According to Coinmarketrate.com, the Ethereum (ETH) blockchain, launched in 2015, was designed to add a layer of complexity on top of cryptocurrencies such as Bitcoin by introducing the concept of smart contracts on the blockchain.
Recall that smart contracts are contracts that automatically execute actions when pre-defined conditions are met. They have enabled the development of decentralized applications, whose complexity has grown over the years.
The DeFi ecosystem currently includes hundreds of financial applications, ranging from stablecoins and lending and savings protocols to decentralized exchange (DEX) protocols. In total, the DeFi ecosystem accounts for more than $258 billion in total value locked (TVL). The Ethereum blockchain alone accounts for 70% of this TVL – $170 billion.
Subsequently, the DeFi ecosystem developed on other blockchains besides Ethereum, such as Binance Smart Chain (BSC), Solana (SOL) or Avalanche (AVAX), to name just a few.
Decentralized, but not necessarily secure
As we have just seen, smart contracts have enabled the development of decentralized applications. These applications are called trustless because they eliminate the need for an intermediary to control the funds. Therefore, they are the opposite of platforms such as centralized exchanges that have full control over their users’ funds.
Unfortunately, that is not the whole story. Although these applications are decentralized, the smart contracts that make them up have many weaknesses.
After all, smart contracts are written by people. As a result, they may contain errors, bugs or other shortcomings. DeFi users therefore have to place full trust in the developers of the smart contracts to guarantee their security.
For their part, developers can raise the level of security by entrusting the audit of their applications to specialized firms. Unfortunately, this approach, which should be standard, is all too often ignored by developers. Why? Decentralization, after all!
Billions of DeFi out of thin air
If you closely follow the news of cryptocurrencies, it is impossible to miss the repeated hacks of the DeFi ecosystem. In 2021, more than $10.5 billion was stolen from DeFi protocols, according to a report published by Elliptic.
By comparison, DeFi hacks and breaches caused $1.5 billion in losses in 2020, which represents a 700% increase between 2020 and 2021.
Of course, not all of these losses have the same origin. In fact, several types of attacks can be directed at DeFi protocols, and new ones are discovered every day.
Different types of attacks
The report published by Elliptic identifies 2 main families of attacks:
- Errors and flaws;
- Weaknesses related to administration keys.
Errors and flaws in smart contracts can lead to 2 types of attacks.
Firstly, we have vulnerabilities caused by errors in the source code of the protocols. In this case, attackers use a flaw in the smart contract code to perform actions that would normally be prohibited or even impossible.
Elliptic cites the vSwap protocol as an example. It suffered $11 million in losses because of a single line of code.
Analysis of the incident showed that one line of code was missing. The affected contract included an initialize() function that had to be called after deployment.
Secondly, protocols can be the target of so-called economic attacks. These attacks aim to change the price of an asset for a short time in order to profit from the conditions created by that change.
One of the most common types of economic exploit is the manipulation of asset prices in order to take advantage of arbitrage opportunities on DeFi services that would not otherwise exist.
Other factors facilitate this type of attack. For example, the open-source nature of the ecosystem allows anyone to fork a protocol and create a copy of it. As a result, many protocols are created by copying the code of other protocols, and copying the code means copying whatever errors it may contain.
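As an added illustration of this bug class (a constructed example written for this article, not vSwap's own code), the contract below shows an unguarded initializer beside a hardened one that can only ever run once, plus a deployer that initializes in the same transaction as deployment; all contract and function names are hypothetical:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration of the bug class, not vSwap's own code:
// a public initialize() with no guard can be called by anyone, and more
// than once, so if deployment never calls it the contract stays open.
contract UnguardedVault {
    address public owner;

    // Intended to run exactly once after deployment. Nothing enforces
    // that: there is no "initialized" flag and no access check.
    function initialize(address _owner) public {
        owner = _owner;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    receive() external payable {}
}

// Hardened form: a one-shot initializer that locks itself after first use.
contract GuardedVault {
    address public owner;
    bool private initialized;

    modifier initializer() {
        require(!initialized, "already initialized");
        initialized = true;
        _;
    }

    function initialize(address _owner) public initializer {
        require(_owner != address(0), "zero owner");
        owner = _owner;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    receive() external payable {}
}

// Deploy and initialize in one transaction, so there is no window in
// which the contract is live with its initializer still open.
contract VaultDeployer {
    function deploy(address ownerAddr) external returns (GuardedVault v) {
        v = new GuardedVault();
        v.initialize(ownerAddr);
    }
}
```

A post-deployment check that reads `owner()` (and, where exposed, the initialized flag) on every freshly deployed contract is the cheapest way to catch a forgotten initialize() call before users deposit funds.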
Weaknesses associated with administration keys
For many, the hacker is DeFi's number one enemy. However, in many cases the protocol's own developer turns out to be the worst enemy.
Indeed, many protocols have administration keys. In short, these are the private keys associated with the deployment of a decentralized application. They are retained so that the developers can intervene if something goes wrong with the protocol.
Unfortunately, in some cases developers use these keys to carry out a so-called “rug pull” or “exit scam”. In practice, the developer uses his control over the smart contract to siphon off the funds invested in it, and then vanishes into thin air.
In practice, the category of errors and flaws is the source of the vast majority of attacks, through which $10.8 billion has been stolen since 2020.
Ethereum – the queen of hacks
Undoubtedly, Ethereum is the queen of DeFi blockchains. Unfortunately, the size of its DeFi ecosystem earns it another, less honorable title: the most hacked blockchain.
In practice, 71.4% of DeFi hacks occurred on the Ethereum blockchain. That corresponds to $8.5 billion taken by attackers. Ethereum is followed by Binance Smart Chain with 21.1% of hacks.
Who is to blame for these DeFi hacks?
At first glance, we may be tempted to say that these hacks are just an accident, a classic human error. However, reality tells a different story.
These shortcomings are primarily the result of the incompetence and greed of some developers. Indeed, many protocols are deployed on the network without any audit worthy of the name. And a protocol that is audited is not always audited by competent firms. As a result, users believe they are safe because the protocol has been audited, whereas in fact an incompetent audit can miss many critical flaws.
In the vast majority of hacks aimed at unaudited protocols, the developers could have afforded an audit given the profit the protocol generated. Unfortunately, the temptation of profit turns out to be stronger than the desire to secure the protocol.
Some hacking stories perfectly illustrate the absurdity of the ecosystem. This is especially clear in the case of the Cream protocol, which was hacked at least 3 times in 9 months. An absolutely absurd situation. Instead of suspending the protocol and having its security completely reviewed by specialized firms, the Cream team preferred to restart the protocol three times, each time putting users’ funds at risk.
In parallel, many foundations and protocols are creating funds to finance the development of the DeFi ecosystem. For example, Avalanche announced the creation of a $200 million fund last November.
Unfortunately, security does not seem to be a priority for these “DeFi funds”. Instead of promoting growth and attractiveness, these funds should be used to improve security and establish security standards across the various blockchains.