The DeFi ecosystem lost $1.22 billion dollars to hackers in the first three months of 2022 – a massive sum that threatens the sector’s very existence.
Decentralized Finance protocols are harder to run than they look. There are multiple points of failure for platforms including smart contract exploits, flash loan attacks, and rug pulls by anonymous employees. In the last week, three DeFi protocols have been hacked for a total of ~US$103.4 million. This article looks at what went wrong in these hacks, and the broader security issues that threaten the nascent DeFi sector’s survival.
1. Saddle Finance
On April 30th, the decentralized stablecoin exchange Saddle Finance was hacked for around US$10 million in Ethereum (ETH). The exploit was picked up by smart contract auditing firm Blocksec. The firm’s internal system can front-run attempted hacks using off-chain arbitrage bots called flashbots. Blocksec notified Saddle of the exploit and was able to capture US$3.8 million of Ether from the hackers but in the end, Saddle still lost over US10 million.
Saddle has said that it is tentatively planning to reward the firm with ~US$380,000 for their white hat services, pending a community governance vote.
Saddle reports that the attack has now been mitigated but that all asset pools affected by the exploit have been paused. A remuneration plan will be considered for liquidity providers but this will also depend on a community governance vote. Saddle says it is trying to reach the attacker to negotiate a bounty.
2. Rari Capital
Also on April 30th, the multi-purpose DeFi protocol Rari Capital was hacked for more than US$80 million. The hacker specifically targeted the Fuse platform built on top of Rari Capital. Fuse enables DeFi developers to create their own lending markets. BlockSec has said that the attack occurred because of a reentrancy vulnerability in one of the protocol’s Ethereum smart contracts.
One of the big losers in the hack was the Fei protocol which is attached to the Fei USD stablecoin. The Fei Protocol has sent out a plea to the attacker, asking them to accept a US$10 million in bounty ‘and no questions’ if they return the user funds. Borrowing remains closed on all Fuse platform pools. The day after the hack, a smaller hack occurred on one of the project’s Arbitrum pools.
In a damning thread Security consultant Hacxyk explained that while the relevant Rari Capital pools had been audited, auditors Quantstamp had been looking at a non-vulnerable version of the project’s code. Hacxyk explains that one month after the completion of the audit, a user had decided to replace a completely safe function with a vulnerable one. The blame is put squarely on Rari Capital and not Quantstamp.
“A protocol can be audited by the best in the industry, but after that point, there’s no safety guarantee. Contracts can be misconfigured during deployment / changed in (the) last second,” says Hacxyk. The consultant points to a recent exploit on Aave as another example of a smart contract being changed post-audit and then being attacked.
3. Deus Finance DAO
On April 28th, DEUS finance DAO lost US$13.4 million in a flash loan attack. DEUS is a decentralized OTC derivatives platform that operates across multiple chains including Ethereum, BNB Chain, Fantom, and several other platform blockchain networks.
The attack occurred through a flash loan exploit that targeted the DEUS liquidity pool on Fantom. Blockchain security firm Peckshield laid out a post-mortem of the attack on Twitter and explained that a flash loan was used to exploit a price oracle that read from the USDC/DEI pair on the platform. The price of DEI, a US dollar stablecoin was manipulated, and then borrowed and used to drain the pool.
Flash loans are a DeFi financial instrument that allow users to borrow an unlimited amount of capital, without putting up any collateral, as long as they pay back the loan in the same transaction. Flash loans are an example of innovative DeFi product innovation, however, they have created a cheap, easy way for exploiters to collect capital and attack protocols.
The DEUS project has posted an update since the attack explaining that user funds are safe and no users were liquidated as a result of the attack. It also noted that DEI lending would be temporarily halted. Since the attack, the DEI peg with the US dollar has been restored.
In a more recent tweet, DEUS said that they “are closing in on the hacker”. They say mega-exchange Binance has frozen the assets of the suspected hacker and that a case has been opened with England’s Cyber Action Fraud Police.
It has, however, been reported that the hacker has used Ethereum based privacy-preserving protocol, Tornado Cash, to move the funds to a clean address that may be difficult to track. Tornado Cash has stated in the past that it uses the Chainanalysis oracle contract to block addresses sanctioned by the US government, suggesting it may be willing to work with regulators to track down criminals. The market will have to wait and see if DEUS is able to recoup the lost funds.
Software hacks targeting the Decentralized Finance Sector soar
According to crypto-security firm Immunefi, the DeFi ecosystem lost US$1.22 billion to hackers in the first quarter of 2022. The firm reports that this is nearly eight times more than the US$154 million that was lost just a year earlier in Q1 2021.
99% percent of the losses came from smart contract breaches with fraud accounting for a tiny portion of attacks. The hacks of the Wormhole and Ronin Bridges, worth US$320 million and US$650 million respectively, were major factors for why Q1 2022 was such a big three months for DeFi exploits.
With tools like the Wormhole bridge, users can natively port digital assets between Ethereum, Solana, and Terra networks with a single unified interface. Bridging technology has helped users shift from incumbent chains like Ethereum to new networks like Solana with a few clicks and through easy-to-navigate portals. Bridges have helped promote the growth of emerging blockchains like Solana.
A major issue with bridges between blockchains, however, is smart contract vulnerability. Bridging between blockchains is a complex operation with many moving parts. There are more points of failure and well-resourced hackers can often move faster than developers. The massive Axie Infinity/Ronin Bridge hack spawned US sanctions against Ether (ETH) addresses alleged to belong to the North Korean hacker group Lazarus. Indications that government-funded hacking groups are targeting DeFi projects are worrying.
Outside of the two large hacks, the rise of cheap, quickly spun-up, undercooked DeFi platforms has also played a role in the rise of software DeFi hacks. Two out of the three DeFi hacks in the last week happened on smaller, newer, less well known DeFi protocols. Preceding this week’s trio of hacks, a hyped Non-fungible token (NFT) project AkuDreams was hit with an exploit that caused US$34 million in proceeds to be locked into a smart contract forever. Major protocols Cream Finance and Compound were also hacked in 2021 (Cream more than once).
Although much continues to be said about the potential of the decentralized finance sector, until such time as it can get its security issues under control, its long term ability to attract the wider mainstream or institutional investor market remains an open question.
