ViaBTC | The Lesson We Draw from the Largest DeFi Hacking Incident in History
The recent hacker attack, the largest by amount stolen in history, has stirred a wave of discussion and has even reached people outside the industry. According to on-chain explorer data, the attacker stole about $610 million worth of cryptocurrency in just 34 minutes. O3 Swap, a cross-chain swap service built on the Poly Network cross-chain protocol, was mistaken for the target of the attack simply because of that dependency, and its token fell by a staggering 30%. The security of DeFi has once again been pushed into the eye of the storm.
Apart from this incident, other DeFi-related hacks had cost users nearly $360 million by the end of July. According to the available data, nearly 40 such incidents have been recorded since the start of this year, with losses approaching $1 billion (assets later returned by the hackers are not counted).
No one, not even the best security auditors, can fully predict how a deployed smart contract will behave under attack. With billions of dollars locked in smart contracts, the most resourceful attackers are certainly still searching for weaknesses to profit from.
The greatest risk facing DeFi projects lies in their novelty and complexity, which make it hard for security auditors to find existing vulnerabilities. DeFi developers must have their code continuously reviewed by security auditors so that vulnerabilities are found before they are exploited; otherwise a single successful attack can cause immeasurable financial loss.
Since its inception, DeFi has suffered countless attacks. Two kinds are especially common: flash loan attacks and rug pulls.
As a financial instrument, the flash loan is a genuine innovation in smart contracts. A user can borrow a huge amount of capital with no collateral for only a small fee, on the condition that the loan is repaid within the same transaction; if it is not, the whole transaction is reverted and the loan never takes effect.
Attackers exploit this by borrowing a large amount via flash loan, using it to trade against a thinly traded pool so that a token's spot price is pushed far from its real value, and then interacting with a protocol that reads that manipulated price (for example, to borrow against collateral that is now valued far too high). They repay the flash loan at the end of the same transaction and keep the difference as arbitrage profit; because the whole sequence is atomic, they risk nothing but the fee.
For example, a flash loan attack this February against the DeFi lending protocol Alpha Homora resulted in a loss of $37.5 million. In an Alpha Homora V2 pool, the attacker manipulated millions of dollars' worth of stablecoins, inflated their value, and finally extracted the arbitrage.
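The price manipulation described above can be reproduced offline with a small simulation. The following Python is an added illustration written for this article; it is not code from Poly Network, Alpha Homora or any real protocol, and the pool sizes, the flash loan amount, the lending protocol and its loan-to-value ratio are all constructed for the example. It models a constant-product (x*y=k) pool, a lending protocol that values collateral from the pool's spot price, and the same attack run against a protocol whose oracle uses a time-weighted price fixed before the transaction.

```python
"""Flash-loan oracle manipulation against a constant-product AMM (added example).

Token X is a stablecoin, token Y the collateral asset. The attacker borrows X in a
flash loan, buys Y to push the pool's spot price up, borrows X from a lending
protocol that prices Y off that spot price, and repays the flash loan, all in one
atomic transaction. All numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class ConstantProductPool:
    """Uniswap-v2 style pool: reserve_x * reserve_y stays constant (minus fees)."""
    reserve_x: float
    reserve_y: float
    fee: float = 0.003  # 0.3% charged on the input amount

    def spot_price(self) -> float:
        """Price of one Y in X, read directly from the reserves (manipulable)."""
        return self.reserve_x / self.reserve_y

    def swap_x_for_y(self, dx: float) -> float:
        """Sell dx of X into the pool; returns the amount of Y received."""
        dx_eff = dx * (1 - self.fee)
        dy = self.reserve_y * dx_eff / (self.reserve_x + dx_eff)
        self.reserve_x += dx
        self.reserve_y -= dy
        return dy


@dataclass
class LendingProtocol:
    """Hypothetical lender: lends X against Y collateral at a fixed LTV.

    `oracle` returns the price of Y in X; which oracle is used is the whole point.
    """
    liquidity_x: float
    ltv: float
    oracle: Callable[[], float]
    collateral_y: float = 0.0
    debt_x: float = 0.0

    def deposit_and_borrow(self, collateral_y: float) -> float:
        self.collateral_y += collateral_y
        allowed = collateral_y * self.oracle() * self.ltv
        amount = min(allowed, self.liquidity_x)  # cannot lend more than it holds
        self.liquidity_x -= amount
        self.debt_x += amount
        return amount


def run_attack(pool: ConstantProductPool, lender: LendingProtocol,
               flash_loan_x: float, flash_fee: float = 0.0009) -> float:
    """One atomic transaction; returns the attacker's net profit in X."""
    y_bought = pool.swap_x_for_y(flash_loan_x)       # step 1: pump the price of Y
    borrowed = lender.deposit_and_borrow(y_bought)   # step 2: borrow at the pumped price
    repay = flash_loan_x * (1 + flash_fee)           # step 3: repay the flash loan
    # The attacker abandons the Y collateral; what is left after repayment is profit.
    # (A real attacker would simply revert an unprofitable transaction.)
    return borrowed - repay


def attack_vs_spot_oracle():
    """Lender reads the pool's live spot price: vulnerable."""
    pool = ConstantProductPool(1_000_000, 1_000)   # fair price 1000 X per Y
    lender = LendingProtocol(10_000_000, 0.75, oracle=pool.spot_price)
    profit = run_attack(pool, lender, 5_000_000)
    return profit, pool, lender


def attack_vs_twap_oracle():
    """Lender uses a price committed before the transaction (TWAP-style): safe."""
    pool = ConstantProductPool(1_000_000, 1_000)
    fair = pool.spot_price()  # a TWAP cannot see intra-transaction reserves
    lender = LendingProtocol(10_000_000, 0.75, oracle=lambda: fair)
    profit = run_attack(pool, lender, 5_000_000)
    return profit, pool, lender


def bad_debt(fair_price_y: float, lender: LendingProtocol) -> float:
    """Debt left uncovered once the price returns to its fair value."""
    return lender.debt_x - lender.collateral_y * fair_price_y


if __name__ == "__main__":
    p, pool, lender = attack_vs_spot_oracle()
    print(f"spot oracle: pumped price {pool.spot_price():,.0f}, profit {p:,.0f} X, "
          f"bad debt {bad_debt(1_000, lender):,.0f} X")
    q, _, _ = attack_vs_twap_oracle()
    print(f"TWAP oracle: profit {q:,.0f} X (attack would be reverted)")
```

With these constructed numbers the flash loan is five times the pool's depth, so one swap moves the spot price from 1,000 to roughly 36,000 X per Y; the lender then hands over its entire 10 million X against collateral worth well under 1 million at the fair price, and the attacker clears about 5 million after repaying the loan. The same sequence against the TWAP-style oracle loses money, which is why lending protocols should never price collateral from a single pool's instantaneous reserves.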
A rug pull is a malicious scheme common in the cryptocurrency field, usually seen on decentralized exchanges (DEXs): the developers abandon their DeFi project without warning and run away with investors' money. Scammers seed liquidity pools with a large amount of money and post alluring advertisements on social media to attract investors. Once investors have deposited tokens into these liquidity pools, the scammers “pull the rug” and withdraw all the tokens from the pools.
For example, the operators of DeFi100, a BSC-based DeFi project, absconded with approximately $32 million (about RMB 200 million) of user funds. Its official website is no longer accessible; before it was shut down it displayed the words “We scammed you guys and you can’t do shit about it”, which were later deleted.
The Poly Network hack is a painful reminder that DeFi is still in its infancy despite its current boom, and that many of the relevant technologies are far from mature. Hacks cannot be ruled out, and for developers preparing to launch cross-chain projects the only way forward is to strengthen security audits and repeat stress tests.