- More than $25 million was stolen from DeFi protocols across three different hacks in Q2 2020
- A majority of the funds were returned, but hundreds of thousands more are still in the accounts of hackers
- Other protocols have announced, corrected, and analyzed vulnerabilities as the industry grows up
More than $25 million has been hacked from DeFi products—but it’s all a part of growing up. That’s according to a Q2 2020 DeFi Report from Consensys Codefi, which chronicled three separate hacking efforts during the three-month period starting April 1.
On the upside, it’s not all bad news: Multiple trends highlighted in the report all point to a rapidly maturing industry, with the excitement, drama, and vulnerability that comes with building a new financial paradigm.
Three things that defined DeFi
Indeed, the Codefi report highlighted three things that “defined Ethereum DeFi during Q2 2020: 1) BTC on Ethereum overtaking BTC on the Lightning Network, 2) three major security incidents, responsible for $26M being hacked, and 3) the release of COMP and the frenzy of yield farming.”
The report found that during Q2, Bitcoin became more popular on the Ethereum blockchain than in utilities specifically built for Bitcoin itself. Wrapped Bitcoin (WBTC), or Bitcoin locked in a smart contract on Ethereum to make it usable like any other ERC20 token, vastly outpaced Bitcoin locked in the Lightning Network, a system of trusted nodes used to speed up transactions on the Bitcoin network.
WBTC grew more than 800% to more than 8,000 BTC locked during the quarter, with additional BTC lockup schemes adding a further 3,000 BTC before June 30. By comparison, the Lightning Network held just under 1,000 BTC at the end of the second quarter.
The report outlines how two back-to-back April DeFi hacks that totaled nearly $25 million targeted Uniswap V1 and Lendf.me using the same “reentrancy” exploit. That hack takes advantage of an ERC-777 Ethereum token design that, under certain circumstances, allows bad actors to execute unlimited trades using a small initial deposit.
Notably, the reentrancy attack vector was a known quantity within the Ethereum developer community, having been described by Consensys Diligence in 2019. (Decrypt is funded by Consensys but editorially independent from it.)
On April 19, nearly all funds stored in crypto lending platform Lendf.me were stolen using the same reentrancy exploit used in a $300,000 attack on Uniswap just a day earlier, totalling close to $24 million. Unlike the Uniswap hack, however, the exposure of an IP address used in the attack induced the hackers to return the stolen funds, which eventually found their way back into the hands of robbed depositors.
On June 28, just a few days before the end of the quarter, token pooling and swap protocol Balancer was hacked for more than $450,000 in a variety of different cryptocurrencies. Rather than targeting an issue within the ERC-777 token standard, the Balancer theft took advantage of a bug in Balancer smart contract code that allowed a similar exploit. Pools containing deflationary STA tokens—whose supply is reduced when tokens are used—allowed the attackers to swap out large amounts of ERC-20 tokens for a negligible amount of STA in return. Balancer CTO Mike McDonald quickly responded to the incident, and ultimately all users who lost funds were made whole by the Balancer team.
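Both incidents described above come down to a contract trusting its own bookkeeping instead of the token's actual state: in the reentrancy case, an ERC-777 transfer hook re-enters the contract before its balance record has been updated; in the deflationary-token case, the pool records the amount it asked for rather than the amount that actually arrived. The following Solidity sketch is an added illustration, not code from Uniswap, Lendf.me or Balancer; the token interface, contract names and the vault itself are hypothetical. It shows the unsafe ordering beside the two standard mitigations: checks-effects-interactions with a reentrancy lock, and crediting deposits from the measured balance change.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical subset of an ERC-777-style token. The point is that transfers
// invoke hooks on the sender/recipient, which is the callback a reentrancy
// attack rides on. Illustrative only; not any real protocol's interface.
interface IERC777Like {
    function balanceOf(address who) external view returns (uint256);
    function send(address to, uint256 amount, bytes calldata data) external;
    function operatorSend(
        address from, address to, uint256 amount,
        bytes calldata data, bytes calldata operatorData
    ) external;
}

// UNSAFE pattern (illustrative): the external token call happens before the
// internal balance is updated, so a hook that re-enters withdraw() still
// sees the old balance. deposit() also credits the requested amount, which
// is wrong for a token that burns part of every transfer.
contract VulnerableVault {
    IERC777Like public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IERC777Like _token) { token = _token; }

    function deposit(uint256 amount) external {
        token.operatorSend(msg.sender, address(this), amount, "", "");
        deposited[msg.sender] += amount;          // trusts the requested amount
    }

    function withdraw(uint256 amount) external {
        require(deposited[msg.sender] >= amount, "insufficient");
        token.send(msg.sender, amount, "");       // interaction first...
        deposited[msg.sender] -= amount;          // ...effect last (bug)
    }
}

// HARDENED pattern (illustrative): a mutex rejects re-entrant calls, state is
// updated before any external call, and deposits are credited from the
// observed balance delta rather than the caller's stated amount.
contract HardenedVault {
    IERC777Like public immutable token;
    mapping(address => uint256) public deposited;
    uint256 private _lock = 1;                    // 1 = free, 2 = entered

    modifier nonReentrant() {
        require(_lock == 1, "reentrant call");
        _lock = 2;
        _;
        _lock = 1;
    }

    constructor(IERC777Like _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        uint256 before = token.balanceOf(address(this));
        token.operatorSend(msg.sender, address(this), amount, "", "");
        // Credit only what actually landed: immune to fee-on-transfer and
        // deflationary tokens whose transfer delivers less than requested.
        uint256 received = token.balanceOf(address(this)) - before;
        deposited[msg.sender] += received;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(deposited[msg.sender] >= amount, "insufficient");  // check
        deposited[msg.sender] -= amount;                           // effect
        token.send(msg.sender, amount, "");                        // interaction
    }
}
```

In review, the two questions to ask of any contract that holds tokens are whether every external call is preceded by the state change it depends on (or guarded by a lock), and whether recorded balances are derived from `balanceOf` deltas rather than from arguments the caller controls; the first catches the reentrancy class, the second the deflationary-token class.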
The Q2 report notes a number of other bugs and stumbling blocks that emerged during the quarter, including inaccessible Hegic funds, a Loopring front-end vulnerability, and the halt of Keep Network’s tBTC smart contracts.
“The trend of the past six months suggests that DeFi will continue growing but only under a pattern of stress-testing that forces innovation and refocuses attention on areas of improvement. Transparency is fundamental to this growth,” Consensys researcher and report author Everett Muzzy said.
“This past quarter, we're seeing a different kind of transparency complement that of de facto transparency. Companies, protocols, and devs are volunteering information about bugs and hacks even if nothing actually happened on-chain. Our ability to analyze, audit, and research what's happening with these protocols gives people the ability to very clearly see where the ecosystem is improving and where it still needs support.”
Yield farming in full bloom
Yield farming also emerged as a popular trend this quarter, in which users work to maximize the rewards, or ‘yield’, in DeFi governance tokens earned by interacting with different services. As previously reported by Decrypt, farmers earned as much as 100% APR each day during the height of the Compound yield farming frenzy.
In the end, however, these painful lessons help reinforce the importance of transparency from developers and across the DeFi industry as a whole, allowing existing exploits to be patched and laying the groundwork for a safer decentralized financial system in the years to come.