The decentralized finance space has shown exponential growth over the past year, increasing from a total of $540 million recorded in March last year to more than $47.6 billion at the time of this article's release.
The growth of the DeFi sphere has opened up new opportunities for users, developers, and the industry as a whole, but also brought new risks that investors may not know about, but which, nevertheless, they have to deal with.
Most DeFi protocols are built on the Ethereum blockchain. Ethereum is the second largest cryptocurrency by market capitalization, second only to Bitcoin itself. Thanks to Ethereum, in particular the use of Turing-complete smart contracts, blockchain projects have become more programmable.
Smart contracts are, in fact, self-executing contracts. The code prescribed in these contracts allows you to automatically carry out predefined transactions and agreements between pseudonymous parties within certain parameters and without any risk to the counterparty.
These self-executing contracts were first proposed in 1994 by Nick Szabo, the creator of Bitcoin's predecessor Bit Gold, and allowed the creation of many decentralized applications that opened up new opportunities for cryptocurrency users, whether it was the issuance of stablecoins built according to a given algorithm, the issuance of cryptocurrency loans, or loans with crypto collateral. And this is only a small part.
Decentralized exchanges with decentralized management models became possible only thanks to such smart contracts, as a result of which a new digital world emerged, which resulted in products such as Binance Smart Chain, Polkadot, and Avalanche.
Protocols such as Aave, Compound, Uniswap, and 1 Inch.exchange allows users to earn interest on their investments and trade crypto assets and even complex instruments such as decentralized derivatives.
All these exciting new products have created the DeFi sector mentioned above, which is taking the financial world by storm and enabling traditional financial institutions to make money.
This new territory of possibilities, as already mentioned, is controlled by code written by developers of smart contracts. Most DeFi projects have open source code and even undergo peer review and audit, while others, on the contrary, do not. Often, even in the tested code, vulnerabilities can be found that allow the use of unknown attack vectors, which leads to huge losses for companies and ordinary users.
How Do Smart Contract Vulnerabilities Affect Users?
To guarantee the security of smart contracts, you can only analyze all the options for its execution. When executing smart contracts in Turing-complete languages, you need to be sure that the computer program does not contain bugs, which is almost impossible. Therefore, when working or creating smart contracts, you will have to audit them.
Vulnerabilities in Ethereum smart contracts can have catastrophic consequences. Even though protocols like Aave are managed by professionals and regularly checked, security vulnerabilities still pose the risk of a hacker attack with the loss of crypto assets for huge amounts, thereby negatively affecting investor confidence in the protocol and subsequently causing financial losses for users/companies and price volatility.
These vulnerabilities stem from the complexity of Ethereum's native smart contract language and its accounting system, which, unlike Bitcoin's UTXO system, is much more flexible and thus more susceptible to additional vulnerabilities and attack vectors.
Since Solidity and other smart contract languages are new and extremely complex, it would be incorrect to blame these vulnerabilities on developers.
There are more than 80 DeFi platforms built on Ethereum, with new projects being launched every week. The smart contracts they use are bound to have vulnerabilities, especially if they are not properly written and tested.
An investigation conducted by CyberNews revealed that almost 3,800 Ethereum smart contracts had vulnerabilities that would allow attackers to steal at least $1 million worth of crypto assets. The study also showed that there are a total of 13 different types of vulnerabilities, and four of them are highly likely to be exploited by hackers.
The popular Avalanche platform discovered a vulnerability earlier this year. So, during the launch of the new decentralized Pangolin exchange and network overload, an error occurred that led to a failure of the issue, which caused widespread panic. Other well-known platforms, including Solana, Flow, Zilliqa, and Fantom, as it turned out, also had errors in their contracts.
DAO and Re-Entry Attack
Re-entry is a common vulnerability of smart contracts. Although it can exist in smart contracts on various blockchain platforms, it is most often associated with the Ethereum blockchain.
Re-entry attacks are best known for the famous hacking of the DAO in 2016 on the Ethereum blockchain.
The first and most catastrophic mistake in a smart contract occurred in 2016. The decentralized autonomous organization (DAO) worked on smart contracts and collected more than $150 million at that time.
An unknown attacker managed to withdraw the ether (ETH) collected through crowdfunding. The amount of damage has amounted to more than $ 150 million.
This case is the most famous example of a Re-entry attack. A repeat attack means that the attacker sends a transaction, as a result of which the contract is executed repeatedly until the resources of the contract account are exhausted.
If the project that requested funding received sufficient support from the DAO community, the Ethereum address of this project could withdraw ether from the DAO. Unfortunately for the DAO, the transfer mechanism transferred the ether to an external address before updating its internal state and noting that the balance has already been transferred. This allowed the attackers to output more ether.
In total, 3.6 million ETH were withdrawn from DAO wallets. Now, these tokens are worth more than $ 6.4 billion. The hack led to a hard fork that divided the network into two parts: Ethereum and Ethereum Classic.
While some agreed that it was best to mitigate the damage and move funds to addresses that their original owners could access, others argued that the immutability of the blockchain should not be violated, otherwise it leads to a technological and ideological split within the community.
The original Ethereum blockchain, now known as Ethereum Classic, left the tokens stolen from the DAO in the hands of a hacker, choosing immutability, while Ethereum allowed the community to vote and returned the funds to their original owners, putting the blockchain consensus first.
Other Examples of Re-entry Attacks Except DAO
However, these vulnerabilities have also been found in numerous hacks of smart contracts, including several DeFi protocols.
Some examples of recent DeFi hacks involving re-entry vulnerabilities include:
- Fei Protocol: In April 2022, the Fei protocol fell victim to a ~$80 million hack made possible by using third-party code containing re-entry vulnerabilities.
- Paraluni: The hacking of the Paraluni smart contract in March 2022 used a re-entry vulnerability and poor verification of unreliable user data to steal tokens worth ~$1.7 million.
- Grim Finance: In December 2021, the vulnerability of re-entering the Grim Finance safeTransferFrom function was used to obtain tokens worth ~ $ 30 million.
- The SIREN Protocol: The vulnerability of re-entry into the smart contracts of the AMM pool of the SIREN protocol was used in September 2021 for tokens worth ~ $ 3.5 million.
- CREAM Finance: In August 2021, an attacker used a re-logging exploit to get into the AMP CREAM Finance token integration system to steal tokens worth about $18.8 million.
These are far from the only examples of DeFi hacks that exploited vulnerabilities during re-entry. Although this is an old and widely advertised risk, re-entry vulnerabilities still appear in new smart contracts today.
The trust of both ordinary users and large investors in the very concept of DeFi will depend on how the crypto industry will cope with challenges of this kind.
What is happening now is natural and will lead to an increase in the security level of blockchain projects soon, but periodically we will still see news about successful hacker attacks.