Analysis The Attacts That Happens On DeFi Apps And How Can DeFi Platform Strengthen Their Security…

https://cryptocurrencyhub.io/analysis-the-attacts-that-happens-on-defi-apps-and-how-can-defi-platform-strengthen-their-security-107757d77e8e?source=rss----71fc7ee9c781---4
Source

Analysis The Attacks That Happens On DeFi Apps And How Can DeFi Platform Strengthen Their Security Control

Author: Gamals Ahmed, CoinEx Business Ambassador

Abstract

DeFi unleashed a wave of innovation. On the one hand, developers use smart contracts and the decentralized settlement layer to create unreliable versions of traditional financial instruments. On the other hand, they create completely new financial instruments that cannot be achieved without the basic public Blockchain. Atomic swaps, independent liquidity pools, decentralized stable cryptocurrencies and flash loans are just a few of the many examples that demonstrate the great potential of this ecosystem. While this technology has great potential, there are some risks involved. Smart contracts may contain security issues that may allow unintended use. Moreover, the term “decentralization” is deceptive in some cases. Many protocols and applications use external data sources and special administrative keys to administer the system, perform smart contract upgrades, or even perform emergency shut-downs. While this isn’t necessarily a problem, users should be aware that in many cases, there is a lot of confidence involved. However, if these problems can be solved, DeFi may lead to a paradigm shift in the financial industry and may contribute to a more robust and transparent financial infrastructure. In this report we look for those problems to provide some solutions to them in a clear and simple way.

1. Introduction

With the continuous development of blockchain technologies, the financial landscape on top of the blockchain, especially decentralized finance (DeFi), has been expanded and explored in depth. Its market size grows dramatically and gives a certain degree of influence. As of February 2020, there are about $ 1 trillion of financial assets involved in blockchain systems. While this technology has great potential, there are some risks involved. Smart contracts may contain security issues that may allow unintended use. Moreover, the term “decentralization” is deceptive in some cases. Many protocols and applications use external data sources and special administrative keys to administer the system, perform smart contract upgrades, or even perform emergency shutdowns. There are also some major and expected shortcomings in the future when Ethereum needs to service broadband DeFi applications. DeFi lacks more security, fewer transactions, higher usability, and more comfort.

Trending Cryptocurrency Hub Articles:

1. Introduction to Cryptocurrencies: BSV, the Messenger to Realize Satoshi Vision

2. How Do I Secure My Blockchain Wallet

3. Learn to use Blockchain in apps — Lab 4

4. The role of regulation and the crypto economy

For example, you can cite the recent attack that occurred with the bZx protocol, which has recently been breached twice by the attackers who found the weak points. If these problems can be resolved, DeFi may lead to a paradigm shift in the financial industry and may contribute to a more robust and transparent financial infrastructure.

Paper structure. First, Section 2 provides an overview of DeFi, Defi benfites And DeFi best Apps, Section 3 presents a Background . Section 4 then provides the Flash Loan and main reasons the flash loans are especially attractive to attackers. Turning specifically to attacks, Section 5 considers the analysis the attacks that happens on defi apps. Section 6 presents How can DeFi protect assets some previous operations. Section 7 then provides QuarkChain Solu-tion and Section 8,9 conculution and referrances.

2. Decentralized Funding Platform (DeFi)

Decentralized Financing (DeFi) is a movement in the Blockchain space that has recently gained a lot of attraction. The term generally refers to open financial infrastructures built on public smart contract platforms, such as the Ethereum blockchain. Unlike the traditional financial sec-tor, DeFi does not rely on intermediaries and central institutions. Instead, it relies on open protocols and decentralized applications (DApps). Agreements are implemented through smart contracts, transactions that are carried out in a safe and inevitable manner, and legitimate state changes have continued on the public blockchain. Consequently, this structure is capable of creating a highly stable and non-interchangeable financial system with unprecedented transparency, equal access rights, central clearing rooms, or guarantee services, where most of these roles can be assumed through smart contracts. DeFi already offers a wide range of applications. One can, for example, purchase stable cryptocurrencies linked to the US dollar on decentralized exchanges, transfer these tokens to a decentralized lending platform alike to earn interest, and then add tools with symbolic interest to the decentralized liquidity pool or serial investment fund. The backbone of all DeFi protocols and applications is called smart contracts, a term that generally refers to the small applications stored on a Blockchain that are implemented by a large network of many computers. Smart contracts are relatively ineffective com-pared to traditional centralized computing. Its feature is a high level of safety, meaning that smart contracts guarantee the inevitable implementation and allow anyone to check the resulting status changes. When implemented in a safe manner, smart contracts are very transparent and reduce the risk of arbitrary tampering and interference.

To understand the novelty of smart contracts, we first need to look at regular server-based web applications. When someone interacts with such an application, that person is unable to monitor the internal logic of the application. Moreover, this person does not control the implementation environment. Either (or both) can be manipulated. As a result, the user must trust the application service provider. Smart contracts reduce these two issues and ensure the app runs exactly as expected. The code of the nodes is stored on the main blockchain and thus can be publicly scanned. Contract behavior is crucial and job calls (in the form of transactions) are handled by hundreds of network participants in parallel, ensuring legitimacy of implementation.The ecosystem consists of applications built on public ledgers distributed to facilitate unauthorized financial services.

Overall, DeFi is an ambitious attempt to decentralize basic traditional financial use cases such as trading, lending, investment, wealth management, payment, and blockchain insurance. DeFi relies on decentralized applications or protocols. By running these dApps on the blockchain, it provides a peer-to-peer financial network. Like Lego building blocks, all dApps can be merged with each other. Smart contracts act as connectors — comparable to fully defined APIs in conventional systems.

2.1 What is the buzz about DeFi?

DeFi has become a popular topic in the blockchain community. In contrast to the decentralization of funds through Bitcoin, DeFi aims for a broader approach to the overall decentralization of the traditional financial industry. The essence of the initiative is to open traditional financial services to all, in providing an ecosystem of financial services without permission based on the blockchain infrastructure.

2.2 What are the main benefits of DeFi?

DeFi was built on top of the blockchain. The blockchain is often referred to as a generic infra-structure layer, and therefore, DeFi can be considered as a set of Layer 2 applications. This allows DeFi to root the basic ownership of decentralization. It is important to note that this is only proven if the blockchain itself is decentralized. After fulfilling this precondition, the primary benefits of opening financing are shared with the core benefits of the blockchain:

  • True decentralization allows to resist oversight and participation all over the world regardless of social status and distribution of trusted third parties.
  • Use of the blockchain as a technology infrastructure enables relatively fast and low cost transactions / settlement, stability of financial contracts, and contract automation.
  • DeFi apps generally allow the user to keep private keys. This is referred to as not being held in the blockchain ecosystem. The user fully controls the funds without a trusted third party.
  • Increase the transparency of the ecosystem, and thus price and market efficiency. Minimum risk of the main agent, as unequal information is absent and personal interests are governed by a transparent protocol. DeFi prefers network effects, as much innovation is created by uniquely combining different projects in Layer 2 or even Layer 3 applications.

2.3 Best DeFi Dapps

Below, you’ll find the most important DeFi protocols supported by Ethereum that you can use today ranked by dollar amount locked in smart contracts for each platform.

I have used data from DeFi Pulse, a DeFi analytics provider, to compose this list of the best DeFi platforms.

1. Maker

Maker is the most important decentralized financial app on the market. With DeFi dominating nearly 60 percent of the market, nearly $ 600 million in digital assets are currently secured in Maker Smart contracts.

2. MakerDAO

MakerDAO is a decentralized lending protocol that uses a collateralized debt position (CDP) to create a stable Dai currency (DAI), the value of which is linked to the U.S. dollar. Dai is created when users deposit Ethereum (ETH) as collateral into CDPs.

3. Dai

Dai is the only stable decentralized digital currency that anyone can use without restrictions. Unlike other stable cryptocurrencies linked to the dollar, they do not hold the dollar in a

bank. Instead, the Maker protocol uses smart contracts and warranties in the form of ETH to keep the price bound. Dai can be used to lend (to earn interest), pay, trade or invest in other Ethereum-based assets.

4. Synthetix

Synthetix is a decentralized investment platform supported by Ethereum that enables users to create and trade so-called “Synths”, which provide chain exposure to symbolic and complex versions of real assets.

5. Compound

Compound is a decentralized money market protocol that enables holders of digital assets to borrow and lend encryption in exchange for collateral. By adding digital assets to Compound, liquidity pool crypto owners can earn interest, which is automatically adjusted in relation to supply and demand.

6. InstaDApp

InstaDApp refers to itself as an unreliable smart wallet for decentralized financing. It is an app that enables DeFi users to “seamlessly manage, optimize and deploy your assets to get the best returns across protocols.”

InstaDApp provides an easy-to-use dashboard that allows users to manage DeFi investments via protocols like Maker, Uniswap and Compound. For new DeFi users, InstaDApp provides a great starting point.

7. Uniswap

It is a decentralized exchange protocol that enables users to convert Ethereum-based ERC20 codes on the chain in a private, secure and non-custodial manner via a very easy-to-use user interface. Instead of using order books, Uniswap uses so-called liquidity pools that help enhance exchange liquidity in the protocol.

8. DYDX

It is a non-portfolio trading platform powered by Ethereum that enables crypto traders to buy long and short digital assets on margin. Currently, traders can trade ETH using DAI or USDC stable currencies with a leverage of up to 5x.

9. BZX

It is an open financing protocol built on top of the Ethereum chain that enables users to borrow, lend and trade digital assets. Ethereum users can earn the benefit of lending over the protocol, while borrowers can borrow at reasonable rates, determined by supply and demand. Margin traders, for example, can take advantage of the platform by paying lower margin lending rates than central exchanges.

10. Bancor

The Bancor Network is a decentralized exchange protocol that allows users to transfer digital codes between each other rather than having to go through a centralized trading platform.

11. WBTC

It is a symbolic version of Bitcoin on the blockchain Ethereum. ERC20 is supported in 1: 1 bitcoin currency.

The reason for its existence is to enable Ethereum users to purchase, own and trade Bitcoin within the Ethereum ecosystem. In addition, it enables users to use bitcoin in smart contracts in an easy-to-use manner interoperable with all Ethereum-based applications.

12. Set Protocol

It is an open financing protocol powered by Ethereum that enables crypto investors to create and / or buy strategy enabled symbols (or groups), algorithmic algorithms for digital assets that are based on a set of criteria, strategies, parameters, and asset weightings. Each group is represented by a negotiable ERC20 code.

3. Background

There are major drawbacks that DeFi has to overcome to protect data and maintain security. The purpose of each new technology is to create a global impact. But if it is integrated on the global side, more people will join the network. However, maintaining security and protecting data becomes a more difficult task as the network grows.

There were several scenarios where DeFi could not address security issues. As a result, there have been reports of several weaknesses. Since this framework has no governing authority, safety is the most necessary feature here. So, for the future development of this technology, DeFi needs to maintain security and protect all types of data on the network.

DeFi in its current state is vulnerable to attacks and malfunctions, as can be seen from attacks on bZx flash loans in February 2020. Moreover, most DeFi projects on the Ethereum platform are not very suitable for high-frequency trading, as they are limited in terms of computing speed. In addition, there is a problem with user acceptance. The lack of awareness and knowledge among the general public, as well as the fact that most DeFi applications have complex and confusing user interfaces, means that adoption can continue for years. The concept of decentralized financing is staggering, but there are a number of risks that hinder its rapid global progress.

These systems are new and take some time to test in practice. When the protocols interact with each other, the risks of smart contracts multiply. In the event of a fatal error in one protocol, this could lead to a general system vulnerability. The risks of collateral and the risk of fluctuations. Some forms of collateral for loan insurance involve certain risks.

Excessive collateral reduces the risk of volatility, but if the asset’s price drops too quickly, this requirement does not guarantee full coverage of the loan amount. The controversial point is the volatility of interest rates on many DeFi platforms, casting doubt on the meaning of participating in them.

4. Flash Loan

The concept of a flash loan was first termed by Marble Protocol in 2018. Marble marketed itself as a “smart contract bank,” and its product was a simple yet brilliant DeFi innovation: zero-risk loans via a smart contract.

Flash Loan is a further innovation at the head of DeFi and Ethereum, as the blockchain is mostly associated with the concept of “programmable money”. The product was first released by DeFi Aave in this January, then by bZx on February 10.

Flash loans are almost risk free, at least for the borrower. Since the Ethereum network automatically settles transactions, which means that all transactions in a book are executed or nothing is performed, a trader who cannot pay back his loan with his trade loses nothing. Because the deal never happens.

4.1 There are main reasons the flash loans are especially attractive to attackers.

Many attacks require lots of up-front capital ( oracle manipulation attacks) and it minimize taint for attackers. If the attacker want to manipulate an oracle with $ 5M of Ethereum, he might not want to risk it with his own capital. Probably his ETH will get tainted, because the exchanges platforms might reject his deposits. So the flash loans will be easier and riskless.

5. The Attacks that happened on DeFi in 2020 year

2020 has been a difficult year for the DeFi coding sector as we mentioned earlier. These attacks and difficulties will be mentioned as follows:

1. bZx first attack, On February 14

2. The second attack on bzx, On February 18

3. Uniswap attack, April 18

4. Lendf Lending Protocol Attack, April 19

5.1 Analysis DeFi attacks

DeFi is bringing financial tools onto the internet in a way that makes them accessible, programmable, and useful for everyone. Just how the internet made it easy for anyone to create, share, and program information, DeFi is doing the same for money and finance.

DeFi products are trustless, global (accessible to anyone), transparent (anyone can inspect the code), and immutable (can’t be changed unless they’re programmed to). They’re also compos-able with each other, where products can be built on top of each other, similar to how Lego bricks can be combined into something greater than the sum of their parts.

DeFi has created something called a Flash Loan — essentially a risk free loan where anyone can borrow millions of dollars for the duration of a single transaction. If, by the end of the transaction you have not paid back the loan, the whole transaction is rolled back. No capital is exposed to risk, and any end user is able to deploy a large sum of capital for arbitrary purposes.

5.1.1 BZX attacks

BZx (Fulcrum) is a DeFi product that provides a tokenized borrow / lend and margin trading platform. Anyone can add capital to bZx’s pool and borrow against their capital, or leverage long or short by trading into other assets on margin. Their platform uses many other DeFi protocols to fully service these products, taking advantage of DeFi’s composability.

Recently, the bZx decentralized lending protocol was used in consecutive “Flash loan” attacks. While the two programs were distinct, the final results remained the same. In total, $ 954,000 was collected from the platform.

BZx is currently the seventh-largest DeFi protocol, with the total amount of funds locked at around $15.5 million, according to DeFi Pulse.

5.1.2 BZX first attack

Saturday 15th February 2020 at 01:38:57 UTC

On February 14 , KZ Kestner co-founder of bZx describes the exact moment when the attack occurred. The bZx team was out to attend the ETHDenver conference — Ethereum’s tuxedo elebrating the best of DeFi. Alarm bells started ringing when the team received information about a “suspicious” treatment. Kistner writes:

“We immediately returned home from the happy hour tBTC.”

Kistner informed the members of the company’s Telegram group, stating that an “exploit” was performed under the bZx contract — which was paused — and that “part of the ETH” had been lost. The actual amount harvested in the first accident was 1,193 Ethereum (ETH). Echoing the words of Binance Changpeng Zhao manager, bZx confirmed that user money was “SAFU”.

Fortunately for its users, bZx works failover safety — collecting 10% of all interest earned by lenders and putting them in an insurance fund. Thus, the losses for bZx users are symbolic. For bZx, the attack came at a great reputation.

Automated loans that are automatically executed are executed as “risk-free” as the Ethereum network corrects any payments for the loan failure through the original re-transaction. Due to its atomic nature, so neither side was able to intercept the flash loan attack while it was occur-ring.

However, it wasn’t just a flash loan to the attacker. They also benefited from the weaknesses of the bZx smart contract. Kestner explained to cointelegraph how the initial attack was al-lowed:

“The first attack was somewhat simple in that they did a lot of trading that covered lenders’ money. The flag was raised in the stack that allowed the trade to bypass the check whether they were putting the lender’s money at risk or not. “

The bypass checks Kistner mentioned are the same thing that former Google engineer Korantin Auguste points out in his detailed analysis of the attack:

“The attacker took advantage of the bZx error that caused the circulation of a large amount on Uniswap at an inflation price of 3x”.

As it turned out, the crucial job is to check whether the market recession has occurred or not. If so, he would have invalidated the bZx attacker’s position — which made the trade ineffective. Instead, the attacker was allowed to continue unimpeded.

The attack at its core was a single, incredible transaction that borrowed millions of dollars in a flash loan, and threaded these funds through several DeFi protocols to elegantly manipulate and exploit bZx’s collateral pool.

1. The attacker succeeded in making a profit of 1,193 ETH. To use a somewhat reduced interpretation, the attacker invented a network of parameters to implement “pumping and discharging”.

2. The attacker got a 10,000 to ETH loan on the DeFi dYdX lending platform. They then split the loan between bZx and another loan platform known as compound. ETH sent to the Compound was used to secure another loan for 112 wrapped Bitcoin (WBTC) files. Meanwhile, the 1300 ETH allocated to bZx was used to shorten the ETH for WBTC.

3. The ETH sent to Compound was used to collateralize another loan for 112 wrapped Bitcoin (WBTC). Meanwhile, the 1,300 ETH allocated to bZx was used to short the ETH for WBTC.

4. By exploiting low liquidity on a decentralized exchange known as Uniswap, which shares price data with bZx via the DeFi Kyber network, the attacker managed to pump the price of WBTC to Uniswap through the WBTC set to bZx.

5. The opponent then cast the loaned WBTC from Compound on Uniswap, taking ad-vantage of market price inflation. With profits in hand, the attacker paid off the original dYdX loan in full and earned a profit of 1,193 ETH leaving bZx with an unsecured loan.

Everything detailed above was performed in one transaction — achieved through a DeFi product known as “flash loan”.

Figure(1): First attack on Bzx

Immediately following the attack, the bZx team used their admin super-keys to pause trading and borrowing on bZx, and fixed the underlying bug. As the community discussed this new exploit and trading and borrowing resumed, a second attack occurred through a similar mechanic.

5.1.3 The second attack on BZX

On February 18, bZx fell victim to another attack, forcing the suspension of another protocol. Similar to the first way, flash loans were used to facilitate pumping and unloading on Uniswap — this time leading 2378 ETH to the attacker.

This time, the attacker took 7500 ETH flash loan on bZx, trading 3.517 ETH for 940,000 Synthetix USD (sUSD) — a stable cryptocurrency tied to one with the US dollar. Next, the attacker used 900 ETH to buy another round of SUSD on Kyber and Uniswap, and pumped the SUSD price more than 2.5 times the market price.

Then, using the now oversized SUSD borrowed from Synthetix as collateral, the attacker took out a 6,796 ETH loan on bZx. Using the newly borrowed ETH and the remaining ETH from the original loan, the attacker repaid the 7,500 Flash ETH flash and once again made a profit, this time to 2,378 ETH.

This attack was more akin to an oracle attack, or a process that manipulates a trusted value. In this case, the flash loan drove up the spot price of ETH-sUSD on Uniswap (the oracle), which BZx used to determine the value of collateral in loans.

  • The manipulation of Oracle

Instead of repeating the original error, which was fixed after the first attack, it appears that the second round was the result of the Oracle manipulation.

Oracle is a blockchain-based broker that feeds external data into smart contracts. In this case, the Oracle bZx price posted the inflated SUSD price without verification, causing bZx to be-lieve that the 6769 ETH loan was fully guaranteed. Analysis from PeckShield, a blockchain security company exploiting Oracle summed up as follows:

“Oracle’s processing significantly increases the price of the affected token, i.e. SUSD, and makes it highly valued in the bZx lending system. An attacker could then simply deposit the purchased or stored SUSD earlier as a guarantee of WETH borrowing for profit”.

Volatility along with low liquidity can prove to be a mixture that has left. In this case, market slippage was inevitable, and the attacker knew that. Fortunately, since the accident, bZx has made the decision to partner with Oracle’s decentralized Linkchain and used its price data.

  • Weaknesses in bZx protocols

The attacker misused multiple vulnerabilities in bZx protocols, taking advantage of low liquid-ity markets and using blatant manipulation methods. Kistner, co-founder of bZx, also told Cointelegraph that it is cut and dried:

“It is an attack because he used our code in a way that was not designed to achieve an unexpected result that created responsibilities for third parties.”

By sharing a similar opinion, Former Google engineer Korantin Auguste asserts that no matter how he looks at him, these were malicious attacks:

“In either case, there were bugs exploited in bZx code, so these were definitely attacks and could not be described as smart arbitration or something legitimate.”

Thomas Gluxman, vice president of global business development, Blockchain analyst Merkle Science. The incident was a breakthrough as it was flash to redirect the lights back on bZx, hinting that any offensive carriers should have been corrected sooner, especially given the lessons learned from piracy in a self-decentralized organization in 2016.

“Developers can usually avoid such scenarios by ensuring intelligent contract scrutiny. It is surprising that some teams have not yet learned of the consequences of the DAI disaster and illustrate the current fragility of DeFi services.”

Indeed, the specific attack against bZx was described months before it was committed by Samczsun’s White Hat hacker in a detailed blog post. As Samczun wrote at the time, assuming there is an exploit involving bZx, the Ethereum symbol known as DAI and other decentralized exchanges called DDEX:

“By relying on Oracle’s decentralized price on the chain without checking the rates returned, DDEX and bZx were vulnerable to atomic price manipulation. This could have resulted in liquid ETH loss in the ETH / DAI market for DDEX, and the loss of all money in bZx.”

At bZx, the team turned their attention to securing the network. Kistner said trading will re-sume again soon after using Chainlink oracles for pricing, although there are no new users. For the future, Kistner said, bZx will consider duplicating the infrastructure for MakerDAO, DeFi’s largest provider.

Figure(2): The second attack on Bzx

5.2 Attack by cannibalizing PoS security

A PoS system is secure when there are lots of coins actively staked for the network. In most PoS algorithms, so long as 2/3rds of all the staked assets are owned by honest actors, the block-chain will be secure. In PoS, an attacker can perform this attack while hedging out all of their price risk, all without anyone’s permission, all on-chain.

When a PoS network is in an open ecosystem, any on-chain lending market can cannibalize its security by offering higher yields. Actually , even if the system does not directly support smart contracts.

If the staking asset can be tokenized and transferred cross-chain, a tokenized lending market on another chain could have the same situation!

PoS has two options to solve this: either force on-chain lending markets to cap their interest rates, or compete with the lending markets by offering better returns to stakers. This first strategy would be akin to imposing capital controls. This is impossible on permissionless block-chains.

The only real way to defending is by using flexible monetary policy to offer competitive rates. A PoS network must use its issuance rate as a tool that adapts to real-time market pressures. It must have adaptive monetary policy, if it wants to remain secure in perpetuity.

5.3 Uniswap and Lendf.me attacks

Timeline of the relevant events in Uniswap and Lendf.Me

8:58 SGT on April 18th. An attacker used a vulnerability with Uniswap and ERC777 to per-form a reentrancy attack.

12:12 on April 18th. The Tokenlon team observed the anomaly, defined the incident as a P0-level security issue and established an emergency response team.

12:49 on April 18th. After evaluating the situation, Tokenlon suspended the transfer of imBTC and notified imBTC partners including Lendf.Me to evaluate potential security risks.

17:00 on April 18th. ImBTC transfer was resumed after receiving the confirmation from Lendf.Me and other partners that it is OK to do so.

09:28 on April 19th. Tokenlon received a message from Lendf.me about a reentrancy attack, similar to the one happened to Uniswap, resulting in a large number of abnormal borrowing on the platform.

10:12 on April 19th. In order to cooperate with the investigation of the reentrancy attack, Tokenlon suspended the transfer of imBTC.

5.3.1 Uniswap attack

The attack became possible because Uniswap V1 does not have protection measures for this type of re-entry attack when interacting with ERC-777. In total, the hackers have moved away from ~ $ 300k USD in imBTC and ETH (~ $ 141k ETH + ~ $ 160k imBTC).

Uniswap or the crypto community did not know these attack vectors. About a year before the Uniswap attack, ConsenSys Diligence — ConsenSys Security Audit Service — identified and deployed ERC-777 reentry attack vectors.

5.3.2 Lendf lending protocol attack

The Lendf.me incident exploited the same reentrancy vulnerability made available by the in-complete compatibility between the lending protocol and the ERC-777 token standard, but to a far more extensive degree of success. Nearly 100% of Lendf.me’s funds — over 24m USD — was drained during the attack on April 19.

Unlike in the Uniswap event, the stolen funds were not limited to just ETH and imBTC. Though the majority of stolen funds were WETH ($10 m), USDT and HBTC made up for an additional $9.7m, followed by at least 16 other tokens.

In an unexpected turn of events, the Lendf.me hacker(s) returned the stolen funds to the proto-col, reportedly because they accidentally exposed an IP address during the attack. The Sankey diagram below shows the flow of funds after the hack. Funds left the Lendf.me contract (green), went through the handler contract (gray), and to the hacker’s address (black). After the IP was revealed, the hacker transferred the funds back to the Lendf.me admin address, which then transferred the funds to a recovery address (both in purple). The far right of the graph, where the diagram flows out into many individual fund streams, marks the moment when Lendf.me returned funds to individual users.

Figure(3): Funds Flow Throughout Lendf.Me Incident

Uniswap and Lendf.me — The Reentrancy Attack on ERC-777

The imBTC token is an ERC-777 token released by Tokenlon, a DEX running on the 0x pro-tocol. In both the Uniswap and Lendf.me incidents, the hackers exploited a reentrancy vulner-ability that arose from the incompatibility between the ERC-777 token standard and the DeFi protocols.

The reentrancy vulnerability allowed the hacker to essentially re- spend initial deposits of imBTC, effectively providing them with unlimited capital to enact trades or borrows.

6. How can DeFi protect asset some previous operations

6.1 Control and arrangement tools

By taking advantage of the openness of the Ethereum blockchain, a host of DeFi-related monitoring tools must be made available to the public to interact with greater confidence in financial applications.

6.2 Monitoring network health: For individual users

On lending platforms, user deposits are at risk of liquidation once the collateral ratios drop below certain thresholds due to price fluctuations. Once the collateral falls, the percentage drops, and the vault becomes open for liquidation. Users can track the collateral and decide to pay off borrowers or add deposits to keep the vault safe and out of liquidation. Monitoring tools will play an important role in confident user interaction with lending protocols if these tools provide reliable real-time and reliable price feeds for different assets in order to alert users to take action in advance.

Another measure of monitoring on lending platforms is the utilization ratio of asset liquidity. The utilization ratio is calculated by dividing the total amount of debts based on the size of the offer in the liquidity pool. If all the money in the complex is borrowed and not paid, then the utilization rate is almost 100%.

6.3 Smart contract audits

Auditing services are able to identify potential contract vulnerabilities through strict testing and white hat penetration before protocol or feature release. Although third-party automated tools can identify groups of common weaknesses, these tools are most effective when combined with direct audit services. As the DeFi protocols grow in number, complexity, and interconnectedness, more vulnerabilities and security threats are likely to occur.

On decentralized exchanges, liquidity pool sizes can help users determine which platform is the most flexible reserve. DEXes is one of the most important portals in the arbitrage chain, proven in the case of bZx. Uniswap is one of the most actively used DEXes, and its liquidity sets are linked to many DeFi / DEX protocol interfaces. The biggest drop occurred on February 18, which is the timing of the second bZx attack. On February 18, the pool of liquidity in Uniswap decreased because the operator borrowed a large amount of WBTC on bZx via Ky-berUniswap Reserve. The second biggest drop occurred on March 13, when crypto markets fell. On March 13, the Uniswap liquidity pool declined because cryptocurrency holders were concerned about market volatility and pulled out large amounts of their liquidity from the Uniswap pool. Despite significant declines in the pool size of liquidity, Uniswap has surpassed its weaknesses and market volatility in the past few months very well — demonstrating the flexibility of the DeFi protocol with a larger set of liquidity.

7. QuarkChain solution

Recently QuarkChain announced the partnership with NUTS Platform for the Building Next Generation of DeFi Ecosystem ( DeFi 2.0). The partnership between QuarkChain and NUTS Finance can reshape the existing DeFi ecosystem and help build an even more flourishing ecosystem.

The proposal of this partnership is:

  1. Significantly lower the hurdles of DeFi: Using QuarkChain’s high throughput and low transaction feeds, we will attract more users to participate in DeFi.
  2. Improve user experience: through issuing QNUT native token.
  3. The first project that supports the composability of cross-chain Defi: NUTS Platform will be the first blockchain project that supports the composability of cross-chain DeFi.
  4. Build a high-performance DeFi platform: QuarkChain will provide full support for the NUTS platform, including seamless support of QuarkChain wallet for QNUT, support of ad-vanced transactions on the upgraded DeFi platform, and other special businesses.

I’ve contacted QuarkChain developer team with this question:

How can QuarkChain strengthen DeFi platform security control in DeFi 2.0 ?

And I’ve got the following answer:

“We will support most single-chain consensus including PoW, PoS, and DPoS. Further, we could support consortium consensus such as PoA”.

The benefits of our cross-shard are a lot:

  1. All cross-chain tx will be secured by our share security, both in terms of double-spending attack and token limit protection.

This means a double-spending attack must not only attack a single shard, but also need to attack the whole network, which is much more difficult.

Further, we also ensure that for the token transfer cross-shards, the limit of the tokens will be invariant — even a double-spending attack will not increase or decresae the number of tokens in the network, which is very important.

Note that Cosmos cannot ensure the property, and Polkadot is working on it — but I haven’t seen the concrete method to avoid it.

2. Our cross-shard is very efficient — the cost is almost the same as in-shard tx, and the through-put of cross-shard txs are very high.

This means we are able to accept a large applications in our network no matter such it is cross-shard or in-shard.

3. The user experience is almost the same as in-shard, i.e., the end user can hardly find the user difference between cross-shard or in-shard.

I think with these features, we could achieve several important feature such as cross-shard DeFi composability, which is planned for ETH2.0.

With our multi-native token feature ready, we believe more applications can enjoy our cross-chain capabilities.

Our core technology is called sharding, and the sharding consensus is called Boson consen-sus.

You could find the details of the algorithm here https://github.com/QuarkChain/pyquarkchain/blob/master/papers/boson.pdf “.

8. Conclusion

DeFi has created powerful new financial products, weaving them together in emergent ways. But these attacks are a sobering reminder that programmable finance is still programmable and bugs are therefore expected — especially when innovation pushes the boundaries of what is possible. Today, the combination of flash loans and a web of composable DeFi protocols that interact in complex ways have created this new class of vulnerabilities.

DeFi should expect more flash loan style oracle attacks. But this is just part of how DeFi be-comes more resilient.

We should not expect DeFi to become completely secure against all attacks, but we can build an increasingly robust ecosystem with Defense in Depth, where multiple layers of redundancy provide increased security. We also need to develop greater levels of consumer protection and/or insurance. Notably, one DeFi insurance product made its first payout following the bZx attacks, an encouraging sign.

Protocols should graduate to increasing levels of decentralization over time, and only after they’ve demonstrated a track record of good security hygiene. Compound is one notable ex-ample.

9. References

1. February 22, 2020 by cointelegraph : https://cointelegraph.com/news/are-the-bzx-flash-loan-attacks-signaling-the-end-of-defi

2. March 9, 2020 by QuarkChain: http://bit.ly/DEFIQKC_TELE

3. February 18 , 2020 by palkeo: https://www.palkeo.com/en/projets/ethereum/bzx.html

4. May 19, 2020, codefi: https://codefi.consensys.net/blog/security-risks-in-ethereum-defi

5. February 27, 2020, coindesk: https://www.coindesk.com/the-defi-flash-loan-attack-that-changed-everything

6. March 13, 2020 Coinbase: https://blog.coinbase.com/around-the-block-analysis-on-the-bzx-attack-defi-vulnerabilities-the-state-of-debit-cards-in-1289f7f77137

Don’t forget to give us your 👏 !

https://medium.com/media/974d07603b9c9ad19d749b8dbe54e438/href


Analysis The Attacts That Happens On DeFi Apps And How Can DeFi Platform Strengthen Their Security… was originally published in Cryptocurrency Hub on Medium, where people are continuing the conversation by highlighting and responding to this story.