With DeFi Hacks Dampening Confidence, More Security is Necessary
With nearly US$1 billion lost to fraud already in just a little over the first quarter, we’ve seen exploits from phishing schemes to poorly managed networks, and it all seems to be just the beginning of what could very possibly be the end of our unbridled belief in the security and pioneering character of DeFi.
But we shouldn’t lose sight of potential solutions. The current safeguards were put in place to explicitly address these newer unique risks, and are still being improved upon. It’s now a question of how long we’ll be playing catch up to the prevalence and exposure of decentralized systems.
More hacks expected
The biggest hacks over the past year include Axie Infinity’s Ronin Bridge hack. Ronin, an Ethereum sidechain built for the popular play-to-earn non-fungible token game Axie Infinity, was hacked for over 173,600 Ethereum and 25.5 million USD Coin (USDC) for a combined value of over US$650 million.
Another notable case is the targeting of Yuga Labs, the multibillion-dollar collective behind the infamous Bored Ape Yacht Club non-fungible tokens. This led to the theft of millions of dollars worth of the simian NFTs… begging the question, why does this all seem so easy and unaccounted for? We’re certainly talking about it, but who’s actually doing anything?
The rise in DeFi popularity and attempted hacks isn’t a coincidence. Contingencies for this happening were well expected. Chalk it up to the “lending risks” that everyone seems totally (not) fine with, or maybe it’s the utter lack of thorough auditing processes across the board that attract attackers like bees to a honeypot. The numbers don’t necessarily sugar-coat anything, the facts are that users lost a total of US$1.3 billion across 44 DeFi hacks.
The facts are that users lost a total of US$1.3 billion across 44 DeFi hacks.
Where there are weak points in poorly coded smart contracts, inevitably there’ll be attackers. We’ve identified two prevalent patterns – one sees an attacker carefully constructing a contract at an external address that contains malicious code in the fallback function. And then there are flash loan exploits, where a hacker borrows a large amount of money from a protocol collateral-free and then uses that money to destabilize said protocol.
Amid a larger focus on DeFi platforms by cyber criminals, we’re still struggling to put in place appropriate defenses to curtail these possibilities in the future. As an undeniable omen of things to come, without strengthened perimeters and an emphasis on robust security to reduce these attacks, they will only become more audacious and destabilizing in terms of underlying security.
Where is the underlying liability?
Liability often stems from smart contract developers relying on external auditors as a last line of defense. Additionally, fortifying code manually without extensive resources or the proper tools still does very little to the security of a smart contract when launched unaudited. The common denominator in smart contract exploitation is that the majority of them haven’t undergone security audits.
There’s only so much protection that can be given to a crypto wallet holder susceptible to phishing attacks, but this newer trend highlights how all of this could be avoided by simply not signing potentially dubious smart contracts.
What should we do about it?
Confronted with the very tangible solution of what blockchain project owners can do to run safer projects, all roads lead to conducting smart contract security audits. As a base practice, we recognize that protocols should audit their code closely before launching and for each update.
Tedious as that may be, smart contract analysis programs like ODIN can give some insight into how a code clone detection system can actively minimize vulnerability propagations. ODIN is perhaps the easiest way for blockchain-based companies to improve their level of security and compliance. With ODIN, whenever a known vulnerability is detected in a smart contract, it’s automatically flagged onto a collection database, allowing detection of similar vulnerabilities in other protocols separate to the one flagged.
Similar to how a common spellcheck works, security auditing should be able to identify logical flaws or errors in the smart contract code that go unnoticed during development.
Similar to how a common spellcheck works, security auditing should be able to identify logical flaws or errors in the smart contract code that go unnoticed during development, and suggest useful alternatives to fix and optimize the smart contract before deployment. And just like any machine learning program, it’ll only get more intuitive and act as a better safeguard.
The high level of security is one of the main attractions of blockchain. It is increasingly being used for a range of functions where it is important to transmit data securely.
Smart contracts are automated digital contracts, acting as an intermediary of sorts to reduce accidental exceptions while addressing contractual rules. Smart contract audits focus on the analysis of the programming or code to check whether the code is following its conditions properly. Once the contract is deployed, the code can’t be easily modified. Testing execution before deploying the smart contract makes it so there are no exceptions to possible outcomes. By addressing security loopholes and identified errors, audits consider all possible scenarios to preemptively stop any form of attack by simulating it beforehand. In unleashing the full potential of blockchain, we know of a certainty that central to its success is the auditing process.
To date, ODIN has already been tested and implemented in Fortune 500 companies such as Samsung, LG, and SK. The name of the game is vulnerability detection in standardized code. With ODIN, whenever protocol code is updated, the auditing process starts, lessening the chances of being hacked with each iteration.
Looking ahead
There is some sense of self-actualization when it’s said that we as a community need to do better. Smarter auditing services have the potential to stabilize protocols and rebuild confidence in crypto markets, but that’s so much easier said than done. Higher safety operation standards for DeFi will need to look like a unified front.
Choosing smart auditing services, we believe, will be integral to the learning of implementation of heightened security standards and processes in this arena. As it stands, developers who are writing smart contracts need to have available resources to fall back on for eliminating bugs that otherwise would’ve been ‘low-hanging fruit’ for hackers.
DeFi is here to stay. Unfortunately, so are hackers trying to game the system. We take comfort in the fact that blockchain analysis can help in some instances to freeze or even seize stolen assets in transit. Regardless, the targeting won’t stop until adequate preventative measures are in place. This industry still desperately needs services specializing in security auditing, and greater accountability after the fact.
We aren’t the first to emphasize this point, but certainly hope to be the last. Let’s get auditing!
Jisu Park is the founder and CEO of Sooho.io, a South Korean smart contract auditing firm.