DeFi Attacks And Ways To Avoid Them

Two things are distinctive for the DeFi segment right now: it’s soaring to unprecedented heights, and it’s poorly regulated, so almost anyone with resources or some tech skills can run a smart contract and attract an audience. Together, these make the field overly alluring to attackers: almost $300 has been stolen in DeFi since 2019, of which around $150 in 2021 alone.

How exactly do these attacks happen, and how can you protect yourself? We will look at the mechanics and give examples of the biggest attacks in DeFi so you can see which protocols to be particularly cautious with.

The shortest possible DeFi overview

DeFi gives access to blockchain-based financial services such as borrowing, lending, and interest-earning. The key thing is that DeFi is inclusive and permissionless — anyone irrespective of their citizenship, social status, and credit history can take advantage. DeFi is trustless as it runs on smart contracts — all the terms & conditions have been described beforehand, written in code, and now execute without human intervention. The only thing you are left to trust here is the protocol team’s ability to write good code. This, in turn, is commonly checked by audits and by the community as most of the projects are open-source.

If this makes no sense to you, consider reading these first: 8 perks of decentralized finance and 7 biggest DeFi projects in 2021.

How does this leave room for manipulation, though?

How do attackers take advantage of the insecurities in DeFi?

A hack in DeFi is when someone uses the vulnerabilities of a protocol to gain access to the funds locked in it. Here are the three main “strategies” of how this is done:

  1. DeFi projects are made very fast, and the team doesn’t always have time to thoroughly review their code. Hackers exploit these vulnerabilities.
  2. Every protocol in DeFi has its own mechanic of how users lock their funds and how they get rewarded in return. Sometimes protocol founders don’t see how some of these mechanics can be abused and become loopholes for big money-making.
  3. Some teams cause problems intentionally — they misuse their huge influence in the project (which the community didn’t notice) by selling their stakes and dumping the token.

Two most used attack schemes in DeFi

Let’s consider the two most widely used mechanics in DeFi — Rug Pulls and Flash Loan Attacks.

Rug Pull — withdrawing liquidity when no one is expecting

In a rug pull, owners or developers suddenly withdraw their liquidity from a pool, provoking panic and making everyone sell the asset. Basically, this is an exit scam. The higher the founders’ stake in a project, the more suspicious it is: a rug pull is exactly one of those centralization risks discussed in DeFi.

Here’s how it goes from the beginning: the founders announce a new platform with its native token that offers some cool incentives. Then, the team creates a liquidity pool on a decentralized exchange like Uniswap where the token is paired with ETH, DAI, or other major coins. Users are incentivized to bring in more liquidity as it will bring them high yields. As soon as the token’s price pumps, the founders withdraw their liquidity and vanish.

Developers’ big stake is not a great thing, but even if there is one, there’s a way to protect the project: devs can set the program in a way that won’t allow them to withdraw before a certain day in the future. This adds much to trust in the project.

Flash loan attacks — pumping and removing liquidity

What is a flash loan? It allows you to borrow unlimited amounts of money without collateral for a very short time — during one single transaction. You have to repay the loan plus interest before the next block is mined, which happens in mere seconds. If you don’t repay the loan, the transaction will not settle and the borrowed funds will be taken away from you.

One of the key use cases of flash loans is arbitrage: taking profits from price differences of an asset at different platforms. Say, Ethereum costs $2,000 on Exchange A and $2,100 on Exchange B. You can take a flash loan worth $2,000, buy ETH on Exchange A, sell it on Exchange B, and your profit will be $100 minus gas and loan fees.

The limitless nature of flash loans paves the way for exploits. Here’s a general scheme of a flash loan attack:

  • An attacker borrows 200 Tokens A worth $100,000 (one Token A costs $500).
  • Then, he aggressively buys Token B in an A/B liquidity pool. This pushes the price of Token B up, while Token A dumps and is now worth only $100.
  • When Token B skyrockets, the attacker sells it back for Token A at $100. Now, he can afford 1,000 Tokens A compared to the initial 200 (after a 5X decrease in price).
  • The attacker collapsed the Token A price in this smart contract only, however. The lender of the flash loan still takes Tokens A at $500. Hence, the attacker repays the loan with his 200 Tokens A, and takes the remaining 800.

As you can see, flash loans exploit the decentralized exchanges’ nature with no actual hacks. They simply dump Token A and remove a considerable part of the pool’s liquidity, which is basically stealing the liquidity providers’ funds.

The major DeFi attacks in 2021

1. Meerkat Finance hack

This is a classic example of a rug pull, performed, however, with exceptional cynicism. Meerkat Finance was a yield farming protocol where the owners didn’t even have access to the pooled funds. Shortly before the attack (and one day after the project’s launch!), they upgraded the protocol to gain this access, deleted all Meerkat Finance social media accounts and their website, and escaped with $13 million in stablecoins and $17 million in 73,000 BNB.

2. Alpha Homora flash loan attack

Stakes are rising! $37 million was stolen in the Alpha Homora attack this February. This borrowing and lending platform launched in October 2020 and recently upgraded to a V2 version. In one of the Alpha Homora V2 pools, an attacker borrowed and lent out millions of stablecoins, which inflated their value, allowing the attacker to make huge profits.

3. EasyFi private keys theft

One of the most severe DeFi hacks happened this April with EasyFi, a Polygon-based lending protocol. In the hack, a network administrator’s private keys were stolen, which gave the attackers access to the company funds. 3 million EASY tokens worth $75,000,000 were stolen. On top of that, another $6,000,000 in stablecoins was taken from EasyFi’s vault.

4. Saddle Finance arbitrage exploit

This is another flash loan attack on our list, especially illustrative this time. Saddle Finance, a Curve-like protocol for trading wrapped assets and stablecoins, was attacked on January 21, 2021 — one day after its launch. By performing a series of arbitrage exploits, attackers managed to take almost 8 BTC of liquidity in a mere 6 minutes. This was possible due to a vulnerability in a pool’s smart contract: the attackers stretched the stablecoins’ prices so far apart that one of the tokens worth 0.09 BTC was swapped for another one worth 3.2 BTC.

How to avoid vulnerable protocols susceptible to attacks?

Flash loan attacks always happen unexpectedly, and one can’t always see the probability of a rug pull in advance. However, following these tips will help you notice suspicious signs and may help you avoid losing money. We recommend you pay specific attention to:

  1. The team and its reputation. Who are the founders and the developers? Is the team public? Has it ever been involved in any trustworthy project in crypto? If it hasn’t, this is not necessarily bad but should be a point of concern.
  2. Access to vaults. Does the team have it? To what extent? If the share of the founders in the pool is too high, this is a red flag.
  3. Multisig access to company funds. If developers have enabled multi-signature access to vaults and someone outside the team holds some signatures, this may help prevent a rug pull.
  4. Time-locked liquidity. If developers have time-locked their funds for a year or so, the users can rest assured that the team won’t exit-scam at least before this period ends.

What measures could protect DeFi from attacks?

  1. Considerable amounts of liquidity in pools as DeFi matures could be the main factor for lowering the susceptibility to flash loan attacks.
  2. Maximum limits on flash loans would leave attackers too little borrowed capital to carry out such attacks.
  3. Security audits for smart contracts would clear the space from vulnerable and misconfigured ones.
  4. Better regulation would help keep knowingly vulnerable protocols from being released.
  5. Community bug bounties already carried out by some projects help users get rewarded for finding bugs and backdoors in protocols.
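
Measures 1 and 2 can be put into numbers. The following is an added example, not part of the original article: it assumes a fee-free constant-product pool (reserve_a * reserve_b = k, a pricing formula the article does not specify) and shows how far one swap shifts the pool price at a given depth, and which swap size, and therefore which loan cap, keeps the shift under a tolerance. All function names and pool sizes are illustrative.

```python
from math import sqrt

# Assumed model: fee-free constant-product pool, reserve_a * reserve_b = k.
# Spot price of Token B, quoted in Token A, is reserve_a / reserve_b.

def swap_a_for_b(reserve_a, reserve_b, amount_a):
    """Return the reserves after amount_a of Token A is swapped into the pool."""
    k = reserve_a * reserve_b
    new_a = reserve_a + amount_a
    return new_a, k / new_a

def price_move_factor(reserve_a, amount_a):
    """Factor by which the A/B spot price shifts after one swap of amount_a.

    Closed form of the swap above: (1 + amount_a / reserve_a) ** 2.
    """
    return (1 + amount_a / reserve_a) ** 2

def max_input_for_move(reserve_a, max_factor):
    """Largest single swap (so, largest useful loan) that keeps the price
    shift at or below max_factor for a pool holding reserve_a."""
    return reserve_a * (sqrt(max_factor) - 1)

def min_reserve_for_move(amount_a, max_factor):
    """Pool depth in Token A needed so a swap of amount_a cannot shift the
    price by more than max_factor."""
    return amount_a / (sqrt(max_factor) - 1)

def depth_report(amount_a, reserves):
    """Price shift of the same swap against pools of increasing depth."""
    return [(r, round(price_move_factor(r, amount_a), 4)) for r in reserves]

if __name__ == "__main__":
    # Constructed figures: the 200-token loan and 5x price shift come from the
    # scheme in the article; the pool sizes are made up for illustration.
    for reserve, factor in depth_report(200, [200, 2_000, 20_000, 200_000]):
        print(f"pool holds {reserve:>7} Token A -> price shifts x{factor}")
    print("depth at which 200 tokens cause a 5x shift:",
          round(min_reserve_for_move(200, 5.0), 1))
    print("loan cap for a 2% shift in a 20,000-token pool:",
          round(max_input_for_move(20_000, 1.02), 1))
```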

Final word

DeFi revolutionized finance with permissionless and trustless tools for raising considerable income in a short time. However, its numerous vulnerabilities are often used by attackers and malicious developers. Each attack pushes protocols to raise their security, and this is how DeFi hacks help the industry grow. But until it’s safer, research the projects you plan to invest in well. Put your money only where you trust and remember there is always some risk.
