DeFi & the future of banking attacks

Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.

The way we conduct our finances is changing thanks to blockchain technologies. The concept of decentralised finance (DeFi) is leading this change across the globe. At the same time, like any new development, there are always challenges and there is room for security improvement. In this article, we will look at one of these challenges: the unauthorized hacking of decentralised platforms. But let’s start with a short primer about this emerging industry.

DeFi in a nutshell

Decentralised finance is an alternative to the traditional method of banking and finance used globally. Unlike standard banking, there’s no central authority acting as a middleman between the sender and the receiver of funds. This decentralisation is associated with greater anonymity and, in some cases, lower transaction fees.

When it comes to the platform for decentralised finance, the Ethereum blockchain is the clear favorite. The reason behind this preference is the blockchain’s “smart contract” feature. A smart contract is an agreement written in code that executes itself if/when the terms of the agreement are met. For example, a hospital can set up a smart contract for patient data that is only accessible with a code provided to the patient. Each contract exists on the blockchain and can be indisputably traced if needed.

Some well-known DeFi applications include decentralized exchanges (DEXs), lending platforms, yield farms, stablecoins and liquidity miners. DEXs allow users to trade cryptocurrencies directly with each other; UniSwap, PancakeSwap and SushiSwap are three popular DEXs. Lending platforms use smart contracts to issue and service loans. Yield farming allows crypto holders to earn interest on their holdings. Stablecoins are cryptocurrencies pegged to an asset, such as the USD, to stabilize their price.

The current state of the DeFi sector

The DeFi segment of the crypto market has seen astronomical growth in the last two years, rising from over $382 million in Apr 2020 to nearly $68 billion in Apr 2021. However, like much of the crypto market, the DeFi segment is volatile: the market shrank by over $38 billion in May 2021.

Rapid falls in cryptocurrency prices and rising Ethereum transaction fees are two of the challenges for DeFi platforms. Another challenge for the DeFi sector is unauthorized hacking: while crime has decreased in the crypto market overall, the DeFi sector has seen an increase.

DeFi hacks and cybersecurity

DeFi crime mostly happens in two ways:

  1. The people running the project run away with the investors’ money (called a rug pull), or
  2. Threat actors infiltrate the platform and steal funds

So far in the first 7 months of 2021, a record $474 million has been stolen: $361 million to hacking and $113 million to rug pulls. The reasons for these hacks vary from coding and business logic mistakes to a general lack of focus on security.

In April last year, lending platform Lendf.Me and the Uniswap DEX lost $25 million because of coding mistakes. The developers added support for the ERC-777 token standard, which made their smart contracts vulnerable to re-entrancy attacks. (A successful re-entrancy attack allows the hacker to withdraw funds multiple times before the contract has recorded the first withdrawal.)

In some cases, the hacker takes advantage of flawed business logic in the DeFi platform. Take the example of Harvest Finance. In October of last year, the platform lost $24 million after an attacker used a $50 million flash loan for an arbitrage attack, manipulating prices multiple times through one of the platform’s liquidity pools in the process.

Because DeFi is a new but popular industry, it is natural that hackers are trying to exploit its vulnerabilities. Typically, as an industry matures, so does its security posture. We are already seeing signs of this in the DeFi market: developers are paying greater attention to creating test environments for their projects.

However, scalability is still the major focus of most DeFi developers. Also, upgrades like the Ethereum 2.0 upgrade may expose the sector to new vulnerabilities: researchers found that it will be easier to scale attacks, the rewards paid for securing the network will be lower, and network security will depend on the price stability of ETH.

New technologies that are attempting to create the financial market of the future have become a global phenomenon. Unfortunately, hacking attacks on fast-growing DeFi platforms aren’t expected to slow down soon. In this situation, regular security audits can help identify protocol vulnerabilities before an attacker exploits them.

