Two things are characteristic of the DeFi segment at the moment: it is rising to unprecedented heights, and it is poorly regulated, so practically anyone with the resources or technical skills can write a smart contract and attract an audience. These two factors make the field very tempting for attackers: almost $300 was stolen in DeFi since 2019, of which around $150 in 2021 alone.
How exactly do these attacks work and how can you protect yourself? We'll look at the mechanics and give examples of the biggest attacks in DeFi so you can see which protocols to be extra careful with.
DeFi provides access to blockchain-based financial services such as borrowing, lending and interest income. Most importantly, DeFi is inclusive and permissionless: anyone can benefit from it regardless of their citizenship, social status or credit history. DeFi is trustless, as it runs on smart contracts: all the terms are described in advance, written in code, and executed without human intervention. The only thing you have to trust here is the protocol team's ability to write good code. This, in turn, is often verified by audits and by the community, as most projects are open source.
If this doesn’t make sense to you, read these first: 8 advantages of decentralized financing and 7 largest DeFi projects in 2021.
But how does this leave room for manipulation?
A hack in DeFi occurs when someone exploits the weaknesses of a protocol to gain access to the funds it contains. Here are the three main “strategies” for doing this:
- DeFi projects are built very quickly and the team doesn’t always have time to thoroughly review their code. Hackers exploit these vulnerabilities.
- Each protocol in DeFi has its own mechanics of how users lock their funds and how they are rewarded in return. Sometimes protocol creators do not understand how some of these mechanisms can be abused and become big money making loopholes.
- Some teams cause problems on purpose: they abuse their huge influence on the project (which the community failed to notice) by selling their shares and dumping the token.
Let's look at the two most commonly used mechanics in DeFi: rug pulls and flash loan attacks.
In a rug pull, the owner or developer suddenly pulls their liquidity out of a pool, which causes panic and leads everyone to sell the asset. Basically, this is an exit scam. The higher the founders' share in a project, the more suspicious it is: a rug pull is precisely one of those centralization risks that are discussed in DeFi.
This is how it works from the start: The founders announce a new platform with their native token that offers some cool incentives. The team then creates a liquidity pool on a decentralized exchange such as Uniswap, where the token is paired with ETH, DAI or other important coins. Users have an incentive to bring in more liquidity as this brings them high returns. As soon as the price of the token pumps, the founders drain their liquidity and disappear.
A large developer share is not a great thing, but even then there is a way to protect the project: developers can program the contract so that they cannot withdraw until a certain date in the future. This strengthens confidence in the project.
What is a flash loan? It allows you to borrow unlimited amounts of money without collateral for a very short period of time: within a single transaction. You have to repay the loan plus interest before the next block is mined, which happens in a few seconds. If you fail to repay the loan, the transaction will not go through and the borrowed money will be taken back from you.
One of the major use cases of flash loans is arbitrage: taking profit from differences in the price of an asset on different platforms. Let's say Ethereum is $2,000 on Exchange A and $2,100 on Exchange B. You can take out a $2,000 flash loan, buy ETH on Exchange A, sell it on Exchange B, and your profit is $100, minus gas and loan fees.
The unlimited nature of flash loans paves the way for exploits. Here is a general scheme of a flash loan attack:
- An attacker borrows 200 A tokens worth $100,000 (one A token costs $500).
- Then he aggressively buys Token B in an A/B liquidity pool. This drives the price of Token B up while Token A falls and is now only worth $100.
- When Token B has shot up, the attacker sells it back for Token A at $100. Now he can afford 1,000 A tokens, compared to the initial 200 (after a 5-fold drop in price).
- However, the attacker only collapsed the Token A price in this smart contract. The flash loan lender still takes Token A at $500. Therefore, the attacker pays back the loan with his 200 A tokens and takes the remaining 800.
As you can see, flash loan attacks take advantage of the way decentralized exchanges work, without any actual hack. They simply push down the price of Token A and remove a significant amount of the pool's liquidity, which is basically stealing the funds from the liquidity providers.
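The price collapse in the scheme above comes from how a liquidity pool quotes prices, and the same arithmetic shows why deeper pools and a price check against an independent reference blunt it. The following is an added example, not code from the original article or from any protocol it names: it assumes a constant-product (x*y=k) pool with no swap fee and Token B worth $1, reuses the article's 200-token loan and $500 price, and the pool sizes and the 5% threshold are constructed values.

```python
"""Price impact of one large swap in a constant-product (x*y=k) pool, and a
deviation guard a protocol can apply before trusting the pool's spot price.
All reserves and thresholds below are constructed sample values."""

REFERENCE_PRICE = 500.0   # price of Token A outside the pool (figure from the text)
LOAN_A = 200.0            # size of the borrowed position in A (figure from the text)


def swap_a_for_b(reserve_a, reserve_b, amount_a):
    """Sell amount_a into the pool; return (new_reserve_a, new_reserve_b, b_out).
    Swap fees are ignored (assumption) so that x*y=k holds exactly."""
    k = reserve_a * reserve_b
    new_a = reserve_a + amount_a
    new_b = k / new_a
    return new_a, new_b, reserve_b - new_b


def spot_price(reserve_a, reserve_b):
    """Pool-internal price of one A, in units of B (B is assumed to be worth $1)."""
    return reserve_b / reserve_a


def price_is_trustworthy(pool_price, reference_price, max_deviation=0.05):
    """Guard: accept the pool price only if it is within max_deviation of an
    independent reference (for example a time-weighted average or external feed)."""
    return abs(pool_price - reference_price) / reference_price <= max_deviation


def simulate(reserve_a):
    """Start a pool at the reference price, apply one LOAN_A-sized swap, and
    report the resulting spot price and whether the guard would accept it."""
    reserve_b = reserve_a * REFERENCE_PRICE
    new_a, new_b, _ = swap_a_for_b(reserve_a, reserve_b, LOAN_A)
    price = spot_price(new_a, new_b)
    return price, price_is_trustworthy(price, REFERENCE_PRICE)


if __name__ == "__main__":
    for depth in (200.0, 2_000.0, 20_000.0):   # constructed pool sizes, in A
        price, ok = simulate(depth)
        print(f"pool of {depth:>8.0f} A: spot after swap = ${price:7.2f}, "
              f"guard accepts: {ok}")
```

In the shallow pool the single swap moves the quoted price from $500 to $125 and the guard rejects it; in the pool a hundred times deeper the same swap moves it by about 2%.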
The Meerkat Finance case is a classic example of a rug pull, but one executed with exceptional cynicism. Meerkat Finance was a yield farming protocol where the owners didn't even have access to the pooled funds. Just before the attack (and a day after the project started!), they updated the protocol to get this access, deleted all of Meerkat Finance's social media accounts and their website, and escaped with $13 million in stablecoins and 73,000 BNB worth $17 million.
The stakes are increasing! $37 million was stolen in the attack on Alpha Homora in February this year. This borrowing and lending platform was introduced in October 2020 and recently updated to a V2 version. In one of the Alpha Homora V2 pools, an attacker borrowed and lent millions of stablecoins, which inflated their value and enabled the attacker to make huge profits.
One of the most serious DeFi hacks happened this April with EasyFi, a Polygon-based lending protocol. A hacker stole a network administrator's private keys, which gave the attackers access to company funds. 3 million EASY tokens worth $75,000,000 were stolen. In addition, another $6,000,000 in stablecoins was withdrawn from EasyFi's vault.
This is another flash loan attack on our list, and a particularly illustrative one. Saddle Finance, a Curve-like protocol for trading wrapped assets and stablecoins, was attacked on January 21, 2021, the day after it was launched. Through a series of arbitrage exploits, attackers managed to steal almost 8 BTC of liquidity in just 6 minutes. This was possible due to a weak point in the smart contract of a pool: the attackers skewed the prices of the stablecoins so far that one of the tokens worth 0.09 BTC was exchanged for another worth 3.2 BTC.
Flash loan attacks always come unexpectedly, and the likelihood of a rug pull cannot always be foreseen in advance. However, by following these tips, you can pay more attention to suspicious signs and avoid losing money. We recommend that you pay special attention to the following:
- The team and its reputation. Who are the founders and developers? Is the team public? Has it ever been involved in a trustworthy crypto project? If not, it isn't necessarily a bad thing, but it should be cause for concern.
- Access to vaults. Does the team have that? To what extent? If the percentage of founders in the pool is too high, it is not a red flag.
- Multisig access to corporate funds. If developers have enabled multi-signature access to vaults and someone outside the team holds some of the signatures, this can help prevent a rug pull.
- Time-locked liquidity. With developers' funds locked for a year or so, users can rest assured that the team won't pull an exit scam, at least before that deadline.
- Significant amounts of liquidity in pools as DeFi matures could be the primary factor in reducing vulnerability to flash loan attacks.
- Limits on flash loans would not allow an attack.
- Security audits for smart contracts would rid the space of fragile and misconfigured contracts.
- Better regulation would help avoid the knowing release of vulnerable protocols.
- Community bug bounties, already run by some projects, reward users for finding bugs and backdoors in protocols.
DeFi has revolutionized finance with legal and trustworthy tools to generate significant income in a short period of time. However, its numerous vulnerabilities are often exploited by attackers and malicious developers. Every attack prompts protocols to add security, and this is how DeFi hacks help the industry grow. But until it's safer, research the projects you want to invest in. Only put your money where you trust it, and remember that there is always some risk.