DeFi has been a dynamic component of the cryptocurrency industry with approx $80 billion in assets locked into protocols in March 2021. As the saying goes, however, problems accumulate where the money is.
Projects in DeFi have been forgery and scams, and the loose bolt in such activities have been badly constructed smart contracts. This becomes evident if you look into the scams in the recent months.
Poly Network attack
Developed to address the interoperability of blockchains, Poly Network grew rapidly and locked up around one billion US dollars worth of crypto assets. However, stakeholders were left in shock when more than $600 million USD of cryptocurrency was stolen in a single attack. This left the protocol’s assets under management (AUM) more than cut in half.
For the success of the hack, the perpetrators owned thanks to a vulnerability in the smart contract used in the protocol for cross-chain asset transfers. The hackers substituted their own wallet address for the address normally used by the smart contract. The modus operandi was replicated across Polygon, Ethereum and BSC blockchains to get hold of cryptocurrencies, leaving tens of thousands of protocol users out in the cold.
Security team at Poly Network was able to dig down to email, IP, and other details of the hackers. Under pressure, they returned a large chunk of the stolen stuff! But all protocols aren’t that lucky.
In May 2021, the PancakeBunny protocol faced an attack when hackers made a booty of crypto assets worth $45 million. They used a flash loan exploit for the purpose. Worse, hackers exchanged BUNNY tokens for Binance coins, making the price of BUNNY tokens sink to $6 from $146.
Worse, another attack followed in quick succession. Despite the attack, the developers at Bunny Finance failed to prevent the attack on PolyBunny, the company’s Polygon blockchain fork. The attackers minted $2.1 million worth of POLYBUNNY. Price of POLYBUNNY tokens sank to $2 from $10.
The flash loan involves a smart contract that allows anyone to borrow and repay in a single transaction. They manipulated the price of BNB using a vulnerability in BNB-USDT liquidity pool of PancakeBunny, successfully minting almost seven million BUNNY in a six-stage process.
On 28 May 2021, BurgerSwap on the BSC blockchain suffered a flash loan attack. Hackers stole $7.2M in 14 transactions. Again, the culprit was a flash loan exploit.
What attackers did was to create their own fake coin (non-standard BEP-20 tokens) and created a new trading pair with $BURGER. Using $WBNB routing, hackers re-entered BurgerSwap through fake coins and manipulated reserves in the pair’s contract, triggering the price to change and making their money.
The role of contract
DeFi projects are self-governed by smart contracts, so any failure becomes a major concern for stakeholders. A smart contract involves an array of software codes designed to automate execution and settlement. It is this layer which makes automation in blockchain protocols a reality. Smart contracts have a defined start and end events, based on an event that is happening externally.
Multiparty signature controls access to the contract. Access to external and internal data sources triggers the execution of terms. Smart contracts can access the distributed databases where the assets are stored. They also contain embedded information on ownership of assets and parties involved.
Why making smart contracts really smart is so important
Smart contracts are the mind and soul of DeFi protocols. Protocols behave exactly the way the smart contracts powering them are programmed. A bug could result in huge losses to the protocol. Worse, it might lead to an irreversible shutdown.
The onus of making flawless smart contracts is on the developers. Contract design flaws lead to bugs which might be severe, medium, or moderate. Developers should be able to create contracts that are secure and function as expected. There should be no backdoors that the hackers can take advantage of. Once the contract is full of cryptocurrency, unscrupulous elements might try to drain the contract.
The role of audits
Smart contract audits are imperative to discover errors, loopholes and security vulnerabilities in the code and suggest improvements. While blockchains are practically a secure ecosystem, a poorly written smart contract creates a vulnerability. Developers cannot be trusted fully for creating flawless contracts for two reasons.
First, it is not humanly possible for a single developer or a team of them to ensure all parameters regarding vulnerabilities are met. Secondly, developers may deliberately leave a backdoor to drain the contract at the time of their choice. To negate both these hindrances, a thorough audit is required.
Security auditing of smart contracts involves a thorough analysis of the code running the application with the objective of correcting design issues, errors in the code, or security vulnerabilities. You need to zero in on a security audit firm that you can trust with the audit. The process typically involves the steps like Agreeing on a set of specifications, Executing tests, Running automated execution tools, Manual analysis of the code, and Report creation.
Hacks such as Poly Network, PancakeBunny, and BurgerSwap underline how critical smart contract auditing is for the success of a blockchain project. Audits help discover errors, issues, and security vulnerabilities, helping to plug the loopholes before any damage is done.