Even as advanced as blockchain technology and smart contracts have become, there still exist loopholes and errors vulnerable to exploits, which usually lead to the loss of users’ assets. This is one of the biggest risks you have to consider when becoming an investor in the DeFi space, especially if you’re a crypto beginner. This article will explain the main types of exploits so you can recognize and stay away from them.
The Rug Pull
The rug pull is a general term for exit scams that remove liquidity from the liquidity pool. Scammers can come up with a seemingly attractive and lucrative project, but when investors flock in and increase the price, they pull all the liquidity out of the project, walking away with the funds. This severely damages the capital of the investors, eventually forcing them to sell all their assets.
The rug pull happens quite often in the crypto sphere due to how easy it is to execute. As long as the developer team has access to the liquidity pool, you’re just placing your blind trust in them to not pull off the exploit. Even if they don’t initially have access to the pool, they can update the project to allow themselves permission.
Therefore, research is of utmost importance before investing in a project. Look for projects with transparent and accessible source code, a time lock on the liquidity pool, and a multi-signature system where it takes keys from various individuals to access the pool.
CertiK is a really useful site for examining audit reports and detecting projects’ vulnerabilities. Sometimes the information can be hard to digest for someone without a cyber security background, but the site summarizes problems in a readable manner. In addition, rekt.news is a good choice for tracking where DeFi exploits are happening.
Flash Loan Attacks and Exploits
A flash loan is a special trading tool that lets users borrow without any collateral by using smart contracts. The smart contract forces the borrower to pay back the loan before the transaction ends, or it reverses the whole process so it’s like the loan never happened. The flash loan is a useful instrument for its speed and collateral-free nature, but it also comes with potential attacks and exploits.
Even though it is considered an exploit, arbitrage trading is very common and is even one of the main reasons why people utilize flash loans. Basically, the same cryptocurrency can have a 1-3% difference in trading price on different exchanges, because of trading volume and time zone.
Arbitrage trading takes advantage of this price difference, borrowing coins for a lower price on one exchange and selling them for a profit on another, then paying back the loan. All of this happens in a matter of seconds, basically earning free crypto. To lessen arbitrage trading, a more stable market is necessary.
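An added example, not part of the original article: a small Python model of the flash loan rule and the arbitrage trade described above. The ledger, the account names, the 2% price gap and the 9 basis point loan fee are all constructed assumptions.

```python
import copy

class Reverted(Exception):
    """The transaction failed and every balance change was rolled back."""

class Chain:
    """Toy ledger (constructed): balances[account][token] in whole units."""
    def __init__(self, balances):
        self.balances = balances

    def transfer(self, src, dst, token, amount):
        if self.balances[src].get(token, 0) < amount:
            raise Reverted(f"{src} cannot pay {amount} {token}")
        self.balances[src][token] -= amount
        self.balances[dst][token] = self.balances[dst].get(token, 0) + amount

    def flash_loan(self, lender, borrower, token, amount, fee_bps, callback):
        snapshot = copy.deepcopy(self.balances)    # state before the transaction
        try:
            self.transfer(lender, borrower, token, amount)   # no collateral taken
            callback(self)                                   # borrower's trades
            fee = amount * fee_bps // 10_000
            self.transfer(borrower, lender, token, amount + fee)  # must repay now
        except Reverted:
            self.balances = snapshot               # as if the loan never happened
            raise

def new_chain():
    return Chain({
        "lender": {"USD": 1_000_000}, "trader": {},
        "exchange_a": {"COIN": 1_000},       # sells COIN at 100 USD
        "exchange_b": {"USD": 1_000_000},    # buys COIN at the quoted price
    })

def arbitrage(price_b):
    def trades(chain):
        chain.transfer("trader", "exchange_a", "USD", 10_000)   # buy 100 COIN at 100
        chain.transfer("exchange_a", "trader", "COIN", 100)
        chain.transfer("trader", "exchange_b", "COIN", 100)     # sell 100 COIN at price_b
        chain.transfer("exchange_b", "trader", "USD", 100 * price_b)
    return trades

def run(price_b, fee_bps=9):
    chain = new_chain()
    try:
        chain.flash_loan("lender", "trader", "USD", 10_000, fee_bps, arbitrage(price_b))
    except Reverted:
        return "reverted", chain.balances
    return "settled", chain.balances
```

With a 2% gap the trader keeps what is left after repaying the loan and fee; with no gap the repayment fails and every balance returns to its starting value.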
Flash Loan Attack
Since flash loans rely solely on smart contracts for security, these smart contracts themselves can be targeted to tamper with their rules and protocols. One such attack is called the re-entrancy attack.
This attack happens when a smart contract makes an external call to another untrusted contract before the next step can take effect. If someone manages to control this untrusted contract, they can make it call back into the original function over and over again, thus repeating the same interaction. Perpetual repetition prevents the smart contract from resolving and eventually drains all the ether out of it or makes the execution reach its maximum stack size.
Wash trading is as common in stock trading as it is in crypto. It refers to the practice of performing large transactions of, in our case, a coin to feed false information to the market and pump up the price of said coin. After that, those behind the scenes sell the coins for the increased value.
Wash trading can either be a joint act of both investors and brokers or investors alone acting as both buyers and sellers. This is illegal under US law and the IRS dismisses losses resulting from wash sales, which are defined as those occurring within 30 days of buying the security and resulting in a loss.
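An added example, not part of the original article: a Python model (not Solidity contract code) of the call ordering behind re-entrancy, with the flawed order beside the hardened one that records the payout before making the external call. The class names and the deposit amounts are hypothetical.

```python
class Vault:
    """Toy ether vault (constructed). guarded=False has the ordering flaw."""
    def __init__(self, guarded):
        self.guarded = guarded
        self.credit = {}      # what each depositor is owed
        self.ether = 0        # what the vault actually holds

    def deposit(self, who, amount):
        self.credit[who] = self.credit.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        owed = self.credit.get(who, 0)
        if owed == 0 or self.ether < owed:
            return                         # nothing owed, or vault is empty
        if self.guarded:
            self.credit[who] = 0           # hardened: record the payout first
        self.ether -= owed
        who.receive(self, owed)            # external call into untrusted code
        if not self.guarded:
            self.credit[who] = 0           # flawed: recorded only after the call

class HonestUser:
    def __init__(self):
        self.wallet = 0
    def receive(self, vault, amount):
        self.wallet += amount

class ReenteringCallee(HonestUser):
    def receive(self, vault, amount):
        self.wallet += amount
        vault.withdraw(self)               # calls back before withdraw() returns

def simulate(guarded):
    vault, honest, callee = Vault(guarded), HonestUser(), ReenteringCallee()
    vault.deposit(honest, 9)
    vault.deposit(callee, 1)
    vault.withdraw(callee)
    return callee.wallet, vault.ether, vault.credit[honest]
```

`simulate` returns the callee's wallet, the ether left in the vault, and what the honest depositor is still owed, so the two orderings can be compared directly.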
Real-life Example of DeFi Exploits
The Value DeFi platform offers a variety of services aiming to bring fairness and innovation to the DeFi community. Unfortunately, it is one of the few protocols to have been exploited over and over again.
The first exploit was a classic flash loan attack happening at the end of 2020. The exploiter managed to steal $7 million but gave back $2 million to the developers with a message: “do you really know flash loan?”
In May of 2021, Value DeFi was exploited twice in a span of 4 days, both times by taking advantage of a coding error. The first attacker managed to set themselves as the owner of a liquidity pool and they walked away with $10 million worth of Bitcoin. The second exploit targeted an incorrect usage of a “Bancor formula”, which let the exploiter steal money from pools that didn’t have a 50/50 split liquidity. $11 million was stolen as a result.
Meerkat Finance is a yield aggregator protocol that, only one day after launching, was exploited for around $31 million. It seemed like just another exploit until people found out the project was updated right before the attack to give developers backdoor access to user funds.
All evidence pointed towards this being a rug pull disguised as a hack, but little did people know there was another twist in store. Just a day later, all investors were refunded and it was announced that the ‘rug pull’ was a “social experiment” to test “user greed and subjectivity”. So while it was lucky that nobody lost their money, the Meerkat Finance case demonstrated how easy it was for people to invest in projects without thorough research.
When the devs came up with the name EasyFi, they probably didn’t mean ‘easy-to-exploit’. Still, EasyFi was a victim of the most disastrous DeFi exploit of $6 million in stablecoins plus $53 million in EASY tokens. This was achieved by injecting a malicious version of MetaMask into a computer used for EasyFi official transactions, which let the hacker gain access to the admin keys. EasyFi’s founder, Ankitt Gaur, has offered a $1 million payout to the hacker to return the stolen funds, but it doesn’t look like they’re biting any time soon.
Harvest Finance is yet another yield aggregator protocol that was attacked by flash loans. The exploiter first took a $50 million USDT flash loan, then swapped $11.4 million USDC to USDT, which caused the USDT price to increase. Then, they deposited $60.6 million USDT into the vault and swapped $11.4 million USDT back to USDC, which made the USDT price go down. After that, they withdrew the $60.6 million USDT from the vault with a $0.5 million profit from the price arbitrage. They repeated this process 32 times, all in 7 minutes.