{"id":324310,"date":"2021-08-14T14:54:00","date_gmt":"2021-08-14T11:54:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-do-defi-protocols-get-hacked\/"},"modified":"2021-08-14T14:54:00","modified_gmt":"2021-08-14T11:54:00","slug":"how-do-defi-protocols-get-hacked","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-do-defi-protocols-get-hacked\/","title":{"rendered":"# How do DeFi protocols get hacked?"},"content":{"rendered":"<div class=\"post-content\" data-v-128018ef><p>The decentralized finance sector is growing at a breakneck pace. Three years ago, the total value locked in DeFi was a mere $800 million. By February 2021, the figure had grown to $40 billion; in April 2021, it attained a milestone of $80 billion; and now it <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/defillama.com\/home\">stands<\/a> at above $140 billion. Such rapid growth in a new market could not but attract the attention of all manner of hackers and fraudsters.<\/p>\n<p>According to a report by a crypto research company, the DeFi sector has lost about $284.9 million to hacks and other exploit attacks since 2019. From a hacker\u2019s point of view, blockchain ecosystems are an ideal target: they are anonymous, they hold funds that can be lost, and any hack can be tested and tuned in advance without the victim\u2019s knowledge. 
In the first four months of 2021 alone, losses amounted to $240 million. And these are just the publicly known cases. We estimate real losses to be in the billions of dollars.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Roundup of crypto hacks, exploits and heists in 2020<\/em><\/strong><\/p>\n<p>How does money get stolen from DeFi protocols? We have analyzed several dozen attacks and identified the most common problems that make them possible.<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/s3.cointelegraph.com\/uploads\/2021-08\/d668fd91-d999-443f-bf56-eae8d7cf1a98.png\"><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"Misuse_of_third-party_protocols_and_business_logic_errors\"><\/span>Misuse of third-party protocols and business logic errors<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Any attack begins with analysis of the victim. Blockchain technology gives the attacker many opportunities to tune and simulate hacking scenarios automatically. For an attack to be fast and invisible, the attacker must have the necessary programming skills and an understanding of how smart contracts work. A typical toolkit lets the attacker download their own full copy of the blockchain from the main network and then fine-tune the whole attack as if the transactions were taking place on the real network.<\/p>\n<p>Next, the attacker needs to study the project\u2019s business model and the external services it uses. 
Errors in the mathematical models behind the business logic, and the misuse of third-party services, are two of the issues most commonly exploited by hackers.<\/p>\n<p>Smart contracts often need more data at the time of a transaction than is available to the contract at that moment, so their developers are forced to rely on external services \u2014 for example, oracles. These services are not designed to operate in a trustless environment, so using them introduces additional risk. According to statistics for one calendar year (since the summer of 2020), this type of risk accounted for the smallest share of losses: only 10 hacks, with losses totaling approximately $50 million.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>The radical need for updating blockchain security protocols<\/em><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Coding_mistakes\"><\/span>Coding mistakes<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Smart contracts are a relatively new concept in the IT world. Despite their apparent simplicity, programming languages for smart contracts require a completely different development paradigm. Developers oftentimes simply do not have the necessary coding skills and make gross mistakes that lead to immense losses for users.<\/p>\n<p>Security audits eliminate only a portion of this type of risk, since most audit companies on the market bear no responsibility for the quality of the work they perform and are interested only in the financial side. More than 100 projects have been hacked due to coding errors, with total losses of around $500 million. A stark example is the dForce hack that took place on April 19, 2020. 
The hackers used a vulnerability in the ERC-777 token standard in conjunction with a reentrancy attack and got away with $25 million.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Default auditing for DeFi projects is a must for growing the industry<\/em><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Flash_loans_price_manipulation_and_miner_attacks\"><\/span>Flash loans, price manipulation and miner attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The information supplied to a smart contract is valid only at the moment a transaction executes. By default, the contract has no protection against external manipulation of the information it relies on, which makes a whole spectrum of attacks possible.<\/p>\n<p>Flash loans are loans without collateral that must be repaid within the same transaction. If the borrower fails to return the funds, the transaction is canceled (reverted). Such loans allow a borrower to obtain large amounts of cryptocurrency and use it for their own purposes. Typically, flash loan attacks involve price manipulation: an attacker first sells a large number of borrowed tokens within a transaction, thereby lowering their price, then performs a range of actions while the token is valued very low, and finally buys the tokens back.<\/p>\n<p>A miner attack is the analogue of a flash loan attack on blockchains that use the proof-of-work consensus algorithm. This type of attack is more complex and expensive, but it can bypass some of the protections deployed against flash loan attacks. This is how it works: the attacker rents mining capacity and forms a block containing only the transactions they need. Within that block, they can first borrow tokens, manipulate prices and then return the borrowed tokens. 
Since the attacker independently chooses both the transactions that enter the block and their order, the attack is effectively atomic (no other transaction can be \u201cwedged\u201d into it), just as with flash loans. This type of attack has been used to hack over 100 projects, with losses totaling around $1 billion.<\/p>\n<p>The average size of a hack has been increasing over time. At the beginning of 2020, a single theft amounted to hundreds of thousands of dollars. By the end of the year, the amounts had risen to tens of millions of dollars.<\/p>\n<p><strong><em>Related: <\/em><\/strong><strong><em>Smart contract exploits are more ethical than hacking&#8230; or not?<\/em><\/strong><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Developer_incompetence\"><\/span>Developer incompetence<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The most dangerous type of risk involves the human factor. People come to DeFi in search of quick money. Many developers are poorly qualified but still rush to launch projects. Smart contracts are open source and thus easily copied and altered in small ways by hackers. If the original project contains any of the first three types of vulnerabilities, they spill over into hundreds of cloned projects. 
RFI SafeMoon is a good example: it contains a critical vulnerability that has been replicated across more than a hundred projects, with potential losses of over $2 billion.<\/p>\n<p><em>This article was co-authored by <\/em><strong><em>Vladislav Komissarov<\/em><\/strong><em> and <\/em><strong><em>Dmitry Mishunin<\/em><\/strong><em>.<\/em><\/p>\n<p class=\"post-content__disclaimer\"><em>The views, thoughts and opinions expressed here are the authors\u2019 alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.<\/em><\/p>\n<div>\n<div style=\"background: rgb(239, 239, 239); border: 1px solid rgb(204, 204, 204); padding: 10px;\"><strong>Vladislav Komissarov<\/strong> is the chief technology officer of BondAppetit, a lending DeFi protocol with a stablecoin backed by real-world assets with fixed periodic income. He has over 17 years of experience in web development.<\/div>\n<\/div>\n<div>\n<div style=\"background: rgb(239, 239, 239); border: 1px solid rgb(204, 204, 204); padding: 10px;\"><strong>Dmitry Mishunin<\/strong> is the founder and chief technology officer of HashEx. More than 30 global projects are running on blockchain integrations designed by HashEx. Over 200 smart contracts were audited in 2017\u20132021.<\/div>\n<\/div>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/cointelegraph.com\/news\/how-do-defi-protocols-get-hacked\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;# How do DeFi protocols get hacked? &#8221; The decentralized finance sector is growing at a breakneck pace. Three years ago, the total value locked in DeFi was a mere $800 million. 
By February 2021, the figure had grown to $40 billion; in April 2021, it attained a milestone of $80 billion; and now it&#8230;<\/p>\n","protected":false},"author":1,"featured_media":324311,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/images.cointelegraph.com\/images\/1200_aHR0cHM6Ly9zMy5jb2ludGVsZWdyYXBoLmNvbS91cGxvYWRzLzIwMjEtMDgvODFmNWYyZGEtMmJkZS00Y2IzLWJkNzMtZWNjMzdlYzU0MjVlLmpwZw==.jpg","fifu_image_alt":"","footnotes":""},"categories":[1],"tags":[74894,74868,74891,74882,75434,70944,4965],"class_list":["post-324310","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-general","tag-blockchain","tag-defi","tag-ethereum","tag-hacks","tag-smart-contracts","tag-hackers","tag-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/324310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=324310"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/324310\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/324311"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=324310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=324310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=324310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":
true}]}}