Subscribe
CryptoWeb.xyz
No Result
View All Result
  • Home
  • News
  • Altcoin
  • Bitcoin
  • Blockchain
  • Ethereum
  • Litecoin
  • Home
  • News
  • Altcoin
  • Bitcoin
  • Blockchain
  • Ethereum
  • Litecoin
No Result
View All Result
CryptoWeb.xyz
No Result
View All Result

DeFi’s Recent, Costly Setbacks Serve as Lessons for the Sector

The “hack” of the DAO runs deep into the collective memory of the cryptocurrency community. After an extremely successful crowdfund in May 2016, the DAO lasted a little over a month before an attacker started to drain funds from the smart contract, taking around $70 million worth of Ether (ETH). 

However, as some pointed out at the time, the DAO incident was not a hack at all. The attacker simply exploited a vulnerability in the underlying smart contract code to make it behave in a way that the programmers didn’t expect. Nevertheless, the incident divided the Ethereum community after a decision was made to implement a hard fork that would return the funds.

Fast-forward to early 2020, and there was over $1 billion worth of crypto tied up in decentralized finance. That’s $1 billion under the management of smart contracts. So, in light of the history, it was perhaps inevitable that someone would eventually find ways of making these applications perform in a manner that nobody had anticipated. The first came in February 2020, with two separate attacks on the bZx decentralized trading platform. More recently, a hacker made off with $25 million from Chinese lending platform Lendf.me, operated by dForce. 

Related articles

Ethereum price at $1.4K was a bargain, and a rally toward $2K looks like the next step

Price analysis 3/22: BTC, ETH, BNB, XRP, ADA, DOGE, MATIC, SOL, DOT, SHIB

Even when hackers aren’t involved, DeFi applications have shown other vulnerabilities. During crypto’s “Black Thursday” in mid-March, MakerDAO liquidated over $4 million worth of loans as the price of ETH plummeted. The crash resulted in a speedy governance vote and a debt auction to remedy the damage. 

Much of the commentary has focused on whether or not DeFi can recover from these setbacks. Based on the history of The DAO incident, it seems inevitable that DeFi will make a recovery. Perhaps the more pertinent question is, what can DeFi DApp operators learn from such incidents to help avoid them happening in the future?

Easy winnings from dForce

The most recent incident involving the Lendf.me hack offers some easy wins. The platform is China’s biggest lending DApp. However, it turns out that the hack was performed as a result of dForce having copied code from an earlier version of Compound, another decentralized lending application. Compound’s old code wasn’t able to guard against the type of attacks known as “reentrancy” specifically for ERC-777 tokens. 

Due to this issue, Compound didn’t support ERC-777 tokens. However, it seems that when dForce copied the code, it didn’t really understand this vulnerability, as it didn’t put the same measures in place, allowing ERC-777 tokens to be used on Lendf.me. Consequently, the attacker exploited the vulnerability, using the ERC-777 imBTC token to drain $25 million from the platform. 

The hacker has since returned the funds, but this is hardly a defense in itself. As reported by Cointelegraph, dForce has faced criticism for failing to take sufficient measures to prevent such an attack. So, if assuming that dForce simply didn’t know about the issue, how could they have avoided it? Alex Melikhov, CEO and co-founder of Equilibrium — issuer of the EOS-based stablecoin EOSDT — is a big fan of the idea of peer reviews. He told Cointelegraph that a “code review by a third party could’ve prevented the incident,” adding:

“An important aspect here is building a testing framework and code audits. The four-eyes principle is perfectly applicable to code development and certainly mitigates vulnerability risks. Despite dForce’s partnership with PeckShield (who has publicly audited its USDx and Yield Enhancing protocol), it seems like auditors haven’t examined the code of its lending protocol LendfMe.”

Dan Schatt, CEO and co-founder of centralized lending platform Cred, agrees, even suggesting that the community could play a role here. He stated to Cointelegraph, “Bug bounties can help incentive the community to look for the type of vulnerabilities that can lead to attacks and an exploitation of these types of vulnerabilities.”

At the time of publication, dForce had confirmed that 100% of users affected by the attack had been refunded via its asset redistribution effort. For its part, dForce did respond to Cointelegraph’s request for comment. Mindao Yang, founder of dForce, stated that upon reflection: 

“A similar attack took place on the Uniswap/imBTC pool hack prior to the [Lendf.me] incident. The Uniswap vulnerability, related to the ERC777 token, had been known since late 2018, but the combination of ERC777 token and the Compound V1 code introducing a reentrancy attack surface only came to our attention after the incident. We could have been more alert when the Uniswap/imBTC pool hack happened and could have been more careful when onboarding new assets.”

Yang continued by saying that the platform plans to avoid similar attacks, and will onboard some external experts in the future:

“We will engage best-in-class, third-party security consultants to assist with a full audit and to help us with fortifying our future security practices. We will find a right time to redeploy a new decentralized money market protocol and other protocols. Moving forward, with their help, we will introduce a rigorous, audited integration process when introducing assets into the dForce ecosystem.”

The spokesperson confirmed that further details of the actions taken in this regard will be shared in a future blog post. 

BZx — a more complicated issue

Before the recent dForce incident, DeFi trading platform bZx was hit twice in the space of a week. These attacks were less down to buggy code than the immaturity and relatively low liquidity of the cryptocurrency space overall. Derivatives exchanges — whether centralized or decentralized — rely on price oracles. These are usually taken from the spot markets, using an average price from multiple exchanges. 

In the case of DeFi platforms, the price feed comes from decentralized exchanges such as Uniswap and Kyber. The issue is that due to some tokens having low liquidity on these platforms, it’s relatively easy to manipulate the price. 

Related: Are the BZx Flash Loan Attacks Signaling the End of DeFi?

BZx handled the incident well, covering $900,000 of users’ losses from an insurance fund. Deribit researchers Su Zhu and Hasu have previously explained how price oracles are vulnerable to manipulation even on centralized exchanges such as BitMEX. In DeFi, where decentralized exchanges are relied on for price oracle data, one could say that this accident was on the cards. 

However, it presents an intriguing conundrum — the only way to solve the challenge is to bring in more users to inject liquidity into DEXs to mitigate the vulnerability to manipulation. However, as long as there is a risk that funds could be drained, DeFi will struggle to attract users. 

The key vulnerability

Finally, turning to the recent Black Thursday event, which caused mass liquidations on MakerDAO: As much as the price crash was completely beyond Maker’s control, are there any lessons that can be taken away from it?

The March crash and subsequent liquidations resulted in a vote to change the Maker’s auction parameters and introduce USDC, a collateral asset type uncorrelated with the crypto market. DeFi detractors will no doubt scoff at the irony of a crypto-backed stablecoin needing to be collateralized by a centralized equivalent. 

However, perhaps Maker’s introduction of USDC shows a certain maturity in the community’s recognition that the young age of the DeFi market means it needs to follow the example of its relatively stable, centralized counterparts until it can stand on its own two feet. After all, Maker founder Rune Christensen recently told Cointelegraph in an interview that he believes DeFi will eventually merge with CeFi, illustrating that perhaps Maker’s use of USDC is an early predictor of this move. 

Having hit the $1 billion milestone this year, it’s a question of when (rather than if) DeFi will recover from these setbacks and reclaim that number once more. However, the fact that these setbacks took place at all illustrates that DeFi founders shouldn’t focus on how far the sector has come, but rather how far it still has to go. By learning from recent incidents, there’s a chance of speedier recovery.

Share122Tweet76Share31
Previous Post

Journeys in Blockchain: William Quigley of WAX

Next Post

ErisX Wins BitLicense, Bitcoin Trading Booms on Silvergate & Square + More News

Related Posts

Ethereum price at $1.4K was a bargain, and a rally toward $2K looks like the next step
Ethereum

Ethereum price at $1.4K was a bargain, and a rally toward $2K looks like the next step

Price analysis 3/22: BTC, ETH, BNB, XRP, ADA, DOGE, MATIC, SOL, DOT, SHIB
Altcoin

Price analysis 3/22: BTC, ETH, BNB, XRP, ADA, DOGE, MATIC, SOL, DOT, SHIB

Ethereum Price Prediction as ETH Rallies 6% in 7 Days – How High Can ETH Go in 2023?
Ethereum

Ethereum Price Prediction as ETH Rallies 6% in 7 Days – How High Can ETH Go in 2023?

MetaMask Institutional unlocks solo ETH staking marketplace
Ethereum

MetaMask Institutional unlocks solo ETH staking marketplace

SpankPay crypto payment service shutters, citing ‘hostile banking environment
Blockchain

SpankPay crypto payment service shutters, citing ‘hostile banking environment

Divergent On-chain Trends Within Ethereum/Bitcoin Network Add to Reasons Why the ETH/BTC Price Might Continue Dropping
Bitcoin

Divergent On-chain Trends Within Ethereum/Bitcoin Network Add to Reasons Why the ETH/BTC Price Might Continue Dropping

ADS SIDE

More News

Bitcoin Price and Ethereum Prediction: Can the Fed Rate Hike Amid Banking Turmoil Boost BTC and ETH?

Bitcoin Price and Ethereum Prediction: Can the Fed Rate Hike Amid Banking Turmoil Boost BTC and ETH?

Aussie crypto exchange hints interest in Hong Kong base, but it’ll depend

Aussie crypto exchange hints interest in Hong Kong base, but it’ll depend

Xapo Bank to enable USDC deposits and withdrawals

Xapo Bank to enable USDC deposits and withdrawals

Long Liquidations Spike Bitcoin Suffers “Sell the Fact” Reaction to Dovish Fed, But BTC Dip-Buyers Will Probably Pounce

Long Liquidations Spike Bitcoin Suffers “Sell the Fact” Reaction to Dovish Fed, But BTC Dip-Buyers Will Probably Pounce

Arbitrum’s ARB token signifies the start of airdrop season — Here are 5 to look out for

Arbitrum’s ARB token signifies the start of airdrop season — Here are 5 to look out for

Bankruptcy Judge: Celsius Account Holders Can Retrieve 72.5% of Crypto Holdings, Permitted They Opt-In to Settlement Plan

Bankruptcy Judge: Celsius Account Holders Can Retrieve 72.5% of Crypto Holdings, Permitted They Opt-In to Settlement Plan

Deloitte dives into immersive experiences as more industries turn to Web3

Deloitte dives into immersive experiences as more industries turn to Web3

Ethereum price at $1.4K was a bargain, and a rally toward $2K looks like the next step

Ethereum price at $1.4K was a bargain, and a rally toward $2K looks like the next step

Bitcoin price whipsaws as Fed says rate hikes may not be ‘appropriate’

Bitcoin price whipsaws as Fed says rate hikes may not be ‘appropriate’

French lawmakers propose ban on crypto influencer promotions

French lawmakers propose ban on crypto influencer promotions

  • Advertise with us
  • Contact Us
  • Disclaimer
  • Terms & Conditions
  • Privacy Policy
  • Sitemap

© 2020 Copyright - All rights reserved.

No Result
View All Result
  • Home
  • News
  • Altcoin
  • Bitcoin
  • Blockchain
  • Ethereum
  • Litecoin

© 2020 Copyright - All rights reserved.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT