Buyer Beware: Top Recent DeFi Exploits and Hacks
DeFi is built for frictionless investments and direct, easy decisions. Some of its risks are widely known, such as immediate impermanent loss. One of the biggest risks in decentralized finance startups, however, is an exploit of the underlying technology that siphons funds out of investment pools. In the past couple of weeks, four high-profile projects erased more than $50M in value, potentially compromising their tokens’ reputation.
Compromised projects can survive, but nothing guarantees that any given protocol will not suffer a complete loss of funds. Over the past week, several high-profile exploits occurred, pointing to ongoing weaknesses in decentralized investment.
Dodo Exchange Pool Exploits
The Dodo Exchange hosts a series of pools similar to Uniswap. As with other similar exchanges, the liquidity protocol is automated by smart contracts, and pricing depends on the availability of tokens and ETH deposited by traders.
The root of the Dodo hack was a smart contract function that could be called by any outside user. This let the attacker mint counterfeit WCRES tokens and then use the smart contract to drain the pool’s remaining liquidity.
Several other tokens were attacked, including WSZO, ETHA and FUSI. The total loss from the Dodo exploit is estimated at the equivalent of $3.5M.
The Dodo Exchange fell prey to a general problem in the crypto space. Most deployed smart contracts are not audited, and they go live before anyone checks whether any of their functions can alter the token supply.
Meerkat Finance
Meerkat Finance was a new liquidity mining protocol built on top of Binance Chain. The attack was bigger than that of Dodo, taking away assets worth $31M. The exploit affected BUSD and BNB, without affecting other mechanisms on Binance Chain or the Binance exchange.
The exploit once again hinged entirely on the smart contract controlling the pair liquidity for automated trading. But red flags were raised by the fact that the event happened just a day after the protocol was deployed.
Additionally, on-chain analysis showed traces suggesting that one of the admin accounts had accessed the smart contract. This, plus the fact that Meerkat scrubbed its social media presence immediately, suggests the project most likely performed an exit scam.
The final message from the team, however, may undermine this theory. A Meerkat developer recently contacted the community of investors on Telegram, stating that the exploit was just a test and that the funds would be recovered and returned to their rightful owners.
Furucombo
Furucombo was another DeFi protocol, one that relied on automated batching of transactions. The service was aimed at investors who wanted to interact with multiple liquidity pools while avoiding mining fees.
The total loss for the protocol was estimated at $14M in multiple digital assets, which the hacker has already moved out of the initial exploit address. This time, the flaw did not lie with Furucombo directly. Instead, a smart contract interacting with the transaction batching mechanism managed to re-route the tokens.
The exploit underlines the risk that assets not directly controlled by a user’s private key can be diverted if the protocol handling them has been granted the right credentials.
PAID Network
PAID Network was a case where the underlying token itself was compromised. Once again, the central error was a smart contract function that an outsider could invoke.
The PAID smart contract then created 60M new unauthorized tokens, which tanked the asset’s market price. PAID lost most of its value, sinking from a few dollars to a bottom of $0.16. Now, the token hovers around $1.16.
For some time after the attack, the chief advice was to avoid PAID entirely, given the uncertainty about the bloated token supply and which tokens could be considered legitimate to use.
The protocol’s creators are still working out a compensation plan. In the meantime, investors are advised to withdraw from PAID liquidity pools on all decentralized exchanges, so as not to help the hacker sell more coins.
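The Dodo and PAID incidents above share the same underlying defect: a function that creates new token supply and that anyone can call. The Solidity below is an added illustration written for this article, not code from Dodo, PAID or any other project named here; the contract names, the owner model and the cap are hypothetical. It places the unprotected pattern beside a guarded form so the difference a pre-deployment review should catch is visible in a few lines.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only (hypothetical contract): the supply-creating function
// has no access control, so any account can inflate totalSupply at will.
contract UnprotectedToken {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // Vulnerable: external, callable by anyone, no bound on amount.
    function mint(address to, uint256 amount) external {
        totalSupply += amount;
        balanceOf[to] += amount;
    }
}

// Hardened variant (hypothetical contract): minting is restricted to a
// designated owner and bounded by a fixed cap set at deployment.
contract GuardedToken {
    address public immutable owner;
    uint256 public immutable cap; // hard ceiling on totalSupply
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    event Minted(address indexed to, uint256 amount);

    constructor(uint256 cap_) {
        owner = msg.sender;
        cap = cap_;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Only the owner may mint, and never beyond the cap. Solidity 0.8
    // checked arithmetic also reverts on overflow.
    function mint(address to, uint256 amount) external onlyOwner {
        require(totalSupply + amount <= cap, "cap exceeded");
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount);
    }
}
```

The check the article alludes to is mechanical: list every external or public function that writes to totalSupply or a balance mapping, and for each one ask who may call it and what bounds apply. In the guarded contract both questions have an answer in the source (onlyOwner and cap); in the unprotected one neither does, and the Minted event gives monitoring a signal to alarm on if supply changes unexpectedly.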
One of the chief risks of DeFi is the constant demand for new pools. Enthusiasm and liquidity may be relatively higher for new assets, allowing for a bigger upside. However, new projects are untested both in their honesty and the soundness of their smart contracts.
DeFi is entirely unregulated and decentralized. Unlike exchanges such as Binance and OKEx, newly created liquidity protocols rarely have insurance. Additionally, decentralized trading and liquidity mining are open to anyone able to pay network gas fees on Ethereum, or to anyone who simply creates a new token and pool through Binance Chain or other protocols.
Exploits in crypto are not new, and have affected token-based startups and smart contracts in the past.
DeFi is simply the new area where malicious actors will try to exploit the new inflow of tokens.