The Mirage of Safety: A comprehensive exposition on recent DeFi exploits despite multiple audits

Hackless Team
Published in Hackless
5 min read, Oct 16, 2023

In the ever-evolving sphere of Decentralized Finance (DeFi), the promise of permissionless transactions, financial autonomy, and attractive yields keeps drawing individuals and institutions into a new kind of financial engagement. As DeFi grows, so does the interest of attackers in the young protocols that power it. This article examines five DeFi protocols, Euler Finance, Merlin DEX, Level Finance, Exactly Protocol, and Balancer, each of which suffered a serious exploit in 2023 despite having been audited, several of them repeatedly, by well-regarded firms.

Euler Finance

- Exploit Date: March 13th, 2023

- Financial Loss: roughly $200 million.

- Root Cause: a bug in the donateToReserves function of the EToken implementation. The function let an account give away part of its eToken collateral to the protocol's reserves without re-running the liquidity (health) check that every other collateral-reducing operation performs. An attacker could therefore borrow against their own deposit, donate enough collateral to push the position under water, and then liquidate it from a second account at a discount, walking away with the pool's real liquidity. The function was introduced through Euler Improvement Proposal 14 (eIP-14), which was meant to strengthen the protocol. Although Euler had undergone ten audits by firms including Omniscia, Sherlock, Certora, Halborn, Solidified, ZK Labs, and PenTestPartners.com, the missing check was not caught, an uncomfortable reality for audited DeFi protocols.
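The missing check described above, as an added example that is not Euler's code: a toy lending market in which the account health check on donations can be switched off. The loan-to-value ratio, liquidation bonus, account names and amounts are assumptions chosen for illustration, and mint() stands in for a self-collateralised borrow that books collateral and debt in one step.

```python
"""Added example, not Euler's code: a toy lending market whose donate_to_reserves
can skip the account health check. LTV, liquidation bonus and amounts are assumed;
mint() stands in for a self-collateralised borrow (collateral and debt at once)."""
from dataclasses import dataclass, field
from fractions import Fraction as F

LTV = F(95, 100)          # assumed: debt may be at most 95% of collateral
LIQ_BONUS = F(120, 100)   # assumed: liquidator gets 1.2 collateral per 1 debt repaid


@dataclass
class Account:
    collateral: F = F(0)
    debt: F = F(0)

    def healthy(self) -> bool:
        return self.collateral * LTV >= self.debt


@dataclass
class Market:
    check_health_on_donate: bool = True   # False models the missing check
    cash: F = F(0)                        # real tokens the pool actually holds
    reserves: F = F(0)
    accounts: dict = field(default_factory=dict)

    def acct(self, who: str) -> Account:
        return self.accounts.setdefault(who, Account())

    def deposit(self, who: str, amount: F) -> None:
        self.cash += amount
        self.acct(who).collateral += amount

    def mint(self, who: str, amount: F) -> None:
        """Book `amount` of collateral and `amount` of debt in one step."""
        a = self.acct(who)
        a.collateral += amount
        a.debt += amount
        if not a.healthy():
            raise ValueError("mint leaves account under-collateralised")

    def donate_to_reserves(self, who: str, amount: F) -> None:
        a = self.acct(who)
        if amount > a.collateral:
            raise ValueError("insufficient balance")
        a.collateral -= amount
        self.reserves += amount
        # The check every other collateral-reducing path runs:
        if self.check_health_on_donate and not a.healthy():
            raise ValueError("donation leaves account under-collateralised")

    def liquidate(self, liquidator: str, violator: str, repay: F) -> F:
        v = self.acct(violator)
        if v.healthy():
            raise ValueError("violator is healthy")
        repay = min(repay, v.debt, v.collateral / LIQ_BONUS)
        seized = repay * LIQ_BONUS
        v.debt -= repay              # whatever debt is left is bad debt
        v.collateral -= seized
        liq = self.acct(liquidator)
        liq.debt += repay
        liq.collateral += seized
        return seized

    def withdraw(self, who: str, amount: F) -> None:
        a = self.acct(who)
        if amount > self.cash or amount > a.collateral:
            raise ValueError("insufficient liquidity")
        a.collateral -= amount
        if not a.healthy():
            a.collateral += amount
            raise ValueError("withdrawal leaves account under-collateralised")
        self.cash -= amount


def max_withdrawable(m: Market, who: str) -> F:
    a = m.acct(who)
    return min(m.cash, a.collateral - a.debt / LTV)


def run_attack(check_on_donate: bool) -> F:
    """Attacker's profit in real tokens; raises ValueError when the health
    check on donation is enforced and blocks the attack."""
    m = Market(check_health_on_donate=check_on_donate)
    m.deposit("lp", F(1000))                  # an honest depositor's liquidity
    m.deposit("violator", F(100))             # attacker's own stake
    m.mint("violator", F(1900))               # 2000 collateral vs 1900 debt: healthy
    m.donate_to_reserves("violator", F(200))  # 1800 vs 1900: under water
    m.liquidate("liquidator", "violator", F(1900))  # attacker's second account
    take = max_withdrawable(m, "liquidator")  # paid from the honest depositor's cash
    m.withdraw("liquidator", take)
    return take - F(100)
```

With the check disabled, run_attack(False) returns a positive profit (2300/19 in these units) while the violator account is left with 400 of debt and no collateral, a shortfall the remaining depositor absorbs; with the check enabled, the donation itself is rejected and the sequence never reaches the liquidation.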

Merlin DEX

- Exploit Date: April 26th, 2023

- Financial Loss: An estimated $1.8 million was siphoned off.

- Root Cause: the exploit took place during the “Liquidity Generation Event” for the launch of the MAGE token. It was a rug pull made possible by excessive permissions granted to the feeTo address set at deployment: the pool contracts gave that address an unlimited allowance over their tokens, so whoever held the key could drain every pool at will. Although the protocol had been audited by CertiK, that privilege was still live at launch, and the holders of the key used it, leaving users with no recourse.

Level Finance

- Exploit Date: May 1st, 2023

- Financial Loss: approximately $1.1 million.

- Root Cause: a bug in the claimMultiple function of the referral controller contract (LevelReferralControllerV2) allowed referral rewards for the same epoch to be claimed more than once. A small oversight in a reward-claiming path had outsized consequences: the attacker repeatedly collected rewards they were entitled to only once. The bug survived two audits, by Quantstamp and Obelisk.
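The double-claim bug class described above, as an added example that is not Level Finance's code: a toy referral-reward controller with a vulnerable and a fixed claim_multiple. The epochs, users, reward amounts and treasury size are constructed for illustration; the vulnerable ordering (read every eligibility flag first, write the flags after summing) is one way this class of bug arises and is not a claim about Level's exact implementation.

```python
"""Added example (not Level Finance's code): a toy referral-reward controller
showing the double-claim bug class, where one call that claims several epochs
pays a repeated epoch more than once. Epochs, users and amounts are constructed."""


class ReferralRewards:
    def __init__(self, rewards: dict, treasury: int, fixed: bool):
        self.rewards = rewards      # epoch -> {user: reward}
        self.treasury = treasury    # tokens set aside for all users' rewards
        self.claimed = set()        # (epoch, user) pairs already paid
        self.paid = {}              # user -> total received
        self.fixed = fixed

    def _reward(self, epoch: int, user: str) -> int:
        return self.rewards.get(epoch, {}).get(user, 0)

    def claim_multiple(self, user: str, epochs: list) -> int:
        if self.fixed:
            total = self._claim_checked(user, epochs)
        else:
            total = self._claim_vulnerable(user, epochs)
        if total > self.treasury:
            raise ValueError("treasury exhausted")
        self.treasury -= total
        self.paid[user] = self.paid.get(user, 0) + total
        return total

    def _claim_vulnerable(self, user: str, epochs: list) -> int:
        # Eligibility of every requested epoch is read up front and the
        # claimed flags are written only after the sum, so an epoch listed
        # twice in one call passes the check twice and is paid twice.
        eligible = [e for e in epochs if (e, user) not in self.claimed]
        total = sum(self._reward(e, user) for e in eligible)
        for e in eligible:
            self.claimed.add((e, user))
        return total

    def _claim_checked(self, user: str, epochs: list) -> int:
        # Check, then record, each epoch before moving to the next one, so a
        # duplicate inside the same call is rejected like any other re-claim.
        total = 0
        for e in epochs:
            if (e, user) in self.claimed:
                raise ValueError(f"epoch {e} already claimed by {user}")
            self.claimed.add((e, user))
            total += self._reward(e, user)
        return total


# Constructed data: alice is owed 150 in total, bob 80; the treasury holds exactly 230.
REWARDS = {1: {"alice": 100, "bob": 40}, 2: {"alice": 50, "bob": 40}}


def payout(fixed: bool, epochs: list) -> int:
    """Amount paid to alice by one claim_multiple call over `epochs`,
    or -1 when the controller rejects the call."""
    ctl = ReferralRewards(REWARDS, treasury=230, fixed=fixed)
    try:
        return ctl.claim_multiple("alice", epochs)
    except ValueError:
        return -1
```

payout(False, [1, 2, 2]) pays alice 200 against an entitlement of 150, leaving only 30 in the treasury for bob's 80; payout(True, [1, 2, 2]) rejects the duplicated epoch, while a legitimate payout(True, [1, 2]) still returns 150. The claimed flag protects against a second call in both variants; the bug is purely the order of check and effect within one call.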

Exactly Protocol

- Exploit Date: August 18th, 2023

- Financial Loss: about 4,324 ETH, worth approximately $7.3 million at the time.

- Root Cause: the DebtManager contract did not validate the market address supplied by the caller. Because users had granted the DebtManager permission to move their positions, the attacker could deploy a malicious contract, pass it in place of a genuine market, and have users' funds routed into it; the attacker then collected liquidation incentives on the positions left with bad debt. Four audits, by Coinspect, ABDK, ChainSafe, and Cryptecon, had not caught the missing check.
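The missing validation described above, as an added example that is not Exactly's code and does not reproduce its exact call sequence: a toy router that, like a DebtManager, holds operator rights over users' balances and deposits them into a market chosen by the caller. The callback trust rule (the market currently being served may act for its users from inside its callback), the account names and the balances are all constructed; the point is the bug class, an address taken from the caller that the router both calls into and trusts.

```python
"""Added example (not Exactly's code, nor its exact call sequence): a toy
router with operator rights over user balances that deposits into a market
chosen by the caller. Names, balances and the callback rule are constructed."""


class Token:
    def __init__(self, balances: dict):
        self.balances = dict(balances)
        self.operators = set()                 # (owner, operator) pairs

    def approve(self, owner: str, operator: str) -> None:
        self.operators.add((owner, operator))

    def transfer_from(self, operator: str, owner: str, to: str, amount: int) -> None:
        if operator != owner and (owner, operator) not in self.operators:
            raise PermissionError(f"{operator} may not move {owner}'s funds")
        if self.balances.get(owner, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


class Market:
    """Honest market: takes the tokens from the router and credits `account`."""
    def __init__(self, name: str, token: Token):
        self.name, self.token, self.shares = name, token, {}

    def deposit(self, router: "Router", account: str, amount: int) -> None:
        self.token.transfer_from(router.name, router.name, self.name, amount)
        self.shares[account] = self.shares.get(account, 0) + amount


class Router:
    def __init__(self, name: str, token: Token, registry: set, validate: bool):
        self.name, self.token = name, token
        self.registry = registry       # markets the protocol itself deployed
        self.validate = validate       # False models the missing check
        self.serving = None            # market whose callback is in progress

    def leverage(self, caller, account: str, market, amount: int) -> None:
        if self.validate and market not in self.registry:
            raise PermissionError("market is not a registered market")
        # Constructed trust rule: the market being served may act for its
        # users from inside its callback; anyone else acts only for itself.
        if caller != account and caller is not self.serving:
            raise PermissionError("caller may not act for this account")
        previous, self.serving = self.serving, market
        try:
            self.token.transfer_from(self.name, account, self.name, amount)
            market.deposit(self, account, amount)
        finally:
            self.serving = previous


class EvilMarket:
    """Attacker contract passed where a Market is expected."""
    def __init__(self, name: str, token: Token, victims: list):
        self.name, self.token, self.victims = name, token, victims
        self.reentered = False

    def deposit(self, router: Router, account: str, amount: int) -> None:
        self.token.transfer_from(router.name, router.name, self.name, amount)
        if not self.reentered:               # re-enter once, for every victim
            self.reentered = True
            for victim in self.victims:
                router.leverage(self, victim, self, self.token.balances[victim])


def simulate(validate_market: bool) -> dict:
    """Attacker calls leverage() with EvilMarket; returns the final balances."""
    token = Token({"victim1": 500, "victim2": 300, "attacker": 10})  # constructed
    honest = Market("market", token)
    router = Router("router", token, registry={honest}, validate=validate_market)
    for user in ("victim1", "victim2", "attacker"):
        token.approve(user, "router")   # users let the router manage positions
    evil = EvilMarket("evil", token, victims=["victim1", "victim2"])
    try:
        router.leverage("attacker", "attacker", evil, 10)
    except PermissionError:
        pass                            # blocked by the registry check
    return token.balances


def honest_use() -> int:
    """With validation on, a user can still leverage through a real market."""
    token = Token({"user": 100})
    honest = Market("market", token)
    router = Router("router", token, registry={honest}, validate=True)
    token.approve("user", "router")
    router.leverage("user", "user", honest, 60)
    return honest.shares["user"]
```

Without the registry check, simulate(False) ends with every user's balance moved into the attacker's contract (810 in total), because the unvalidated market is also the party the router trusts during the callback. With the check, simulate(True) rejects the call before any transfer, and honest_use() shows the legitimate path is unaffected.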

Balancer

- Exploit Date: August 27th, 2023

- Financial Loss: nearly $2.1 million.

- Root Cause: a flaw in the math of certain Balancer V2 Boosted Pools (a rounding error), which attackers exploited through a series of flash-loan transactions that drained the affected pools. The flash loans themselves were not the vulnerability: they are uncollateralised by design and simply let the attacker move enough capital within a single transaction to turn a small rounding discrepancy into a profit. Balancer had four audits, by Certora, OpenZeppelin, Trail of Bits, and ABDK, and the flaw still went unnoticed. When the vulnerability was reported, Balancer's team disclosed it publicly on August 22, 2023, took the mitigation steps available to it, and urged liquidity providers to withdraw from the affected pools; a few days later the funds that remained were exploited, which shows how little margin there is once a flaw is known.

These cases, each with a capable attacker and a vulnerability nobody anticipated, paint a consistent and uncomfortable picture: audits, however valuable, are not an impenetrable shield. Each protocol had engaged reputable firms to scrutinise its code. The attackers still found the gaps the auditors had missed.

Euler Finance is the clearest example of the limits of relying on audits alone: ten audits, and a critical missing check survived all of them. Merlin DEX, with a single audit, could be read as an argument for more auditing; Level Finance and Exactly Protocol, exploited after multiple audits, show that audit count alone does not settle the question.

Balancer shows that even prompt, diligent action by the team after a vulnerability report may not be enough to prevent an exploit. Once a flaw is known, attackers move quickly, and any funds that cannot be moved or paused in time are at risk.

The message for the DeFi community is that audits are essential, but they are one part of a security program, not the whole of it. A contract's code is fixed the moment it is deployed, while the threat landscape keeps evolving, so a protocol's security posture has to keep evolving with it.

Securing DeFi is a collaborative effort that needs constant vigilance from auditors, diligence from developers, and informed engagement from users. The sense of safety an audit creates needs to be replaced by a culture of continuous scrutiny: invariant and fuzz testing of the deployed code, real-time monitoring of on-chain activity, pause and rate-limit mechanisms that can contain an attack in progress, bug bounties, and open dialogue among all stakeholders.

The lesson is clear: the path to a secure DeFi ecosystem is full of unforeseen challenges and requires a continuous effort to stay ahead of attackers. The idea of audits as a cure-all has to give way to a layered, multi-faceted approach to security that is as dynamic as the protocols it protects.

Each of these protocols made a real effort to secure itself through audits, and each still fell to a vulnerability nobody anticipated. Skilled auditors with good tooling went through the code, and some bugs still slipped through. The exploits undercut the common assumption that an audited protocol is a secure protocol. Audits are indispensable, but they are not a silver bullet, and each of these incidents is a reminder that DeFi's waters still hold icebergs that nobody has charted yet.

Follow us on social media to receive timely news, and stay tuned:

⚡️ Website

⚡️ Twitter

⚡️ Telegram channel

⚡️ Telegram group

⚡️ LinkedIn


We are fortifying DeFi security for protocols and individuals. Shielding from hacks 24/7; MEV protection; staked assets rescue.