Blockchain Hacks: DeFi Exploits 2021 Explained
Decentralized Finance (DeFi) is a cryptocurrency movement that makes traditional financial services such as lending, borrowing, saving, and earning interest accessible worldwide without the need for trusting banks and centralized financial institutions. DeFi crypto projects make this possible thanks to smart contracts developed on the Ethereum blockchain and some other crypto networks with smart contract functionalities.
More and more DeFi projects are created every year. Billions of dollars are locked into smart contracts that are part of the DeFi ecosystem. One of the reasons people are drawn to this way of investing is its trustless nature. Once deployed, the dApps are self-sustaining and don’t require human intervention. The code they run on is publicly available and auditable. DeFi investment isn’t restricted by geographical borders or international law, making it globally usable by everyone, no matter their location.
Nevertheless, the movement is relatively new and still in development. DeFi projects are being targeted by scammers and abusers of all sorts. Something freely available attracts not only the good but also the bad in people. This is all part of the learning curve that the ecosystem is currently going through, which will result in the developers creating more robust and secure platforms in the future.
What Is a DeFi Hack, And Why Do They Occur?
A hack is a security breach where a malicious party manages to take advantage of vulnerabilities in the codebase and/or security systems to gain unlawful access to the DeFi stock kept on that platform. According to data gathered by the research firm Messari, almost $300 million worth of crypto has been lost to hacking incidents in the DeFi ecosystem since 2019. Furthermore, just in 2021 alone, over $150 million has been stolen from some of the best DeFi projects.
Decentralized Finance platforms are lucrative targets because they are autonomous and store billions of dollars in their vaults. The actions of the customers aren’t monitored by humans, and the networks are transparent and open-source. Bugs could be exploited to the advantage of hackers and thieves.
Hacks can happen because DeFi crypto developers didn’t foresee how certain network features can be used as loopholes to earn greater returns. In addition, the interoperability of the systems coupled with large investments can create arbitrage opportunities that shouldn’t have been possible in the first place.
Because the DeFi ecosystem arouses so much interest, new projects want to get involved with it as soon as possible. But, unfortunately, this makes them skip essential security steps such as professional audits of the networks and smart contracts to detect potential vulnerabilities.
The third reason the DeFi crypto price of many projects collapsed is problems intentionally caused by the teams behind the projects themselves. The motives behind these actions are mostly financial. The founders and developers abuse the DeFi stock they hold and dump huge chunks of it on the market, crashing the price and removing the needed liquidity from the pools.
How Are the Best DeFi Projects Getting Hacked?
There are various types of exploits that have been observed in decentralized finance in the last couple of years. Two that occur regularly are Rug Pulls and Flash Loan Attacks.
The Rug Pull
A rug pull is a common hack that happens to a DeFi stock when liquidity is suddenly removed from a pool, causing panic and sell-offs within the community. This is an immoral manipulation conducted by the developers and owners of the project. They perform an exit scam in an attempt to steal as much of the investor’s money as possible.
The creators introduce their own native token to perform a rug pull and list it on a decentralized exchange. There it gets paired with a digital asset such as Ethereum or DAI. Liquidity providers are then incentivized with high rewards to provide liquidity and exchange their ETH, DAI, or stablecoins to the new native tokens.
All pooled funds get locked into smart contracts. When enough money has been deposited into them, the developers simply steal the established coins and remove all liquidity. The investors are then left holding bags of the platform’s native tokens. As a result, their DeFi crypto price becomes worthless following the actions of its founding team members and significant sell orders that get created.
Flash Loan Attacks
Flash loans allow anyone to borrow and gain access to large sums of money for a short time without any collateral. These decentralized loans permit market participants to partake in the DeFi ecosystem by swapping between different tokens and taking advantage of arbitrage opportunities. Flash loans must be paid back in the next transaction block. Otherwise, the transactions will be reversed by the smart contract as if they never happened.
Since the time window when an attacker has the funds is very narrow, the borrowed money is instantly swapped and exchanged to other tokens. The fresh inflow of a large volume of capital can be used to manipulate the DeFi crypto price of various assets. This causes the value to go up, so when it’s time to repay the loan, the platform gets tricked into accepting a smaller amount of the borrowed asset due to its increased value. The flash loan attacker pockets the difference.
Flash loans can allow arbitragers to profit from the price differences on two or more lending and borrowing platforms. This is a common occurrence in the DeFi investment field due to a lack of liquidity on the market. Arbitraging is considered an exploit because it causes liquidity providers and yield farmers to lose their investments due to slippage in the price.
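The price manipulation described above, as an added example in Python (not code from the article or from any of the projects it names): a toy constant-product pool next to a lender that values collateral at the pool's spot price, and the deviation check a defender would add. The reserve sizes, loan size, collateral and loan-to-value ratio are assumptions.

```python
# Added example, not code from the article: a constant-product pool (x * y = k)
# beside a lending contract that values collateral at the pool's spot price.
# One flash-loan-sized swap moves that spot price far from the real one; a
# deviation bound against a reference price (a TWAP here) refuses such reads.
# Reserve sizes, loan size, collateral and LTV are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Pool:
    """Constant-product AMM holding token A and a USD stablecoin B."""
    a: float  # reserve of A
    b: float  # reserve of B

    def spot_price(self) -> float:
        """Price of one A in B, exactly as a naive on-chain oracle reads it."""
        return self.b / self.a

    def buy_a(self, b_in: float) -> float:
        """Swap b_in of B for A (fee omitted); returns the A paid out."""
        k = self.a * self.b
        new_b = self.b + b_in
        new_a = k / new_b
        out = self.a - new_a
        self.a, self.b = new_a, new_b
        return out

def max_borrow(collateral_a: float, price: float, ltv: float = 0.75) -> float:
    """Stablecoins a lender allows against collateral_a valued at price."""
    return collateral_a * price * ltv

def guarded_price(spot: float, twap: float, max_dev: float = 0.10) -> Optional[float]:
    """Defensive oracle read: accept spot only within max_dev of the TWAP."""
    if abs(spot - twap) / twap > max_dev:
        return None  # refuse to value collateral at a manipulated price
    return spot

def simulate(flash_loan_b: float = 9_000_000, collateral_a: float = 10_000) -> dict:
    pool = Pool(a=1_000_000, b=1_000_000)  # 1 A = 1 B before the trade
    twap = pool.spot_price()               # price of the quiet market
    pool.buy_a(flash_loan_b)               # one huge swap paid for with the loan
    spot = pool.spot_price()               # now 100x the real price
    guarded = guarded_price(spot, twap)
    return {
        "spot_after": spot,
        "naive_borrow": max_borrow(collateral_a, spot),
        "honest_borrow": max_borrow(collateral_a, twap),
        "guarded_borrow": None if guarded is None else max_borrow(collateral_a, guarded),
    }
```

With these figures the naive lender would let 10,000 A borrow 750,000 stablecoins instead of 7,500, while the guarded read refuses the valuation outright.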
Which DeFi Projects Have Been Hacked in 2021?
By July 2021, we have already witnessed dozens of DeFi hacks and exploits, with damages measured in millions of dollars as a result. Here are some of the most significant cases:
1. The Meerkat Finance Hack
Meerkat Finance was a yield farming DeFi ecosystem that became operational in March 2021. In just one day after going live, the platform suffered a security breach resulting in the loss of $13 million in stablecoins and 73,000 BNB. The total financial damage was over $30 million.
This exploit was, in fact, a rug pull performed by the owners of this liquidity provider who had access to the pooled funds. Originally, that wasn’t the case, but before the attack, the developers performed a code upgrade to access the site’s vault. Since the team deleted all social media accounts of Meerkat Finance and took down the website, it was clear that this exploit was an inside job.
2. Flash Loan Attacks on Alpha Homora
Alpha Homora is a lending and borrowing platform that got subjected to a series of flash loan attacks in February 2021. The V2 version of the network that allows leveraged yield farming was the target of the assault. The attacker borrowed and lent out millions of stablecoins, inflating their value and making enormous profits.
An inadequately set up smart contract was the cause for this successful exploit. Once the exploiter was finished, Alpha Homora V2 suffered a DeFi crypto loss of over $37 million.
3. The EasyFi Private Keys Leakage
The most adverse DeFi stock theft happened to EasyFi in April 2021. This is a decentralized lending protocol based on the Polygon Network. A remote attack compromised the private keys of the network’s administrator, which enabled access to company funds.
Around 3 million native EASY tokens were stolen, worth around $25 each. The protocol’s vault was also breached from where the attacker took $6 million in DAI and USDT. EasyFi lost over $80 million in digital assets from this hack.
4. The Arbitrage Exploit of Saddle Finance
Saddle Finance is an automated market maker and a clone of the famous Curve protocol. On the 21st of January 2021, just one day after its launch, three major arbitrage exploits caused liquidity providers to lose almost 8 BTC worth of liquidity. The entire operation took the attackers only 6 minutes.
A poorly configured smart contract allowed the arbitragers to net in huge profits at the expense of early yield farmers and investors. One of the attackers managed to stretch the DeFi crypto price of the platform’s pegged assets so much out of proportion that he successfully swapped a token worth 0.09 BTC for one worth 3.2 BTC.
How Can DeFi Investment Hacks Be Prevented?
Conducting extensive research on the projects you are planning to invest in is the first step to protecting your investment. One individual or a small team of developers should never have sole access to the vaults and wallets where the funds are being kept. That places too much trust in those people.
Some examples of better mechanisms include multi-signature configurations. With those, several parties have to sign and provide access to the locked-in liquidity. If there is a malicious actor, they won’t be able to act alone and perform a rug pull, for example.
Another way to protect customers is by using a time lock on provided liquidity. That ensures that the tokens can’t be removed or stolen from the smart contracts for a set amount of time. This can be anything from a few days to months. Time locks give users the confidence that their investments can’t simply disappear overnight.
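The two controls described above, a multi-signature approval and a time lock, combined in an added Python model of vault withdrawals (not code from the article or from any project it names). The signer names, the 2-of-3 threshold, the two-day delay and the balance are assumptions.

```python
# Added example, not code from the article: a plain-Python model of the two
# controls described above, an M-of-N multi-signature approval and a time lock,
# applied to withdrawals from a liquidity vault. Signer names, the 2-of-3
# threshold, the two-day delay and the balance are constructed.
from dataclasses import dataclass, field

DAY = 86_400  # seconds

@dataclass
class Withdrawal:
    amount: int
    proposed_at: int  # timestamp when proposed
    approvals: set = field(default_factory=set)
    executed: bool = False

@dataclass
class GuardedVault:
    signers: frozenset  # keys allowed to approve
    threshold: int      # approvals required (M of N)
    delay: int          # seconds a proposal must wait
    balance: int
    proposals: list = field(default_factory=list)

    def propose(self, signer: str, amount: int, now: int) -> int:
        if signer not in self.signers:
            raise PermissionError("not a signer")
        self.proposals.append(Withdrawal(amount, now, {signer}))
        return len(self.proposals) - 1  # proposal id

    def approve(self, signer: str, pid: int) -> None:
        if signer not in self.signers:
            raise PermissionError("not a signer")
        self.proposals[pid].approvals.add(signer)

    def execute(self, pid: int, now: int) -> int:
        # Pay out only if every control passes; returns the new balance.
        p = self.proposals[pid]
        if p.executed:
            raise RuntimeError("already executed")
        if len(p.approvals) < self.threshold:
            raise PermissionError("insufficient approvals")
        if now < p.proposed_at + self.delay:
            raise RuntimeError("time lock has not expired")
        p.executed = True
        self.balance -= p.amount
        return self.balance

def attempt(vault: GuardedVault, pid: int, now: int) -> bool:
    # True if execution succeeds, False if a control blocks it.
    try:
        vault.execute(pid, now)
        return True
    except (PermissionError, RuntimeError):
        return False
```

A single key holder proposing to withdraw the whole balance is blocked twice: first for lacking a second approval, then for the unexpired time lock, which gives other signers and the community time to react.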
Before putting your money into the DeFi ecosystem, do a background check on the team representing the project and those supporting and backing it. Are they well-known in the industry? What previous experience and results can they show, and how reputable are they? A lack of information or anonymous team members isn’t necessarily alarming, but it could be a reason for concern.
Flash loan attacks and illicit arbitraging can be minimized or completely eliminated as the DeFi markets mature and enough liquidity gets locked in to prevent slippages in coin values. Smart contract bugs and misconfigurations could be detected and fixed by conducting security audits of the code and subjecting the networks to extensive beta testing before taking them live. Some projects organize bug bounties where users get paid to test and break the systems to find mistakes and backdoors.
Decentralized finance is a groundbreaking technology that has taken the world by storm. It offers new ways of accessing financial services in a decentralized and transparent manner. But as we have seen, some of the best DeFi projects have suffered hacks and exploits in recent times.
Slowly but surely, the industry will improve. We will witness greater security of smart contracts that can cope with all known threats. Until then, do your own research into the projects you are investing in, and consider the DeFi space a somewhat risky investment. But stats don’t lie, and the numbers show that at one point, almost $90 billion was locked in DeFi during 2021. Decentralized finance is expanding, and the community seems to have welcomed it with open arms.