We have been making copy-paste jokes for years. Remember all the memes of CTRL + C and CTRL + V? Well, they have come to haunt us because we have been using them for the wrong purpose.
Specific to the IT industry, copying and pasting are an old and common form of reusing software. Most people do it to save time and effort, others use it because they don’t want to spend time doing it themselves, both face the consequences eventually.
From a plethora of drawbacks, the most prominent one is duplicating bugs and security vulnerabilities throughout the system when you copy an existing code. Whether the practice of copying and pasting a code should be allowed or not is debatable due to its pros and cons but that fact we can all agree on is that errors introduced by an unmodified copied code can lead to serious situations. The stakes are even higher when it comes to the crypto and DeFi ecosystem.
DeFi is a tangled space. It’s free for all, not just in terms of access but also in terms of technology implementation. Most of the DeFi protocols and ideas are open-source so that anyone can help out but due to this it has become a double-edged sword. One side of the camp is helping out the DeFi projects to become better while the other side is copying the projects and code to develop their own solution.
What made Apple a successful company? Steve Jobs knew that painting the back of the fence is as important as painting the front even if no one else will see it. Not only the quality but also the uniqueness plays a major role to create a loyal fan base.
But even beyond the uniqueness factor, what the DeFi space has failed to realize is that the code they are copying is itself not complete. Every DeFi protocol is evolving rapidly and exploring itself. Therefore, every protocol out there might discover some new bugs. Even if the code is well audited, new bugs can come to light and a protocol can be secured from such bugs only if it has the original concept implemented by a core team.
The Perils of copy-paste in DeFi
Especially for the DeFi space, a copied code can lead to huge financial losses. In addition to that, most copy-paste is of poor quality due to the limited knowledge of the person copying which leads to waste of time, unwanted modifications, and most importantly, hacker attacks.
Some time ago, the DeFi industry was hit by news that Binance Smart Chain DeFi protocol Pancake Bunny has been exploited by a flash-loan attack, as a result, the community was believed to have faced a $1 billion loss.
Before choosing the DeFi product, it’s very necessary to check the quality and uniqueness of the code. One look by a professional in this space can easily identify that the code is copied or not.
It’s very important to understand that by copying a code, the developers not only copy the data but also copy bugs and vulnerabilities. Moreover, when programmers try to copy the code, subtler semantics can emerge. It’s no surprise that the DeFI industry faced so many hacker attacks most of which were successful. Since 2019, hacker attacks have caused a loss of around $285 million.
Hence, the first lesson learned is to “always check the code”. Even if you are a product owner, you must check the code being developed by your team.
Forewarned is forearmed- if you know what you are looking for you can decrease the chances of scammers taking advantage of your product. One of many good things about the DeFi community is that even if you don’t know how to code, the project has an open code around it and if people find it interesting, the community will surely conduct research and share the results with the rest of the people.
Most developers would agree on the fact that copying and pasting codes is a bad practice in general. It is common because changing the code or making a new one will take time, effort, and money.
This doesn’t necessarily mean that code reuse is bad. A code can be reused and should be reused wherever suitable because it saves time and effort. However, this code needs to be audited in a professional manner after modifications.
Reasons to avoid copy-paste in DeFi
Mentioned below are some more reasons why copy pasting should be avoided in the DeFi space:
Every code has its own dependencies. Even if they are generic, the version of the dependencies, libraries, languages and the code itself keeps on updating. This means, even if you copy the latest code, the reuse is going to be poor no matter how good you are at copying.
Inheriting the vulnerabilities
There are always two sides to a coin. If you want to inherit the profits of a project, you will have to inherit the losses too. The most common problem of copying a code is copying the problems inherent in the original code. The worst part is that the copied code is modified for its specific purpose and hence tracking down the bug becomes more difficult. Even from an auditing perspective, a copied code with little modifications becomes even more difficult to be audited.
Introducing new errors
If you are copying a code, chances are that you want a short go to market time so you don’t have the time to understand the code in and out. Any new modification you do will have a very high probability of leading to a new vulnerability that cannot be identified easily as it may have ties with the existing code functionalities.
In other words, the edits are made without understanding the original code making it more prone to errors.
It’s easy to copy and paste codes from open source projects but not understanding the license implications of the copied code can be a problem, even more for embedded devices where the onboard software is considered as new and unique.
Real-World Examples of the copy-paste Menace
DeFi isn’t left untouched by the terrible practices of copy paste. There are DeFi projects that copy & paste smart contract codes of Uniswap, Compound, and other successful protocols. What’s more awful of such practice is that they often copy it with errors – making attackers’ work a piece of cake!
One of the very recent examples of such attack was the BSC based ‘Uranium Finance’, this was a Uniswap V2 fork that was exploited on April 28, 2021 for $57 million. Fulcrum developer – Kyle Kistner pointed out that Uranium developers copied SushiSwap (already a Uniswap clone) code, they replaced number 1,000 with 10,000 everywhere – except in one case:
source : Tweet
Another example of the copy-paste hazard is ‘BurgerSwap’ – hacked on May 28, 2021 with an estimated loss of – $7.2 million.
“According to Uniswap founder Hayden Adams, it could have easily been avoided.”
It also forked Uniswap’s code, but missed on a piece: x*y = k check, it played an important role in calculating the value of each token. Without this, the attacker swapped every small amount by creating a dummy token for thousands of BNB & BURGER.
Copy and paste are not all bad. In certain situations, they can be very useful for a project to quickly implement a certain element that has already been built properly. In other cases, it might also help you stay with the status quo and implement something that is acceptable as a solution.
However, DeFi is not the right space for it. Even if there are just a few lines of codes you have to modify, copy and paste is not recommended. As specialists in smart contract audits we have seen several companies, having good intentions and visions, fail due to such practices. The core reason being not just vulnerabilities but the inability to get the trust of the users. And the whole DeFi space is born out of the need for trust.
Even if you do decide to go for a copy-paste due to certain factors and justifications, getting the code thoroughly audited should be at the top of your priority list. Even if the code was audited, it does not mean that the copy will be as secured as the original code. For instance, the oracle being used in the original code might have shifted to a new version and when you copy the code, that new version of the oracle may not be compatible with the old version of the code, and the vulnerability is introduced. So to ensure that your ambitious idea and vision become a reality through your DeFi code, get it audited before putting millions of dollars at stake.
Reach out to QuillHash
With an industry presence of years, QuillHash has delivered enterprise solutions across the globe. QuillHash with a team of experts is a leading blockchain development company providing various industry solutions including DeFi enterprise, If you need any assistance in the smart contracts audit, feel free to reach out to our experts here!
Follow QuillHash for more updates