DeFi Apps display their soft underbelly – Defi and Crypto deal with another pair of 9-figure hacks

DeFi continues to face serious challenges with smart contract hacks. In the last week, the ecosystem has suffered another US$100 million hack.

“DeFi projects experienced the highest frequency of attacks and the highest amount of losses compared to other project types,” blockchain security firm Beosin, wrote in a global web3 security report for the first half of 2023.

The largest DeFi hack of the year so far is the US$195 million smart contract exploit of Euler Finance. Euler Finance was a composable DeFi protocol that was connected to a number of other Dapps. The attack on Euler lead to over 10 other protocols being affected.

This story, however, has a happy ending. 23 days after the hack, the attacker returned the funds. Despite the return of the funds, the incident still showed that Euler was exploitable and that a number of models within DeFi remain unstable.

Blockchain security firm Certik has reported that US$313,566,528 million was lost to Web3-related hacks and exploits in Quarter 2 of 2023. They write that this amount is nearly identical to the amount in the previous quarter. They do note, though, that this is 58% less than over the same period last year and that the average amount lost per hack has also fallen since last year. A slight improvement – but the DeFi ecosystem continues to bleed.

In the report, Certik explains that the BNB chain recorded the most number of incidents, 119. These incidents lead to US$70,711,385 in losses. The next most exposed chain was Ethereum which suffered from 55 incidents that lead to losses amounting to US$65,999,953.

Certik report that in the last quarter, there was a larger proportion of funds lost to exit scams and rug pulls than usual. Exit scams and rug pulls occur when a protocol or business continues to accept funding or purchases from users and investors knowing that they will either not deliver the product or that they will simply walk away with invested funds.

Source: Ceritk

The month of June closed with the rug pull of the Chibi protocol on the Arbitrum protocol. On June 27th another blockchain security firm Peckshield reported on Twitter that it — “Seems like Chibi Finance has been rugged, US$1 million worth of cryptocurrencies were drained.” It further explains that 555ETH had been bridged from Arbirtrum to Ethereum before then passing through the transaction mixing service Tornado Cash.

It was later revealed that Chibi was exploited by its own deployer account, which points to clear rug pull and exit by the protocol’s creators.

All traces of Chibi were then removed from the internet. The protocol’s user interface came up with a 404, and all social media related to the protocol suddenly vanished.

DeFi Hacks In 2023

Investigating some of the largest DeFi hacks of 2023 in recent months, they evidence how diverse and large Web3 smart contract exploits and hacks have become.

Multichain hack

On July 6th, observers including well-known blockchain security firms noticed unusual asset movements originating from cross-chain bridging protocol Multichain. After initial alarm bells were raised, Multichain (formerly known as Anyswap) confirmed the hack on Twitter, writing “The lockup assets on the Multichain MPC address have been moved to an unknown address abnormally.” The tweet said Multichain was not sure what happened and was investigating. There have been no updates from Multichain since July 7th.

US$102 million worth of crypto had been suspiciously withdrawn from Multichain’s Fantom bridge on the Ethereum side, as well as US$5 million from Kusama DeFi protocol Moonriver and US$666,000 from Dogechain.

Multichain has since recommended that all Multichain users revoke contract permissions and stop using the protocol.

It appears as though there is some silver lining, however, as US$63 million worth of USDC connected to the hack has been frozen.

The total funds lost by Multichain is suspected to be around US$126 million. This would make it the 6th largest DeFi hack ever. Smaller than the hacks of Nomad Bridge and Wormhole Bridge, but larger than the hacks of Horizon Bridge and Qubit Bridge.

Why DeFi Bridges Are Easy To Hack

It does not take much deduction to realize what these hacks have in common. Bridges are applications that allow for transactions between blockchains. By design, blockchains like Ethereum and Avalanche cannot natively communicate with each other. A user cannot send USD-Coin from an Ethereum address to an Avalanche address the same way they would to an Ethereum address, despite the similarities between the two chains. This is a major limitation of the sector overall, and has slowed the growth of DeFi overall.

It can be overcome though. To facilitate the process of moving funds across different blockchains, ‘bridging applications’ will generally be set up with smart contracts on either blockchain and an intermediary that communicates between the two.

With tools like the Wormhole bridge, users can natively port digital assets between multiple blockchains. Bridging technology has helped users shift from incumbent chains like Ethereum to new networks like Metis with a few clicks and through easy-to-navigate portals. Bridges have thus helped promote the growth of emerging blockchains like Metis, Moonbeam, and Optimism.

Writing robust smart contracts across multiple blockchains, however, is no easy task. Bridging between blockchains is a complex operation with many moving parts. There are more points of failure and well-resourced hackers (sometimes even state funded) can often move faster than developers to exploit any sort of smart contract flaw in a permissionless Web3 application. Because of their complexity and high value of fund movement bridges are more prone to attacks than many other DeFi application types.

The massive Axie Infinity/Ronin Bridge hack spawned US sanctions against Ether (ETH) addresses alleged to belong to the North Korean hacker group Lazarus. Lazarus was also suspected to be behind the US$100 million Horizon Bridge hacks in June 2022.

The Atomic Wallet Hack

Another recent, non-bridge-related hack has been tied to the Lazarus group. The Atomic Wallet attack occurred on June 1st, 2023.

Atomic Wallet, a non-custodial decentralized wallet, was hit by an enormous, far-reaching hack that has reportedly led to losses of over US$100 million and compromised over 5000 wallets.

Atomic Wallet supported many different blockchains and assets including Bitcoin, Ethereum, XRP, and Litecoin. The website for the project includes links to real endorsements from noted crypto figures Changpeng Zhao (CEO of Binance), Charlie Shrem, and John McAffee.

This was perhaps one of the worst hacks for individual users because many relied on Atomic wallet’s to store all their crypto assets across multiple chains. Numerous users across Reddit and other social media platforms have reported losing large sums.

Source: Reddit user u/BatyrSengoku

As with the Multichain hack, the investigation of what exactly happened during the hack is ongoing. The reported amount lost during the hack has ranged between US$35 million-US$100 million.

Assets lost in the hack were Bitcoin (BTC), Ether (ETH), Tether (USDT), Dogecoin (DOGE), Litecoin (LTC), BNB (BNB), and Polygon (MATIC). The largest stash lost is expected to be Tron-based USDT.

Atomic says that the hack affected less than 1% of its users. This claim has been disputed by Blockchain forensics firm Elliptic which says the real number is actually much higher.

While the exact source of the hack has not yet been identified, there have been a few possible attack vectors mentioned.

• Insufficient randomness in a key generation – Atomic Wallet would generate seed phrases mapped to a mnemonic using the BIP-39 wordlist. If this seed generation was not random and robust enough it would be possible to brute force into wallets.
• Fault attacks on key-related algorithms – This would allow attackers to potentially enter private accounts using public information like Signatures. The Android version of Atomic was found to have an outdated vulnerability related to this issue that could have been attacked.
• Keys transmitted to centralized servers – It is possible that someone at Atomic may have stored keys on a centralized server. If the attackers managed to gain access to such a server they could access user wallets. This is the attack vector that was used to exploit the Cryptopia exchange, for example.
• Supply-chain attack – This would be an attack where the exploiter gains access to a piece of infrastructure tied to the project. This may be a newly updated website. This type of attack would only target a subset of users. For example, if a website offering the Android APK was compromised, only desktop users or users who downloaded the Android APK from that website would be impacted. On Reddit, Ledger co-founder Nicolas Bacca says he believes a supply chain attack may have been the root of the Atomic attack.

Forensics firm Elliptic has attributed this incident to North Korea’s Lazarus Group. The group is believed to have stolen over US$2 billion from crypto companies since it began targeting them. Elliptic says they are working with international investigators and legal agencies to track down the stolen funds. It has been reported that Sinbad.io, a mixer previously favoured by Lazarus, was used for the hack.

Elliptic says the Russia-based Garantex exchange is being used to launder the stolen assets. Garantex was sanctioned by the US Department of the Treasury in April 2022 for its role in laundering the proceeds of ransomware and darknet markets.

Ethereum Community Pushes For ERC-7265 Circuit Breaker

The continued vulnerability of DeFi to large exploits is pushing the creation of solutions like the proposed ERC-7265 ‘circuit breaker’ specification. The Github for ERC-7625 explains that it will allow for a “temporary halt on protocol-wide token outflows when a threshold is exceeded for a predefined metric.” This will essentially create an automated pause on the operations if hack-like activity is expected to be occurring.

The circuit breaker will allow for two options — delaying settlement and temporarily holding custody of outflows during the cooldown protocol (reverting attempted outflows). This will allow developers to tailor the circuit breaker for specific functionality.

The ERC-7265 project began during a hackathon at ETHGlobal Tokyo in April 2023. It is inspired by the efforts of Cosmos DeFi dapp Umee, which implements rate limiting.

The concept of a fail-safe solution, like a circuit breaker, has quickly gained traction within the DeFi community. It will mitigate against protocol weakness and provide a buffer of support in the instances of Black Swans that may affect multiple Lego pieces within DeFi like the Euler Finance hack. However, a potential flaw in the model is ‘false positives’ and network slowdown, where protocols utilizing ERC-7265 would accidentally be paused during irregular, but not malicious, activity.

Conclusion

The DeFi space has offered unprecedented access to finance. Its short history, however, has been marked by severe growing pains. It’s clear that security remains a significant concern, with repeated multimillion-dollar hacks posing a serious challenge to the trust and adoption of DeFi platforms. These incidents underscore the urgent need for more robust security measures, continuous protocol auditing, and developer education.

It appears that attack types like bridge attacks and rug pulls will keep occurring without any form of ecosystem-wide mitigation. Using a DeFi protocol feels like playing with a ticking time bomb. While many users accept this risk, it is nevertheless a worrying scenario. The introduction of safety measures, however, such as the proposed ERC-7265 "circuit breaker" specification shows promise as a potential defense. If successful, such innovations could provide a safety net against large-scale exploits, helping to secure user funds and stabilize the DeFi ecosystem.