
How do DeFi protocols get hacked?


An analysis of several dozen hacks identifies the main vectors and typical vulnerabilities in the decentralized finance sector.

The decentralized finance sector is growing at a breakneck pace. Three years ago, the total value locked in DeFi was a mere $800 million. By February 2021, the figure had grown to $40 billion; in April 2021, it attained a milestone of $80 billion; and now it stands at above $140 billion. Such rapid growth in a new market could not but attract the attention of all manner of hackers and fraudsters.

According to a report by crypto research company, since 2019, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks. From the point of view of hackers, hacks of blockchain ecosystems are an ideal means of enrichment, because such systems are anonymous, they have money to lose, and any hack can be tested and tuned without the victim’s knowledge. In the first four months of 2021, losses amounted to $240 million. And these are just the publicly known cases. We estimate real losses to be in billions of dollars.


How does money get stolen from DeFi protocols? We have analyzed several dozen hacker attacks and identified the most common problems that lead to them.


Misuse of third-party protocols and business logic errors

Any attack begins primarily with analysis of the victim. Blockchain technology provides many opportunities for the automatic tuning and simulation of hacking scenarios. For an attack to be fast and invisible, the attacker must have the necessary programming skills and knowledge of how smart contracts work. The typical toolkit of a hacker allows them to download their own full copy of a blockchain from the main version of the network, and then fully tune the process of an attack as if the transaction were taking place in a real network.

Next, the attacker needs to study the business model of the project and the external services used. Errors in mathematical models of business logic and third-party services are two of the issues most commonly exploited by hackers.

The developers of smart contracts often require more data relevant at the time of a transaction than they may possess at any given moment. They are therefore forced to use external services, for example, oracles. These services are not designed to operate in a trustless environment, so their use implies additional risks. According to statistics for a calendar year (since the summer of 2020), this type of risk accounted for the smallest percentage of losses: only 10 hacks, resulting in losses totaling approximately $50 million.


Coding mistakes

Smart contracts are a relatively new concept in the IT world. Despite their simplicity, programming languages for smart contracts require a completely different development paradigm. The developers oftentimes simply do not have the necessary coding skills and make gross mistakes that lead to immense losses for users.

Security audits eliminate only a portion of this type of risk, since most audit companies on the market do not bear any responsibility for the quality of the work they perform and are only interested in the financial aspect. More than 100 projects were hacked due to coding errors, leading to a total volume of losses standing at around $500 million. A stark example is the dForce hack that took place on April 19, 2020. The hackers used a vulnerability in the ERC-777 token standard in conjunction with a reentrancy attack and got away with $25 million.


Flash loans, price manipulation and miner attacks

The information supplied to the smart contract is relevant only at the time of execution of a transaction. By default, the contract is not immune to potential external manipulation of the information contained within. This makes a whole spectrum of attacks possible.

Flash loans are loans without collateral, but they entail the obligation of returning the borrowed crypto within the same transaction. If the borrower fails to return the funds, the transaction is canceled (reverted). Such loans allow the borrower to receive large amounts of cryptocurrencies and use them for their own purposes. Typically, flash loan attacks involve price manipulation. An attacker can first sell a large number of borrowed tokens within a transaction, thereby lowering their price, and then perform a series of actions at a very low value of the token before buying them back.
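The in-transaction price move described above, modeled as an added example that is not from the article: a constructed constant-product pool shows how far one large sell shifts the spot price, and how a price consumer that reads a time-weighted average with a deviation check responds. The pool model, reserve sizes, 12-second block spacing and 5% threshold are assumptions chosen for illustration, and the averaging check goes beyond what the article describes.

```python
from fractions import Fraction

class Pool:
    """Fee-less x*y=k pool; all reserves are constructed sample values."""
    def __init__(self, token, usd):
        self.token, self.usd = Fraction(token), Fraction(usd)
        self.cum_price = Fraction(0)  # running sum of price * seconds
        self.last_ts = 0

    def spot(self):
        return self.usd / self.token  # USD per token right now

    def tick(self, ts):
        """Accumulate the price that held since the previous update."""
        self.cum_price += self.spot() * (ts - self.last_ts)
        self.last_ts = ts

    def sell_token(self, amount):
        """Swap tokens in for USD out while keeping token * usd constant."""
        k = self.token * self.usd
        self.token += amount
        usd_out = self.usd - k / self.token
        self.usd -= usd_out
        return usd_out

def twap(pool, cum_start, ts_start):
    """Time-weighted average price between ts_start and the last tick."""
    return (pool.cum_price - cum_start) / (pool.last_ts - ts_start)

def guarded_price(pool, cum_start, ts_start, max_dev=Fraction(5, 100)):
    """Return the TWAP, or refuse if spot is more than max_dev away from it."""
    ref = twap(pool, cum_start, ts_start)
    if abs(pool.spot() - ref) > max_dev * ref:
        raise ValueError("spot price deviates from TWAP; refusing to price")
    return ref

def demo():
    pool = Pool(token=1_000_000, usd=2_000_000)   # spot = 2 USD per token
    cum0, ts0 = pool.cum_price, pool.last_ts
    for ts in range(12, 601, 12):                 # 50 quiet blocks
        pool.tick(ts)
    before = pool.spot()
    pool.sell_token(1_000_000)                    # one large sell, same transaction
    after = pool.spot()
    return before, after, twap(pool, cum0, ts0)

if __name__ == "__main__":
    print(demo())
```

A contract that values collateral from `spot()` would see the price fall to a quarter of its earlier value inside one transaction, while the average accumulated over earlier blocks is unchanged and `guarded_price` refuses to quote.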

A miner attack is an analogue of a flash loan attack on blockchains working on the basis of the proof-of-work consensus algorithm. This type of attack is more complex and expensive, but it can bypass some of the protection layers of flash loans. This is how it works: The attacker rents mining capacity and forms a block containing only the transactions they need. Within the given block, they can first borrow tokens, manipulate the prices and then return the borrowed tokens. Since the attacker independently forms the transactions that are entered into the block, as well as their sequence, the attack is actually atomic (no other transaction can be “wedged” into the attack), as in the case of flash loans. This type of attack has been used to hack over 100 projects, with losses totaling around $1 billion.

The average number of hacks has been increasing over time. At the beginning of 2020, one theft accounted for hundreds of thousands of dollars. By the end of the year, the amounts had risen to tens of millions of dollars.


Developer incompetence

The most dangerous type of risk involves the human error factor. People resort to DeFi in search of quick money. Many developers are poorly qualified but still try to launch projects in a rush. Smart contracts are open source and thus easily copied and altered in small ways by hackers. If the original project contains the first three types of vulnerabilities, then they spill over into hundreds of cloned projects. RFI SafeMoon is a good example, as it contains a critical vulnerability that has been superposed over a hundred projects, leading to potential losses amounting to over $2 billion.

This article was co-authored by Vladislav Komissarov and Dmitry Mishunin.

The views, thoughts and opinions expressed here are the authors’ alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Vladislav Komissarov is the chief technology officer of BondAppetit, a lending DeFi protocol with a stablecoin backed by real-world assets with fixed periodic income. He has over 17 years of experience in web development.
Dmitry Mishunin is the founder and chief technology officer of HashEx. More than 30 global projects are running on blockchain integrations designed by HashEx. Over 200 smart contracts were audited in 2017–2021.

