The blockchain market as a whole is still in its infancy, and the decentralized finance (DeFi) market is its most promising part. According to DefiLlama data, in 2021, the DeFi market had around $200 billion of liquidity locked in smart contracts. If we view this capital as an initial investment, this market looks like a highly promising venture. Not many global companies can boast of such a capitalization. But any young market has its teething problems. With DeFi, the main issue is a lack of qualified blockchain developers.
This industry is very young and has a relatively small user base. Most people have at best heard about DeFi without having any idea what it is. But as happens with every promising new venture, it quickly attracts a lot of speculative interest. Unfortunately, training personnel takes much longer, especially in such knowledge-intensive fields as blockchain and smart contract development. This means that some project teams will have to compromise and hire less experienced personnel.
This shortage inevitably raises the risk of security loopholes in the code of these projects, and the consequences show up as lost user capital. To give a brief sense of how big this problem is, I can say that about 10% of DeFi’s total liquidity locked has been stolen by hackers. It should not surprise anyone that the mainstream public would prefer to stay away from a financial system that poses such dangers to their funds.
How have DeFi exploits changed recently?
Attacks on DeFi have long centered on reentrancy. We can recall the famous 2016 hack of The DAO, which resulted in the loss of $150 million in investor capital and led to Ethereum’s hard fork. Since then, this vulnerability has been exploited many times in different smart contracts.
The callback function is actively utilized by lending protocols: it allows smart contracts to check users’ collateral balance before giving out a loan. The whole process happens within one transaction, which has given hackers a workaround to steal money from such smart contracts. When you send a request to borrow funds, the callback function first checks the collateral balance, then gives out the loan if the collateral is sufficient, and only then changes the user’s collateral balance inside the smart contract.
To fool the smart contract, hackers return the call to the callback function to initiate this process from the beginning. Since the transaction has not been finalized on the blockchain, the function gives out another loan for the same collateral balance. Even though the solution to this problem has been on the scene long enough, many projects still fall victim to it.
Sometimes, project teams with little experience in writing smart contracts borrow the codebase of another open-source DeFi project to deploy their own smart contract. They normally pick reputable projects that have been audited, have large user bases and have proved to be securely built. But they may then make minor modifications to add the functionality they want, layering it on top of the borrowed code without changing the original code itself. This can break the logic of the smart contract, often without the developers realizing it.
This is what allowed hackers to steal around $19 million from Cream Finance in August 2021. The Cream Finance team borrowed the code from a different DeFi protocol and added a callback token in their smart contract. Even though you can prevent reentrancy attacks by implementing the “checks, effects, interactions” pattern that prioritizes the change of balance over the issuance of funds, some teams still fail to safeguard their platforms from these exploits.
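The ordering problem described above, and the effect of "checks, effects, interactions", can be seen in a small Python model. This is an added example, not code from the article or from any DeFi protocol; the class names, amounts and the choice to track debt against collateral are assumptions made for illustration.

```python
# Simplified model of the loan flow above (constructed; not any protocol's code).
class LendingPool:
    def __init__(self, reserves, cei):
        self.reserves = reserves   # funds available to lend
        self.collateral = {}       # user -> deposited collateral
        self.debt = {}             # user -> amount already borrowed
        self.cei = cei             # True = checks, effects, interactions order

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount, callback):
        # Check: existing debt plus the new loan must fit within collateral.
        debt = self.debt.get(user, 0)
        if debt + amount > self.collateral.get(user, 0) or amount > self.reserves:
            raise ValueError("loan rejected")
        if self.cei:
            self.debt[user] = debt + amount   # effect: record the debt first
            self.reserves -= amount
            callback(self, amount)            # interaction: external code last
        else:
            self.reserves -= amount
            callback(self, amount)            # external code runs on stale debt
            self.debt[user] = self.debt.get(user, 0) + amount


class ReentrantReceiver:
    """Hypothetical receiver whose callback requests the same loan once more."""
    def __init__(self, user):
        self.user, self.received, self.reentered = user, 0, False

    def on_receive(self, pool, amount):
        self.received += amount
        if not self.reentered:
            self.reentered = True
            try:
                pool.borrow(self.user, amount, self.on_receive)
            except ValueError:
                pass  # the nested request failed the collateral check


def run(cei):
    """Return (funds paid out, recorded debt, remaining reserves)."""
    pool = LendingPool(reserves=1000, cei=cei)
    pool.deposit("alice", 100)                # constructed sample values
    receiver = ReentrantReceiver("alice")
    pool.borrow("alice", 100, receiver.on_receive)
    return receiver.received, pool.debt["alice"], pool.reserves
```

With the state update after the callback, 100 units of collateral back 200 units of loans; with the update before it, the nested request fails the check and only 100 is paid out.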
Flash loan attacks allow hackers to steal funds differently and have been growing increasingly popular since the DeFi boom of 2020. The main idea of flash loan attacks is that you do not need to…