Latest round of DeFi exploits displays the sector's wide range of vulnerabilities
Over the past couple of days, three incidents affecting decentralized finance (DeFi) projects have led to a total of around $2 million in losses.
The amount may not seem much in comparison to blow-ups such as FTX or some of the larger exploits to hit the sector, but the cases demonstrate the varied nature of the dangers faced by DeFi users.
Threats against DeFi protocols can come from all sides and they must defend against hackers, governance attacks, and potentially vulnerable third-party code, as these three incidents show.
Atlantis Loans experienced governance attack
Atlantis Loans is a lending platform on Binance’s BNB Chain, though it was abandoned by the developers earlier this year. On Saturday, former users were drained of approximately $1 million worth of crypto.
Once launched, a DeFi protocol is self-executing: maintained or not, its contracts keep running and the platform continues to function. As the team explained in its farewell Medium post, “Atlantis Loans as a protocol is fully decentralized and the only way to make changes or turn things off will have to be done through … governance.”
With presumably little attention paid to Atlantis since the devs departed, the defunct project was susceptible to a governance attack targeting previous users.
⚠️Atlantis Loans was under a governance attack for ~$1M.
The attacker gained control over the contract and replaced it with a contract containing a backdoor function to transfer tokens approved by users.
— Beosin Alert (@BeosinAlert) June 11, 2023
In order to deposit funds into a DeFi lending pool, users must first grant the pool’s smart contract an allowance (an ERC-20 “approval”) to spend a given token from their wallet. Wallet and dapp defaults often set that allowance to an effectively unlimited amount (the maximum uint256 value), and it persists until the user manually revokes it; withdrawing the deposit does not clear it.
Any user who still had active approvals granted to Atlantis contracts, regardless of whether or not they had withdrawn their funds, was a potential victim if hackers took control of the contracts.
This is exactly what the attacker did, publishing and voting for a proposal that allowed them to upgrade existing Atlantis contracts to their own malicious version.
They then used the standing allowances (an approved spender can call transferFrom on the token) to pull around $1 million in a variety of tokens directly from the wallets of previous Atlantis users to their own address.
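The check a former user (or an incident responder) wants here is which allowances are still in force for a given set of spender contracts. The following is an added example, not code from the article or from Atlantis: it replays ERC-20 Approval events, in the shape returned by an eth_getLogs query, keeps the latest value per (token, owner, spender), and flags non-zero allowances granted to a watched set of spenders. The addresses and the log entries are constructed for illustration; the Approval topic hash is the real keccak256 of the event signature.

```python
"""Audit outstanding ERC-20 allowances from Approval event logs (added example).

The log dicts below mimic eth_getLogs output for the ERC-20 Approval topic.
Addresses, block numbers and amounts are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1
# Wallets generally display anything at or above this as "unlimited".
UNLIMITED_THRESHOLD = 2**255


@dataclass(frozen=True)
class Approval:
    block: int
    log_index: int
    token: str
    owner: str
    spender: str
    value: int


def _topic_to_address(topic: str) -> str:
    # Indexed address parameters are left-padded to 32 bytes in topics.
    return "0x" + topic[-40:].lower()


def decode_approval(log: dict) -> Optional[Approval]:
    """Decode one raw log dict; return None if it is not an Approval event."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    return Approval(
        block=int(log["blockNumber"], 16),
        log_index=int(log["logIndex"], 16),
        token=log["address"].lower(),
        owner=_topic_to_address(topics[1]),
        spender=_topic_to_address(topics[2]),
        value=int(log["data"], 16),
    )


def outstanding_allowances(logs: List[dict]) -> Dict[Tuple[str, str, str], int]:
    """Replay Approval events in chain order; the latest value per
    (token, owner, spender) is the allowance currently in force.
    approve() overwrites rather than accumulates, so approve(spender, 0)
    is a revocation."""
    events = [a for a in map(decode_approval, logs) if a is not None]
    events.sort(key=lambda a: (a.block, a.log_index))
    current: Dict[Tuple[str, str, str], int] = {}
    for a in events:
        current[(a.token, a.owner, a.spender)] = a.value
    return current


def flag_risky(allowances: Dict[Tuple[str, str, str], int],
               watched_spenders: set) -> List[dict]:
    """Return non-zero allowances granted to any watched spender, e.g. the
    contracts of a protocol whose governance is abandoned or compromised."""
    watched = {s.lower() for s in watched_spenders}
    hits = []
    for (token, owner, spender), value in allowances.items():
        if spender in watched and value > 0:
            hits.append({"owner": owner, "token": token, "spender": spender,
                         "value": value, "unlimited": value >= UNLIMITED_THRESHOLD})
    return hits


# --- constructed sample data (hypothetical addresses) ---------------------
ATLANTIS_POOL = "0x" + "a1" * 20   # hypothetical lending-pool (spender) address
TOKEN = "0x" + "0b" * 20           # hypothetical ERC-20 token
ALICE = "0x" + "aa" * 20
BOB = "0x" + "bb" * 20


def _log(block: int, idx: int, owner: str, spender: str, value: int) -> dict:
    pad = lambda addr: "0x" + addr[2:].rjust(64, "0")
    return {"address": TOKEN, "blockNumber": hex(block), "logIndex": hex(idx),
            "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x" + format(value, "064x")}


SAMPLE_LOGS = [
    _log(100, 0, ALICE, ATLANTIS_POOL, UINT256_MAX),   # unlimited, never revoked
    _log(101, 3, BOB, ATLANTIS_POOL, 1000 * 10**18),   # exact amount
    _log(150, 1, BOB, ATLANTIS_POOL, 0),               # Bob revokes after withdrawing
]

if __name__ == "__main__":
    for hit in flag_risky(outstanding_allowances(SAMPLE_LOGS), {ATLANTIS_POOL}):
        print(hit)
```

Only Alice is flagged: Bob's later approve(…, 0) overwrote his allowance. An allowance only bounds what transferFrom may pull; the actual exposure is min(allowance, wallet balance), so on a live chain this audit should be paired with a balance lookup, and the remediation is an on-chain approve(spender, 0) for every flagged row.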
Oracle exploit at Sturdy Finance
DeFi projects often come into the crosshairs of hackers, both white- and black-hat, looking for loopholes in the code from which they can profit or earn a bounty.
Sturdy Finance, another lending protocol, came under attack on Monday via a known class of vulnerability, leading to 442 ETH in losses (approximately $800,000).
The exploit manipulated Sturdy’s price oracle, which valued a Balancer pool token from the balances of the underlying assets in its pool. In a read-only reentrancy, a view function is read while the contract it belongs to is part-way through an operation: during a Balancer pool exit, the exiting user’s pool tokens are burned and the underlying tokens are paid out (the ETH payout being the reentrancy point) before the pool’s recorded balances are updated, so a rate read from inside that payout sees a reduced supply against unchanged balances and reports an inflated price. The hacker used this to have the protocol overvalue their collateral and borrow more than it was worth, repeating the process across several pools.
1/ @SturdyFinance was attacked and the loss is ~442 ETH. The root cause is due to the typical Balancer’s read-only reentrancy, while the price of B-stETH-STABLE was manipulated!
— BlockSec (@BlockSecTeam) June 12, 2023
The capital necessary to carry out the attack was obtained via a flash loan, whereby funds are borrowed and repaid, plus a fee, within a single transaction; if the loan is not repaid by the end of that transaction, the whole transaction reverts. Flash loans let arbitrage traders close minor price discrepancies profitably, but they also let an attacker with no capital of their own rent the size needed to move a pool, which is why they are so often used to fund hacks.
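To make the mechanism in the two paragraphs above concrete, here is an added Python model, not Sturdy’s, Balancer’s or BlockSec’s code, of a pool whose exit burns LP tokens, pays out, and only then updates its balances. It has a naive rate view, a guarded variant that refuses to answer mid-operation, and a lending-side max_borrow that consumes the rate. The pool arithmetic is deliberately simplified (value = sum of balances, both assets assumed priced 1:1, no invariant maths) and every number is constructed. The flash loan is not modelled: it only supplies the pool tokens needed to make the exit large; the defect is the ordering inside exit_pool and the unguarded read.

```python
"""Toy model of a read-only reentrancy against an LP-token oracle (added example).

Simplified illustration only. The pool tracks two token balances and a supply of
pool (LP) tokens; its rate is total value / supply. exit_pool() burns pool tokens,
pays the recipient (an external call that can re-enter), and only then updates
the recorded balances, so a rate read from inside the payout callback is inflated.
"""
from typing import Callable, Dict, Optional


class Pool:
    def __init__(self, bal_a: int, bal_b: int, supply: int):
        self.balances = [bal_a, bal_b]   # underlying assets, both valued 1:1 here
        self.supply = supply             # outstanding pool (LP) tokens
        self._in_exit = False            # set while an exit is in flight

    def get_rate(self) -> float:
        """Value of one pool token in underlying units: the 'read-only' view
        an oracle consumes."""
        return sum(self.balances) / self.supply

    def exit_pool(self, lp_amount: int,
                  on_payout: Optional[Callable[["Pool"], None]] = None) -> list:
        """Burn lp_amount pool tokens and pay out pro rata.
        The ordering mirrors the vulnerable pattern: burn, external call, update."""
        share = lp_amount / self.supply
        payout = [int(b * share) for b in self.balances]
        self.supply -= lp_amount         # (1) supply is already reduced ...
        self._in_exit = True
        if on_payout is not None:
            on_payout(self)              # (2) ... while the callee still sees old balances
        self._in_exit = False
        self.balances = [b - p for b, p in zip(self.balances, payout)]  # (3)
        return payout


class GuardedPool(Pool):
    """Hardened variant: a rate read during an in-flight operation reverts.
    Balancer's published mitigation has the consumer call
    Vault.manageUserBalance([]) first, which reverts inside a reentrant
    context; the flag check below models that effect."""
    def get_rate(self) -> float:
        if self._in_exit:
            raise RuntimeError("reentrancy: rate read during exit")
        return super().get_rate()


def max_borrow(pool: Pool, lp_collateral: int, ltv: float = 0.8) -> float:
    """Lending-side view: borrowable amount against lp_collateral valued at the
    pool's rate. Over-lends if evaluated from inside a payout on a plain Pool."""
    return pool.get_rate() * lp_collateral * ltv


def observed_rate_during_exit(pool: Pool, lp_amount: int) -> Optional[float]:
    """Trigger an exit and record what the oracle reports from inside the payout
    callback. Returns None if the read was blocked (guarded pool)."""
    seen: Dict[str, Optional[float]] = {}

    def callback(p: Pool) -> None:
        try:
            seen["rate"] = p.get_rate()
        except RuntimeError:
            seen["rate"] = None

    pool.exit_pool(lp_amount, callback)
    return seen["rate"]


if __name__ == "__main__":
    naive = Pool(1000, 1000, 1000)       # constructed: rate 2.0 before the exit
    print("rate before exit:", naive.get_rate())
    print("rate seen mid-exit:", observed_rate_during_exit(naive, 500))
    print("rate after exit:", naive.get_rate())
    print("guarded read mid-exit:", observed_rate_during_exit(GuardedPool(1000, 1000, 1000), 500))
```

With a 1000/1000 pool and 1000 LP tokens, the honest rate is 2.0 before and after the exit, but a read from inside the payout sees 2000 of value against 500 tokens and returns 4.0, so a lender calling max_borrow at that moment would lend twice what the collateral is worth. The guarded pool returns nothing mid-exit, which is the property a consumer of a pool-token price needs.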
KP3R: vulnerable tooling
The open-source nature of DeFi encourages projects to plug into one another, building layers of applications on top of established and battle-tested code. This permissionless composability is often cited as one of the main advantages of the sector when compared to traditional finance.
However, in the event of DeFi exploits, these structures act less like a fortress built of ‘money legos,’ and more like a house of cards.
The Keep3r Network, itself a prime example of this composability, allows projects to outsource “Jobs” to a decentralized network of “Keepers” in order to effectively automate devops tasks, protocol maintenance, etc.
However, an address with control over a number of Keep3r contracts had been generated with Profanity, a tool for creating “vanity addresses” (addresses with a chosen prefix or suffix) that was found last summer to be insecure: it seeded its key search with only 32 bits of randomness, so the private key behind any address it produced can be recovered by brute force.
Decentralized exchange 1inch published a blog post warning of the vulnerability on September 15, 2022. Five days later, crypto market maker Wintermute lost $160 million to the bug after failing to adequately protect its assets (and mocking a hacker who had also lost funds).
On Monday morning, the compromised key was used to reset the governor of several Keep3r pools, after which, according to Phalcon, a reentrancy attack drained around 4,084 KP3R (about $200,000) to the attacker’s address.
.@thekeep3r has been attacked. Due to the governor’s private key being compromised (Vanity Address), the attacker reset the governor of several pools and launched a reentrancy attack, profiting 4084 KP3R (~ $200K).
— Phalcon (@Phalcon_xyz) June 12, 2023
Composability between projects leads to rapid and creative innovation, but can also create risks when depending on external code.
If a protocol upon which others rely is hacked, it can bring down others with it, as was the case with the $200 million Euler hack in March (most funds were later returned).