Hacks from the world of DeFi are constantly in the spotlight. DeFi protocols should start adopting the risk management rules and tools that are already used in traditional finance, says Kate Kurbanova of Apostro.
A single vulnerability in a smart contract can cost users of DeFi projects millions of dollars in capital. While technical vulnerabilities and bugs or errors in the code are the first point of attack for hackers, one should not forget that other means are also used to steal funds from DeFi protocols.
Formal audits, stress tests and simulations: DeFi protocols have a long list of practices and tools available for technical audits and a thorough check of the code for bugs and hidden vulnerabilities.
But all this does not guarantee the security of the protocol. Some vulnerabilities arise due to errors in the logic of the product and dependence on external markets or DeFi building blocks. These are the so-called economic vulnerabilities, which additionally require economic audits and are generally much more difficult to detect. This is not least the case because the ecosystem is constantly evolving and every upgrade can lead to new potential exploits.
The DeFi ecosystem must therefore go one step further in the area of security. Better risk management procedures should be introduced to protect users and protocols alike from economic threats. These dangers include market or oracle manipulation, the manipulation of connected protocols, and the constant hunt for new errors introduced by code upgrades.
Hacks continue to pose a danger
Many protocols have suffered exploits over the years, and the most common attack vectors are now documented and patched. Nevertheless, there are still ways to exploit protocols by influencing smart contracts or the business logic of the protocol.
Exploits of this kind can involve several protocols in their execution. One possibility would be to manipulate the protocol's price oracle through flash loan attacks. To understand this, let's look at a specific example.
The exploit of Cream Finance
This happened in November 2021 and resulted in a loss of 130 million USD. The attacker manipulated the price of yUSD by inflating liquidity, thus abusing the price oracle. The system now believed that 1 yUSD was equivalent to 2 USD. Thus, the attacker's initial deposit of $1.5 billion in yUSD now had a value of $3 billion.
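To make the oracle failure concrete, here is an added example (not code from the article, Apostro or Cream Finance): a simplified share-price oracle that values a vault token as assets divided by shares, beside a hardened variant that rejects a sudden jump. The vault interface, the 5% bound and the one-sample-per-block rule are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vault interface as seen by a lending protocol: underlying held vs shares issued.
interface IVault {
    function totalAssets() external view returns (uint256);
    function totalSupply() external view returns (uint256);
}

// Naive oracle: reads assets / shares live. Transferring underlying straight
// into the vault (inflating its liquidity without minting shares) doubles the
// reported price inside one transaction, which is the pattern described above.
contract NaiveShareOracle {
    IVault public immutable vault;
    constructor(IVault v) { vault = v; }
    function price() external view returns (uint256) {
        return vault.totalAssets() * 1e18 / vault.totalSupply();
    }
}

// Hardened variant: at most one accepted sample per block, and a sample may not
// move more than MAX_MOVE_BPS from the last accepted value. A flash-loan-driven
// jump reverts instead of being used for collateral valuation. Assumed values.
contract BoundedShareOracle {
    IVault public immutable vault;
    uint256 public constant MAX_MOVE_BPS = 500;  // 5% per accepted update
    uint256 public lastPrice;
    uint256 public lastBlock;

    constructor(IVault v, uint256 initialPrice) { vault = v; lastPrice = initialPrice; }

    function spot() public view returns (uint256) {
        return vault.totalAssets() * 1e18 / vault.totalSupply();
    }

    // Returns the accepted price; reverts on an out-of-bound move so dependent
    // borrowing halts until the monitor or the team has reviewed the deviation.
    function update() external returns (uint256) {
        require(block.number > lastBlock, "already sampled this block");
        uint256 p = spot();
        uint256 bound = lastPrice * MAX_MOVE_BPS / 10_000;
        require(p <= lastPrice + bound && p + bound >= lastPrice, "price move exceeds bound");
        lastPrice = p;
        lastBlock = block.number;
        return p;
    }
}
```

A deviation bound of this kind is a circuit breaker, not a complete oracle design: it stops the single-transaction doubling described above, but a protocol still needs a trustworthy reference price (for example a time-weighted one) to recover from a halt.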
Another recent hack took advantage of a vulnerability in the governance of Beanstalk. The hacker used a backdoor in the protocol's governance by acquiring two-thirds of the voting power through a flash loan. Thus, he was able to pass a governance proposal within a day (usually this takes seven days).
The seemingly harmless proposal turned out to be a malicious smart contract. It was executed using the flash loan and drained the protocol of 182 million USD (at the time of the exploit).
Both attacks exploited the logic of the protocols by gaming the underlying economic processes. These types of attacks show the importance of risk management tools and continuous monitoring, as they can detect and prevent such attack opportunities.
In order to ensure additional protection against such attacks, DeFi protocols should start with the use of risk management rules and tools that have proven themselves in the traditional financial system for years.
For example, protocols should introduce time-delayed transactions. Such a function can delay suspicious transactions and alert developers, so that they have time to intervene and prevent possible damage. This could be further expanded by linking a delay to monitoring tools that automatically cancel or postpone transactions that pose a danger to the protocol.
Another option would be liquidity limitation: capping the amount of funds that can be transferred in a single transaction. While this has no effect on the average user, a liquidity limit can delay or prevent attacks such as the Cream Finance exploit, as it becomes more difficult and expensive for hackers to carry out the attack.
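The two controls just described, a per-transaction liquidity cap and a time delay that a monitor can cancel, combined in one contract as an added example (not the article's, Apostro's or any protocol's code); the thresholds, the one-day delay and the monitor role are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Combines a hard per-transaction liquidity cap with a time delay for large
// withdrawals that a monitor address (e.g. an off-chain risk bot) can cancel.
contract GuardedVault {
    uint256 public constant MAX_PER_TX = 100_000 ether;     // liquidity cap per tx
    uint256 public constant DELAY_THRESHOLD = 10_000 ether;  // at/above: delayed
    uint256 public constant DELAY = 1 days;
    address public immutable monitor;                        // may cancel queued txs
    mapping(address => uint256) public balances;
    struct Pending { address to; uint256 amount; uint256 readyAt; }
    mapping(bytes32 => Pending) public pending;
    uint256 private nonce;
    event Queued(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);

    constructor(address _monitor) { monitor = _monitor; }
    function deposit() external payable { balances[msg.sender] += msg.value; }

    // Small withdrawals settle at once; large ones are queued for DELAY so the
    // monitor has a window to react before funds leave the protocol.
    function withdraw(uint256 amount) external returns (bytes32 id) {
        require(amount <= MAX_PER_TX, "exceeds per-tx liquidity cap");
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;  // debit before any external call
        if (amount < DELAY_THRESHOLD) {
            (bool ok, ) = msg.sender.call{value: amount}("");
            require(ok, "transfer failed");
            return bytes32(0);
        }
        id = keccak256(abi.encode(msg.sender, amount, nonce++));
        pending[id] = Pending(msg.sender, amount, block.timestamp + DELAY);
        emit Queued(id, msg.sender, amount, block.timestamp + DELAY);
    }
    // Anyone may finalise once the delay has elapsed and nothing was cancelled.
    function finalize(bytes32 id) external {
        Pending memory p = pending[id];
        require(p.readyAt != 0 && block.timestamp >= p.readyAt, "not ready");
        delete pending[id];  // clear before paying out
        (bool ok, ) = p.to.call{value: p.amount}("");
        require(ok, "transfer failed");
    }
    // The monitor cancels a suspicious queued withdrawal and restores the balance.
    function cancel(bytes32 id) external {
        require(msg.sender == monitor, "not monitor");
        Pending memory p = pending[id];
        require(p.readyAt != 0, "unknown id");
        delete pending[id];
        balances[p.to] += p.amount;
    }
}
```

The Queued event is what an off-chain monitor would subscribe to; the cap alone forces an attacker into many transactions, and the delay turns each large one into something that can still be stopped.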
The DeFi security sector can benefit greatly from the experience of traditional finance in the field of cybersecurity. This would bring in additional expertise and specialists working towards greater security and a stronger infrastructure of the Web3 protocols.
Hacks in DeFi: These are the next steps
Even though DeFi’s rapid growth is tempting for ordinary consumers and investors, the lack of security practices is still an obstacle to wider acceptance and institutional customers.
The general public needs more assurances when it comes to the safety of their capital. Knowledge and methods from traditional finance can therefore take the DeFi scene to the next level. With the right application, the DeFi sector can greatly benefit from risk management tools, operational security practices, security restrictions, and continuous monitoring.
About the author:
Kate Kurbanova, a blockchain veteran and stock trader, is the founder and COO of Apostro. Apostro is a risk management protocol that protects users from external security threats, be it a careless error in the code or an exploit through oracle manipulation.