Beyond the Hack

The DeFi ecosystem was exposed to yet another stress test when one of the largest Decentralised Exchange: Curve Finance was exploited for around $62M by hackers. While, unfortunately, the DeFi sector has historically been plagued by hacks, this recent attack on Curve Finance has exposed larger concerns encountered by industry players. The Q2 of 2023 has already lost more than $204M to scams and hacks revealing the urgency to identify the vulnerabilities and fortify the walls of security to reinstate the dwindling trust of investors in the DeFi sector.  Let’s take a look at the most common attacks afflicting DeFi along with the measures that can be taken to mitigate future exploits.

Dissecting DeFi Exploits

Composability, an open-source network, and quick-paced developments – the foundational characteristics of DeFi – all contribute to a certain degree to the various attacks in the sector. As it is essentially digital money running on code, hackers find various ways to exploit the protocols for personal gains:

smart contract exploit: Smart contract exploits are the most common wherein hackers manipulate behavioral protocol to steal user assets. Reentrancy attacks are the most common type of exploits, yet they continue to emerge now and then.

cross-chain bridge: cross-chain bridges enable interoperability among different blockchain networks. Their functionality makes them virtually indispensable to the growth of the DeFi ecosystem. However, cross-chain bridges present pressing challenges: as a bridge grows in size, any mistakes in its basic smart contract code or vulnerabilities are highly likely to be discovered and taken advantage of by malicious individuals over time.

rug pull: In a rug pull, a hacker creates a counterfeit DeFi project and collects funds and later withdraws all assets leaving investors with valueless tokens.

flash loans: This well-known method enables hackers to borrow a significant chunk of cryptocurrency without any collateral. The hacker then manipulates the DeFi protocol to either siphon off funds from other users or drain the liquidity pools. The protocols on the other hand can be exploited with other methods such as price manipulation of the oracle, exploiting the overlooked logical errors in smart contracts, and re-entrancy attacks by repeatedly calling the withdraw function after an untrusted contract makes a recursive call back to the original function. The recent Curve Finance hack belonged to the last category: re-entrancy hack wherein the vulnerability of the Vyper compiler enabled the hacker to exploit the Curve Finance swap pool to authorize withdrawals.

Aside from the initial blow that projects suffer, the problem is highlighted when one considers the dependencies on external libraries. In other words, most DeFi applications use external libraries and even a single vulnerable or outdated dependency exposes the smart contracts to the same security concern. According to the post-exploit assessment of LlamaRisk, some DeFi projects’ pools were also hacked including Curve DAO: around $24.7 million; Alchemix’s alETH/ETH: $22.6 million; PEGD’s pETH/ETH: $11 million; and Metronome’s msETH/ETH: $3.4 million. This was attributed to a bug detected in one of the older versions of Vyper compiler contract programming language that resulted in a failure in the security feature used by some of Curve’s liquidity pools. Solidity and Vyper are the two languages or compilers that are used to code smart contracts, and Vyper is supposedly for more advanced developers, but unfortunately had this vulnerability in code.

Although the damage seems to be contained for now and a white hacker managed to restore around $5.4M to Curve Finance, it is imperative that industry players dedicate significant effort to mitigate these attacks in order to build a secure and sustainable DeFi ecosystem.

The repetitive nature of hacking incidents in DeFi emphasize the weaknesses in the protocols and stress the importance of meticulous smart contract development, along with increasing user awareness of potential risks associated with DeFi. Here are some best practices that prioritize security:

Security Audits: As risks associated with smart contracts are the most common and dangerous weaknesses of DeFi, regular, thorough, and superior-quality audits of the protocols becomes necessary. This is the foremost requirement for any DeFi projects. At aarnâ, we prioritize the security of our smart contracts by partnering with a top-tier security auditor. We have an unwavering commitment to fortify the DeFi ecosystem through cutting-edge security strategies and state-of-the-art resilience measures. These audits go beyond the ordinary, encompassing a comprehensive assessment of potential vulnerabilities and risks associated with DeFi protocols. With the power of advanced tools and a team of seasoned experts, we meticulously scrutinize every aspect of the smart contracts to identify, address, and mitigate risks efficiently. Stay tuned, as the audit results will soon be publicly accessible, reaffirming our commitment to transparency and robustness.

Crowdsourced Protection: Although auditors strive for optimum protection, there is a chance of them overlooking vulnerabilities. In such a scenario, crowdsourced defense solutions and incentives such as bug bounties add a layer of protection.

Multi-Signature Control: Multi-signature is a wallet that requires several private keys to authorize transactions thereby facilitating the separation of responsibility and security. However, since these can also be exploited by hackers it is essential that the smart contract it is backed on is secure.

Secure Custody Solutions: Whether it is hot storage, cold storage, institutional, or even third-party storage, the custody solutions have to be appropriately tested and audited. When a custody solution is insecure the assets are prone to attacks. Moreover, it’s best to have self custody in one’s own secure cold storage if not actively trading on assets. Here’s a good read on cold wallets.

User Knowledge: User education has always been an indispensable element for evolving the crypto industry. It helps the uninitiated in navigating through the ecosystem and makes them less susceptible to scams.

Despite the vast potential for growth and innovation in the financial world, DeFi's long-term success hinges on effectively addressing its security challenges. By prioritizing security, we not only safeguard assets but also lay the foundation for resilient asset management within a trustworthy and inclusive financial ecosystem. This approach paves the way for a brighter future in finance, where assets are managed with confidence and precision.

The hacker responsible for the Curve Finance breach, who failed to meet the restitution deadline, has prompted the release of a $1.8 million public bounty to encourage their identification and capture.

Coinbase's Base protocol has introduced its mainnet bridge UI for end users and has scheduled its official launch for August 9th.

Seven prominent asset management firms have submitted applications for Ethereum-based ETFs, signaling growing interest in crypto investment products.

top DeFi tweets

@milesdeutscher's deep dive on the Curve Finance hack and the various implications it could have had on the DeFi finance

Here’s a detailed thread by @Cyvers_ on the various stages observed in almost all DeFi hacks

With DeFi hacks becoming a menace, @DefiIgnas writes about DeFi insurance and covers some of the top protocols in this category.

During the past month, aarnâ observed significant advancements across different areas, notably the launch of our beta program, media coverage of our alpha creator program, and more community engagement initiatives. Check out our July update >