peak in value, the token’s developer removed millions of dollars worth of liquidity — a common fraudulent practice known as “rug pull” in the DeFi ecosystem — causing the token’s price to plummet by 90%.

In other words, BALD developers lured investors into what appeared to be a lucrative new project, only to disappear with their funds soon after.

In this case, the incident highlights the importance of carefully evaluating new projects in the space. You should always look for transparent teams, clear roadmaps, and evidence of community support before getting involved in a newly-launched token.

Protecting Users in DeFi

While it is challenging to predict exploits, you can take certain measures to protect yourself in the DeFi space.

First and most importantly, you must conduct thorough research on the projects you wish to engage with. Audits by reputable firms can provide valuable insights into a project’s security posture and smart contract integrity, while teams that choose to reveal their identities rather than staying anonymous show that they’re willing to stake their reputation on the project.

In this regard, you should try not to interact with unknown or unverified contracts, but if you absolutely must, you should always exercise caution when doing so.

Secondly, you should be mindful of the amount of funds you deposit in web3 platforms. Only invest what you can afford to lose, as the space remains highly experimental and volatile.

In this regard, diversifying assets across different platforms can mitigate the risk of a single exploit wiping out an entire portfolio. DeFi platforms can differ significantly in their architecture and security practices, so spreading investments can provide some level of protection.

Emphasizing Security in Web3

Both the Curve and BALD incidents underscore the necessity for ongoing efforts to enhance security in the web3 ecosystem. Blockchain projects — fundamentally DeFi platforms, but also other types of applications — should prioritize rigorous security audits, robust testing, and ongoing monitoring to identify and address vulnerabilities promptly.

Moreover, the community and industry stakeholders must foster a culture of responsible disclosure. Users and developers should report potential security weaknesses responsibly to allow for timely fixes without risking further exploits.

Security should not be an afterthought in the development of decentralized applications. By proactively addressing security concerns, the web3 community can create a safer environment for users and build greater trust in the emerging technologies.

Being a web3-native gaming studio, Digital Insight Games’ titles such as Cloud Castles are built on blockchain technology, which is why we hold our players’ safety as a top priority.

In order to ensure a smooth and safe experience, we have set up different security mechanisms that leverage the latest technology to keep our user base protected against common risks of web3:

  • DIG Eagle Eye: Eagle Eye is a system designed to make sure the in-game economies of Cloud Castles can run efficiently and safely. It is backed by an evolving machine learning algorithm that dynamically adjusts various key in-game variables using the latest AI technology. DIG Eagle Eye covers all bases, allowing for 24/7 monitoring of distinct aspects of our games — the marketplace, the code itself, individual transactions, and game hand-outs.
  • Partnerships with top security firms: To ensure the integrity of our smart contracts, we have selected two of the leaders in the space as auditors: CertiK and Quantstamp. These two organizations have carefully reviewed Cloud Castles code and actively monitor blockchain activity, allowing us to pinpoint even the smallest vulnerabilities to help us prevent exploits and attacks on our platform.

These security measures add to a transparent and well-known team, led by gaming industry veterans such as Jon Van Caneghem, creator of The Might and Magic® role-playing series and the Heroes® strategy series; and Jack Sheng, who served as the Director of International Partnerships at Tencent, the world’s largest gaming company. You can meet the entire DIG team here. At DIG, we’re committed to delivering fresh and engaging gaming experiences, but also to keeping our players safe so they can focus on what’s important: having fun.


Cloud Castles is an Action-Strategy game where players will collect and evolve fantasy creatures. Built on Unreal Engine 5 and Web3 Blockchain technology.