Hack to the Future: What Are DeFi Hacks & How Do We Stay Secure
A rotten pirate getting away with plunder is always a tale to thrill and outrage the masses. Stories like that of the repentant Poly hacker, who stole, bargained for, and eventually returned $600 million of stolen funds, captivated both the crypto twitterati and the mainstream press.
Hacks in crypto, just like in technology, are from silicon immemorial. One of the reasons we create blockchain structures, and why they’re so important, is that by using cryptography we can close off one of the last routes to a system’s immediate failure: the guy at the top who has the key. Blockchains and smart contracts are built on the premise of public, open-source community ledgers.
Yet hacks will never go away as long as we have and use computers. True decentralisation AND hack-proof systems are twin and abiding goals, which is why a protocol's failure can provoke such horror, fury, and in other cases a sense of glee, if you’re not the one getting rekt, of course.
Although the actual number is impossible to estimate due to stealth attacks, upwards of $2.4 billion is known to have been lost across 84 hacked DeFi protocols, according to cryptosec at the time of writing.
So how do hacks happen? What are some major examples of recent hacks? And what can protocols do today to insulate themselves against these malicious assaults?
Types of Crypto Hacks
On the crypto high seas, many a boat has got shiprekt through the negligence or incompetence of its developers, but others have fallen only to the simple brilliance of the thieves. Sometimes unforeseen innovation suddenly destroys old sturdy protocols, such as with flash loans, and sometimes the developers captaining the ship were on the thieves' side all along, and the ship falls from within.
One important note is that, with blockchain technologies, the code is openly viewable by design. This means hackers can test-run any simulations and comb through all code looking for exploits. Yes, it adds defences, but it leaves weaknesses on view to anyone who can see them.
Here are some of the main types of crypto hacks. Unfortunately, this is not an exhaustive list. The war is ever evolving, and ever changing.
Price Manipulation: Flash Loans and Miner Attacks
When flash loans first came into being, they were the cause of many early DeFi assaults. This new innovation caught older protocols off guard, and many funds were lost as a result. Flash loan attacks are less common now, but the recent attack on Deus DAO shows they are still a threat. In a flash loan attack, the hacker uses the vast amount of uncollateralized capital a flash loan provides to manipulate the price on protocols through massive buy or sell orders, before reselling the asset. A good example is the attack on CREAM Finance, where $130 million was lost.
A mining attack is the Proof of Work equivalent of a flash loan attack. Although harder to set up, mining power can be rented for a short period to try to attack and secure one particular block, and commit fraudulent transactions with it. This can also happen as part of a cartel. This is the old school 51% attack, and it’s not as rare as you think, especially in DeFi.
Often, these types of attacks, and others, work through oracle manipulation. Smart contracts often need external information to decide whether to execute and to set their value. Sometimes that source of information is not as secure as the contract's own network, or the contract interprets the oracle's data in a way that is poorly coded or lacking in failsafes, and is thus open to being hit. By attacking the oracles that protocols rely on, weaknesses can be found. This is why Onomy chose to not rely on any sort of external oracles.
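The oracle weakness described above, as an added example that is not from the original article or from any protocol it names: a simulated fee-free constant-product pool shows how one oversized in-block trade distorts a spot-price reading, and how an oracle that averages per-block observations and fails closed on a large deviation avoids consuming it. The pool model, class names, ten-block window and 5% threshold are assumptions chosen for illustration.

```python
# Added example with constructed numbers: a fee-free constant-product pool
# and a hypothetical oracle wrapper. Not any real protocol's code.
from collections import deque

class Pool:
    """x * y = k pool holding TOKEN and USD reserves."""
    def __init__(self, token, usd):
        self.token, self.usd = token, usd
    def spot_price(self):
        return self.usd / self.token
    def swap(self, usd_in=0, token_in=0):
        k = self.token * self.usd            # product stays constant per swap
        if usd_in:
            self.usd += usd_in
            out, self.token = self.token - k / self.usd, k / self.usd
        else:
            self.token += token_in
            out, self.usd = self.usd - k / self.token, k / self.token
        return out

class GuardedOracle:
    """Averages one observation per block; fails closed on a price jump."""
    def __init__(self, pool, window=10, max_deviation=0.05):
        self.pool, self.max_deviation = pool, max_deviation
        self.observations = deque(maxlen=window)
    def record_block(self):
        self.observations.append(self.pool.spot_price())
    def price(self):
        twap = sum(self.observations) / len(self.observations)
        spot = self.pool.spot_price()
        if abs(spot - twap) / twap > self.max_deviation:
            raise ValueError("spot deviates from average; refusing to price")
        return twap

def simulate():
    pool = Pool(token=1_000_000, usd=1_000_000)   # spot price 1.0
    oracle = GuardedOracle(pool)
    for _ in range(10):                           # ten quiet blocks
        oracle.record_block()
    bought = pool.swap(usd_in=9_000_000)          # one oversized in-block buy
    naive = pool.spot_price()                     # what a spot-only reader sees
    try:
        guarded = oracle.price()
    except ValueError:
        guarded = "rejected"
    pool.swap(token_in=bought)                    # position resold, same block
    return naive, guarded, pool.spot_price()
```

A contract that reads `spot_price()` directly would value the token at 100 times its pre-trade price for the duration of the block, while the guarded reader refuses to answer and the price is back to normal once the trade is unwound.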
Human Error and The Skill of Thieves
Sometimes we all make mistakes. Treasure DAO was hacked using a simple exploit that wasn’t spotted in the code. The founder has apologised and promised to make up for the lost funds, but errors do happen.
Open-source auditing of code and the decentralised nature of many eyes make this mostly unlikely. Professional audits of code that is private or still in development are commonplace. And most smart contracts openly advertise what they do; that’s the point. However, sophisticated attackers can still find vulnerabilities where others could not, or through attack vectors thought not possible.
For example, Solana’s Wormhole has a long-standing development team and billions in total value locked, yet their new Wormhole tech was hacked, with $320m stolen in ETH shortly after it launched. It was an embarrassing failure for the chain, which had touted the tech as its answer to a necessarily cross-chain world.
Solana’s Wormhole developer offered the hacker $10 million as a bug bounty for pointing out the complex flaw in the code, on condition that the stolen money was returned, asking them to be a ‘white hat’ hacker for Solana. The hacker didn’t respond, and Jump Crypto footed the bill.
A white hat is a hacker who points out flaws in a codebase, either out of goodwill or for a reward. A recent example was a flaw in Coinbase’s code that could have reportedly brought down the retail market, leading Coinbase to offer a $250,000 reward.
Airdrop attacks are a novel and increasingly frequent way to try to scam crypto users. In short, the attacker sends tokens to random crypto wallets in the hopes that their owners will spend the money. When they do, the trap is sprung, and the ‘token’ reveals what it truly is: a smart contract in disguise with a specific function. In one case, any user who tried to sell their ‘free’ airdropped tokens also had their wallet drained of RUNE tokens.
Beware airdrops when you don’t know the source! Airdrops are an important part of crypto culture, but bad actors lurk in the shadows.
Developer Malfeasance and Incompetence
Although often not quite hacks, sometimes the developer simply rugs the entire protocol. However, modern DeFi investors can be very savvy about a single entity operating a non-multisig treasury, or other clearly dangerous lapses in custody.
A new type of attack is inserting innocuous-looking code into a DeFi protocol that a rugger already knows how to exploit, or that is a timebomb waiting to go off, as was the case with Compounder Finance, where $11.8 million was stolen.
All these things are also possible through developer incompetence, which is a problem, because DeFi hacks have knock-on effects, and rogue or poor developers must be spotted quickly.
Why DeFi Hacks Are a Problem for the Whole Industry
As evidenced by the recent attack on the Gnosis chain, the intercomposability of DeFi, together with forked protocols and copied code, means that if a flaw exists in one protocol or on a chain, it can often exist in others using the same code or built on that chain.
A central brick in a DeFi pyramid may be attacked, hurting any protocol built on or with its code. On the Gnosis chain, both Agave and Hundred Finance were hurt by the vulnerability, with $11 million lost. The attacker used a reentrancy bug on Gnosis, forcing a smart contract to make a call to an unverified, malicious third contract.
With DeFi now an endless chain of forks upon forks, developers have to be careful that the code they are using isn’t flawed in some way. One way to go about this is to audit the fork itself, alongside any updates that are made. This benefits both the new protocol using a similar codebase and the original creator.
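The reentrancy pattern described above, in simplified form (an added example, not code from Gnosis, Agave or Hundred Finance): a toy ledger whose withdrawal pays out before updating its books can be re-entered through the receiver's callback, shown next to the ordering that updates state first. All class and function names are hypothetical.

```python
# Added example: a toy in-memory ledger, not any real protocol's code.
class Account:
    """Receiver with a callback; `reenters` models untrusted contract code."""
    def __init__(self, reenters=False):
        self.received, self.reenters, self.calls = 0, reenters, 0

    def on_receive(self, withdraw):
        self.calls += 1
        if self.reenters and self.calls == 1:
            withdraw(self)            # calls back into the pool mid-withdrawal

class Pool:
    def __init__(self):
        self.balances, self.reserves = {}, 0

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.reserves += amount

    def _pay(self, account, amount, withdraw):
        self.reserves -= amount
        account.received += amount
        account.on_receive(withdraw)  # external call: control leaves the pool

    def withdraw_unsafe(self, account):
        amount = self.balances.get(account, 0)
        self._pay(account, amount, self.withdraw_unsafe)  # interaction first
        self.balances[account] = 0                        # effect comes too late

    def withdraw_safe(self, account):
        amount = self.balances.get(account, 0)
        self.balances[account] = 0                        # effect first
        self._pay(account, amount, self.withdraw_safe)    # then interaction

    def solvent(self):
        # Invariant: reserves must cover everything still owed to depositors.
        return self.reserves >= sum(self.balances.values())

def run(method_name):
    pool, honest, untrusted = Pool(), Account(), Account(reenters=True)
    pool.deposit(honest, 100)         # constructed deposits
    pool.deposit(untrusted, 10)
    getattr(pool, method_name)(untrusted)
    return untrusted.received, pool.reserves, pool.solvent()
```

With `withdraw_unsafe` the re-entering account is paid its 10-unit balance twice and the solvency invariant breaks; with `withdraw_safe` the second call finds a zero balance. Checking an invariant like `solvent()` after every state-changing call is a cheap test to run against a fork before deployment.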
Hacked Off: How to Protect Yourself
Protecting against DeFi hacks is an ongoing war. Yet by protecting against human error, having true decentralisation, and being conscientious in protecting and updating your code base, the risk of DeFi hacks can be minimised to negligible. One way to do this is through TLA+ specs. TLA+ is a high-level specification language that helps protocols lay down the blueprints of their software prior to development, so that the logic is sound before code is written. The TLA+ specs can then be formally verified by entities like Informal Systems. Of course, this does not diminish the importance of audits, as every new line of code deployed to the mainnet must be verified by independent and well-ranked cybersecurity firms. Onomy is working alongside NCC Group, an enterprise-level cybersecurity firm, to audit every line of code prior to public deployment.
While crypto hacks have become more prevalent, every day we close off more avenues of attack, even as new doors open as technology improves. It’s a constant battle, but one the generous community of developers, auditors, white hats and the public are winning.