
Buyer Beware: Top Recent DeFi Exploits and Hacks

DeFi is built for frictionless investments and direct, easy decisions. There are widely known risks, such as immediate impermanent loss. However, one of the biggest risks in decentralized finance startups is an exploit of the underlying technology, which siphons off funds from investment pools. In the past couple of weeks, four high-profile projects erased more than $50M in value, potentially compromising their tokens’ reputation.

Compromised projects manage to survive, but there is no guarantee against a complete loss of funds in any protocol. Over the past week, several high-profile exploits occurred, pointing to ongoing weaknesses in decentralized investment.

Dodo Exchange Pool Exploits

The Dodo Exchange hosts a series of pools similar to Uniswap. As with other similar exchanges, the liquidity protocol is automated by smart contracts, and pricing depends on the availability of tokens and ETH deposited by traders. 

Dodo's hack centred on a smart contract function that could be called by an outside user. This let the attacker mint fake WCRES tokens, then run the smart contract to drain its remaining liquidity.

Several other tokens were attacked, including WSZO, ETHA and FUSI. The total loss from the Dodo exploit is estimated at the equivalent of $3.5M.

The Dodo Exchange fell prey to a general problem in the crypto space: most smart contracts are deployed unaudited, without any check of whether their functions could affect the token supply.

Meerkat Finance

Meerkat Finance was a new liquidity mining protocol built on top of Binance Chain. The attack was bigger than that of Dodo, taking away assets worth $31M. The exploit affected BUSD and BNB, without affecting other mechanisms on Binance Chain or the Binance exchange. 

The exploit once again hinged entirely on the smart contract controlling the pair liquidity for automated trading. But red flags were raised by the fact that the event happened just a day after the protocol was deployed. 

Additionally, blockchain analysis showed traces suggesting that one of the admin accounts accessed the smart contract. This, plus the fact that Meerkat scrubbed its social media presence immediately, suggests the project most likely performed an exit scam.

But the final message from the team may erase this theory. A Meerkat developer recently contacted the community of investors on Telegram, stating that the exploit was just a test and the funds would be recovered and returned to their rightful owners.

Furucombo

Furucombo was another DeFi-related protocol, which relied on automated batching of transactions. The service served investors who wanted to interact with multiple liquidity pools while avoiding the mining fees.

The total loss for the protocol was estimated at $14M in multiple digital assets, which the hacker has already moved from the initial exploit address. This time, the flaw did not lie with Furucombo directly. Instead, a smart contract communicated with the transaction batching mechanism and managed to re-route the tokens.

The exploit underlines the risk that assets not directly controlled by a private key can be diverted, if the protocol uses the right credentials. 

PAID Network

PAID Network was one of the attacks where the underlying token itself was compromised. Once again, the central error was a smart contract that could be called into action by an outsider.

The PAID smart contract then created 60M new unauthorized tokens, which tanked the asset’s market price. PAID lost most of its value, sinking from a few dollars to a bottom of $0.16. Now, the token hovers around $1.16. 
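Both the Dodo and PAID incidents above come down to a supply-changing function that an outsider could call. The following is an added illustration, not code from either project: a hypothetical token with an unguarded initializer and mint beside a hardened form that locks initialization and restricts minting to the owner.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical example token (constructed for this article, not Dodo or PAID).
// Shows the bug class the incidents share: anyone can change totalSupply.
contract UnguardedToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    // BUG: no caller check and no one-shot guard, so any address can
    // "initialize" again and credit itself an arbitrary balance.
    function init(address owner_, uint256 supply) external {
        balanceOf[owner_] += supply;
        totalSupply += supply;
    }

    // BUG: mint is public to the world; this is how a supply gets inflated.
    function mint(address to, uint256 amount) external {
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}

// Hardened form: initializer runs once, minting is owner-only and capped.
contract GuardedToken {
    uint256 public totalSupply;
    uint256 public immutable maxSupply;
    mapping(address => uint256) public balanceOf;
    address public owner;
    bool private initialized;

    error NotOwner();
    error AlreadyInitialized();
    error CapExceeded();

    constructor(uint256 cap) { maxSupply = cap; }

    function init(address owner_, uint256 supply) external {
        if (initialized) revert AlreadyInitialized(); // one-shot guard
        initialized = true;
        owner = owner_;
        _mint(owner_, supply);
    }

    function mint(address to, uint256 amount) external {
        if (msg.sender != owner) revert NotOwner();  // access control
        _mint(to, amount);
    }

    function _mint(address to, uint256 amount) internal {
        if (totalSupply + amount > maxSupply) revert CapExceeded(); // hard cap
        balanceOf[to] += amount;
        totalSupply += amount;
    }
}
```

A pre-deployment review of a token should list every external function that writes totalSupply or balances and confirm each one carries a caller check and a one-shot guard where it is an initializer.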

For a while after the attack, the chief advice was to avoid PAID entirely, given the uncertainty about the bloated token supply and which tokens could be considered legitimate to use.

The protocol creators are still working out compensation. The current advice for investors is to withdraw from PAID liquidity pools on all decentralized exchanges, to avoid helping the hacker sell more coins.

One of the chief risks of DeFi is the constant demand for new pools. Enthusiasm and liquidity may be relatively higher for new assets, allowing for a bigger upside. However, new projects are untested both in their honesty and the soundness of their smart contracts.

DeFi is entirely unregulated and decentralized. Unlike exchanges such as Binance and OKEx, the newly created liquidity protocols rarely have insurance. Additionally, decentralized trading and liquidity mining are open to anyone able to pay network gas fees on Ethereum, or to simply create a new token and pool through Binance Chain or other protocols.

Exploits in crypto are not new, and have affected token-based startups and smart contracts in the past. 

DeFi is simply the new area where malicious actors will try to exploit the new inflow of tokens.
