The “hack” of the DAO runs deep into the collective memory of the cryptocurrency community. After an extremely successful crowdfund in May 2016, the DAO lasted a little over a month before an attacker started to drain funds from the smart contract, taking around $70 million worth of Ether (ETH).
However, as some pointed out at the time, the DAO incident was not a hack at all. The attacker simply exploited a vulnerability in the underlying smart contract code to make it behave in a way that the programmers didn’t expect. Nevertheless, the incident divided the Ethereum community after a decision was made to implement a hard fork that would return the funds.
Fast-forward to early 2020, and there was over $1 billion worth of crypto tied up in decentralized finance. That’s $1 billion under the management of smart contracts. So, in light of the history, it was perhaps inevitable that someone would eventually find ways of making these applications perform in a manner that nobody had anticipated. The first came in February 2020, with two separate attacks on the bZx decentralized trading platform. More recently, a hacker made off with $25 million from Chinese lending platform Lendf.me, operated by dForce.
Even when hackers aren’t involved, DeFi applications have shown other vulnerabilities. During crypto’s “Black Thursday” in mid-March, MakerDAO liquidated over $4 million worth of loans as the price of ETH plummeted. The crash resulted in a speedy governance vote and a debt auction to remedy the damage.
Much of the commentary has focused on whether or not DeFi can recover from these setbacks. Based on the history of The DAO incident, it seems inevitable that DeFi will make a recovery. Perhaps the more pertinent question is, what can DeFi DApp operators learn from such incidents to help avoid them happening in the future?
Easy winnings from dForce
The most recent incident involving the Lendf.me hack offers some easy wins. The platform is China’s biggest lending DApp. However, it turns out that the hack was performed as a result of dForce having copied code from an earlier version of Compound, another decentralized lending application. Compound’s old code wasn’t able to guard against the type of attacks known as “reentrancy” specifically for ERC-777 tokens.
Due to this issue, Compound didn’t support ERC-777 tokens. However, it seems that when dForce copied the code, it didn’t really understand this vulnerability, as it didn’t put the same measures in place, allowing ERC-777 tokens to be used on Lendf.me. Consequently, the attacker exploited the vulnerability, using the ERC-777 imBTC token to drain $25 million from the platform.
The hacker has since returned the funds, but this is hardly a defense in itself. As reported by Cointelegraph, dForce has faced criticism for failing to take sufficient measures to prevent such an attack. So, if assuming that dForce simply didn’t know about the issue, how could they have avoided it? Alex Melikhov, CEO and co-founder of Equilibrium — issuer of the EOS-based stablecoin EOSDT — is a big fan of the idea of peer reviews. He told Cointelegraph that a “code review by a third party could’ve prevented the incident,” adding:
“An important aspect here is building a testing framework and code audits. The four-eyes principle is perfectly applicable to code development and certainly mitigates vulnerability risks. Despite dForce’s partnership with PeckShield (who has publicly audited its USDx and Yield Enhancing protocol), it seems like auditors haven’t examined the code of its lending protocol LendfMe.”
Dan Schatt, CEO and co-founder of centralized lending platform Cred, agrees, even suggesting that the community could play a role here. He stated to Cointelegraph, “Bug bounties can help incentive the community to look for the type of vulnerabilities that can lead to attacks and an exploitation of these types of vulnerabilities.”
At the time of publication, dForce had confirmed that 100% of users affected by the attack had been refunded via its asset redistribution effort. For its part, dForce did respond to Cointelegraph’s request for comment. Mindao Yang, founder of dForce, stated that upon reflection:
“A similar attack took place on the Uniswap/imBTC pool hack prior to the [Lendf.me] incident. The Uniswap vulnerability, related to the ERC777 token, had been known since late 2018, but the combination of ERC777 token and the Compound V1 code introducing a reentrancy attack surface only came to our attention after the incident. We could have been more alert when the Uniswap/imBTC pool hack happened and could have been more careful when onboarding new assets.”
Yang continued by saying that the platform plans to avoid similar attacks, and will onboard some external experts in the future:
“We will engage best-in-class, third-party security consultants to assist with a full audit and to help us with fortifying our future security practices. We will find a right time to redeploy a new decentralized money market protocol and other protocols. Moving forward, with their help, we will introduce a rigorous, audited integration process when introducing assets into the dForce ecosystem.”
The spokesperson confirmed that further details of the actions taken in this regard will be shared in a future blog post.
BZx — a more complicated issue
Before the recent dForce incident, DeFi trading platform bZx was hit twice in the space of a week. These attacks were less down to buggy code than the immaturity and relatively low liquidity of the cryptocurrency space overall. Derivatives exchanges — whether centralized or decentralized — rely on price oracles. These are usually taken from the spot markets, using an average price from multiple exchanges.
In the case of DeFi platforms, the price feed comes from decentralized exchanges such as Uniswap and Kyber. The issue is that due to some tokens having low liquidity on these platforms, it’s relatively easy to manipulate the price.
BZx handled the incident well, covering $900,000 of users’ losses from an insurance fund. Deribit researchers Su Zhu and Hasu have previously explained how price oracles are vulnerable to manipulation even on centralized exchanges such as BitMEX. In DeFi, where decentralized exchanges are relied on for price oracle data, one could say that this accident was on the cards.
However, it presents an intriguing conundrum — the only way to solve the challenge is to bring in more users to inject liquidity into DEXs to mitigate the vulnerability to manipulation. However, as long as there is a risk that funds could be drained, DeFi will struggle to attract users.
The key vulnerability
Finally, turning to the recent Black Thursday event, which caused mass liquidations on MakerDAO: As much as the price crash was completely beyond Maker’s control, are there any lessons that can be taken away from it?
The March crash and subsequent liquidations resulted in a vote to change the Maker’s auction parameters and introduce USDC, a collateral asset type uncorrelated with the crypto market. DeFi detractors will no doubt scoff at the irony of a crypto-backed stablecoin needing to be collateralized by a centralized equivalent.
However, perhaps Maker’s introduction of USDC shows a certain maturity in the community’s recognition that the young age of the DeFi market means it needs to follow the example of its relatively stable, centralized counterparts until it can stand on its own two feet. After all, Maker founder Rune Christensen recently told Cointelegraph in an interview that he believes DeFi will eventually merge with CeFi, illustrating that perhaps Maker’s use of USDC is an early predictor of this move.
Having hit the $1 billion milestone this year, it’s a question of when (rather than if) DeFi will recover from these setbacks and reclaim that number once more. However, the fact that these setbacks took place at all illustrates that DeFi founders shouldn’t focus on how far the sector has come, but rather how far it still has to go. By learning from recent incidents, there’s a chance of speedier recovery.