Decentralized finance (DeFi) aims to disrupt the traditional financial world with its promise of greater inclusiveness and faster, anonymous transactions, but to do that it will need to overcome a significant challenge. The smart contracts that govern DeFi are littered with exploitable code that has resulted in millions of dollars of user funds being lost.
Back in August 2021, Liquid Global, a leading Japanese cryptocurrency exchange, suffered a hack that resulted in more than $97 million worth of crypto being stolen. It was later discovered that hackers had targeted the exchange’s multi-party computation wallets, siphoning the funds within them to four external wallets. The hackers made off with around 107 Bitcoin, 9 million TRON, 11 million XRP, and almost $600 million worth of Ethereum.
Just one day later, the DeFi industry experienced its largest-ever hack when an attacker made off with a staggering $612 million worth of crypto from the Poly Network protocol. Luckily, the hacker Mr. White Hat returned the funds soon after, saying he was an ethical hacker who just wanted to highlight the vulnerability within the protocol’s smart contract code. It was in any case an extremely close shave, as a less ethical hacker could have easily stumbled across the exploit and made off with a similar amount.
Later that month, yet another attack targeted the crowdfunding platform DAO Maker. Once again, smart contract code was exploited by an attacker to gain more than $7 million worth of users’ funds. It meant that hackers stole a combined $716 million worth of crypto that month alone.
In December of the same year, hackers stole $30 million from the MonoX DEX platform by exploiting vulnerabilities in its smart contract.
Fast-forward to this year and the hacks have kept on coming. The biggest so far in 2022 was the attack on Ronin, a cross-chain bridge used by the popular NFT game Axie Infinity. The hackers found a critical vulnerability in Ronin’s code and stole an incredible 1730,000 ETH and over $25 million worth of USDC, for a total gain of $552 million.
That attack came barely a month after another bridge, Wormhole, suffered an attack that lost more than $300 million. Then, in April, the DeFi protocol Beanstalk fell victim to a $182 million hack that took advantage of the 24-hour execution delay in its flash loan smart contract.
Smart Contracts Are Vulnerable
With more than $40 billion worth of cryptocurrency locked into the DeFi ecosystem at the time of writing, it seems clear that the industry is here to stay, despite the risks it runs. However, with the top four DeFi protocols – namely Oasis, Lido, Uniswap V2, and Aave – all currently home to more than $4 billion worth of user assets, the worrying spate of high-profile hacks poses a major threat to the industry that could derail its ambition of emerging as a viable alternative to traditional financial services.
Although some hack attacks are due to lax security measures and phishing attempts on users’ personal keys, the truth is that the majority of funds stolen in the DeFi industry are due to one thing – vulnerabilities in the smart contracts that power the industry. The vulnerabilities might be due to a coding error or external price manipulation or something else, but the end result is always the same – millions of dollars in value lost, and despair for the victims.
Smart contracts are the self-executing code that underpins DeFi. They run on decentralized blockchain networks and play the role of automating transactions, thereby doing away with the need for a middleman (bank). They allow agreements between anonymous parties to be carried out immediately once certain conditions are met, speeding up transactions and eliminating costly fees.
But as important as smart contracts are, they’re also littered with vulnerabilities that hackers are only too keen to exploit. That’s not a surprise given some of the amounts they have made off with. DeFi is a tempting target and will continue to be one so long as the vulnerabilities persist.
How The Industry Has Responded
The good news is that the DeFi industry is working hard to solve this potentially fatal problem. One way it’s doing so is by maintaining best practices for developers. After all, Solidity, which is the programming language used to create smart contracts on Ethereum, is still new and experimental, so developers can benefit from a helping hand.
Consensys, an Ethereum software developer, has created a list of best practices that are available on its GitHub page. It provides recommendations for Solidity developers, along with examples of common smart contract hacks. It also provides software that developers can use to try and identify vulnerabilities themselves. Another company, 101 Blockchains, has created an extensive list of blockchain principles and advice around risk mitigation that developers can use to tie up loose ends in their code.
The proliferation of smart contract hacks has also led to the rise of a new industry around blockchain security. Companies such as Kaspersky offer blockchain security assessments and network penetration testing, while its Endpoint Protection product can secure entire systems at the device level. Meanwhile, the data security firm Cocoon Data’s Safeshare offering relies on patented technology to ensure file security and prevent breaches.
Also doing good business are the smart contract auditing firms like CertiK, which analyze application codebases for vulnerabilities before they are launched. These extensive audits determine how the code functions, identify bugs, and provide feedback for developers to fix any holes that might be identified.
In the case of CertiK, it uses specialized software called Skynet Scanning Technologies to review smart contract code. Meanwhile, Slowmist offers an integrated data system called Blockchain Threat Intelligence, and Quantstamp has created a decentralized smart contract audit protocol that any developer can use to check their code against validator nodes.
Rethinking Smart Contracts
Not everyone is throwing in the towel though. A company called Radix, which defines itself as an asset-oriented smart contract purpose-built for DeFi, is instead aiming to reinvent how smart contracts work, in order to minimize the risk of vulnerabilities creeping into code.
To do this, Radix has come up with an alternative DeFi infrastructure that doesn’t rely on Solidity and the Ethereum Virtual Machine, but rather on an entirely new architecture it calls Radix Engine. Notably, it relies on the concept of finite-state machines (FSMs). Radix’s use of FSMs has resulted in an entirely new developer paradigm compared to Turing-complete smart contracts. With it, the opportunities for hackers can be dramatically reduced.
Rather than using traditional smart contracts, Radix developers instead build their DeFi apps using “components”, which are bits of code that define what their decentralized applications (dApps) can do with “actions”.
In turn, this makes dApps easier to design and analyze, and ensures their behavior is more predictable. The components can be thought of as Lego building bricks – developers can customize them, and link them together with additional components to create the smart contract functionality that powers their dApps.
Because the components are heavily scrutinized by the community and then reused time and again, they’re far more secure than traditional smart contracts that are written from scratch with each and every dApp that’s created.
Radix dApps built using components can be likened to cogs in a machine. Assuming all of the cogs work as expected, the transaction will be successful. However, if one of the cogs (components) fails, the entire transaction will be aborted, ensuring the user’s funds remain safe in their wallets.
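The all-or-nothing behavior described above can be sketched as a toy model. This is an added example, not Radix Engine code or its API: the `Ledger`, `swap`, `stake` and `run_transaction` names, the account names and the balances are all hypothetical and constructed for illustration.

```python
import copy

class ComponentError(Exception):
    """A component action refused to proceed."""

class Ledger:
    """Toy ledger: {account: {token: amount}}."""
    def __init__(self, balances):
        self.balances = balances

    def move(self, src, dst, token, amount):
        have = self.balances.get(src, {}).get(token, 0)
        if amount <= 0 or have < amount:
            raise ComponentError(f"{src} cannot send {amount} {token}")
        self.balances[src][token] = have - amount
        dst_bal = self.balances.setdefault(dst, {})
        dst_bal[token] = dst_bal.get(token, 0) + amount

def swap(usd_in, rate):
    """Hypothetical component: user sells USD to the pool for ETH."""
    def action(ledger, user):
        ledger.move(user, "pool", "USD", usd_in)
        ledger.move("pool", user, "ETH", usd_in // rate)
    return action

def stake(eth_amount):
    """Hypothetical component: user locks ETH in a vault."""
    def action(ledger, user):
        ledger.move(user, "vault", "ETH", eth_amount)
    return action

def run_transaction(ledger, user, actions):
    """Apply every action or none; a failure restores the prior state."""
    snapshot = copy.deepcopy(ledger.balances)
    try:
        for act in actions:
            act(ledger, user)
    except ComponentError as err:
        ledger.balances = snapshot  # abort: funds stay where they were
        return False, str(err)
    return True, "committed"

def demo():
    # Constructed sample state, not real on-chain data.
    ledger = Ledger({"alice": {"USD": 3000}, "pool": {"ETH": 10}})
    # Swap succeeds (2 ETH), but staking 5 ETH fails: everything is undone.
    failed = run_transaction(ledger, "alice", [swap(3000, 1500), stake(5)])
    after_abort = copy.deepcopy(ledger.balances)
    ok = run_transaction(ledger, "alice", [swap(3000, 1500), stake(2)])
    return failed, after_abort, ok, ledger.balances
```

In the first transaction the swap step has already moved funds when the staking step fails, yet the ledger ends up exactly as it started; only the second transaction, in which every component succeeds, changes any balance.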
A Smarter Future
The rising popularity of cryptocurrency means that funds will inevitably continue to pour into the DeFi space in the coming years. As such, developers cannot ignore the dangers of smart contract vulnerabilities, meaning they cannot persist with the unreliable development paradigms of the past.
The good news is that projects like Radix prove that there are ways to bring greater security to DeFi and ensure proper safeguards for users. It remains to be seen if Radix-based DeFi will take off in the long term, but the fact it is getting traction tells us that developers understand they need to be more stringent as they create their smart contract code.
In conclusion, the industry is slowly waking up to the realization that smart contract code must become smarter if the threat of hack attacks is to subside.