DeFi had been the flagbearer of the crypto boom in 2020 and the heat refused to die down through 2021 as well. With more and more people flushing their funds into yield farming, DeFi continues to be in the long run.

You might be knowing many who multiplied their earnings with DeFi. It hasn’t been uncommon in crypto circles to find people who catapulted their funds 7x or 10x with yield farming. Flash loans have been a major tool in their hands, enabling them to move their money quickly between protocols within stipulated time and mint gold.

Role of smart contracts in running the DeFi

Few people, however, realize the role of smart contracts in running these powerful applications in an automated manner. Smart contracts are immutable computer programs stored on a blockchain. These programs would take an action when a predetermined condition is met. Thanks to the smart contract, all stakeholders can be certain about the outcome, without actually getting involved.

What makes smart contracts turn into weak link

Smart contracts have come off as a ground-breaking revelation. However, there is another side of the coin as well. Smart contracts have proven to be the weak link in the DeFi ecosystem. Developers might end up writing bad code, giving the unscrupulous elements loopholes to sneak money and stash away the funds locked in the protocol. Many DeFi projects are forked from the existing protocols. In such cases, the bugs in the existing protocol pass on to the forked one as well.

Often, developers are not experienced and knowledgeable enough to write secure code. Projects tend to hire inexperienced developers to save on costs, without realizing a bundle of bugs churned out by these people might cost them dearly. Sometimes, developers might leave bugs intentionally to divert the funds from the protocol to their own wallets. And then, in many cases, the hackers might be smart enough to spot bugs and vulnerabilities in a seemingly healthy code and strike unawares. Regardless how the bugs have found their way to the code, these may pose an existential threat to the project.

An overview of DeFi leaks in 2021

Glance at the DeFi exploits that happened in 2021 and you will be surprised to find the sheer number of protocols that leaked funds via the smart contract.

Yearn Finance – The perpetrators exploited the protocol’s flash loan feature to bag $11 million worth of user funds via a smart contract exploit.

Alpha Homora – This leverage liquidity protocol became a victim of a $37.5 million exploit. The exploit involved using a feature that released uncollateralized loans for trusted smart contracts.

Meerkat Finance – Smart contract vault of this yield farming protocol on Binance Smart Chain was attacked, resulting in a loss of about 13 million BUSD and 73,000 BNB.

PAID Network – An infinite mint attack on PAID culminated in a loss of around $180 million.

EasyFi – An attack on EasyFi, built on top of the Polygon network, ended up with the attacker taking away assets worth $75 million.

ForceDAO – Hackers targeted ForceDAO to drain 183 ETH from the protocol.

Uranium Finance – While the protocol was conducting its token migration, it suffered an attack taking up to a loss of $50 million.

Spartan – Multiple flash loan attacks on this BSC-based DeFi protocol led to a loss of about $30 million.

RARI Capital – Hackers drained yield vaults and lending pools of Rari Capital to inflict a loss of $11 million.

How funds are stolen from DeFi protocols

There are three ways of siphoning off funds from DeFi protocols –

Smart contract loopholes – It is the smart contracts executing key functionality such as liquidity and staking, making them a perennial target of the hackers. Bugs in smart contracts are the primary cause for the exploits.

Flash loans –  Attackers use massive flash loans to inflate the price feed for a specific stablecoin and multiply their holdings in the process. We cannot do away with flash loans though as they facilitate some highly useful DeFi features like arbitrage, collateral swapping, self-liquidation, and many more.

Oracle manipulation – Decentralized networks can access external data only via oracles. Role of oracle is crucial for getting secure and reliable data. Hackers would try to manipulate oracles to influence things to their advantage. Like flash loans, you cannot do away with oracle, but what you can do is integrate your protocol with a decentralized oracle, which is generally more trustworthy.

Must Read – What not to Forget when Auditing smart contracts in DeFi

Possible ways of attack on smart contracts

There could be several reasons for bugs and vulnerabilities in smart contracts. These include re-entrancy, front-running, unencrypted on-chain private data, irrelevant code, message call with hardcoded gas amount, hash collisions with multiple variable length arguments, unexpected Ether balance, presence of unused variables, typographical error, DoS with block gas limit, arbitrary jump with function type variable, insufficient gas griefing, incorrect inheritance order, requirement violation, lack of proper signature verification, weak sources of randomness from chain attributes, signature malleability, DoS with failed call, use of deprecated functions, unprotected Ether withdrawal, and many more. The developers should be aware of all these instances and their code descriptions.

Audit of smart contract

A smart contract requires thorough audit before deployment. All discoveries are explained in the final report along with the recommendations. Smart contract security levels are measured in line with a set of specifications like critical, high, medium, low, and lowest.

Proper audit involves both automatic as well as manual checks. Automatic audit deploys software that determines the part responsible for each execution and explores where the possible bug might occur. Manual analysis involves a team of seasoned developers examining each code line. They might check against a list of standard vulnerabilities or conduct an exploratory check based on their experience.

Wrapping up

Smart contracts are the engine behind DeFi. To protect a DeFi project from vulnerabilities, conducting a thorough check of the contract is imperative. Automatic as well as manual audit needs to be conducted in tandem to make the audit as thorough and accurate as possible.