In brief
- A bug in the DeFi protocol Opyn allowed hackers to escape with 370,000 USDC.
- Experts say that the hack was avoidable.
- This marks the sixth DeFi hack in 2020 alone.
Attackers raided the decentralized finance (DeFi) protocol Opyn yesterday, making off with over 370,000 USDC.
Opyn, which deals primarily with options for ETH, was subject to a double-spend attack.
"At the time of this post, we've found 371,260 USDC that has been stolen from these contracts," reads Opyn's post-mortem.
Analysis from security researchers PeckShield explains that the double-spend resulted from an exploited smart contract bug, which allowed attackers to openly plunder any and all USDC within Opyn’s smart contracts.
Chiachih Wu, Research VP for PeckShield and author of the firm's post-mortem, told Decrypt that while the exploit itself wasn't devastating financially, the consequences for Opyn's standing could be dire.
"I would say it hurts the reputation more," said Wu. "Since it's not a subtle bug. Solidity developers should be able to catch it."
The Opyn hack as it happened
After becoming aware of an issue Tuesday afternoon, the Opyn team kicked into action, siphoning liquidity from decentralized exchange Uniswap to prevent further problems.
The team also enlisted the help of a white-hat hacker known as "samczsun" to extract a total of 572,165 USDC from the remaining Opyn smart contracts, in an attempt to mitigate further losses.
For those still holding the platform’s now-illiquid tokens, Opyn has offered to buy them at a 20% mark-up on the crypto exchange Deribit.
Despite Opyn providing a litany of remedies, including a bug bounty program and enhanced auditing, PeckShield's Wu remains skeptical that DeFi won't suffer the same again.
"Until the day human beings stop coding, people will keep generating bugs," he said. "On the other hand, there's no perfect system. I'm sure we'll see more 0-days or new tricks to attack Ethereum-based software in the future."
Opyn's exploit marks the sixth DeFi hack this year, and with security experts anticipating more to come, DeFi's narrative as the new financial frontier may be more akin to the wild west.