Analyses of many hacks show the main vectors and existing vulnerabilities in the decentralized finance (DeFi) industry. The DeFi world is growing at a rapid pace. About three years ago, the total value locked in decentralized finance was just $800 million.
By February this year, this figure had surged to reach $40 billion and in April 2021 it had reached the $80 billion milestone. Currently, it is believed that this figure stands at above $140 billion. This rapid and massive growth in a nascent market also attracted a lot of attention from all sorts of hackers and fraudsters.
Based on a report by a cryptocurrency research firm, since 2019, the DeFi industry has lost nearly $284.9 million to hacks and many other exploit attacks. Hacks of the blockchain ecosystems are a perfect means of enrichment from the point of view of the hackers. Since all these systems are anonymous, they have some money to lose, and any hack can be tuned and tested without the victim’s knowledge.
Within the first four months of this year, losses had soared to reach $240 million and these are the publicly known cases. It can be estimated that the real losses could reach billions of dollars.
How is all that money stolen from decentralized finance protocols? Various hacker attack strategies exist and experts have now determined the most common challenges that result in successful hacker attacks.
Misuse Of Business Logic Errors And Third-Party Protocols
Any attack starts mainly with an analysis of the victim. Blockchain technology offers a lot of opportunities for automatic tuning and the simulation of hacking scenarios. For such an attack to be fast and relatively invisible, the attacker needs to have the needed programming skills and knowledge of how smart contracts work.
The normal toolkit of a hacker enables them to download their full copy of a blockchain from the main version of the network. They can then fully tune the entire process of an attack as if the transaction was happening in a real network.
After that, the hacker needs to study the involved business model of the project and the external services used. Errors that arise in the mathematical models of business logic and third-party services are two of the issues that are mainly exploited by these hackers.
Developers of these smart contracts normally need more data that is relevant at the time of a transaction than they may have at any other given moment. They are thus compelled to use external services, for instance, oracles. These services are not designed to operate in a trustless environment, which means that their use implies extra risks.
Based on statistics for a calendar year, since the summer of 2021, the given type of risk involved accounted for the smallest percentage of losses, just 10 hacks, resulting in losses that totaled nearly $50 million.
Coding Mistakes And Issues
Smart contracts are still a new concept in the IT space. Despite the simplicity, the programming languages for smart contracts need an entirely different development paradigm. The developers sometimes just do not have the needed coding skills and make costly mistakes that result in massive losses for the users.
Security audits get rid of only a few of this type of risk since most of the audit firms on the market do not bear any responsibility for the quality of the work they do and are just interested in the financial aspect.
Over 100 projects were hacked as a result of the coding errors, resulting in a total volume of losses that stand at nearly $500 million. A good example is the dForce hack that happened on April 19, 2021. The hackers managed to use a vulnerability in the ERC-777 token standard together with a reentrancy attack and managed to steal $25 million.
Price Manipulation, Flash Loans, And Miner Attacks
All the information that is supplied to the smart contract is quite relevant just at the time of execution of a transaction. Notably, the contract is not immune to possible external manipulation of the information that is contained within. That makes an entire spectrum of attacks possible.
Flash loans are loans without collateral but comprise the obligation of returning the borrowed cryptocurrency within a similar transaction. In case the borrower fails to return the borrowed money, the transaction is reversed or canceled. These loans enable the borrower to get huge amounts of cryptos and use them for their purposes.
Normally, flash loan attacks involve price manipulation. An attacker can first sell a huge number of borrowed tokens within a transaction, thereby lowering their price, and then do a scope of actions at a low value of the token before buying them back.
A miner attack is an analog of a flash loan attack on blockchains working based on the proof-of-work consensus algorithm. Notably, this type of attack is more complex and expensive, but it can bypass some of the protection later of flash loans. This is the way it works: the attacker rents mining capacities and capabilities forming a block that has just the transactions they require.
Within a given block, they can first borrow tokens, manipulate the prices and then return the borrowed tokens. Since the attacker forms the transactions that are entered into the block independently and their sequence, the attack is normally atomic as is the case of flash loans. There is no other transaction that can be ‘wedged’ into the attack.
That type of attack has been used to hack more than 100 projects, with the losses totaling nearly $1 billion. The average number of hacks has been increasing over some time. At the start of 2021, one theft accounted for hundreds of thousands of dollars. By the end of last year, the amounts had surged to tens of millions of dollars.
The most dangerous type of risk is the one that involves the human error factor. People resort to decentralized finance in a search for quick money. Most of the developers are poorly qualified but they still strive to launch projects speedily. Smart contracts are open source and therefore they are easily copied and changed in small ways by hackers.
In case the original project has the first three types of vulnerabilities, it might spill over into hundreds of cloned projects. RFI SafeMoon is a great example since it contains a crucial vulnerability that has been superposed over around a hundred projects, which led to a possible loss of more than $2 billion.