DeFi is the term for decentralized financial systems, covering, among other activities, the decentralized trading of virtual assets. Two of the main characteristics of DeFi are that no middleman is needed and that the systems operate autonomously. According to DeFi Pulse, the total value of assets locked in DeFi has reached more than $100 bln. DeFi trading offers users a high level of transparency, and the requirements for joining are minimal. As a result, the DeFi market is growing rapidly. However, the more virtual assets DeFi accumulates, the stronger the motivation for malicious actors to attack this market. DeFi hacks are becoming a new reality. In the first 7 months of 2021, DeFi hacks accounted for 76% of major hacks in the world of crypto, and DeFi projects lost $361 mln to hacks in total over that period. Compared to 2020, the scope of DeFi risks has increased almost 3 times. That is why DeFi safety has become one of the most discussed topics among crypto enthusiasts.
In February 2021, the DeFi project Yearn Finance lost $11 mln through the exploitation of the project’s yDAI vault; however, because of various fees, the attackers made only $2.7 mln in profit. During this attack, the malicious actor took a number of flash loans from dYdX and Aave and then used the borrowed funds as collateral for a loan on Compound. In April 2021, EasyFi, a DeFi protocol running on the Polygon network, suffered a hack in which attackers stole more than $81 mln in different currencies. A malicious version of MetaMask was injected by the hacker into the target computer, which allowed the hacker to steal private keys; the compromised machine was used by the project only for official transfers. One of the most discussed security cases in the list of 2021 DeFi hacks is the Poly Network incident, in which more than $610 mln were stolen by a hacker; Poly Network was fortunate to recover all the funds. That hack was made possible by the hacker’s compromise of the project’s smart contract. The number of DeFi hacks keeps growing, and the scope of DeFi risk remains at an unprecedented level.
One of the main reasons behind the intensification of DeFi hacks in 2021 is the wide range of hacking techniques used by malicious actors, combined with projects’ failure to pay enough attention to DeFi safety.
There are generally 3 types of DeFi risks faced by projects that may result in a DeFi hack or cause a project serious financial or reputational losses: financial, procedural, and technical risks.
Financial risks arise when a project’s developers fail to design an operating model under which the financial risks faced by users are mitigated as far as possible and no hidden ways of losing assets appear. Interaction with unethical investors such as flippers also constitutes a serious financial DeFi risk: because of such investors’ behaviour, DeFi projects can experience a sharp drop in the price of their tokens and, as a result, lose their competitiveness.
Procedural DeFi risks are the threats users face when interacting with a DeFi project or service. Phishing attacks are an example of a procedural risk. Generally, procedural DeFi risks cover any technique used by malicious actors to lure victims into performing unintended actions.
Technical DeFi risks relate to smart contracts, software, and hardware. When technical DeFi risks materialize, the functionality of a project as a whole may be compromised.
Let’s take a deeper look at the main types of DeFi risks.
One of the key reasons behind major DeFi hacks is issues in smart contracts. Smart contracts play a great role in enabling automation; however, they may contain vulnerabilities of different severity levels. The list of smart contract risks affecting DeFi safety includes front-running, gas griefing, dependency on block timestamps, integer overflow or underflow, etc. By compromising a project’s smart contracts, malicious actors can carry out successful DeFi hacks.
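As an added illustration of the integer overflow/underflow item in that list (example code written for this article, not from Hacken or from any audited project), the hypothetical contract below places the unsafe pattern beside its hardened form. Solidity 0.8 and later reverts on overflow by default, so the vulnerable variant has to opt out with an `unchecked` block, which reproduces the pre-0.8 behaviour that many historical incidents relied on. The contract name, the initial balance and the function names are all constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical token ledger used only to illustrate integer underflow.
contract UncheckedLedger {
    mapping(address => uint256) public balanceOf;

    constructor() {
        // Constructed starting balance for the deployer.
        balanceOf[msg.sender] = 1000;
    }

    // VULNERABLE: the `unchecked` block disables Solidity 0.8's overflow checks,
    // reproducing pre-0.8 behaviour. A sender whose balance is below `amount`
    // does not fail; the subtraction wraps around to a value close to 2**256,
    // giving the sender a huge balance out of nothing while `amount` is still
    // credited to `to`.
    function transferUnchecked(address to, uint256 amount) external {
        unchecked {
            balanceOf[msg.sender] -= amount;
            balanceOf[to] += amount;
        }
    }

    // HARDENED: an explicit precondition plus checked arithmetic. Even without
    // the require, Solidity >= 0.8 reverts the transaction on underflow; the
    // require adds a clear error message that users and auditors can act on.
    function transfer(address to, uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}
```

For contracts pinned to a compiler older than 0.8.0, the same protection has to come from a library such as OpenZeppelin’s SafeMath. A practical audit checklist item therefore reads: is every arithmetic operation checked either by the compiler or by such a library, and is every `unchecked` block justified by a comment explaining why wrap-around cannot occur there.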
The list of common hardware risks affecting DeFi safety includes incompatibility, power issues, and sensitivity. Although the majority of DeFi activity takes place in a virtual environment, a project’s failure to secure its hardware may result in a DeFi hack, since hardware may store sensitive information.
The list of major software DeFi risks includes DDoS attacks, uncontrolled format strings, injections, and overflows. If a DeFi project fails to address software risks, the normal functioning of its service or app may be disrupted.
Because of the high potential for solid financial rewards, some DeFi investors try to victimize others. Often these unethical investors face no penalties or sanctions, since DeFi projects operate in an unregulated environment. Also, by prioritizing high earnings over security, some DeFi projects are likely to invest inadequate sums in their security. As a result, immediate profits may turn into huge long-term losses caused by DeFi safety issues.
The most common type of procedural DeFi risk is the phishing attack. Malicious actors replicate popular websites or draft emails resembling those from trusted sources. The hacker’s key purpose is to obtain victims’ sensitive data such as logins or passwords. Often malicious actors create fake chats or websites imitating popular DeFi projects to trick users into sending their virtual assets to wallets belonging to the bad actors. Such DeFi hacks may allow bad actors to earn solid money without any risk of punishment. Other social engineering techniques applied by malicious actors, such as baiting, SIM-swapping, and pretexting, have a similar purpose: gaining access to users’ sensitive information. Procedural risks constitute a serious threat to DeFi safety since they are hard to address and hackers constantly look for new methods.
The reputation of DeFi projects among investors worldwide suffers heavily from scammers. One of the most widespread forms of scam affecting DeFi security is the rug pull: a situation in which a project’s developers run away with investors’ money and abandon the project. Rug pulls mostly occur on decentralized exchanges. The key DeFi security issue in this case is that developers are not required to have their tokens audited before listing them on decentralized exchanges.
Unaudited smart contracts leave hackers a large room for manoeuvre, and they actively target projects that have neglected smart contract audits. A large share of DeFi hacks is attributable to miner attacks. These attacks are analogous to flash loan attacks but are somewhat more complex and expensive: malicious actors rent mining capacity and form a block containing only the transactions they need. They first borrow tokens, perform price manipulations, and then return the assets. This type of attack is atomic.
DeFi safety is the responsibility of both projects and investors. The most effective way for investors to address DeFi risks is due diligence. At the same time, to mitigate the risk of DeFi hacks, projects should undergo regular security testing and complete an audit of their smart contracts before listing. Technology vendors also release updates and patches for DeFi solutions so that security vulnerabilities can be eliminated before hackers learn about them; the faster a project applies these security updates, the better its chances of preventing a DeFi hack.
DeFi safety heavily depends on the quality of the relationship between projects and their investors. One of the main risks faced by DeFi projects in 2021 is the sudden exit of investors after an IDO. That is why, before providing allocations to investors, a DeFi project should check whether they are reliable players by reviewing their transaction history.
Malicious actors actively create fake websites and media channels of projects to lure users into transferring assets to hackers’ wallets. To prevent such DeFi hacks, projects should cooperate with security vendors that have enough capacity to block malicious resources. For example, the Hacken Foundation project disBalancer has entered into a number of partnerships with DeFi projects and exchanges whereby the solution will protect these players from scammers by blocking fake resources using the testnet.
Projects should realize that the majority of DeFi hacks are caused by mistakes made by the projects’ own developers. Thus, when hiring software engineers, DeFi projects need to consider the candidate’s portfolio of implemented projects, certifications or recognitions, and whether he/she has enough experience in creating smart contracts. It is also important to give developers adequate training before delegating the development of certain elements of the product to them. Each solution has its own specifics, and unless a developer is aware of all its peculiarities, there is a risk that some flaws will be overlooked. By following these recommendations on DeFi safety, projects can significantly increase their chances of preventing serious DeFi hacks.
The most effective measure for DeFi projects to prevent DeFi hacks and address major DeFi risks is a smart contract audit performed by a reputable vendor such as Hacken. During the audit, Hacken experts perform manual and automated checks for vulnerabilities in smart contracts and provide clients with a detailed report containing the specific steps to be taken to eliminate the flaws. However, under the new smart contract audit methodology developed by Hacken auditors, a large part of the work must be performed by the client during the pre-audit phase: only when the client’s team knows everything about their own project can the smart contract audit bring maximum value.
A high-quality smart contract audit should be performed by at least 2 auditors working simultaneously and independently of each other. Afterwards, a lead auditor reviews the process to ensure that all issues have been considered. The auditors’ role is to assign a correct severity score to every detected issue so that the client can see which bugs need to be fixed immediately to prevent DeFi hacks.
Overall, the modern DeFi environment is characterized by an unprecedented level of DeFi risk. The DeFi hacks of 2021 were caused both by projects’ mistakes and by attackers’ use of novel hacking techniques. Thus, only those projects that put enough effort into ensuring DeFi safety are likely to prevent serious DeFi hacks in the future.