When building a blockchain, developers work tirelessly to account for any possible contingencies, then tightly incorporate them into their smart contracts. But regardless of the amount of time dedicated to planning, incomplete contracts can still occur because the problem with contracts is not necessarily what's in them, but what's not in them. And let's be honest, nothing is bulletproof. Numerous unanticipated issues can and do arise and sometimes, crafty people can simply find loopholes. At any point, an issue will arise that isn't planned for — allowing for vulnerabilities and exploitation. Below are a few examples:
dForce and Lendf.me
On April 19, 2020, a hacker took $25 million from a decentralized lending platform Lendf.me, which was functioning under the umbrella of the Chinese DeFi platform dForce. The hack used a well-known vulnerability of Ethereum, which was used in the infamous DAO Hack in 2016.
Ethereum’s ERC-777 token standard has a vulnerability enabling an attacker to drain funds from some smart contracts holding them. An imBTC token that represented BTC on Ethereum was the ERC-777 standard, which allowed an attack to occur.
Notably, the hacker returned the stolen funds to Lendf.Me admin, which didn’t save dForce from criticism. The same attack involving imToken occurred on Uniswap around the same time as on dForce, but hackers managed to drain much less ($300,000).
Opyn
A smart contract bug allowed a double-spending attack, causing options protocol Opyn to lose $370,000 on August 4, 2020.
The vulnerability was connected to the protocol’s native tokens called oTokens, which users burn when exercising options contracts. The contract couldn’t correctly exercise a batch of options, not burning oTokens at each closure.
Consequently, an attacker could reuse their oTokens balance and drain funds by exercising options for free. According to PeckShield (a blockchain security company), a person with smart contract programming experience could easily spot the bug.
While the Opyn team couldn’t take down or change the smart contract, it managed to put the protocol on hold and save some of the users’ funds. On top of that, it announced reimbursements along with smart contract audits.
Akropolis – $2 million
Until it was hacked on November 12, 2020, Akropolis provided its users with convenient deposit-and-forget pools, which automatically invested users’ funds and generated yields. When a user deposited their funds in a pool, they got ownership tokens in return.
A hacker noticed that Akropolis smart contracts didn’t have a whitelist for ERC-20 tokens, which can be deposited to the savings pools. To take advantage of this vulnerability, a hacker created a fake ERC-20 token and took out a flash loan of 800,000 DAI on the dYdX lending and trading platform.
By depositing fake tokens and the real DAI, the hacker managed to get twice as many ownership tokens as they normally would. Hence, they withdrew funds they didn’t have access to.
The platform’s smart contracts were separately audited by two blockchain security firms. At the time of writing, Akropolis’ stablecoin pools are frozen.
Final Thoughts
While decentralization is appealing, almost idealistic and utopian in nature, there still remains the need for an abundance of caution because there are simply no safety guarantees in life. Anyone interacting with DeFi protocols and crypto should be vigilant and careful of their activity because no code is flawless and everyone’s wallets are vulnerable. As we've seen so far, the multitude of hacks, vulnerabilities, and exploits sometimes led to irreversible damage. Hopefully, as the technology progresses, we will see more advances in security.
Sources:
Comments