Security of funds in the decentralized finance (DeFi) sector is a cornerstone of the industry. The spring of 2021 brought several hacks that siphoned off large volumes of user funds: in March, hackers got into PAID and stole 2,000 ETH worth $3 million, in April they stole $50 million worth of tokens from Uranium Finance, and in May $7.2 million in tokens was withdrawn from BurgerSwap and JulSwap. And August saw the biggest hack in DeFi history: a hacker drained $611 million in cryptocurrency from the cross-chain bridge Poly Network, but then returned the stolen funds, saying the hack was not financially motivated.
In the fall, hacks became more frequent, since hackers still need money: in September they pilfered $3.2 million in tokens from Zabu Finance and $12.5 million from pNetwork. But it does not appear that the recurring hacks of decentralized liquidity protocols have made people looking for promising DeFi projects in which to invest their capital any more wary.
How Are DeFi Projects Hacked?
In short, hacks of DeFi projects exploit vulnerabilities that developers have left in their smart contracts. Hackers find these vulnerabilities and use them to withdraw funds, meaning they use functionality that was present in the smart contract from the start, rather than breaking into the contract to reach the funds it holds.
For example, in the attack on the decentralized exchange BurgerSwap, the hacker exploited a vulnerability that allowed tokens to be swapped again without updating the reserves from which the user's share of liquidity is calculated. The attack also made use of a flash loan protocol. These protocols exist to provide flash loans to DeFi users for arbitrage and swaps. They let you borrow tokens and cryptocurrencies, use them, and return them to the lender within a single transaction, which is why they are called flash loans. Flash loans have repeatedly been used in hacks, since they increase the number of liquidity protocols that can be drawn into a single attack, which increases the likelihood that a vulnerability will be found.
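To make the reserve-update defect concrete, here is an added Python model written for this article; it is not BurgerSwap's code nor any real protocol's, and the pool numbers are constructed. It models a toy constant-product pool that prices swaps from cached reserves, with two switches: `sync_reserves` (off models the defect of never refreshing the reserves after a swap) and `check_invariant` (the mitigation: refuse any swap after which the product of the pool's real balances has fallen). The names `ConstantProductPool`, `run_swaps` and `PoolError` are assumptions of this example.

```python
from dataclasses import dataclass, field


class PoolError(Exception):
    """Raised when a swap is rejected (assumed name for this example)."""


@dataclass
class ConstantProductPool:
    """Toy x*y=k pool (constructed model, not a real protocol).

    reserve_* are the cached values used for pricing; balance_* are the tokens
    the pool actually holds. In a well-formed pool the two are kept in sync.
    """
    reserve_a: int
    reserve_b: int
    sync_reserves: bool = True      # False models the "reserves never updated" defect
    check_invariant: bool = True    # mitigation: reject swaps that lower k on real balances
    balance_a: int = field(init=False)
    balance_b: int = field(init=False)

    def __post_init__(self) -> None:
        self.balance_a = self.reserve_a
        self.balance_b = self.reserve_b

    def quote_a_to_b(self, amount_in: int) -> int:
        """Output of B for amount_in of A, priced from the cached reserves."""
        if amount_in <= 0:
            raise PoolError("amount must be positive")
        return self.reserve_b * amount_in // (self.reserve_a + amount_in)

    def swap_a_to_b(self, amount_in: int) -> int:
        amount_out = self.quote_a_to_b(amount_in)
        if amount_out >= self.balance_b:
            raise PoolError("insufficient liquidity")
        k_before = self.balance_a * self.balance_b
        self.balance_a += amount_in
        self.balance_b -= amount_out
        if self.sync_reserves:
            # Correct behaviour: the next swap is priced from the new balances.
            self.reserve_a, self.reserve_b = self.balance_a, self.balance_b
        if self.check_invariant and self.balance_a * self.balance_b < k_before:
            # A well-formed swap never lowers the product of real balances;
            # this end-of-swap check catches pricing from stale reserves.
            raise PoolError("invariant violated")
        return amount_out


def run_swaps(pool: ConstantProductPool, amount_in: int, rounds: int):
    """Repeat the same swap; return (outputs so far, rejection reason or None)."""
    outputs = []
    for _ in range(rounds):
        try:
            outputs.append(pool.swap_a_to_b(amount_in))
        except PoolError as exc:
            return outputs, str(exc)
    return outputs, None


if __name__ == "__main__":
    # Constructed pool: 1000 of each token, 100 A sold per round.
    print(run_swaps(ConstantProductPool(1000, 1000), 100, 3))
    print(run_swaps(ConstantProductPool(1000, 1000, sync_reserves=False,
                                        check_invariant=False), 100, 5))
    print(run_swaps(ConstantProductPool(1000, 1000, sync_reserves=False), 100, 5))
```

With reserves synced, each repeated sale of 100 A returns less B than the last (90, 75, 64), as the price moves against the seller. With stale reserves and no invariant check, every round returns the same 90 B, so the pool's B balance is drained linearly; because the whole sequence fits inside one transaction, a flash loan is enough to fund it. Re-enabling the invariant check on real balances rejects the second stale-priced swap, which is why an audit should confirm both that reserves are refreshed after every swap and that an invariant like this is enforced at the end of each one.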
Another common model for hacking in the DeFi sector is using protocols that let users deposit one coin and withdraw another. This opens up the possibility for hackers to manipulate the token price using non-market methods, washing liquidity out of a given token.
How Can Users Protect Themselves?
Since DeFi is unregulated, all responsibility for keeping smart contract funds secure lies with the project creators and with the users who deposit their cryptocurrencies and tokens in those projects. Obviously, to be absolutely sure that a liquidity protocol is secure, you would need to independently check that the smart contract's compiled code is well-formed. To do that, you need to be a data security expert and spend a lot of time studying the code. This method is appropriate only for the few people who have the necessary qualifications.
One more broadly applicable way to check the reliability of a smart contract is to check whether the project has undergone a technical audit. Projects are always eager to show users this information since it gives them an edge over their competition. So it should not be difficult to find. If there has not been an audit, avoid investing money in the project, since it could become the target for the next hack.
You should also pay attention to the project team’s reputation. If one of the team members was involved in a project that lost investor money, that should be a red flag. But if the team only has a positive reputation, you can place more trust in it.
What Does the Future Hold?
As the decentralized finance market grows, attempts to hack into new DeFi projects should only be expected to grow. This is a natural process, dictated by the realities of how our world works. There will be a cryptographic arms race, with projects trying to face threats by building up their defenses and hackers trying to find more and more sophisticated methods of attack.
Dmytro Volkov, CTO at international crypto exchange CEX.IO
© 2024 Benzinga.com. Benzinga does not provide investment advice. All rights reserved.