Staying safe from DeFi hacks
The more a user knows about possible vulnerabilities or scam attacks, the safer their assets are.
While DeFi is constantly evolving and blockchain technology is becoming more secure, hackers still succeed in running fraudulent schemes and taking advantage of security vulnerabilities.
However, not every news report about another project suffering from a hacker attack should necessarily be frightening. In many cases, user funds remain safe or possible losses are offset by coverage, while on many occasions, hackers return stolen funds (partially or in full) after negotiations.
In any case, knowing about possible threats can help users to evaluate the risks of using a particular service to avoid losing funds.
A developer’s failure to identify a bug often enables hackers to exploit a vulnerability and eventually withdraw user funds.
Over the past year, we have seen multiple attacks of that kind. For example, a programming flaw that appeared to be a fake minting bug was recently disclosed in the bridge between Optimism and BitBTC. Prompt vulnerability patching prevented extracting 200 bln tokens from Optimism since the flaw allowed for faking tokens on one side of the bridge and exchanging them for real ones.
In another case, the warning of a vulnerability in Opensea’s non-updated contracts prevented many users from losing their funds. The vulnerability facilitated withdrawing users’ NFTs after signing a malicious transaction.
Exploitation of contract vulnerabilities comes in various ways, and a common strategy is based on reentrancy hacks occurring when a contract uses an outer call to interact with another contract whose former state isn’t yet updated. A hacker uses a specially built malicious smart contract to cause withdrawal from the target. Since the program flow is interrupted, the target’s smart contract is unable to update the attacker’s balance. One of the most significant reentrancy attacks ever is the Fei Protocol exploit that caused an $80 mln loss.
The first and primary countermeasure to prevent this type of attack or to disclose it before any damage has been done is to conduct audits.
Code should be audited regularly, and reports should be published to be available to the user. In the auditing process, security companies uncover bugs and simulate hacker attacks. Thus they help to ensure smart contract security and make transactions safe. So, before using any platform, it is worth checking its commitment to safety. This article thoroughly explaining the 1inch Network’s safety measures can help you to get a better idea of what security information should look like.
Flash loan attacks
Flash loans facilitate lending by enabling users to take a non-collateralized loan of any size from a liquidity pool under the condition that it will be repaid within a single transaction. Otherwise, a smart contract cancels the flash loan transaction and returns the funds to the lender.
Flash loans are often exploited by malicious actors to manipulate the borrowed asset’s price.
The Mango Markets trading platform was recently hit by an attacker who borrowed the MNGO token and pumped its price to use overpriced coins as collateral for borrowing BTC and other assets and withdrawing the profit. Hackers always know where to look for a weakness. For instance, New Free Dao’s contract calculating rewards was too simple, which caused a flash loan attack.
In the Crema Finance case, hackers created a fake price change data account to bypass contract checks and then used flash loans to drain the pool. The stolen finds were later partially returned thanks to a successful negotiation.
Meanwhile, other factors may also create an opportunity for attackers. Sometimes, an off-chain component causes a failure of price reporting even while on-chain price aggregation functions correctly.
Nefarious actors mainly target centralized price oracles, pulling data from a single exchange. Decentralized oracles, which focus on diversifying data collectors to the point where violating their quorum becomes too challenging, are therefore less vulnerable to that kind of manipulation.
Call the vulnerable function
Meanwhile, no matter how secure DeFi platforms may be, they are not immune to issues caused by a vulnerable third-party tool. Profanity, which offers vanity address generation and is quite popular among both users and platforms, turned out to be such a vulnerable tool. Earlier this year, 1inch contributors discovered a vulnerability in Profanity and immediately published a blog post and social media posts to warn the service’s users.
Such an event is almost impossible to prevent, but it is still possible to react quickly. Users can at least follow the social media accounts of the projects they interact with and monitor announcements of reputable market leaders. The Profanity case is quite typical, as, despite the 1inch warning, the vulnerability caused considerable losses, which timely reaction to the notification could have prevented.
One of the most common forms of attacks threatening all users is phishing. This cybercrime remains popular with hackers targeting all online services, not specifically DeFi platforms. Users of popular websites, platforms and projects can suffer from progressing phishing attacks.
Frequently, phishing attacks are performed through fake sites and applications of platforms/wallets that can imitate the interface of legitimate websites. However, the site’s domain name often helps to determine whether it is fraudulent. For example, the fake part may contain “com” rather than “io” etc. Essentially, the ultimate goal of phishing is to connect to the user’s device. So hackers trick users in different ways to make them connect their wallets or sign malicious transactions.
The good news is that this threat can be identified and prevented by users without any special knowledge or thorough research. All recent phishing attacks share the common trait of luring users to a fake website. In one case, Etherscan, CoinGecko and DeFi Pulse were attacked via malicious pop-ups offering users to connect their wallets to a phishing site that resembled the famous Bored Apes Yacht Club NFT project.
Another case involved airdropped tokens sent to addresses connected to Uniswap. Those tokens led users to a fraudulent site that encouraged them to sign malicious contracts enabling hackers to empty their wallets.
Phishing links are not necessarily automatically sent to users via emails or wallets. Even someone whom a user knows personally can send them. One of the frequently used methods is a ‘romance scam,’ whereby the victims’ trust is gained by a scammer in order to engage them in fake interest-earning schemes, usually persuading them to invest on suspicious platforms or websites resembling popular projects.
There are some strict rules to follow when interacting with websites, emails and wallets.
First, users should enter website names manually and download updates only via official platforms. Second, if users are taken to a website asking them to perform some action like connecting a wallet, entering a seed phrase or signing a contract, it’s a red flag.
Observe these rules, and stay safe!