The decentralized finance sector is growing at an alarming rate. Three years ago, the total value locked in DeFi was only 800 million US dollars. By February 2021, this figure had increased to 40 billion US dollars; in April 2021, it reached the 80 billion US dollar milestone; it now stands at more than 140 billion US dollars. Such rapid growth in a new market has attracted the attention of hackers and fraudsters of every kind.
According to a report by a crypto research company, since 2019 the DeFi sector has lost approximately $284.9 million to hackers and other exploits. From a hacker's point of view, attacking a blockchain ecosystem is an ideal way to get rich: such systems are anonymous, money can be withdrawn, and any hack can be tested and adjusted without the victim's knowledge. In the first four months of 2021 alone, losses amounted to 240 million US dollars. And these are just the well-known cases. We estimate the actual loss to be billions of dollars.
Related: An overview of crypto hacking, exploits and robberies in 2020
How is money stolen from DeFi protocols? We analyzed dozens of hacks and identified the most common problems that led to them.
Misuse of third-party protocols and business logic errors
Any attack begins with an analysis of the victim. Blockchain technology offers many opportunities to rehearse and simulate attack scenarios automatically. To make an attack fast and invisible, the attacker needs programming skills and an understanding of how smart contracts work. A hacker's typical toolkit lets them download a complete copy of the blockchain from the main network and then fine-tune the attack process as if the transactions were taking place on the real network.
Next, the attacker studies the project's business model and the external services it uses. Errors in business logic and in the mathematical models of third-party services are the two problems hackers exploit most often.
Smart contract developers usually need more data at transaction time than is available on-chain at that moment. They are therefore forced to use external services, for example oracles. These services are not designed to operate in a trustless environment, so their use implies additional risk. According to statistics for one calendar year (since the summer of 2020), this type of risk accounts for the smallest share of losses: only 10 hacks, with a total loss of approximately US$50 million.
Related: The fundamental need to update the blockchain security protocol
Coding errors
Smart contracts are a relatively new concept in the IT world. Despite their apparent simplicity, smart contract programming languages require a completely different development paradigm. Developers often lack the necessary coding skills and make serious mistakes that cause huge losses for users.
Security audits eliminate only some of these risks, because most audit companies on the market take no responsibility for the quality of the work they perform and are interested only in the financial side. More than 100 projects have been hacked because of coding errors, with a total loss of approximately US$500 million. An obvious example is the dForce hack of April 19, 2020. The attackers combined a feature of the ERC-777 token standard with a reentrancy attack and made off with $25 million.
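The reentrancy pattern mentioned above, shown as an added example that is not the dForce code or any audited contract: ERC-777 tokens call a hook on the recipient during a transfer, so a vault that performs the token transfer before updating its own balance hands control to the recipient while its state is still stale. The token interface and both vault contracts below are hypothetical and assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the page or from dForce. The token is assumed to have
// ERC-777-style semantics: transfer() invokes a hook on the recipient before it
// returns, so control passes to the recipient in the middle of withdraw().
interface IHookedToken {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// VULNERABLE: the external call happens before the balance is reduced.
contract VaultVulnerable {
    IHookedToken public immutable token;
    mapping(address => uint256) public balances;

    constructor(IHookedToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        // Interaction before effect: the token's recipient hook runs here while
        // balances[msg.sender] is still unchanged, so a re-entrant call to
        // withdraw() passes the check above a second time.
        require(token.transfer(msg.sender, amount), "transfer failed");
        balances[msg.sender] -= amount;
    }
}

// HARDENED: checks-effects-interactions order plus a re-entrancy lock.
contract VaultHardened {
    IHookedToken public immutable token;
    mapping(address => uint256) public balances;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IHookedToken _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient balance"); // check
        balances[msg.sender] -= amount;                                  // effect
        require(token.transfer(msg.sender, amount), "transfer failed");  // interaction
    }
}
```

The lock alone would stop the re-entry, but the ordering fix matters independently: with the effect written before the interaction, the hook sees an already-reduced balance, so the contract stays correct even if a later refactor drops the modifier. Auditors checking for this class of bug look for any state write that follows an external call, and treat every token with transfer hooks (ERC-777, ERC-1155 callbacks) as an external call site.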
Related: The default audit of DeFi projects is a necessary condition for industry development
Flash loans, price manipulation and miner attacks
The information available to a smart contract is only as good as it is at the moment the transaction executes. By default, a contract has no protection against external manipulation of the data it reads. This makes a whole series of attacks possible.
A flash loan is a loan without collateral, on the condition that the borrowed cryptocurrency is returned within the same transaction. If the borrower fails to return the funds, the whole transaction is cancelled (reverted). This type of loan lets a borrower obtain a very large amount of cryptocurrency and use it for their own purposes. Flash loan attacks usually involve price manipulation: the attacker first sells a large amount of borrowed tokens within a transaction, pushing the price down, then performs a series of operations at the artificially low token price before buying back.
A miner attack is the equivalent of a flash loan attack on a blockchain with a proof-of-work consensus algorithm. This type of attack is more complicated and expensive, but it can bypass some of the protective layers built against flash loans. It works like this: the attacker rents mining power and forms a block containing only the transactions they need. Within that block, they can first borrow tokens, manipulate the price, and then return the borrowed tokens. Since the attacker alone decides which transactions enter the block and in what order, the attack is effectively atomic (no other transactions can "wedge" into it), just as with flash loans. This type of attack has been used against more than 100 projects, with a total loss of approximately US$1 billion.
Over time, the average amount stolen per hack has been increasing. In early 2020, a single theft cost hundreds of thousands of dollars. By the end of the year, the figure had risen to tens of millions of dollars.
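Why the manipulation described above works against some price feeds and not others, as an added example (not from the page or from any production protocol): a contract that quotes a price from a liquidity pool's current reserves can be fed any price an attacker can create within one transaction, whereas a contract that quotes from a time-weighted average over a minimum window cannot be moved by a single transaction or block. The pair interface is modelled on a Uniswap-V2-style pool exposing reserves and a cumulative price in UQ112x112 fixed point; the two consumer contracts and the 30-minute window are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Assumes a Uniswap-V2-style pair: reserves plus a cumulative
// price that grows by (spot price * seconds elapsed) and is allowed to wrap.
interface IPairLike {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
}

// WEAK: quotes token0 in token1 from the current reserves. Anyone who can move
// the reserves within a transaction (for instance with a flash loan) moves this
// quote along with them, and every caller in the same block sees the moved value.
contract SpotPriceConsumer {
    IPairLike public immutable pair;
    constructor(IPairLike _pair) { pair = _pair; }

    function quote0(uint256 amount0) external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return amount0 * r1 / r0;
    }
}

// STRONGER: quotes from the time-weighted average over a window of at least
// MIN_WINDOW seconds, so no single transaction or block can set the price.
contract TwapPriceConsumer {
    IPairLike public immutable pair;
    uint256 public constant MIN_WINDOW = 30 minutes; // assumed window

    uint256 public priceCumulativeStart;
    uint32 public timestampStart;
    uint256 public price0Average; // UQ112x112

    constructor(IPairLike _pair) {
        pair = _pair;
        priceCumulativeStart = _pair.price0CumulativeLast();
        (, , timestampStart) = _pair.getReserves();
    }

    // Anyone may call this once the window has elapsed; it rolls the window forward.
    function update() external {
        uint256 cumulativeNow = pair.price0CumulativeLast();
        (, , uint32 timestampNow) = pair.getReserves();
        // Timestamps are mod 2^32 and the cumulative price is designed to wrap,
        // so both subtractions are intentionally unchecked.
        uint32 elapsed;
        unchecked {
            elapsed = timestampNow - timestampStart;
            require(elapsed >= MIN_WINDOW, "window too short");
            price0Average = (cumulativeNow - priceCumulativeStart) / elapsed;
        }
        priceCumulativeStart = cumulativeNow;
        timestampStart = timestampNow;
    }

    function quote0(uint256 amount0) external view returns (uint256) {
        require(price0Average != 0, "no observation yet");
        // Caller must keep amount0 small enough that the product fits in 256 bits.
        return (price0Average * amount0) >> 112;
    }
}
```

The time-weighted average is not a complete defence. As the section above notes, a miner who controls consecutive blocks can keep a manipulated price in place across several of them, so the window has to be long relative to the number of blocks an attacker can plausibly produce, and a lending or liquidation path should still reject quotes that jump implausibly between updates.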
Related: Smart contract exploits are more ethical than hacking… or not?
Developer incompetence
The most dangerous type of risk involves human error. People come to DeFi looking for quick money. Many developers are poorly qualified but still rush to launch projects. Smart contracts are open source, so they are easily copied and altered slightly by others. If the original project contained any of the first three types of vulnerability, it spreads to hundreds of cloned projects. RFI SafeMoon is a good example: it contains a serious vulnerability that has been replicated in more than one hundred projects, creating potential losses of more than 2 billion US dollars.
This article was written by Vladislav Komisarov and Dmitry Mishunin.
The views, thoughts and opinions expressed here are only those of the author, and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Vladislav Komisarov is the CTO of BondAppetit, a lending DeFi protocol whose stablecoin is backed by real-world assets with fixed regular income. He has more than 17 years of experience in web development.
Dmitry Mishunin is the founder and chief technology officer of HashEx. More than 30 global projects run on blockchain integrations designed by HashEx, which audited more than 200 smart contracts between 2017 and 2021.