Over the past couple of years, hundreds of new decentralized finance applications and protocols have flooded onto the Ethereum network and other blockchains. In November 2021, the total value locked in all DeFi apps reached a staggering $290 billion.
DeFi, in theory, is designed to democratize access to finance by enabling people from all over the world, from any background, no matter who they are, to participate. There are no financial or geographical restrictions or centralized intermediaries – everything is decentralized, trustless, and peer-to-peer.
It’s a vision that has proven popular, with DeFi growing faster than anyone could have imagined. However, its rise has been clouded by numerous critical security threats that make it seem like a very risky venture to anyone who’s not extremely knowledgeable about how crypto works.
While 2021 was a big year for DeFi, it was arguably even bigger for hackers, with a recent report from Chainalaysis finding that they stole a combined $3.2 billion worth of cryptocurrency that year. This year is likely to be just as profitable for hackers. According to CertiK’s latest report, DeFi and Web3 together lost more than $2 billion to hackers in the first six months of the year.
Chainalysis said hackers in the crypto sphere have migrated away from wallets and other targets, and are almost exclusively targeting DeFi protocols today. In the first three months of 2022, almost 97% of all funds stolen by hackers came from DeFi, up from 72% in 2021 and just 30% in 2020. A quick look at some of the biggest hacks of this year explains why DeFi has become such a popular target for attackers. The amounts they can steal are tremendous. The most expensive hack so far this year was the Ronin Validator Security Breach. On March 23, the person or persons responsible for the attack were able to compromise Sky NMavis’s Ronin and Axie DAO validator nodes, hack the private keys and make illicit withdrawals. They stole an incredible 173,600 ETH and 25.5 million USDC, amounting to $615.5 million in total, via just two transactions.
Unfortunately, the Ronin hack was not just an isolated event. In February hackers exploited a security vulnerability in Wormhole’s signature verification, enabling them to make off with 120,000 wETH on Solana, an amount that was worth $326 million at the time of the attack. Similarly, in April, the Beanstalk protocol fell victim to a one-day delay inside a $BEAN governance proposal contract to complete a flash loan. The attacker was able to steal 70% of the total seeds, getting away with $181 million in total.
Spotting Smart Contract Vulnerabilities
The vast majority of DeFi hacks occur due to vulnerabilities in the smart contracts that power the protocols. Smart contracts are self-executing bits of code that automatically process transactions when certain conditions are met. They’re one of the core elements of DeFi as they make the requirement for a trusted intermediary redundant.
The good news is that the community is aware that smart contracts are a glaring weakness in DeFi security and is taking steps to address them. The most reliable DeFi protocols today are sure to carry out a comprehensive smart contract audit to identify if any vulnerabilities exist. Audits are carried out by reliable firms such as CertiK and Hacken, and assess the recorded transactions within a blockchain ledger to try and spot any bugs.
Other ways of identifying vulnerabilities include penetration tests by teams of security experts, who attempt to hack DeFi protocols so they can inform the developers how they did it, allowing them to close whatever loopholes are discovered. In addition, protocols can also offer “bug bounties”, where they essentially crowdsource security. Dozens of “white hat” hackers compete for a monetary prize to identify vulnerabilities within a protocol. Bug bounties can be especially beneficial because they incentivize participants to act like real cybercriminals, meaning they will likely attempt to hack the protocol using similar methods as the real bad guys do. The idea being that the good guys will discover any obvious exploits before they’re exposed in the real world.
Smart contract code audits and bug bounties can help to protect DeFi protocols against common hacks around unhandled exceptions and transaction order dependency. However, audits are unfortunately not infallible – the Chainalaysis study found that 30% of exploits this year occurred on platforms that had been audited within the past 12 months. So while code audits and bug bounties can be helpful, they do not provide any guarantees. As such, DeFi protocols that are managing billions of dollars in user’s funds ought to adopt a more robust approach to security.
Reinventing Smart Contracts
One of the most exciting solutions to emerge is the Scrypto programming language developed by Radix, which is a layer-1 blockchain protocol that has been built specifically for DeFi.
The Scrypto language is based on the popular Rust programming language and retains most of its features. However, it notably adds a number of specific functions based on the Radix Engine. It can be thought of as a collection of libraries and extensions to Rust that provides asset-oriented features, enabling Rust-style logic to interact with assets as a native, first-class citizen.
The most important distinction of Scrypto is that it effectively does away with smart contracts. Instead of smart contracts, it uses blueprints and components to process transactions. Blueprints are compiled source code that lives on the blockchain, where they can be used by anyone. Their role is to provide “constructor functions” for DeFi transactions, with flexible parameters that others can instantiate. They’re generally quite specialized in terms of functionality, though they can support multiple different use cases depending on exactly how they’re instantiated. Blueprints can sometimes work with other blueprints, deployed together as a “package”.
To activate a blueprint, it must be instantiated by calling one of its constructor functions in order to obtain the address of a newly created instance, known as a “component”. Components are used to manage state and can gather, hold and distribute resources according to the logic associated within the blueprint that created it. In other words, components in Scrypto resemble smart contracts, however, they derive from the logic defined within the blueprint that gave birth to it.
Scrypto’s unique architecture allows it to carry out transactions in a very different way to regular smart contracts written in Solidity or another language. Instead of sending a number or reference to some tokens, Radix Engine transfers ownership of tokens from the caller to a component. Once that component receives a bucket of resources or multiple buckets, it can take those resources and deposit them into a vault it holds, or else a different bucket. Then, the Radix Engine ensures that the caller can no longer access the bucket or vault.
The end result is that dApps built on Radix have a much simpler and safer way of transacting. To better understand how it works, Radix offers us the example of a gumball machine that accepts USD tokens in exchange for a token held within its vault.
In this example, the user passes a bucket of 0.25 USD to the insertCoins method of the MyMachine component. The blueprint’s logic sees that the correct price has been paid, adds those tokens to a vault, then takes 1 gumball from its gumball vault and passes it back to the caller. It can even send back some change if the caller passed too much USD.
With Ethereum’s Solidity-based smart contracts it’s much more complex and risky. In the same machine, the user would call a smart contract to give the machine permission to withdraw from their wallet on their behalf. They would tell the machine they wish to input 0.25 USD. The machine would then call the USD contract to make the withdrawal, then call a gumball smart contract to send the gumball to the user. Finally, it would probably also update an internal cache of the number of remaining gumballs to check for erros. Each one of these processes uses a smart contract, and each one is therefore at risk of being hacked due to a smart contract vulnerability.
That’s just a simple example. With DeFi, transactions can be many times more complex, meaning they’re exposed to multiple times the risk. All it takes is one vulnerability somewhere, in any one of numerous smart contracts involved in a transaction, for an attacker to pull off an attack.
As DeFi grows and its total value locked increases, the risk of exploitation will only increase. If there’s one takeaway we can gather from the stunning amount of crypto that’s been stolen by DeFi hacks, it’s that the need for smart contract security has never been greater. While code audits and bug bounties can help to spot the most obvious vulnerabilities in DeFi, it’s clear that the industry could benefit immeasurably from a radical overhaul based on an infrastructure that’s designed to minimize the number of potential exploits from the get-go.
Disclaimer: This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice