Foot to Foot #4 The Flame That Burns Twice
“The truth is not always beautiful, nor beautiful words the truth.” ― Lao Tzu, Tao Te Ching
Our community contributor wanted to share their view of what they’ve observed across the general landscape of DeFi hacks.
The MetaVerse Has Deep Dark Corners
In these early days of the DeFi experience, as we explore new frontiers and develop more of this universe (multi-verse-sub-meta-verse-post-simulation), we are reminded more frequently than we’d like of the vulnerabilities of the products within this space.
Reviewing some of the more popular and recent hacks is a good way to understand the common themes behind these “rekt” situations. Understanding these themes might also enable us to act with a mindful sense of security in our daily DeFi actions. Most important is understanding how these exploited projects can strengthen their security posture to prevent such attacks and, in turn, raise the base level of security across DeFi.
The most notorious method of exploiting DeFi has become the now infamous flash loan. Rari Capital’s post mortem ($10M on 5/8/21) revealed they were exploited via a flash loan vulnerability. Cream most notably experienced this exact exploit three times this year alone: $130M on 10/27/21, $29M on 8/30/21, and $37M in February 2021. Other flash loan exposures were exploited in the Belt Finance hack ($6M on 5/29/21) as well as the Popsicle Finance hack ($20M on 8/3/21).
Interested in learning more about what a flash loan attack is and why projects are so commonly exposed to it? Halborn’s article on the topic does a great job of that.
Flash Loan Exploit Explained
A malicious actor borrows tokens using a flash loan and, in parallel, modifies the price of that token or some other token. This “tricks” a liquidity pool into seeing a higher price for the token (basically a pump and dump), and the actor then captures the arbitrage created by the price manipulation. What makes this vicious is that it all executes in a single transaction on the Ethereum network (or whichever other network supports flash loans). This means the attack is over as soon as it starts. One block later all the money is gone.
Despite how complex this kind of attack sounds, it can be avoided through best practices. One common method to thwart such an attack is to have the smart contracts involved take their quotes from a third-party price source, better known as an external pricing oracle, which prevents an internal price manipulation from happening in the first place. However, if that oracle points to low-liquidity pools or has an unknown error, this could also lead to unpredictable liquidations.
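The difference between an in-pool spot price and an external quote can be seen in a small model. The following is an added example, not code from any of the projects named here: a constant-product pool with constructed reserves, an assumed external reference price, and a deviation guard with a 5% tolerance that is this example's own assumption. It shows how far one large swap moves a shallow pool compared with a deep one, and how a contract that quotes the reference price refuses to act when the pool has diverged from it.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Constant-product pool (token * quote = k); fees ignored for clarity."""
    token: float  # reserve of the token being priced
    quote: float  # reserve of the quote asset, e.g. a stablecoin

    def spot_price(self) -> float:
        return self.quote / self.token

    def buy_token(self, quote_in: float) -> float:
        """Swap quote_in into the pool; returns the tokens paid out."""
        k = self.token * self.quote
        new_quote = self.quote + quote_in
        new_token = k / new_quote
        paid_out = self.token - new_token
        self.token, self.quote = new_token, new_quote
        return paid_out


def price_move(pool: Pool, quote_in: float) -> float:
    """Fractional change in spot price caused by one swap of quote_in."""
    before = pool.spot_price()
    pool.buy_token(quote_in)
    return pool.spot_price() / before - 1.0


def quoted_price(spot: float, reference: float, tolerance: float = 0.05) -> float:
    """Quote the external reference price, and refuse to quote at all when
    the pool's spot price has diverged from it by more than `tolerance`."""
    if abs(spot - reference) / reference > tolerance:
        raise ValueError("spot price diverges from reference; refusing to quote")
    return reference


# Constructed numbers: the same 1,000,000 swap against a shallow and a deep pool.
SWAP = 1_000_000.0
REFERENCE = 1_000.0  # price reported by the external oracle (assumed)


def demo() -> dict:
    shallow = Pool(token=1_000.0, quote=1_000_000.0)
    deep = Pool(token=100_000.0, quote=100_000_000.0)
    result = {"shallow_move": price_move(shallow, SWAP),
              "deep_move": price_move(deep, SWAP)}
    try:
        quoted_price(shallow.spot_price(), REFERENCE)
        result["shallow_guard"] = "quoted"
    except ValueError:
        result["shallow_guard"] = "rejected"
    result["deep_quote"] = quoted_price(deep.spot_price(), REFERENCE)
    return result
```

The shallow pool's price quadruples within the one swap while the deep pool moves about 2%, which is why an oracle that itself reads a low-liquidity pool inherits the same weakness.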
Aside from flash loan exploits, another common theme among more recent hacks has been the security of private keys. Paid Network ($27M on 3/5/21) infamously had their network secured by only one private key. When it was inevitably compromised, possession of the key allowed full access to upgrade the smart contract. With this power the attacker was able to replace the smart contract with new code, enabling themselves to mint their own tokens and later swap them for other tokens with actual value. BitMart ($196M on 12/4/21) also suffered a private key breach, which exposed the funds in two critical wallets, and to add one more to the private key exposure list: KuCoin ($45M on 9/29/21).
What’s interesting about most of the hacks outlined above is that all had some degree of auditing performed on their smart contracts. Clearly, auditing alone will not do much to ensure exploits won’t happen. Additionally, having insurance won’t always guarantee a full restoration of lost funds. Most of the time, what gets exploited may not have been “covered” by an insurance policy, especially if the piece of the system that was exposed was never audited.
It is possible, though highly unlikely, that funds are recovered, or at least partially recovered, through special investigations and cooperation with authorities. Depending on where a malicious attacker goes with their money, they may actually enable certain decentralized swap shops to share critical information about the source and destination of those funds as a means to later recover them or even make insurance claims on them. In some very rare circumstances the hacker might even give the money back. Take a look at Poly Network ($611M on 8/11/21), in which the individual behind the attack agreed to give the money back in exchange for not pressing charges. They even offered the hacker a position in the company as a “chief security advisor.” The Poly Network hack was one of the more unique attacks in that the attacker was able to exploit the proxy lock contracts of Poly Network on 3 separate chains.
There is also Coinbase, which was accused of delaying its public response after hackers were able to phish SIM card information from customers’ phones and use the password reset feature by intercepting the reset option sent in an SMS link to the compromised SIM.
There are a few protocols that have, in the long run, benefited from an exploit that forced the protocol to harden its security practices. Showcasing that a project is working to make its product more secure and even better shows that the protocol has a lot of staying power. After the Popsicle Finance attack, the project’s already small market cap of $26M fell to $14M. After the hack, the market cap skyrocketed to a peak of $630M just 2 ½ months later. This sent ICE, the project’s token, to a valuation several multiples higher than its hack lows. The rise in the token’s price allowed the project to pay back all the users affected by the exploit. Granted, they had a brilliant marketing strategy (forming frog nation) and the promise to relaunch an even more highly audited product with high yields using UniV3.
There is light at the end of the tunnel if a project is not completely crippled and can actually turn the experience around for its users by enhancing its security and doubling down on its original means of driving more value for them.