Severe Security Vulnerabilities and Prevention in DeFi

HyperBC
5 min read · May 28, 2024


Numerous security risks exist in decentralized finance (DeFi) that can pose serious threats to users, platforms, and the entire financial ecosystem. We have summarized three types of DeFi security risks and illustrated the hacking process and corresponding solutions by analyzing recent real-world security incidents.

Flash Loan Attacks

Flash loan attacks are a form of attack on DeFi applications that exploits the flash loan mechanism, which allows borrowing without collateral. Flash loans are a common ingredient of attacks: attackers use the large borrowed sums to manipulate prices or abuse business logic. Developers must consider whether contract functions can fail when confronted with very large amounts, or whether rewards can be extracted by interacting with multiple functions within a single transaction. Contracts often use values such as token balances held by the contract to calculate rewards, or the token quantities in DEX trading pairs in various calculations. If developers do not consider that attackers can manipulate these variables with flash loans, the contract's funds can be stolen.

Attackers borrow large sums through flash loans and perform operations within the same transaction to commit fraud.

ShidoGlobal Flash Loan Attack Incident

On June 23, 2023, the ShidoGlobal flash loan attack occurred on the Binance Smart Chain (BSC). The attacker exploited locking and claiming mechanisms and arbitrage opportunities between two pools, successfully stealing 976 WBNB.

Sandwich Attacks

A sandwich attack exploits information asymmetry on decentralized exchanges (DEX). Attackers insert malicious transactions between two legitimate ones to profit from price differences.

Curve Finance Sandwich Attack Incident

On August 2, 2023, Hypernative systems launched a sandwich attack on Curve Finance. The attacker inserted malicious transactions between adding and removing liquidity, earning 36.8K USDT. The malicious transaction removed a large amount of DAI and USDC liquidity from the Curve DAI/USDC/USDT pool and destroyed 3CRV LP tokens. This unbalanced the pool, leaving a relatively higher quantity of USDT and thereby lowering its value.

The other two transactions were the attacker’s adding and removing liquidity. The attacker took advantage of the price difference by adding their DAI and USDC liquidity to the Curve DAI/USDC/USDT pool and withdrawing it at a premium, obtaining more 3CRV LP tokens. Thus, the attacker packaged malicious transactions with two legitimate transactions, buying USDT liquidity at a low price and selling it at a high price for profit.

Blockchain Oracle Manipulation

Price oracles provide real-time price information for cryptocurrencies, which is crucial to the normal operation of many DeFi protocols. An oracle attack involves an attacker artificially altering the data provided by the oracle in order to profit from transactions that settle at the manipulated prices.

Rodeo Finance Oracle Attack Incident

Rodeo is a DeFi platform offering price oracle services. On July 11, 2023, oracle manipulation allowed hackers to steal approximately 472 ETH (around $888,000) from the Rodeo protocol.

The key to the Rodeo Finance attack lay in the Rodeo TWAP Oracle, which tracked the price ratio between ETH and unshETH. The attack began with the attacker executing a carefully planned transaction, exploiting a potential vulnerability in the time-weighted average price (TWAP) oracle.

The attacker forced the exchange of USDC for unshETH using the earn function associated with an unconfigured strategy address, effectively bypassing slippage control due to the flawed unshETH price oracle. Essentially, the earn function was forced to swap USDC for WETH and then for unshETH.

The TWAP price was calculated by averaging the last four updated prices at 45-minute intervals. However, the flawed price oracle returned a manipulated price, leading the smart contract to believe the position was healthy. The attacker then opened a leveraged position by controlling the TWAP oracle and calling the earn function from the investor contract, borrowing $400,000 worth of USDC.
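As an added illustration (not code from this post or from any protocol it mentions), the constructed toy pool below shows the mechanism behind both the flash loan section and the Rodeo TWAP discussion: a reserve-derived spot price read inside the same transaction as a large borrowed swap, and how far a single manipulated observation still moves a four-sample TWAP. The pool sizes, the 45-minute spacing of samples and the 5% tolerance are assumptions for the example.

```python
from dataclasses import dataclass


# Constructed toy constant-product pool (x * y = k, no fee); not any real DEX.
@dataclass
class Pool:
    reserve_token: float   # asset being priced (think unshETH)
    reserve_quote: float   # quote asset (think WETH)

    def spot_price(self) -> float:
        """Price of one token in quote units, read directly from reserves."""
        return self.reserve_quote / self.reserve_token

    def swap_quote_for_token(self, quote_in: float) -> float:
        """Buy tokens with quote; returns the tokens received."""
        k = self.reserve_token * self.reserve_quote
        new_quote = self.reserve_quote + quote_in
        new_token = k / new_quote
        received = self.reserve_token - new_token
        self.reserve_quote, self.reserve_token = new_quote, new_token
        return received


def twap(observations: list[float], window: int = 4) -> float:
    """Plain average of the last `window` observations, assumed 45 minutes apart."""
    recent = observations[-window:]
    return sum(recent) / len(recent)


def within_tolerance(spot: float, reference: float, max_deviation: float = 0.05) -> bool:
    """Lender-side guard: refuse to act when the live spot price strays from the TWAP."""
    return abs(spot - reference) / reference <= max_deviation


def simulate(borrowed_quote: float = 9_000.0) -> dict:
    pool = Pool(reserve_token=1_000.0, reserve_quote=1_000.0)   # starts at 1 quote per token
    history = [1.0, 1.0, 1.0, 1.0]                              # four calm observations
    before = {"spot": pool.spot_price(), "twap": twap(history)}
    before["accepted"] = within_tolerance(before["spot"], before["twap"])

    pool.swap_quote_for_token(borrowed_quote)   # one flash-loan-sized buy inside a single tx
    history.append(pool.spot_price())           # a naive oracle records the inflated price
    after = {"spot": pool.spot_price(), "twap": twap(history)}
    after["accepted"] = within_tolerance(after["spot"], after["twap"])
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(simulate())
```

A single inflated sample still drags the four-sample average from 1.0 to 25.75, so a short TWAP on its own is not a safe reference; it is the spot-versus-TWAP guard that rejects the position.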

Tips for Project Developers

Limiting Flash Loan Functionality

Limiting flash loan functionality and introducing flash loan fees are standard methods to reduce flash loan attacks and manipulation risks.

  • Limit Flash Loan Functionality
    Set minimum loan amounts and loan time limits to reduce the chances of attackers using flash loans for attacks.
  • Introduce Flash Loan Fees
    Charge a fee to borrowers, increasing the cost of attacks and making flash loan attacks riskier and more expensive.

Limiting Transaction Order

To prevent sandwich attacks, implement complex smart contracts and transaction logic, such as limiting transaction orders and introducing transaction delays. Allow transaction execution only if the current block time exceeds the set delay time, giving other users enough time to execute transactions and update prices. This reduces the chances of attackers exploiting price differences.

Using Multiple Oracles for Price Calculation

Ensure the reliability of price queries by using multiple oracles or aggregated price feeds for price calculation instead of relying solely on token pair ratios. This diversity of pricing information sources can improve price data accuracy and make it harder for attackers to manipulate data, especially in pools with poor liquidity.
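The aggregation rule described above, as an added example that is not part of the original post: several feeds are filtered for freshness and mutual agreement, their median becomes the reference, and a token-pair ratio read from a pool is accepted only if it stays close to that reference. The thresholds, feed names and prices are constructed for the example.

```python
from dataclasses import dataclass
from statistics import median

# Assumed thresholds for this example; tune to the asset's normal volatility.
MAX_AGE_SECONDS = 600        # ignore feeds not updated within 10 minutes
MAX_FEED_SPREAD = 0.02       # a feed must be within 2% of the median to count
MAX_POOL_DEVIATION = 0.05    # pool-derived price may differ from the aggregate by at most 5%
MIN_FEEDS = 3


@dataclass(frozen=True)
class Quote:
    source: str
    price: float
    updated_at: int   # unix seconds


def aggregate_price(quotes: list[Quote], now: int) -> float:
    """Median of fresh, mutually agreeing feeds; raises if too few survive the filters."""
    fresh = [q for q in quotes if now - q.updated_at <= MAX_AGE_SECONDS]
    if len(fresh) < MIN_FEEDS:
        raise ValueError("not enough fresh feeds")
    first_pass = median(q.price for q in fresh)
    agreeing = [q for q in fresh if abs(q.price - first_pass) / first_pass <= MAX_FEED_SPREAD]
    if len(agreeing) < MIN_FEEDS:
        raise ValueError("feeds disagree; refusing to price")
    return median(q.price for q in agreeing)


def accepts_pool_price(quotes: list[Quote], pool_price: float, now: int) -> bool:
    """Reject a token-pair ratio that strays from the aggregated feeds (thin-pool check)."""
    reference = aggregate_price(quotes, now)
    return abs(pool_price - reference) / reference <= MAX_POOL_DEVIATION


# Constructed sample feeds: three healthy, one stale, one outlier.
NOW = 1_700_000_000
SAMPLE_QUOTES = [
    Quote("feed-a", 2000.0, NOW - 30),
    Quote("feed-b", 2001.5, NOW - 45),
    Quote("feed-c", 1998.0, NOW - 60),
    Quote("feed-stale", 1500.0, NOW - 7200),   # two hours old, dropped
    Quote("feed-outlier", 2400.0, NOW - 20),   # about 20% off the median, dropped
]

if __name__ == "__main__":
    print(aggregate_price(SAMPLE_QUOTES, NOW))             # 2000.0
    print(accepts_pool_price(SAMPLE_QUOTES, 2003.0, NOW))  # True
    print(accepts_pool_price(SAMPLE_QUOTES, 5000.0, NOW))  # False
```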

How Can Users Protect Themselves from DeFi Projects?

  • Check if Contracts are Open Source
    “Code is the law.” If the contract contents are unclear, exercise caution.
  • Multi-Signature and Decentralization
    Multi-signature should be decentralized and not easily compromised to be effective.
  • Existing Contract Transactions
    Check if the contract is a proxy, if it can be upgraded, and if it has a time lock.
  • Multiple Audits
    Ensure the contract has been cross-audited by various audit firms and that the audited version matches the online version (do not unquestioningly trust audit firms).
  • Owner Permissions
    Ensure owner permissions are controlled. Regular projects should have manageable owner permissions.
  • Oracle Reliability
    Be cautious of oracles that can be manipulated.
  • Use Secure Wallets
    Choose wallets that have undergone security audits and have a good reputation, either software wallets or hardware wallets. Ensure the wallet software and firmware are current and follow best security practices.
  • Backup and Protect Private Keys
    Store private keys securely and encrypt them with a strong password. Regularly back up private keys and keep the backups offline in a secure place to prevent accidental data loss. HyperBC utilizes MPC technology to provide a secure wallet solution.

About HyperBC

HyperBC is a market leader in digital asset custody and MPC payment solutions, catering to businesses seeking a secure and efficient transition to Web3 while ensuring the security of their assets. We are committed to the mission of "fostering financial freedom." In line with this objective, we provide asset owners with a complete range of services, encompassing asset custody, merchant payments, clearing and other financial services.
