Cybersecurity is often described as a cat-and-mouse game, one in which companies must stay on top of the latest scams and hacking techniques to outwit ever-evolving attackers. In DeFi, however, it is fair to say that the cats hold a significant advantage: they can reuse the same attack strategy over and over, because the industry has failed to address a few fundamental weaknesses that have persisted for years.

Case in point: one of the biggest DeFi hacks of recent months used the same technique as the infamous 2016 DAO attack on Ethereum. In early September, attackers drained $27 million from the yield farming protocol Penpie by exploiting a reentrancy vulnerability, a flaw that lets an attacker call back into a function repeatedly before the contract has updated its state. In the Penpie incident, this allowed them to inflate reward balances with fake tokens, which they then claimed.

Reentrancy attacks point to a broader problem with Solidity as a programming language: the ease with which it allows unintended behaviour. Li.Fi, a cross-chain DeFi protocol, was attacked in July of this year when a hacker exploited smart contract calls that could execute arbitrary functions, resulting in $8 million in losses. The wrapped Bitcoin protocol Bedrock suffered a similar incident in late September.

Flash loans, which use the composability of dApps to disburse and repay a loan within a single Ethereum transaction, have also proven highly useful to attackers. Since the first wave of such attacks in 2020, protocols whose logic can be manipulated with flash-loaned capital have become target practice for hackers. Even after Euler Finance's massive exploit in 2023, which caused $197 million in losses, Hedgey Finance and Dough Finance have been hit in recent months, for a combined loss of more than $45 million.

That is all before we get to attacks that trace back to more old-school sources. In late September Truflation suffered a $5 million loss; its CEO confirmed that the company had been hit by a malware attack that enabled unauthorized access to the project's treasury wallet.

Being a hard target

While individual DeFi hacks tend to be smaller than those against centralized exchanges, recent findings from Peckshield and ImmuneFi confirm that the number of incidents involving decentralized protocols is far higher, suggesting that attackers have noticed how easy they are to hit.

One argument is that blockchain faces a different set of challenges from Web2 security and therefore needs its own tools and protocols. That is fair, but at this stage of the industry's maturity, a lack of available resources is no longer an excuse. It is time to take a leaf out of the Web2 security handbook and put in place layered security measures matched to the task at hand.

A few ideas to get started? First, robust security audits need to become the industry standard. This basic step can catch reentrancy bugs and many other common smart contract exploits before deployment. Although many projects state that they have been audited, the quality and scope of audits vary significantly between firms, and an audit covers only the code as it stood at the time; changes deployed afterwards are effectively unaudited.

Taking this a step further, on-chain security protocols can monitor transactions for suspicious patterns and potential zero-day exploits, and pause or block them before funds leave the contract.

Advances in cryptography add a further layer. One example is fully homomorphic encryption on-chain, which lets contracts compute on encrypted data without ever decrypting it. This raises the bar for data that was previously visible to anyone on the ledger and that attackers have used to plan lucrative exploits.

The cat-and-mouse analogy works so well because it frames the ongoing struggle between hackers and security professionals as one that neither side necessarily wins. The sheer number of DeFi attacks, however, indicates that the odds currently favour the hackers. Given the pace of development in this field, project founders should take every opportunity to level the fight and tip the odds towards a more secure future for user funds and for the industry itself.
