Even well-known and established DeFi platforms remain susceptible to hacks and attacks, despite having passed security audits.
At the end of April, EasyFi lost $6 million to a hacker attack, and in February 2021 Yearn.Finance suffered $11 million in damage. These are far from the only cases of compromised DeFi projects in which people lost money. The total damage from such attacks can only be estimated approximately, but in 2020 it certainly exceeded $1.5 billion, and the number of high-profile hacks runs into the tens.
DeFi (decentralized finance) is a relatively new and very popular approach to organizing blockchain projects that has developed rapidly over the past couple of years. Its hallmarks are full automation and open source code. Investors are drawn to DeFi by the apparent absence of a human factor: they believe that none of the project's founders can steal the money through malicious intent, because management is carried out according to a strictly defined algorithm. However, this transparency often creates only a sense of security, and that sense can turn out to be false.
Top Risk Factors for DeFi Projects
Alas, the explosive popularity of DeFi projects has shown that it is easy to lose money on them, and there are several distinct points of risk.
1. Errors in the program code
Since finances in the DeFi ecosystem are managed by program code, the safety of your investment depends on how flawless that code is. For example, YAM was once a very popular project that raised a lot of money in the first days of its existence, and the audience saw it as highly promising. But unreasonable optimism and haste clouded the judgment of creators and investors alike. The founders wrote the YAM code in just 10 days, and it was never audited. Strictly speaking, YAM was not hacked, but the code of the algorithm itself contained critical errors that led to irreparable consequences: the tokens were locked in the contract forever.
Protection method: Had the project owners commissioned a security audit from an external contractor, these critical vulnerabilities would most likely have been discovered before launch. So when choosing a project to invest in, check whether the code was audited, who performed the audit and what the results were. Although an audit does not provide a 100% security guarantee, its absence multiplies the risk.
2. Manipulation of external data sources
Another attack vector is the algorithm's exposure to external manipulation. For example, Harvest Finance, an excellent and highly popular project, suffered because its program let investors deposit and withdraw assets based on the market prices of cryptocurrencies.
That seems logical. But an attacker, after studying the Harvest Finance algorithm in detail, found that he could manipulate the market price so as to make Harvest Finance let him withdraw more than he had put into the system. The authors of the algorithm simply did not anticipate that someone could manipulate the market price, because doing so seems too expensive or difficult. In practice, though, short-term manipulation is quite easy to organize.
Notably, Harvest Finance, unlike many other projects, had successfully passed a security audit. But the audit did not identify the problem, because the program worked exactly as designed: the flaw lay in the very principle of the project's algorithm. Such hacks happen with annoying regularity; Value DeFi, Cheese Bank and Akropolis fell victim to similar attacks.
Protection method: To protect against such attacks, you need to understand in detail how the project's algorithm depends on external factors, such as market prices. Either ensure there is no situation in which an attacker can drain the invested crypto assets, or create conditions under which the cost and risk of manipulation significantly exceed the possible gain from a successful one. For example, price information can be taken simultaneously from several independent sources, forcing a potential attacker to manipulate the price on several of them at once, which requires far more capital and other resources. You can also average the price over a significant period of time, so that a fraudster cannot move it with a flash loan, a loan that is borrowed and repaid within a single transaction.
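The two mitigations just described (several independent price sources, and averaging over time) can be seen in a small simulation. The following Python model is an added example, not code from this article or from Harvest Finance or any other project named here. It assumes a constant-product pool with a 0.3% swap fee (Uniswap-v2-like), a vault that credits deposits at whatever price its oracle reports, and an attacker who pumps the price with a flash loan inside one transaction; the pool sizes, loan size, fee and observation window are constructed numbers chosen for illustration.

```python
"""Oracle-manipulation simulation. Added example, not code from the article or from
any project it names; pool, vault and attacker are toy models with constructed numbers."""
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import List

FEE = 0.003  # swap fee charged on the input amount (assumed, Uniswap-v2-like)


@dataclass
class Pool:
    """Constant-product pool holding x of token A and y of token B (a stablecoin)."""
    x: float
    y: float

    def spot_price(self) -> float:  # price of one A in B, read from live reserves
        return self.y / self.x

    def buy_a(self, b_in: float) -> float:  # pay b_in of B, receive A
        b_eff = b_in * (1 - FEE)
        a_out = self.x * b_eff / (self.y + b_eff)
        self.x -= a_out
        self.y += b_in
        return a_out

    def sell_a(self, a_in: float) -> float:  # pay a_in of A, receive B
        a_eff = a_in * (1 - FEE)
        b_out = self.y * a_eff / (self.x + a_eff)
        self.x += a_in
        self.y -= b_out
        return b_out


class Oracle:
    """price() is what the vault reads; observe() is called once per block."""
    def observe(self) -> None:
        pass


class SpotOracle(Oracle):
    """Vulnerable: reports the live reserve ratio of a single pool."""
    def __init__(self, pool: Pool):
        self.pool = pool

    def price(self) -> float:
        return self.pool.spot_price()


class MedianOracle(Oracle):
    """Hardened: median over independent pools, so one manipulated pool is outvoted."""
    def __init__(self, pools: List[Pool]):
        self.pools = pools

    def price(self) -> float:
        return median(p.spot_price() for p in self.pools)


class TwapOracle(Oracle):
    """Hardened: mean of one observation per block. Observations are taken at block
    boundaries, so a price pumped and reverted inside one transaction never enters."""
    def __init__(self, pool: Pool, window_blocks: int):
        self.pool = pool
        self.window = deque(maxlen=window_blocks)

    def observe(self) -> None:
        self.window.append(self.pool.spot_price())

    def price(self) -> float:
        return sum(self.window) / len(self.window)


def attack_profit(oracle: Oracle, target: Pool, attacker_a: float = 100.0,
                  flash_loan_b: float = 1_000_000.0, warmup_blocks: int = 24) -> float:
    """Flash-loan manipulation of `target` inside one transaction. The vault credits a
    deposit of A at oracle.price(); returns attacker profit in B (negative = fees lost)."""
    for _ in range(warmup_blocks):  # quiet blocks: the oracle records fair prices
        oracle.observe()
    fair_price = target.spot_price()
    a_bought = target.buy_a(flash_loan_b)    # 1. borrow B, buy A: A's spot price jumps
    credit_b = attacker_a * oracle.price()   # 2. deposit pre-owned A, credited at oracle price
    b_back = target.sell_a(a_bought)         # 3. sell A back and repay the loan
    round_trip_cost = flash_loan_b - b_back  #    only the swap fees are lost on the round trip
    return credit_b - attacker_a * fair_price - round_trip_cost  # 4. net gain


def new_pools(n: int) -> List[Pool]:
    """n independent pools for the same pair, each pricing A at 1000 B (constructed)."""
    return [Pool(x=10_000.0, y=10_000_000.0) for _ in range(n)]


def compare_oracles() -> dict:
    """Same attack against each oracle design; the attacker pumps a single pool."""
    s, m, t = new_pools(1), new_pools(3), new_pools(1)
    return {"spot": attack_profit(SpotOracle(s[0]), s[0]),
            "median": attack_profit(MedianOracle(m), m[0]),
            "twap": attack_profit(TwapOracle(t[0], window_blocks=24), t[0])}


if __name__ == "__main__":
    for name, profit in compare_oracles().items():
        print(f"{name:>6} oracle: attacker profit {profit:>12,.2f} B")
```

With these numbers a 1,000,000 B flash loan pushes the pool's spot price from 1000 to about 1210, so against the spot oracle the attacker's 100 A (worth 100,000 B) are credited at roughly 121,000 B; after paying about 5,450 B in swap fees on the round trip he nets roughly 15,500 B. Against the median oracle the two untouched pools keep the median at the fair price, and against the TWAP the pumped price is reverted before the next block is observed, so in both hardened cases the attacker only loses the fees. A median only helps while the attacker cannot afford to move a majority of the sources, and a TWAP does not stop a manipulation sustained across many blocks, which is why the two are usually combined.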
3. Dependence on third-party algorithms
Investors should be wary of DeFi projects that let you deposit capital in one cryptocurrency and withdraw it in another of your choice. The very existence of such an option implies an algorithm that determines how much of the other crypto asset the investor may withdraw, and vulnerabilities in such algorithms are what hackers exploit most often.
For example, the attack on Pickle Finance was complex and convoluted: the hacker used a long chain of actions to create fake instruments and vaults, and Pickle Finance, which relies on additional services, was compromised as a result. Significantly, the potential for such sophisticated attacks cannot be established in a security audit.
Protection method: Trust your money to time-tested programs that have proven safe and have not been hacked so far. Also give preference to simpler, more understandable algorithms, for example ones that work with a single cryptocurrency; there is less room in them for an overlooked vulnerability.
4. Dishonesty of the project's creators
And perhaps the most unpleasant thing about DeFi is deliberate malicious action by the project's founders. Any DeFi platform code is built so that it can be changed later; this is needed to install updates and add new features, and new versions of the code are usually released by the development team. So even if the chosen DeFi project has ideal, secure code, that does not mean investing in it is completely safe.
The platform code can be changed at any time by the development team, and if there is a chance to get very rich, the creators may go over to the "dark side", change the code and steal the project's money.
Protection method: To prevent this, quality projects usually introduce governance: the right to approve changes is distributed among community members, so that consensus is needed to accept code changes. But since most of the voting rights often remain in the hands of the development team, even this does not always guarantee security.
Be critical of DeFi platforms
The DeFi ecosystem itself looks interesting, but investors need to assess the risks that arise when investing in automated blockchain systems. Nor should you assume that code, once corrected, is immediately reliable. A good example is the bZx project, which has been targeted by hackers many times: at least three times, cybercriminals attacked it using different methods, including vulnerabilities in the program code itself and manipulation of external parameters.
Unfortunately, 100% reliability cannot be guaranteed. But at a minimum, check whether there has been a security audit, assess how long the project has been on the market, whether it has too many functions, how much it depends on third-party services and data sources, and whether its creators can be trusted. Make this decision carefully and consult experts.