How are DeFi protocols compromised?

According to the most recent study from blockchain security firm CertiK, DeFi and Web3 have already lost $2 billion as a result of breaches and scams in 2022. Falling cryptocurrency values may have turned off both users and hackers, since the rate of losses dropped down in the second quarter.

DeFi protocols are particularly prone to hacking since their open source code is available for cybercriminals to study in search of exploits, and it’s probable that protocols’ motives to enter the market and expand quickly cause them to err on the side of lax security best practices.

The intrusion of crypto-exchange security systems was the most common method of cryptocurrency theft until 2021; currently, DeFi hacks are more common.

The deadliest DeFi attack occurred in March when the Ronin network was breached, resulting in the laundering of more than $650 million in cryptocurrency through the Tornado Cash mixer from the well-liked Axie Infinity NFT (non-fungible token) game. According to Crystal, the service received about 350,000 ether (ETH) in the first half of 2022, more than half of all ETH that has ever passed through Tornado Cash.

The Ethereum blockchain has seen the greatest amount of money theft in terms of dollars, which is likely a result of it being the most widely used DeFi platform overall. It’s followed by Solana, Binance Smart Chain, Fantom and Polygon.

Beginning in January 2022 — hack

The risk monitoring systems of discovered unauthorised activity on a small number of user accounts on Monday, January 17, 2022. Transactions were being approved without the user entering the 2FA authentication control. To ensure that only authorised activity would take place, revoked all customer 2FA tokens and introduced extra security hardening measures. As a result, all customers had to re-login and set up their 2FA token. The implementation of 2FA improves the security of both user credentials and the resources that users can access.When compared to authentication techniques that rely on single-factor authentication (SFA), where the user supplies only one parameter, usually a password or passcode, two-factor authentication offers a better level of security. In order to employ two-factor authentication, a user must provide the password as the first factor and another, distinct element, typically a security token or a biometric factor like a fingerprint or facial scan.The hacker gave back all the funds.

Qubit Finance Hack

Hackers gained access to Qubit Finance, which is built on the Binance Smart Chain, and stole over $80 million from it. From Qubit’s QBridge protocol, the addresses connected to the attack stole 206,809 Binance Coins (BNB).

Using the speed, automation, and security of the blockchain to effectively and securely connect lenders and borrowers, Qubit Finance expresses itself as a decentralised money market platform.

Qubit Finance runs an Ethereum-BSC bridge in addition to providing borrowing and lending services. The exploit’s intended victim was this bridge. In the case of the bridge offered by Qubit Finance, you deposit your ERC-20 tokens to the bridge and in exchange are given BEP-20 tokens, which you may use on the Binance Smart Chain.

Without any ETH linked to this transaction, the attacker used the QBridge contract’s deposit() function. The attacker entered malicious data during the function call. The data parameter must specify how many Ethereum have been deposited before emitting an event with that value. On BSC, a specific quantity of Qubit xETH is minted based on the number of ETH deposited into the Ethereum bridge. It invokes IQBridgeHandler in accordance with the deposit logic of the QBridge contract. The WETH token, which is the original tokenAddress, should be sent to QBridgeHandler, and the transfer should not take place if the user who did the tx does not hold a WETH token.”In conclusion, the deposit function was a function that should not have been used once depositETH was created, yet it was still present in the contract.

The hacker was able to enter fraudulent data and withdraw tokens on Binance Smart Chain while none were placed on Ethereum by taking advantage of a logical flaw in Qubit Finance’s code.

The hacker first minted two billion CASH tokens using two billion of his unidentified tokens. This action was only made feasible because of a bug in Cashio’s coding.

Remember that in order to mint CASH, customers must first deposit collateral with a similar value. Simply said, throughout this deposit procedure, a round of validation will be performed to make sure that the protocol account and the collateral account are both holding the same token types. The transfer will be halted if this is not the case. Sadly, Cashio neglected to establish a foundation of trust for the accounts it utilised. As a result, the validation procedure was rendered ineffective, and the hacker was able to create a network of fictitious accounts and mint the staggering 2 billion CASH tokens that he did.

The hacker essentially drained all of Cashio’s stablecoin deposits by burning a portion of the two billion freshly minted CASH tokens for all of the underlying Saber USDT-USDC LP tokens in Cashio’s deposits via the Cashio platform. The hacker subsequently swapped all of the aforementioned USDT-USDC LP tokens for $16.4 million USDC and $10.8 million USDT via Solana’s Saber protocol.

The hacker then used Saber to swap every last CASH token for $8.6 million UST and $17 million USDC, respectively. This quickly brought the open market price of CASH tokens to zero. Following the theft of USDC, USDT, and UST totaling $52.8 million from Cashio and Saber, the hacker converted $15.3 million in USDC and USDT to 3,773.9737 ETH using the Jupiter liquidity aggregator on Solana. This ETH was then sent in three transactions to an Ethereum address via the Wormhole Bridge. The hacker then used Jupiter to convert another $21 million USDC into $20.5 million UST and then used the Wormhole Bridge to send $29 million UST and the final $7.9 million USDC to the same Ethereum wallet address.

Beanstalk Attack

The majority vote governance scheme of the protocol was exploited by the attacker using a vulnerability that served as the foundation for the entire attack. Simply said, any person with a 2/3 share (a supermajority) of the vote has the ability to pass a BIP at any moment.

Due to the intriguing possibility of making money through arbitrage trading, flash loans have grown in popularity in DeFi. However, DeFi is home to a number of hackers who use these loans to steal substantial amounts of cryptocurrency. (Collateral is not required with a flash loan because the initial loan must be returned at the closing of the transaction.) If the borrower is unable to guarantee repayment, the transaction fails.

The $1 billion flash loan was used to purchase 350 million DAI, 500 million USDC, and 150 million USDT from Aave, 32 million BEAN from Uniswap v2, and 11.6 million LUSD from SushiSwap.

The $1 billion flash loan was used to purchase 350 million DAI, 500 million USDC, and 150 million USDT from Aave, 32 million BEAN from Uniswap v2, and 11.6 million LUSD from SushiSwap. In Curve pools with BEAN for governance voting, these tokens were utilised to increase liquidity. In order to create BEAN3CRV-f, the attacker first minted 3CRV using DAI, USDC, and USDT. Then, a new token, BEAN3LUSD-f, was created due to the deposit of 32 million $BEAN and 25 million $LUSD into another contract.

The attacker then placed the aforementioned assets in the Beanstalk Silo, where they were able to gather enough Stalk and Seed to take control of 70% of the circulation (LP depositors get twice as many Seeds per Bean deposited compared to Bean deposits). With this share, the attacker was able to use the emergencyCommit function and obtain a 2/3 supermajority vote.

A fake protocol improvement proposal (BIP18) was now deployed and approved by the attacker, draining the pool fund and transferring the tokens (BEAN/WETH-BEAN LP/BEAN3CRV-f/BEANLUSD-f) to the attacker. The attacker was able to achieve this by using TornadoCash, a coin mixing tool, to obtain 24,830 WETH in profit (about $76 million; the remaining $106 million was utilized to pay back the flash loan to AAVE).

By leading people to assume BIP18 was exclusively intended to collect donations for the Ukraine donation address, the attacker succeeded in misleading the community. The emergencyCommit function assisted the attacker in executing the plan immediately after voting on it, and just like that, Beanstalk lost over $182 million. Once the attacker gained a majority governance share through the flash loan.

Behind the scenes

A hacker’s standard toolkit enables them to obtain a complete copy of a blockchain from the network’s main version and then completely fine-tune an exploit as though it were happening in a real network. Hackers frequently take advantage of flaws in third-party services and mathematical models of business logic. Smart contract creators frequently need more information that is relevant at the time of a transaction than they may now have. As a result, they are compelled to employ outside resources, like oracles. These services don’t function well in an unreliable environment, therefore using them entails significant risks. Although many developers lack the necessary skills, they still attempt to deploy projects quickly. Due to the open source nature of smart contracts, hackers can easily copy and make minor changes to them.

Price manipulation is a common component of flash loan attacks. An attacker can lower the price of a large number of borrowed tokens by selling them in one transaction, then do a variety of acts with the token while their value is very low before purchasing them back.

Join Coinmonks Telegram Channel and Youtube Channel learn about crypto trading and investing

Tags: , , , ,
Previous Post
Cryptocurrency Invest Profit

Nansen Report: How decentralized is Ethereum?

Next Post
Business Cryptocurrency How to Tips Invest Make Money Resources

How web3 is changing payments

Leave a Reply