Blockchain makes DeFi possible. In fact, blockchain is supposed to be secure, so why are so many DeFi platforms and applications getting hacked all the time?
Decentralized finance (DeFi) accounts for more than 75% of all crypto hacks , according to a report by crypto intelligence firm CipherTrace in early 2022. In addition, 54% of all major crypto fraud cases occurred in the DeFi sector, up from 3% in 2020.
First, what is a blockchain?
A blockchain is a distributed shared ledger that stores different types of data. For example, we can use blockchain to record ownership of non-fungible tokens (NFTs) and of course cryptocurrency transactions.
While traditional databases can easily store the same information, blockchain is unique in that there is no centralized authority. It is never maintained by a centralized administrator in one place, such as an Excel spreadsheet, where one person can make changes without oversight.
Instead, multiple identical copies of the blockchain database exist on multiple computers or nodes on the network. To add another “block” to the “chain” and record the underlying transaction in the distributed ledger, consensus is required.
Most nodes must verify the legitimacy of new data blocks before adding them to the ledger. Therefore, in theory, it is almost impossible for anyone to conduct a fraudulent transaction. This is because a threat actor must hack into every node and alter every copy of the ledger to avoid detection.
While this isn’t necessarily impossible, it’s a huge challenge for hackers. Also, when you add a layer of proof-of-stake (PoS) or proof-of-work (PoW) transaction verification methods to the mix, it becomes extremely difficult to trick the system.
POS (popular in Algorand , EOS , and Tezos ) uses randomly selected miners to validate transactions. PoW, on the other hand, uses competing verification methods to confirm transactions. Once the transaction is confirmed, a new block will be added to the blockchain.
Therefore, a decentralized public blockchain can be highly secure, as everyone on the network must verify that transactions are legally executed. So why do crypto hackers make headlines so often? The answer to the question lies in the cross-chain bridge.
What is a cross-chain bridge?
A cross-chain bridge connects two different blockchains and allows users to send, receive or exchange cryptocurrencies, such as cryptocurrencies, from one blockchain without any intermediary or central authority.
While this sounds simple, it’s not. A cross-chain bridge is not like converting dollars to euros (which is easy), an easy analogy would be: trying to convert air miles in your bank account into dollars.
Blockchain bridges exist to provide users with choice in times of high gas or transaction fees, fast transactions, improved privacy, optimized utilities, and enhanced user experience through interoperability.
It also provides users with freedom of choice and encourages fair competition. If one network is faster or cheaper than the other, you can simply switch and move digital assets at a lower cost. As such, cross-chains form the basis of platforms like PancakeSwap , where users can quickly “swap” cryptocurrencies like Ethereum (ETH) for Binance (BNB).
However, cross-chain bridges (and side-chain bridges) can sometimes turn the whole concept of DeFi upside down. Most cross-chain bridges rely on various external validators (eg: wrapped tokens or escrow, which may not be decentralized and trustless) and centralized consortia to facilitate asset transfers.
What makes cross-chain bridges vulnerable?
Cross-chain networking poses significant security risks, and due to the connection of multiple chains developed by different entities, attacks must be effectively guarded against in the wider network.
Essentially, this makes it possible for hackers to steal funds by simply moving coins from one chain to another. Additionally, DeFi platforms are ideal targets for criminal attacks because they offer fast returns, privacy and anonymity, and law enforcement is (still) relatively backward.
However, the reason we had to deal with so many security bugs (like MultiChain , Poly Network, Thorchain, and Wormhole ) boiled down to the founders not taking security seriously and not finding bugs. For example, an exchange from ETH to BNB requires exchange proxies in Ethereum, Binance, and cross-chain bridges, ETH and BNB may be safe, but it doesn’t help if the bridge proxies are the weak link.
When custodians are protecting millions or even billions of dollars through untested security practices and poorly designed systems, protecting user funds is a challenge, to say the least.
Wormhole bridge attack
How did the Wormhole cross-chain bridge attack, the second largest crypto hack ever, cost over $300 million (or 120,000 ETH)?
Wormhole allows users to bridge assets on chains like Avalanche , Binance Smart Chain, Ethereum, Polygon , Solana , and Terra . Thus, users can transfer assets between blockchains, and bridges do so by locking the transaction and minting a wrapped version (e.g. wETH) to the final chain.
Solana’s software features are not up-to-date. Some hackers have discovered and exploited this easily avoidable technical oversight. For example, a threat actor was able to circumvent the “verify signature” process by injecting a malicious “sysvar account” in the directive. As a result, they were able to break this cross-chain protocol by failing to verify all “validator accounts”, allowing attackers to trick validators into signing and minting up to 120,000 ETH out of thin air.
In this case, the root cause of the cross-chain violation was the “verify signature” process, as the contract had an outdated feature that could not verify the legitimacy of the sysvar account. These vulnerabilities are a reminder that DeFi is still in its infancy and that these projects are experimental in nature.
Can We Trust DeFi After Wormhole Bridge Attack? While we cannot fully trust any technology, as DeFi grows and matures, it will become more difficult for hackers to trick nodes or take them offline. This is because cryptography only gets better with each solution to the problem and with each iteration.
How can crypto users protect themselves?
As cryptocurrencies have gone mainstream, cybercrime has also become more prevalent. To improve blockchain security and strengthen the cross-chain environment, crypto novices and veterans alike must strictly follow best practices to reduce risk.
Conduct due diligence
Conducting research is critical. Find out if the blockchain development team has a positive and transparent track record. If past DeFi projects have a history of security incidents, they may have had issues with their internal release process.
Finding this information is not easy. You have to delve into the crypto world and study everyone involved in the project and all the relevant factors that could affect the expected outcome.
Choose protocols that are “audited” by white hat hackers
Make sure they work with established white hat hacking services to identify and correct potential cross-chain vulnerabilities. If the team fails to adequately address internal risks and potential vulnerabilities, you can expect threat actors to “honor” it.
You can find this information by following the protocol’s announcement and keeping in touch with hacker tracking service providers such as Zokyo and Trail of Bit. White hat hackers are making web3 better and more secure every day. By attracting white hat hackers, DeFi platforms can also encourage consensus and protocols within the network to improve security.
View Total Locked Value (TVL)
See how much cryptocurrency is locked in the protocol (or the total value of crypto assets deposited and locked). If the TVL adds up to billions of dollars and the protocol has been active for a long time, the security risk may be relatively low. But as always, be extra careful.
Keep up to date with the latest news
The crypto world is known to change overnight. Therefore, it is crucial to keep up with the latest developments including blockchain security events. Track what founders are doing and whether they are still actively contributing to the project. If the team has “run away”, you must re-strategize based on your findings.
Blockchain security is getting better every day, and DeFi is here to stay
The blockchain itself is highly secure, but vulnerabilities can arise in the interoperation between multiple blockchains. While cross-chain bridges certainly pose many security challenges, they are critical for interoperability, scalability, and enhanced user experience.
Since the DeFi space is still in its infancy, the entire ecosystem is getting better and better with every security incident. We can learn from every crypto hack to make the DeFi space more secure and private.
While security incidents have happened in the past and will certainly happen in the future, DeFi teams should all be proactive, always put smart contract security first and keep themselves out of the headlines. Only the continuous improvement of security can stabilize DeFi’s strong position in the industry.
Posted by:CoinYuppie，Reprinted with attribution to:https://coinyuppie.com/all-say-that-blockchain-is-safe-why-are-defi-hackers-so-rampant/
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.