Review the 2021 DeFi attack case: How to avoid choosing a vulnerable protocol

Smart contracts have given us many features such as decentralization, no need for trust, and trustlessness. However, after removing human operations, once the smart contract opens the skylight, the assets may be taken by hackers. DeFi penetration rate and adoption rate are rising, and project parties are mixed. How to protect assets with eye-catching attention has become more and more important.

This film analyzes the examples of DeFi attacks since 2021 in a simple way, and proposes ways to prevent it. It is simple and easy to understand.

At present, the DeFi market segment has two characteristics: one is that it is soaring to unprecedented heights: it is not well regulated, and almost no person with the resources or technical skills can operate smart contracts and attract users. These two factors make the field very attractive to attackers.

How did these attacks happen? How to protect yourself? We will study its mechanism and provide examples of the biggest attacks in DeFi in order to understand which protocols require special care.

The shortest DeFi overview

DeFi provides blockchain-based financial services, such as lending and interest generation. The key point is that DeFi is inclusive and permissionless-anyone, regardless of their citizenship, social status, and credit history, can use it. DeFi is trustless because it runs on smart contracts-all terms and conditions are described in advance, written in code, and can now be executed without human intervention. Here, the only thing users can trust is the ability of the protocol team to write good code. In turn, since most projects are open source, audits and the community usually check this.

However, how can this leave room for manipulation?

How can an attacker exploit the insecurity in DeFi?

A hacking attack on DeFi refers to someone using a loophole in the protocol to obtain funds locked in the protocol. Here are the three main “strategies” to achieve this goal:

DeFi projects are produced very quickly, and the team does not always have time to thoroughly check their code. Hackers took advantage of these vulnerabilities.

Each DeFi protocol has its own mechanism, how users lock their funds, and how they get rewards. Sometimes, the founders of the protocol don’t know how these mechanisms are abused, and they become huge loopholes.

Some teams deliberately created problems-they abused their huge influence in the project by selling their shares and dumping tokens (the community did not notice this).

The two most commonly used attack schemes in DeFi

Let’s take a look at the two most widely used mechanisms in DeFi-carpet pull and flash loan attacks.

Review the 2021 DeFi attack case: How to avoid choosing a vulnerable protocol

Pulling the carpet-withdrawing fluidity when no one expects it

In the “carpet pull”, the owner or developer suddenly withdraws liquidity from the pool, triggering panic and forcing everyone to sell their assets. Basically, this is an exit scam. The higher the founder’s stake in a project, the more suspicious the project: “Pulling the carpet” is one of the centralization risks discussed by DeFi.

It started like this: the founder announced a new platform with native tokens and provided some cool rewards. Then, the team creates a liquidity pool on a decentralized exchange (such as Uniswap), and the tokens are paired with ETH, DAI or other major currencies. Users are encouraged to bring more liquidity, because it will bring them high returns. Once the token price rises, the founders will reclaim their liquidity and disappear.

It is not a good thing for developers to have a large number of shares, but even if they do, there is a way to protect the project: Developers can set up a program that does not allow them to quit before a certain day in the future. This greatly increased the trust in the project.

Lightning loan attack-extraction and elimination of liquidity

What is a “flash loan”? It allows users to borrow an unlimited amount of money in a short period of time without collateral-users must repay the loan and interest before the next block is mined, and mining takes only a few seconds. If the user does not repay the loan, the transaction will not end and the borrowed funds will be taken from the user.

One of the key uses of flash loans is arbitrage: profit from asset spreads on different platforms. For example, the cost of Ethereum on Exchange A is $2,000, and the cost on Exchange B is $2,100. Users can get a lightning loan worth $2,000, buy ETH on Exchange A and sell it on Exchange B. The user’s profit will be $100 minus gas fees and loan fees.

Review the 2021 DeFi attack case: How to avoid choosing a vulnerable protocol

The infinite nature of flash loans paves the way for exploits. The following is a general scheme for a quick loan attack:

An attacker borrows 200 tokens A, worth 100,000 USD (a token A is worth 500 USD).

Then, he bought token B aggressively in the A/B liquidity pool. This pushed up the price of token B, while token A fell and is now worth only $100.

When coin B skyrocketed, the attacker sold it back to coin A for $100. Now, compared to the original 200 tokens, it can afford 1,000 tokens A (after the price drops by 5 times).

However, the attacker only lowered the price of token A in this smart contract. The lender of the flash loan still buys Token A at a price of $500. Therefore, the attacker used his 200 tokens A to repay the loan and took the remaining 800 tokens.

As you can see, lightning loans take advantage of the nature of decentralized exchanges without actual hacking. They simply throw off token A and remove a considerable part of the liquidity in the pool, which is basically stealing funds from the liquidity provider.

Major DeFi attacks in 2021

1. Meerkat Finance hacker This is a typical carpet pull, however, it is unusually cynical. Meerkat Finance is a liquid mining agreement, and the owner cannot even use the pooled funds. Shortly before the attack (that is, one day after the project was launched!), they upgraded the agreement, gained access, deleted all Meerkat Finance’s social media accounts and their websites, and carried $13 million worth of stablecoins and 73,000 BNB worth $17 million escaped. 2. Alpha Homora Lightning Loan Attack

Review the 2021 DeFi attack case: How to avoid choosing a vulnerable protocol

The risk is rising! In the Alpha Homora attack in February this year, 37 million US dollars were stolen. The lending platform was launched in October 2020 and was recently upgraded to the V2 version. In an Alpha Homora V2 pool, the attacker borrowed and lent millions of stablecoins to inflate its value and make the attacker obtain huge profits.

3. EasyFi private key theft

Review the 2021 DeFi attack case: How to avoid choosing a vulnerable protocol

In April of this year, EasyFi, the Polygon-based lending protocol, suffered the most serious DeFi hacker attack. In a hacker attack, the private key of a network administrator was stolen, which allowed the attacker to obtain the company’s funds. Three million EASY tokens worth 75 million USD were stolen. In addition, there was a $6 million worth of stablecoins stolen in EasyFi’s vault.

4. Saddle Finance Arbitrage

Review the 2021 DeFi attack case: How to avoid choosing a vulnerable protocol

This is another lightning loan attack, especially this time. Saddle Finance is a Curve-like protocol for trading packaged assets and stablecoins. One day after its release, it was attacked on January 21, 2021. Through a series of arbitrage attacks, the attacker successfully obtained nearly 8 Bitcoins of liquidity in just 6 minutes. This may be due to a loophole in the smart contract of the pool-the attacker pulled the price of the stablecoin so high that one token worth 0.09 BTC was exchanged for another token worth 3.2 BTC.

How to avoid choosing a vulnerable protocol?

“Flash loans” always happen unexpectedly, and people cannot always see the possibility of “pull the carpet” in advance. However, following these suggestions will help users pay more attention to suspicious signs and may help users avoid monetary losses. pay attention:

The team and its reputation. Who are the founders and developers? Is the team public? Has it ever participated in any trusted encryption projects? If not, this is not necessarily a bad thing, but it should be a cause for concern.

Visit the vault. Does this team have it? To what extent? If the founder’s shareholding ratio is too high, this is not a red flag.

Multi-signature access to company funds. If the developer has enabled multi-signature access to the library, and someone outside the team has some signatures, this may help prevent “carpet pulling”.

Life and mobility. If developers lock their funds for a period of about a year, users can rest assured that the team will not withdraw at least until the end of this period.

What measures can protect DeFi from attack?

As DeFi matures, there is a considerable amount of liquidity in the pool, and the large amount of liquidity in the pool may be the main factor in reducing the risk of lightning loan attacks.

The maximum limit of flash loans does not allow attacks.

Security audits of smart contracts will make room for contracts that are vulnerable to attacks and misconfigurations.

Better supervision will help avoid deliberate release of vulnerable protocols.

Some projects have implemented community vulnerability rewards to help users find vulnerabilities and backdoors in the agreement to obtain rewards.


DeFi uses permissionless and trustless tools to increase considerable revenue in a short period of time, thereby revolutionizing finance. However, its many vulnerabilities are often used by attackers and malicious developers. Every attack requires protocols to improve security, and this is how DeFi hackers help the industry grow.


Posted by:CoinYuppie,Reprinted with attribution to:
Coinyuppie is an open information publishing platform, all information provided is not related to the views and positions of coinyuppie, and does not constitute any investment and financial advice. Users are expected to carefully screen and prevent risks.

Leave a Reply