Outside the crypto world, 2020 was a horrible year. If we consider prices, it was horrible for cryptocurrencies as well. But yet, it was a decent year compared to 2019, in terms of theft and hacks. According to Reuters, the theft cases declined to approximately $1.8 billion compared to 2018. What’s worth noting is that the theft cases on the Ethereum ecosystem rose exponentially.
According to a report by CipherTrace, DeFi was the fuel for most of the hacks on the Ethereum ecosystem in the first two quarters of 2020. It was saved by the KuCoin hack of almost $281 million in the last two quarters. Otherwise, DeFi would be leading the race the entire year. To get a better understanding, we have listed below a few of the DeFi projects and the reason for their hack. Before you start reading, we are assuming you are familiar with the Flash Loan concept and how it works. If not, here’s a good read to understand.
DeFi Hacks in 2020
#1 Harvest Finance
Harvest Finance was hacked for $24 million using Oracle Manipulation technique. The technique is a term used in security engineering where a hacker exploits a weakness and uses it as an “oracle” that signals if he is on the right track or not. The oracle in this case was Flash Loan feature, which the attacker used as an arbitrage attack, artificially pumping the price. The entire attack was completed in just 7 minutes. Somehow the creators were able to recover approximately 10% of the funds, i.e $2.4 million.
#2 The Eminence
Next on the list is The Eminence, which was hacked using the very same technique as Harvest Finance, Flash Loan. The total theft was worth $15 million. The interesting part is that the project creator never announced the project. He deployed the smart contract for testing production readiness and went to sleep. But due to on-chain transactions things caught the limelight and people FOMO(ed) and deposited roughly $15M. By the time the creator wakes up, the hack was completed.
#3 The Uniswap and Lendf.me
Unlike the first two, the attacker used “reentrancy” technique on the ERC-777 token to steal funds. Reentrancy is a way to signal the smart contract to execute certain commands on another untrusted contract. Before any effects are resolved, the attacker gains control flow of the contract, hence able to manipulate funds and steal. The hacker successfully stole $25 million, but his IP address and other personal information were identified, resulting in getting back the entire amount.
#4 The Akropolis
The Akropolis hack is very estranged compared to the above thefts. The creator got the smart contract audited by Certik, a security company specializing in the domain. It seems the security audit wasn’t fruitful as they missed the two loopholes in the system. The attacker used reentrancy along with Flash loans to target funds. But compared to Harvest, which was hacked for $24 million, The Akropolis managed to limit the damage to $2 million.
#5 Origin Dollar
Following the same pattern of reentrancy and Flash loan, Origin Dollar lost over $7 million in the theft. As an after effect of the news, OUSD, native stable coin of the project, dropped to almost $0.50, while it should be equivalent to 1:1 USD. The official statement from the team said they identified the hacker and its wallet and were in process of recovering the funds.
The projects we listed above are just a few out of many DeFi projects that were hacked. Almost all projects were hacked using the same technique. If an exchange is hacked, we can assume that their system had a loophole. That’s not the case with DeFi, because not everyone will code their contract exactly the same way and have the exact same loophole. It may be the Ethereum ecosystem that may be granting too much authority to smart contracts.
Another reason could be that these smart contracts are open-source. We have seen many new startups simply copying the entire project’s smart contract, making some minor changes, and deploying it with their own token name. Saving them cost and time. But what they fail to understand is that they are also copying the security loopholes along with the entire project.
On the other hand, investors and users cannot be spared from their responsibilities. Their greed, limited knowledge, and little research is the reason people come up with projects without proper security implementation. Investors assume that a security audit is enough for them to trust the contract creator. While project creators blame the security auditors as they had done their part.
These hacks also put a question mark on Ethereum. It desperately needs to implement a security feature that doesn’t grant smart contract creators certain privilege, even if they are the creators of the contract. Minting new tokens, automatic withdrawal of tokens through contract, these are highly risky things if not done with proper knowledge.
For instance, we researched an ERC1155 smart contract and found a function “Approve All”. Upon digging deeper we learned that upon calling this function, the smart contract is approved for all and any transaction on the user’s wallet who has clicked the “approve” button. The smart contract can withdraw user’s Ethereum or any other token in that particular wallet without needing any input from the user. Of course, the withdrawal function needs to be triggered by the user. But this loophole coupled with some other bug can cause havoc.
Conclusion
With that said, hope all of you will now think twice before riding the craze. Cryptocurrency industry is very dynamic. If today its DeFi, tomorrow it might be something else. Control the greed and you are safe from losing your funds. Always do your research by checking founders history, checking their source code, understanding the technology, and then invest your money.
