
Billion-dollar bugs: How are DeFi projects hacked?

DeFi, or the "decentralized finance" sector, is growing by the day, and given what projects in this area are doing (i.e., removing intermediaries from all financial processes), such growth is not surprising. Getting a loan without going to the bank, and carrying out all financial transactions in a decentralized way, is not something that can easily be passed up, and maybe in ten years fewer people will go to the bank to get a loan instead of using DeFi.

However, the larger the field, the more important its security becomes. When there is no bank, who guarantees that millions of dollars will not be stolen from the wealth of the users of a project?

In computer science, any network is at risk of being "hacked", and by that reasoning anything in the digital and online world could be compromised. A DeFi project is no exception to this rule.

Hacking platforms refers to problems with code and, in general, opportunities that a hacker can exploit to steal users’ capital or platform capital.

In this article, drawing on an article from the Cointelegraph site, we look at hacks of DeFi platforms and investigate why a DeFi platform gets hacked. To answer this question, we will review some of the DeFi hacks and explain why and how they occur.

DeFi security and hacks that have happened so far

Analyzing the hacks that have taken place in DeFi plays a significant role in identifying the main weak points and vulnerabilities in this field.

The DeFi sector is growing and developing rapidly. In the last three years, the total value locked in DeFi was about $800 million; now, looking at how this figure has grown, we have to take our hats off to this field.

By February 2021, the total value locked in DeFi had reached $40 billion, and that growth has not stopped: it rose to $80 billion in April this year and now stands at more than $140 billion. Such rapid growth in an emerging market like DeFi attracts the attention of hackers and fraudsters of every kind.

According to a report by the research company Messari, the DeFi sector has lost approximately $284.9 million since 2019 to hacking and other exploitative attacks.

Hacking blockchain ecosystems is an ideal option for hackers and can be very lucrative for them. These systems are anonymous, they hold a lot of money, and any hack or attack can be tested and studied well in advance without the victim's knowledge.

In the first quarter of 2021, about $240 million of users' funds in DeFi protocols went to hackers. Of course, this figure refers only to events that have been publicly announced. The real estimate is that the losses amount to billions of dollars.

Let's move on to the main question. How exactly are DeFi protocols hacked, and how is money stolen from them? To answer this question, we have analyzed several hacking attacks and identified the most common problems that lead to them.

As you can see in the image below, most of these hacks can be classified into three general categories: "Development team-related bugs", "Coding flaws", and "Misuse of intermediary protocols and errors in business logic".

How are DeFi protocols hacked?

In this section, we will examine each of these categories separately.

Misuse of intermediary protocols and errors in business logic

The attacker always analyzes the victim before attacking. Because of its transparency, blockchain technology gives hackers many opportunities to simulate hacking scenarios and synchronize them with the network.

For an attack to be carried out quickly and out of sight, the attacker must have strong programming skills and know how smart contracts work. Hacker tools allow you to download a full copy of the main blockchain. The attacker then configures and simulates the entire attack process as if the transactions took place on the real network.

In the next step, the attacker must carefully study the business model of the project and the ancillary services it uses. Errors in the mathematical models of the business logic and in intermediary services are the two major issues that hackers exploit.

Smart contract developers often need more data than before when executing transactions, so they have to use more ancillary services (such as oracles). These services are not designed to work in an environment without intermediaries, so using them carries additional risk.

According to available statistics for one calendar year (since the summer of 2020), only 10% of DeFi hacks occurred because of this particular risk, and about $50 million in capital was stolen in them.

Coding errors

Smart contracts are a relatively new concept in the world of information technology. Smart contract programming languages, despite their simplicity, require a completely different development paradigm. As a result, developers sometimes lack the necessary coding skills and make fatal mistakes that cause users to lose money.

Security audits cover only part of this risk, because most existing audit firms bear no responsibility for the quality of their work and their goal is financial gain.

The results of our study show that more than 100 DeFi companies have been hacked due to coding errors, and in the end users have lost about $500 million.

A clear example of this kind of hack is the dForce hack that occurred on April 19, 2020. The hackers exploited a vulnerability in the ERC-777 token standard together with a reentrancy attack, stealing $25 million.

Flash loans, price manipulation and miner attacks

The information provided to smart contracts is only valid at the time of the transaction. By default, a contract is not secure against external manipulation of the information contained within it, which makes various hacking attacks possible.

Flash loans are unsecured loans. They work in such a way that the user has to return the borrowed digital currency and settle the loan in the same transaction. If the borrower is unable to return the funds, the transaction is canceled. With such loans, the borrower can receive large amounts of digital currency and use it for their own purposes.

Attacks that involve flash loans are usually accompanied by price manipulation. What does that mean? The attacker first sells a large number of borrowed tokens in one transaction, thereby lowering the price, and then acts while the price is low, before the tokens are repurchased.

A miner attack is something like a flash loan attack on blockchains based on a proof-of-work consensus algorithm. This type of attack is more complex and costly, but the protections against flash loans no longer apply to it.

In this attack, the attacker leases mining capacity (processing power) and forms a block containing only the transactions they need. In this block, they first borrow the tokens, manipulate prices, and then repay the borrowed tokens.

Because the attacker has created the transactions that enter the block and has also specified their order, the attack is so-called "atomic" and, as with flash loans, no other transaction can be inserted into the attack.

More than 100 DeFi projects have been exposed to this type of hack, and about $1 billion has been stolen.

The average size of these hacks has increased over time. At the beginning of 2020, hundreds of thousands of dollars were stolen in each attack; by the end of 2020, each attack was costing users tens of millions of dollars.
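Why a price read inside the same transaction cannot be trusted, and one common guard against it, shown as an added example that is not part of the original article. It assumes a constant-product pool (x * y = k, no fees) and uses a time-weighted average price (TWAP) with a deviation check as the mitigation; all names and figures are constructed.

```python
# Added illustration: spot price vs. time-weighted average price (TWAP).
# Pool model, names and numbers are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Pool:
    token: float                 # reserve of the token being priced
    stable: float                # reserve of the quote asset
    history: list = field(default_factory=list)  # spot price at the end of past blocks

    def spot_price(self) -> float:
        return self.stable / self.token

    def sell_token(self, amount: float) -> float:
        """Swap `amount` tokens into the pool; return the quote asset paid out."""
        k = self.token * self.stable          # invariant x * y = k
        self.token += amount
        out = self.stable - k / self.token
        self.stable -= out
        return out

    def end_block(self) -> None:
        self.history.append(self.spot_price())

    def twap(self, window: int = 10) -> float:
        recent = self.history[-window:]
        return sum(recent) / len(recent)

def guarded_price(pool: Pool, max_deviation: float = 0.05) -> float:
    """Return the TWAP; refuse to quote if spot has moved too far from it."""
    twap, spot = pool.twap(), pool.spot_price()
    if abs(spot - twap) / twap > max_deviation:
        raise ValueError(f"spot {spot:.4f} deviates from TWAP {twap:.4f}")
    return twap

def demo():
    pool = Pool(token=1_000_000, stable=1_000_000)
    for _ in range(10):                       # ten quiet blocks at price 1.0
        pool.end_block()
    before = pool.spot_price()
    pool.sell_token(1_000_000)                # one very large sale, same transaction
    after = pool.spot_price()                 # what a naive contract would read
    try:
        guarded_price(pool)
        rejected = False
    except ValueError:
        rejected = True
    return before, after, pool.twap(), rejected

if __name__ == "__main__":
    print(demo())
```

A contract that values collateral at `spot_price()` sees the price fall by 75% within the transaction, while the guarded reading keeps the ten-block average and rejects the operation.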

Inadequacy of developers

The most dangerous type of risk is the risk of human error. People enter DeFi to make money fast. Many developers do not have the competence and skills to develop DeFi platforms, yet they still rush projects out.

Smart contracts are open source, and hackers can easily copy and manipulate them. If the original project has the first three types of vulnerability we mentioned, hackers can easily copy it and generate hundreds of similar projects.

RFI SafeMoon is a good example of this. The project has a major vulnerability that has spread to more than 100 similar projects and has caused potential losses of $2 billion to users.


Although it may not be possible to hack the Ethereum blockchain itself or other DeFi hosts, DeFi projects do get hacked, and this fact cannot be denied, just as websites are hacked on the internet.

As DeFi grows and more developers become familiar with blockchain, it will become more and more difficult to break into DeFi projects; but in any case, there is no 100% guarantee.

So if you are working on a DeFi project, in addition to market-related risks, you should also consider the risk of the platform itself being hacked. Of course, although the developer of a project is not responsible for the hacks, most projects agree after a hack to return the stolen funds.

