- Hegic options exchange confronted a vulnerability in its smart contract code hours after launching.
- The bug locked user funds into expired options contracts, rendering them permanently inaccessible.
- Hegic’s security evaluator, Trail of Bits, said it warned the exchange of these vulnerabilities and that they weren’t properly addressed before the code shipped.
A new options trading protocol built on Ethereum just entered mainnet, but it has already run into significant problems with its own code.
Just hours after Hegic launched its smart contracts on April 23, a bug in its code locked up $28,000 worth of user funds in the platform’s smart contracts. The majority of these funds were in the DAI stablecoin, while the rest were in ETH.
The Hegic team has pledged to reimburse all affected users out of its own money, though the funds will be forever locked up in the smart contracts.
But what’s got the community riled up is that the team originally said that the vulnerability was the result of a typo. It backpedaled two days later after the community, as well as the independent team that reviewed its code, said that the vulnerability was caused by a bug that could have easily been avoided.
Trail of Bits, the software auditing firm that reviewed Hegic’s code, told Decrypt that the exchange ignored warnings about the bug, as well as other critical flaws; instead, Hegic slapped a bandaid on the problems and rushed to ship its infant code.
“It's clearly an error, and one that would have been easily caught had they written any unit tests,” Dan Guido, CEO of Trail of Bits, told Decrypt.
When Decrypt reached out to Hegic for comment, it replied with the company’s official post-mortem which, two days after the incident, “apologize[s] to each Hegic user (holders and writers) for calling this a typo, but not a bug or a security issue.”
Team cried bug, people called foul
In an older tweet explaining the issue, Hegic claimed that a “typo” in the code prevented traders from unlocking funds from an expired options contract.
In options trading, traders purchase a contract that gives them the option to buy or sell an asset for a specific price at a certain maturity date; Hegic’s “typo” kept users from accessing the funds locked in these contracts after they expired.
But Trail of Bits, the security auditing firm that reviewed Hegic’s code, called it a bug, not a typo as originally claimed by Hegic. Trail of Bits’ CEO claims that Hegic misrepresented how secure the exchange was when it presented a security assessment (a brief review of code) as an audit (a more comprehensive review of the code).
Guido said in a Twitter thread after the incident that Hegic had ignored many of Trail of Bits’ suggestions and was too cavalier with its launch. He said that his company found “10 critical flaws” in Hegic’s code when they reviewed it earlier in April.
Trail of Bits recommended that Hegic delay the launch of its mainnet. But Guido said the DeFi fledgling refused and “patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an ‘audit’, then immediately deployed.”
This gave users the false impression that Hegic was safe, Guido said, even though the project has no public documentation, nor a single published or verifiable test of the software.
Danger to DeFi
Guido said that the misrepresentation of security audits by malicious or ill-informed teams is pernicious for the whole of Ethereum and DeFi.
And Ethereum’s been here before. As blockchain platform MyCrypto pointed out on Twitter, the 2017 Parity wallet debacle, where a library of wallets worth $280 million in the Parity DAO was deleted by an anonymous developer, was also ostensibly an accident. But the bug was still exploited, by accident or not, and Parity ended in a controversial hard fork that split Ethereum into two chains to recover the lost ether.
You won’t get a fork here, but a snafu’s a snafu—no matter how many times you try to call it a typo.