How is the DeFi protocol attacked by hackers?

The analysis of dozens of hacker attacks has identified the main carriers and typical vulnerabilities in the decentralized financial field.

The field of decentralized finance is growing at an alarming rate. Three years ago, the total value locked in DeFi was only $800 million. By February 2021, this number had increased to 40 billion U.S. dollars; in April 2021, it reached the 80 billion U.S. milestone; now, its value has exceeded 140 billion U.S. dollars. Such rapid growth of a new market will certainly attract the attention of various hackers and fraudsters.

According to a report by a cryptocurrency research company, since 2019, the DeFi field has lost approximately $284.9 million due to hackers and other vulnerabilities. From a hacker’s point of view, hacking the blockchain ecosystem is an ideal way to get rich. Because this system is anonymous, they have money to make, and any hacker can test and adjust it without the victim’s knowledge. In the first four months of 2021, the loss reached 240 million U.S. dollars. And these are only publicly known cases. We estimate that the real losses have reached billions of dollars.

How was the money of the DeFi protocol stolen? We analyzed dozens of hacking incidents and identified the most common problems that led to hacking.

Misuse of third-party agreements and business logic errors

Any attack mainly starts with analyzing the victim. Blockchain technology provides many opportunities for automatic adjustment and simulation of hacking scenarios. In order to make the attack fast and concealed, the attacker must have the necessary programming skills and knowledge of the working principles of smart contracts. The hacker’s typical toolkit allows them to download a complete copy of their own blockchain from the main version of the network, and then fully adjust the attack process as if the transaction took place on the real network.

Next, the attacker needs to study the business model of the project and the external services used. The mathematical model of business logic and errors in third-party services are the two most commonly exploited problems by hackers.

The developers of smart contracts often need more relevant data when trading than they may have at any given moment. Therefore, they are forced to use external services-for example, oracles. These services are not designed to operate in a trustless environment, so their use implies additional risks. According to a statistic (since the summer of 2020), established types of risks accounted for the smallest proportion of losses-there were only 10 hacking attacks, and the total losses were about 50 million U.S. dollars.

Coding error

Smart contracts are a relatively new concept in the IT field. Despite their simplicity, the programming language for smart contracts requires a completely different development paradigm. Developers often do not have the necessary coding skills at all, and make serious mistakes, resulting in huge losses for users. 

Security audits can only eliminate part of this type of risk, because most audit companies on the market do not take any responsibility for the quality of their work and are only interested in financial aspects. Due to coding errors, more than 100 projects were hacked, resulting in a total loss of approximately US$500 million. A stark example is the dForce hacking incident that occurred on April 19, 2020. Hackers took advantage of a loophole in the ERC-777 token standard, combined with a reentry attack, and stole $25 million.

Flash loans, price manipulation and miner attacks

The information provided to the smart contract is only relevant when the transaction is executed. By default, the contract is not immune to potential external manipulation of the information contained in it. This makes a series of attacks possible.

A flash loan is a loan without collateral, but the borrowed cryptocurrency needs to be returned in the same transaction. If the borrower fails to return the funds, the transaction will be cancelled. This type of loan allows borrowers to receive large amounts of cryptocurrency and use it for their own purposes. Normally, lightning loan attacks involve price manipulation. An attacker can first sell a large amount of borrowed tokens in a transaction, thereby reducing its price, and then perform a series of actions with very low value before buying back the tokens.

Miner attacks are similar to lightning loan attacks on the blockchain based on the proof-of-work consensus algorithm. This type of attack is more complicated and expensive, but it can bypass some of the protective layers of flash loans. It works like this. Attackers rent mining power to form a block containing only the transactions they need. Within a given block, they can first borrow tokens, manipulate the price, and then return the borrowed tokens. Since the attacker independently formed the transactions entering the block and their sequence, the attack is actually atomic (other transactions cannot be “embedded” into the attack), just like the case of lightning loans. This type of attack has been used to attack more than 100 projects, with a total loss of approximately US$1 billion.

Over time, the average number of hackers has been increasing. At the beginning of 2020, a theft amounted to hundreds of thousands of dollars. By the end of this year, this figure had risen to tens of millions of dollars.

Developer incompetent

The most dangerous type of risk involves human error. People turn to DeFi in search of quick money. Many developers are poorly qualified, but still try to launch projects in a hurry. Smart contracts are open source, so they can be easily copied and altered by hackers. If the original project contains the first three types of vulnerabilities, they will spread to hundreds of cloned projects. RFI SafeMoon is a good example because it contains a critical vulnerability that was copied to one hundred projects, resulting in a potential loss of more than $2 billion.



Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Leave a Reply