Hacks in DeFi
There seems to be at least one hack every other week in DeFi land. Harvest Finance was exploited for over $24m, and Alpha Finance faced a multi-transaction attack involving ~$37.5m. These incidents show that yields offered in DeFi are not risk-free, and anyone who has capital deposited in lending platforms (centralized or decentralized) should understand the potential risks associated with nascent applications and protocols.
When funds are lost in DeFi, is it always due to hacks? No, sometimes it’s due to plain old scams. Don’t worry if you’re not entirely sure which is which; we’ll explain it further.
A code hack is where a bad actor exploits a technical vulnerability in a piece of software.
The code or data used by a hacker to “break” the software is called an exploit. Exploits make a system or software work in an unintended way that benefits the hacker. The DAO attack in 2016, for example, involved an attacker exploiting the so-called reentrancy vulnerability to steal approximately $60 million. A loophole in the Parity wallet contract resulted in a loss of $31 million in July 2017.
There’s another type of hack: an economic manipulation attack, which relies on breaking the economic assumptions made by the developers of the smart contract. Its execution leads to economic distortion. An example of economic manipulation is a flash loan attack. Flash loans are non-collateralized loans used to leverage arbitrage opportunities. This allows borrowers to leverage themselves without risking their own funds. The genius of flash loans is that the borrowed funds must be repaid during the same transaction in which they were borrowed; otherwise the transaction reverts. In November 2020, $3.3 million of USDC/USDT/DAI was drained from Cheese Bank because it relied on an AMM-based centralized price oracle. PeckShield published an analysis identifying the 11 steps involved. This series of attacks emphasises the value of DeFi protocols that use autonomous price oracles. Failure to move to a decentralised oracle, particularly now that this weakness has been widely publicised, may be disastrous for the protocols that still depend on a single DEX for price data.
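The difference between a single-pool spot price and a time-weighted average can be seen in a small Python model, added here as an illustration and not taken from any protocol's code. The pool sizes, the 30-minute window, the `ltv` ratio and the 5% tolerance are constructed assumptions, and all names are hypothetical.

```python
class Pool:
    """Constant-product pool (token * usd = k) with a Uniswap-v2-style price accumulator."""
    def __init__(self, token, usd):
        self.token, self.usd = float(token), float(usd)
        self.cumulative = 0.0   # running sum of spot price * seconds
        self.last_ts = 0

    def spot(self):
        return self.usd / self.token

    def sync(self, now):
        # Credit the price that held since the last update, before any trade at `now`.
        self.cumulative += self.spot() * (now - self.last_ts)
        self.last_ts = now

    def buy_token(self, usd_in, now):
        self.sync(now)
        k = self.token * self.usd
        self.usd += usd_in
        bought = self.token - k / self.usd
        self.token -= bought
        return bought

def twap(pool, start_cumulative, start_ts, now):
    """Average price over [start_ts, now] from two accumulator readings."""
    pool.sync(now)
    return (pool.cumulative - start_cumulative) / (now - start_ts)

def borrow_limit(collateral_tokens, price, ltv=0.75):
    return collateral_tokens * price * ltv

def price_is_sane(spot, reference, tolerance=0.05):
    """Reject a spot quote that deviates more than `tolerance` from the reference."""
    return abs(spot - reference) <= tolerance * reference

def scenario():
    # Constructed numbers: 10,000 tokens against 10,000 USD, price 1.0 for 30 minutes.
    pool = Pool(10_000, 10_000)
    start_cum, start_ts = pool.cumulative, 0
    pool.buy_token(30_000, now=1800)                 # one large swap inside a transaction
    spot = pool.spot()
    avg = twap(pool, start_cum, start_ts, now=1800)  # read in that same transaction
    return {
        "spot": spot, "twap": avg,
        "limit_spot": borrow_limit(1_000, spot),
        "limit_twap": borrow_limit(1_000, avg),
        "sane": price_is_sane(spot, avg),
        "twap_next_block": twap(pool, start_cum, start_ts, now=1812),
    }
```

A lending contract that values 1,000 tokens of collateral at the spot price grants sixteen times the borrowing power that the averaged price allows, and the deviation check flags the spot quote before it is used.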
Scams are also known as frauds and thefts. Types of scams include fake token sales, fake mixers, Ponzi schemes, blackmail and others. You might also have heard of a “rug pull”, which is similar to a pump and dump. Some scammers will liquidate the entire DeFi pool, leaving the remaining token holders with no liquidity and unable to trade, wiping out the remaining value. The developers of Compounder Finance are accused of defrauding investors out of $11 million in an exit scam. Approximately $10.8 million in Wrapped Bitcoin (WBTC), Ether (ETH), DAI, and other tokens were moved out of the project after it had received enough funding from eager investors.
Vulnerabilities in smart contracts
It’s important to acknowledge the nuances and technical complexities in Solidity code when contracts introduce new features. In the beginning, things were fairly simple. Who’d have thought we would have automated market makers (AMM), algorithmic stablecoins and all kinds of combinations of Money Legos? Let’s take a look at three vulnerabilities that are easily exploited.
The first weakness, a server-side access control failure, was revealed for the first time by an attack against the decentralised application CoinDash. The failure allows unauthorized access to the web application, which can lead to web page manipulation. If an attacker breaks into the web server and replaces the original contract address with the attacker’s own address, the coin buyers pay the attacker.
Many gambling and lottery contracts choose winners at random, with a pseudorandom number created from some initial private seed (e.g., block.number, block.timestamp, block.difficulty, or blockhash). However, since miners have complete control over these seeds, a malicious miner can exploit these variables to make himself the winner. This is why contracts need to use an external source of randomness with a good verifiable random function (VRF).
Reentrancy is also known as “race to empty”, “recursive call vulnerability”, and “call to the unknown”. This flaw was discovered as a result of the DAO attack in 2016. The bug exists due to payable fallback functions, which are designed to run when value is sent to the smart contract, allowing it to update its internal ledger. External contract calls are allowed to make new calls to the calling contract before the initial execution is complete. dForce was hacked for nearly $25M when a hacker repeatedly increased his ability to borrow all other assets on dForce’s lending platform, and then exited with all the assets deposited. Solidity now has a noReentrancy guard you can attach to your public functions, but it is only provided on an opt-in basis.
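The control flow behind reentrancy, and the effect of updating the ledger before the external call together with a lock, can be modelled in a few lines of Python. This is an added illustration, not code from any of the projects mentioned; the classes, the `transact` helper and the deposit amounts are constructed assumptions.

```python
class Revert(Exception):
    """Models an EVM revert: the transaction's state changes are discarded."""

class Account:
    def __init__(self, reenter=False):
        self.wallet, self.reenter = 0, reenter    # reenter=True: fallback calls back in

    def on_receive(self, vault, amount):          # stands in for the payable fallback
        self.wallet += amount
        if self.reenter and vault.funds >= amount:
            vault.withdraw(self)                  # re-enters before the outer call ends

class Vault:
    def __init__(self, hardened):
        self.hardened, self.locked = hardened, False   # lock is checked only if hardened
        self.balances, self.funds = {}, 0              # internal ledger, value held

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.funds += amount

    def withdraw(self, account):
        if self.hardened and self.locked:
            raise Revert("reentrant call")
        amount = self.balances.get(account, 0)
        if amount == 0 or amount > self.funds:
            raise Revert("nothing to withdraw")
        self.locked = True
        if self.hardened:
            self.balances[account] = 0      # effect first: ledger updated before paying
        self.funds -= amount
        account.on_receive(self, amount)    # interaction: recipient code runs here
        self.balances[account] = 0          # vulnerable order: ledger updated last
        self.locked = False

def transact(vault, account):   # one transaction; a Revert restores the prior state
    saved = (dict(vault.balances), vault.funds, vault.locked, account.wallet)
    try:
        vault.withdraw(account)
    except Revert:
        vault.balances, vault.funds, vault.locked, account.wallet = saved
        return False
    return True

def scenario(hardened):
    vault, honest, reentrant = Vault(hardened), Account(), Account(reenter=True)
    vault.deposit(honest, 90)       # constructed amounts
    vault.deposit(reentrant, 10)
    return transact(vault, reentrant), reentrant.wallet, vault.funds
```

`scenario(False)` ends with the vault empty although the re-entering account was only credited 10, while `scenario(True)` reverts the whole transaction and leaves all 100 in place.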
How to cover yourself and recover from hacks
While there are best practices to detect vulnerabilities, not all vulnerabilities can be detected at all times. Audits and attestations are useful for gauging a crypto project but at the same time, they can provide a dangerous false sense of security that attackers can abuse. Strategies to detect and mitigate hacks and scams exist, but they are not always sufficient. As market participants, we can take preventive measures to protect ourselves. When you’ve been hacked as a token holder / liquidity provider / investor, can you recover your funds?
That’s possible if you bought insurance!
The DeFi ecosystem has a safety net in the form of insurance. Crypto investors can have peace of mind knowing that their assets are covered in the event of a bug or a breach.
Not many people in DeFi realize that there are insurance cover providers, as the concept is still new. Even though DeFi insurance is relatively young, the sudden growth in market cap of Nexus Mutual, Bridge, and Cover Protocol demonstrates that there is much demand for insurance in DeFi. Eventually, as the space matures, an aggregator of insurance protocols will probably emerge. When investors have access to comprehensive insurance in DeFi, we will see a greater unlock of capital flow and confidence in the space from both retail and institutional players.
About Shield Finance
Shield Finance is a multi-chain DeFi Insurance Aggregator that allows users to buy protection against major market crashes due to hacks, exploits, rug pulls, sell-offs, and other black swan events. We are currently integrating multiple insurance providers to provide our users with reduced slippage and expansive coverage.
Shield Finance is hosting a public sale — subscribe to our social media channels to join early.
For any questions about Shield Finance, please reach out to us on: