This is the age of the Wild West-hackers and vulnerabilities are everywhere.
For participants, it is important to understand the history of Ethereum’s vulnerability attacks. From The DAO to the Parity hacking incident, these protocol-level incidents have affected the security of Ethereum contracts. As more applications are built, the number of attacks has also increased.
This is especially true in DeFi.
In DeFi, we don’t have to give the trust of money to others, but we must trust the code.
We must believe that the design of the code has no flaws-including errors, economic risks, oracle manipulation, and even centralization risks. But it is difficult. We are all human beings, and we make mistakes.
This is our salvation grace: the longer the code is exposed, the more value is locked, and the stronger the code. We call it the Lindy effect. If there is no accident for one more day, we will be one step closer to the vision of trustless finance.
Hugh Karp is an in-depth researcher of hackers and vulnerabilities. (But he himself was hacked by hackers!)
The early development experience of Ethereum inspired Karp to establish Nexus Mutual, a decentralized insurance alternative.
The author of this article is Hugh Karp.
A brief history of DeFi hacking
DeFi provides a place of opportunity. Although all traditional financial professionals call it a “scam” because of its double-digit yield, you can find and create wealth. At the same time, those on the cutting edge have been making money.
Although there are certain risks, the market is still very inefficient, and in an era when banks offer 0% interest rates, it is worth setting aside the old prejudices, at least for a while, and then conducting in-depth research.
In traditional finance, most risks stem from having to use your money to trust people.
Although many people say that DeFi eliminates trust, it actually transfers trust from individuals, institutions, and surrounding legal systems to code. In theory, this means that if we can trust the code to behave as expected, then we can “remove” the trust. Unfortunately, it is difficult to code with 100% accuracy (even after review). Most long-term Ethereum users have experienced at least one pain point during this journey.
To give you an idea of the accuracy of coding, the following is the number of errors per line of code:
The industry averages 15-50 per thousand people
1-25 of every 1,000 software delivered
National Aeronautics and Space Administration (NASA) 0.1/1000
Coding is not easy. Humans are always making mistakes. The problem is that Ethereum and decentralized finance have a lot of risks.
Is this risk better than trusting others? Of course, but it is still too early.
Here are some historical vulnerabilities that can provide you with background information…
One of the first important cases of coding errors on Ethereum is The DAO.
The DAO project was attacked, and then the community was divided on how to “fix” the problem, which led to the fork of Ethereum and the creation of Ethereum Classic (ETC).
The next major vulnerability event is the Ethereum Parity client bug. In this bug, the widely used multi-signature suffered two separate breach incidents, which resulted in the loss of ETH worth millions of dollars at the time, and further consequences from a philosophical point of view.
Together, these bugs are the first major security incidents in the history of Ethereum.
Now, we treat them as code containing logic errors, and they simply do not work as expected.
These two events are also the main source of inspiration for Nexus Mutual’s first product, Smart Contract Cover.
The second major wave of DeFi hacking was caused by the manipulation of on-chain oracles, usually caused by lightning loans.
This type of attack is very complicated to execute, but its model is similar, that is, a system that relies on price feeding will temporarily manipulate the price to distort the internal accounting of the agreement. Then deposit the funds at a preferential interest rate, and then immediately withdraw it in another currency or the same currency after resetting the oracle to the normal value.
Although potential logic errors may have been triggered in most cases, this is not always the case. Then there was a community discussion: Are these incidents hacked, or are the economic logic of the protocol being exploited?
However, in general, if DeFi is to be more successful, these types of problems need to be avoided.
Harvest Finance: A skilled farmer used lightning loans to obtain $33.8 million from the FARM_USDT and FARM_USDC pools
Value DeFi: Loss of 7,000,000. This is another harsh lesson triggered by flash loans.
Cheese Bank: Hackers took away $3.3 million through lightning loan AMM oracle attack
Origin Protocol: Get 8 million US dollars through lightning loan and counterfeit currency re-entry.
Money Lego era
In the past few years, more and more DeFi protocols have been released and continue to rely on each other. This is the beauty of open finance and composability-we can use existing protocols to build new applications. The disadvantage is that this will naturally begin to expand the attack surface.
With a powerful advantage of DeFi, agreements are increasingly being built with each other, but this also increases the risk exponentially.
The third wave of attacks tends to focus on revenue aggregators, which are usually built on many other DeFi protocols.
These protocols tend to have a higher risk than the basic protocol simply because they have a greater attack surface. As a developer, you can easily make assumptions about how another protocol works, but sometimes subtle differences at the edge of integration can cause problems.
This short and interesting history focuses on coding risks. Assuming that DeFi is completely decentralized, coding risks will cover most of the risks. but it is not the truth. Many agreements are still some distance away from decentralization, because many risks in DeFi not only come from smart contract errors, but also from centralization.
The most widespread risk of all DeFi may be related to the failure of stablecoins. This may include the loss of USDT’s pegged exchange rate or USDC confiscation of funds by the government. MakerDAO’s DAI link failure can also cause major problems, but it is more likely to be caused by failure of economic incentives or risk management supervision.
If you participate in DeFi, the general failure of any major stablecoin will be catastrophic. This may be the main risk facing the entire industry, especially when it is still in its infancy.
Going back to the DeFi protocol, when interacting with most newer protocols, there is often a high degree of centralization risk, because the team is usually likely to upgrade the contract, or in the worst case “run the way” and steal the protocol liquidity. So please pay attention to this! Before depositing funds, try to find out if there are any built-in time delays or other protective measures.
Some major DeFi agreements still have lower-level centralization risks. There is always potential for governance attacks, and malicious groups can upgrade the system. We have not seen many such cases, but it is entirely possible.
The more diverse and broad the token holders, the better.
Economic incentive risk
Another major category to watch out for is the failure of economic incentives. Several DeFi protocols are testing new economic games to achieve certain results, which usually requires balancing incentives to encourage correct user behavior.
Many of these incentive games are unproven to have higher risks than others, and I am observing algorithmic stablecoins. Therefore, users should pay attention to the extent to which the agreement relies on economic incentives to work properly.
DeFi is an opportunity
Although this may sound scary, DeFi is rewarding for those willing to take higher risks. The risk-reward ratio in DeFi is huge, but the market efficiency is still very low.
The advantage is that inefficiency corresponds to opportunities for those willing to take further risks.
A major attraction of DeFi is the ability to earn income through stablecoins or existing cryptocurrency holders such as BTC or ETH.
In this use case, the risk range is low. I call the risk comes from the underlying protocol itself: Uniswap, Compound, Aave, MakerDAO and Balancer.
These protocols are much higher than other protocols in terms of decentralization, so the risks are often more limited to smart contract risks, economic incentive failures and potential governance attacks. These protocols have been used on the mainnet for a long time and have a value of billions of dollars, which means that they have been tested to a reasonable extent in actual combat, showing that they are relatively immune to most of these risks Threats, and potential governance attacks have yet to be fully tested.
If you want to move from almost 0% of the gains in your bank account to a higher level (eg 4-10% range), this may be the best starting point.
If you want to protect your money in DeFi, Nexus Mutual can also provide protection against smart contract risks. Even better, starting on April 26, Nexus Mutual will expand to a new product called “Protocol Cover”, which covers smart contract risks, oracle manipulation, economic incentive failures, and governance attacks. This is one of the safest ways to start reaping benefits in DeFi.
There are many things to learn, and you can write a whole book on DeFi risk management.
The key is to start with the amount of loss you can afford and learn gradually over time. To avoid excessive risks, please make sure to manage when you want to allocate larger positions to deal with any kind of scheme or risk.
DeFi is a journey that requires full autonomy, which is dangerous and potentially very profitable. Properly managing your risks will make you more comfortable.
Author/ Translator: Jamie Kim
Bio: Jamie Kim is a technology journalist. Raised in Hong Kong and always vocal at heart. She aims to share her expertise with the readers at blockreview.net. Kim is a Bitcoin maximalist who believes with unwavering conviction that Bitcoin is the only cryptocurrency – in fact, currency – worth caring about.