New fintech projects are emerging every day to capitalize quickly on market sentiment that is leaning towards DeFi. As of today, DeFi products have more than $42B worth of digital assets locked in their smart contracts. This attracts investors and criminal hackers alike, and has resulted in the most DeFi hacks to date. Companies are in such a hurry to launch their new DeFi ideas and earn money that they often forego proper security verification and validation of the product. This creates potential security threats that put hundreds of millions of dollars' worth of digital assets in jeopardy. Many projects are simply exit scams and fraud.

Exploiting this relative immaturity in the DeFi market, new patterns of DeFi attacks are emerging. Some of these attacks involve draining liquidity pools, manipulating entire markets through price oracles, and flash loan attacks. According to a report by the security analysis firm CipherTrace, half of the 2020 crypto hacks involved DeFi protocols and exchanges. Stolen funds from the largest hack, of KuCoin, worth $281M, were laundered through the DeFi exchange Uniswap. According to the DeFi Security Synopsis by QuillHash Technologies, since 2020 flash loan attacks alone have siphoned nearly $150M from DeFi projects.

How Secure and Risky is DeFi?

DeFi products are built on blockchains, which are permissionless and autonomous and have no central governance model like traditional financial institutions. Blockchains do not require any KYC of their users, in order to preserve their privacy, so most DeFi projects require little to no customer verification. This makes them vulnerable and lucrative targets for malicious users. Also, once funds are stolen it is possible to hide them from tracing. With actions on the blockchain being irreversible, transactions containing stolen funds cannot be revoked, and there is nothing stopping a malicious actor from using any protocol.
The functionality of DeFi is coded in smart contracts, which serve as digital agreements between the participating parties. The rush to launch products and a lack of the necessary financial knowledge sometimes contribute to mistakes in a protocol. These can be coding errors, or errors in the business logic where developers fail to foresee loopholes. Some hackers have also taken advantage of flaws in established token standards such as ERC-20 and ERC-777, on which these projects are based. This owes to the relative immaturity of the market, and companies are now opting for proper security testing and auditing to ensure there are no gaps. Sometimes the founders of DeFi projects themselves take advantage of their position.

DeFi products use price oracles to feed external data into smart contracts. This could be weather information or the price of a crypto-asset, and it affects the decision-making process in the code. Mostly this data is fed directly and used in the smart contract without verification, so any latency or manipulation in the data supplied by the oracle can create errors in the entire system.

Sometimes abusive bots are used to manipulate the market. Their strategies are similar to "spoofing", a practice in which bots are used to enter fake orders only to cancel them. This is aimed at tricking other investors into buying or selling an asset by falsely signaling that there is more supply or demand.

Some DeFi tokens have been exposed as pump-and-dump scams developed to defraud investors. A small group of influential investors selects and purchases DeFi tokens with a low market capitalization, causing an initial jump in price. They use their huge follower base on social media to convince unsuspecting DeFi investors to purchase the tokens, providing false information claiming the token is about to experience substantial gains. Once enough investors have been misled into purchasing the token and its price has risen enough, the initial group sells its holdings to take profit, before the price collapses and all the later investors make heavy losses.

Famous Hacks

DeFi scams, commonly referred to as "rug pulls" by the community, have jeopardized the fate of many crypto assets. Here are some examples of famous hacks:

Reentrancy Attack on Lendf.Me: In April 2020 a hacker stole digital assets worth $25M from Lendf.Me, a market created by dForce, by exploiting a reentrancy vulnerability. The attack exploited an ERC-777 vulnerability in order to drain funds from the smart contract. The hack took place after dForce allowed imBTC, a synthetic Bitcoin asset following the ERC-777 standard, to be used as collateral on Lendf.Me. As a feature, ERC-777 allows the token contract to notify senders and receivers when tokens are sent from or received into their accounts. One possible reaction to such a notification is re-entering the ERC-777 contract and calling another send. When Lendf.Me enabled the use of imBTC as collateral, the ERC-777 callback notification made Lendf.Me vulnerable to reentrancy attacks. The attacker first truthfully deposited a substantial amount …
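The ordering flaw that the Lendf.Me case illustrates, as an added Python model (not code from the article, dForce or the imBTC token): a token whose transfer hands control to the receiver through an ERC-777-style hook, and a pool that either updates its accounting after that call or, following checks-effects-interactions, before it. The token, pool, account names and amounts are simplified constructs assumed for illustration.

```python
# Toy model, not Lendf.Me's or the article's code: an ERC-777-style token whose
# transfer() calls the receiver's hook, and a pool whose withdraw() ordering
# decides whether that hook sees stale accounting. Names and amounts are constructed.

class HookToken:
    """Minimal ERC-777-like token: a transfer notifies the receiver via a hook."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}   # receiver -> callable(amount), like tokensReceived
    def transfer(self, sender, receiver, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[receiver] = self.balances.get(receiver, 0) + amount
        if receiver in self.hooks:
            self.hooks[receiver](amount)   # control passes to the receiver here

class LendingPool:
    def __init__(self, token, effects_first):
        self.token, self.deposits, self.effects_first = token, {}, effects_first
    def deposit(self, user, amount):
        self.token.transfer(user, "pool", amount)
        self.deposits[user] = self.deposits.get(user, 0) + amount
    def withdraw(self, user, amount):
        if self.deposits.get(user, 0) < amount:         # check
            raise ValueError("insufficient deposit")
        if self.effects_first:                          # checks-effects-interactions
            self.deposits[user] -= amount               # effect before the call
            self.token.transfer("pool", user, amount)   # interaction (hook runs)
        else:                                           # vulnerable ordering
            self.token.transfer("pool", user, amount)   # hook runs with stale books
            self.deposits[user] -= amount

def simulate(effects_first):
    """Return (re-entering user's token balance, pool's token balance) after one withdraw."""
    token = HookToken({"honest": 100, "reenter": 10})
    pool = LendingPool(token, effects_first)
    pool.deposit("honest", 100)
    pool.deposit("reenter", 10)
    def on_receive(amount):
        # Hook that calls withdraw again while the pool still holds tokens; against
        # the hardened pool the nested call fails its check, so the hook just stops.
        if token.balances["pool"] >= amount:
            try:
                pool.withdraw("reenter", amount)
            except ValueError:
                pass
    token.hooks["reenter"] = on_receive
    pool.withdraw("reenter", 10)
    return token.balances["reenter"], token.balances["pool"]
```

With the vulnerable ordering the single withdraw of 10 drains the honest depositor's 100 as well; with effects applied before the external call, the re-entering user gets back only its own 10. A reentrancy guard (a mutex around withdraw) is the other standard mitigation and works regardless of ordering.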
The post An Analysis of Security Risks Associated With DeFi- Part 1 appeared first on Cryptoknowmics-Crypto News and Media Platform.