The financial instruments of the crypto ecosystem are nowhere near perfect, and that applies even to some of the best projects in the DeFi space. We see rug pulls almost every day on the Binance Smart Chain, leaving millions of users hopeless. While some companies are trying to compensate, others simply exploit the decentralized finance mechanism associated with smart contracts.
In most of these DeFi exploits, the developers install back-door exits that give even top auditing firms a tough time, and before anyone knows it, they cash out their accounts, leaving zero traces online. The money lost to such exploits is rising to unimaginable amounts: over $200 million in 2021 alone.
To understand how these attacks happen, we reached out to one of the core developers at Sushiswap, Mudit Gupta, and he shared some insights on this topic and helped us understand the inner workings behind such DeFi exploits. So let us get started!
Common Vulnerabilities in DeFi Protocols
A majority of the DeFi projects are exposed to the same vulnerabilities over and over again. While some use third-party resources, others deploy manipulation attacks to change several aspects of the protocol.
According to Mudit:
“Smart contract re-entry and oracle manipulation are two common vulnerabilities observed in the recent DeFi hacks. While the former was used in the infamous DAO hack, the latter is relatively new and usually involves using flash loans to poison the price feed of a token.”
What Is a Flash Loan Attack
As we know, flash loans allow users to gain access to large amounts of assets, provided they return the borrowed asset by the end of the transaction. But they can also be paired with oracle manipulation attacks.
“Flash loans alone cannot be considered a vulnerability, but when a hacker uses them to manipulate supply and demand, then it affects the price of tokens.” – Mudit
It is also important to note that the hacker should hold many tokens to have a significant impact on the DeFi protocol.
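The price effect described above can be reproduced with a small simulation. This is an added example, not code from the article, from Mudit, or from any project named here: it assumes a simplified constant-product pool (x * y = k) with fees omitted, constructed reserve figures, and hypothetical names (Pool, twap, within_band, simulate). It compares the spot price a contract would read mid-transaction with a time-weighted average, and shows a deviation guard rejecting the distorted value.

```python
# Added illustration, not code from the article or any project it names.
# Simplified constant-product pool (x * y = k); fees omitted; numbers constructed.
class Pool:
    def __init__(self, token, quote):
        self.token, self.quote = float(token), float(quote)

    def spot_price(self):
        """Quote units per token, read directly from current reserves."""
        return self.quote / self.token

    def buy_token(self, quote_in):
        out = self.token * quote_in / (self.quote + quote_in)
        self.quote += quote_in
        self.token -= out
        return out

    def sell_token(self, token_in):
        out = self.quote * token_in / (self.token + token_in)
        self.token += token_in
        self.quote -= out
        return out

def twap(samples):
    """Mean of per-block samples, each taken before that block's trades."""
    return sum(samples) / len(samples)

def within_band(price, reference, max_deviation=0.05):
    """Guard: accept a price only if it is close to the reference."""
    return abs(price - reference) <= max_deviation * reference

def simulate(borrowed_quote=90_000, blocks=10):
    pool = Pool(token=1_000_000, quote=10_000)
    samples = [pool.spot_price() for _ in range(blocks)]  # quiet history
    # One transaction: borrow, buy, (price is read), sell back, repay.
    samples.append(pool.spot_price())   # oracle sample at start of this block
    bought = pool.buy_token(borrowed_quote)
    manipulated = pool.spot_price()     # what a spot-price reader sees mid-transaction
    pool.sell_token(bought)             # reserves restored before repayment
    reference = twap(samples)
    return {
        "spot_mid_tx": manipulated,
        "twap": reference,
        "spot_after_tx": pool.spot_price(),
        "guard_accepts_spot": within_band(manipulated, reference),
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

In this model the spot price moves from 0.01 to 1.0 inside a single transaction and is back at 0.01 afterwards, while the per-block average never moves. That is why valuing tokens from a pool's instantaneous reserves is the weak point rather than the flash loan itself.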
How Responsible Are Developers for These Hacks
Bug-free software is usually not possible, especially for something as complicated as smart contracts. It is better to consider the different options available to lower the risk of being hacked.
Mudit said:
“Developers should follow best security practices to evaluate the protocols, but it is even more important to get external audits to ensure the reliability of the smart contracts.”
That is why we cannot normalize blaming developers for DeFi exploits. The industry is still growing, so we can expect to see better support systems to ensure such hacks never happen.
Common Reasons behind these Hacks
If we look at DeFi cases from a couple of years back, we see only code exploits being used by hackers, but that is not the case right now.
“In the DeFi space, it is crucial for developers to have good enough experience in financial primitives of blockchain and executing code. If they lack any one of them, their projects can be vulnerable to either economic or code exploits.” – Mudit
These hacks and exploits of protocol infrastructure will keep happening because we are still in the early stages of development, so investors should be careful when dealing with such experimental projects.
Major DeFi Hacks Explained
Pancake Bunny
Pancake Bunny has nearly $1.2 billion locked in farming pools, so it is clearly serving its purpose and helping farmers earn yields. The vaults associated with the Pancake Bunny project are unique because they save gas fees and the interest auto-compounds every 24 hours. The staking mechanism is also robust, and users don’t have to follow any complex procedures to set up their account.
What went wrong:
The hack on Pancake Swap is a typical case of price manipulation using flash loans. The WBNB-BUNNY LP is flawed, and the hacker took advantage of it. The price of tokens in the liquidity pool was inflated, and the smart contract made it easy for the attacker to receive large amounts of BUNNY tokens. Here is a detailed analysis from SlowMist.
Money Lost:
The attacker got away with 700,000 BUNNY tokens and 114,000 BNB, which at the time were valued at $200 million.
BurgerSwap
BurgerSwap is an automated market maker that helps users earn mining rewards and interest on their contributions to the LP. It got great attention from top protocols in the industry for its cross-chain token swaps. It also allows users to participate in governance. The main reasons people use BurgerSwap are its low fees and low barriers to entry.
What went wrong:
A flash loan attack caused BurgerSwap to lose millions of dollars in only 14 transactions. The attacker had deployed a fake native coin to form a trading pair with BurgerSwap, leading to an increase in the reserve supply. As the price kept on increasing, the hacker started to accumulate more assets.
Money Lost:
$1.6 million in BNB, $3.2 million in BURGER coin, $1.4 million in Tether, and $152,000 in ROCKS
How can we minimize DeFi hacks and make protocols more reliable?
The DeFi market has close to $100 billion in locked value, so we can expect more such exploits from different hackers worldwide. The crypto space is now a fast-moving arena, so we will definitely be at a loss if we don’t keep up with it. This is why developers have to embrace a new philosophy when it comes to smart contract development. Here are some best practices to guard against security threats:
Careful Rollouts
Comprehensive testing and bug bounties help a great deal in increasing security for smart contracts. It is also recommended to release the project to full production in multiple phases. This way, developers can conduct testing after every phase and refine the functionalities of the smart contract.
Easy-to-Manage Code
When things get complex, mistakes pile up, so the best practice to follow is to keep your code simple. The easiest way to do that is to break down the code into modules and differentiate each function. This gives the development team more clarity and assurance on their code’s functionality.
In-depth Analysis on Blockchain
Developers can build one of the best programs ever, but if they don’t understand how smart contracts work in real-time, they will most probably miss some key functions in the execution of the code. So developers need to get familiarized with blockchain, including external contract calls, block gas limits, and timestamps.
Closing Thoughts
We have lost more than $1B in DeFi hacks in the last three years, so the importance of safeguarding these protocols cannot be emphasized enough. New vulnerabilities like oracle manipulation are also surfacing, and many hackers use them to pump and dump token prices. While there are companies like Chainlink providing promising solutions, the number of attacks seems only to increase. Smart contracts are indeed revolutionary entities, but we should be careful about which projects we are dealing with. So keep updating your knowledge base on such projects and do your own research to avoid getting caught in such DeFi exploits.

Born and brought up in India, Karthikeya Gutta is a crypto journalist and freelance contributor for ItsBlockchain. He covers various aspects of the industry with in-depth analysis and research. His passion towards blockchain and crypto ecosystem is mainly because he believes it can really change the world and help millions of people.