NEWSLETTER #5: Thoughts on DeFi Security
Hoping this email finds you well and adjusted (or adjusting) to our new patterns of behavior. If you tuned into the first virtual Ethereal Summit this past week, you heard a lot about the significance of DeFi on Ethereum and the future of the network with the launch of Ethereum 2.0. So for this month’s newsletter, we thought we’d bring you updates about both.
The Question of Security in DeFi Applications
2020 has proven a critical year for the Ethereum DeFi ecosystem. In addition to celebrating over $1bn USD locked in DeFi and significant platform milestones, the industry has been subject to frequent occurrences of minor and major security incidents across both new and established DeFi applications. The bZx and Maker events of February and March have been well-covered, but we have pulled some data and insight into recent events on the Uniswap and Lendf.me protocols, specifically around the compromise of the ERC-777 token standard that allowed hackers to drain $25m worth of crypto on April 18th & 19th.
The imBTC token is an ERC-777 token released by Tokenlon, a DEX running on the 0x protocol. In both the Uniswap and Lendf.me incidents, the hacker(s) exploited a reentrancy vulnerability that arose from the incompatibility between the ERC-777 token standard and the DeFi protocols. Broadly speaking, the reentrancy vulnerability allowed the hacker to re-spend an initial deposit of imBTC over and over, effectively giving them unlimited capital with which to trade or borrow.
The attack was made possible because Uniswap V1 does not have measures in place to guard against this type of reentrancy attack when interacting with the ERC-777 standard. In total, the hacker made away with ~$300k USD in imBTC and ETH (~$141k ETH + ~$160k imBTC).
Interestingly, this attack vector was not unknown to Uniswap or to the crypto community at large. Almost exactly a year before the Uniswap attack, ConsenSys Diligence – the security audit service offered by ConsenSys – identified and published the ERC-777 reentrancy attack vector. Uniswap had plans to address the attack vector, as outlined in their March 23 blog post about the features of Uniswap V2.
The Lendf.me incident exploited the same reentrancy vulnerability, arising from the incomplete compatibility between the lending protocol and the ERC-777 token standard, but to a far more extensive degree of success. Nearly 100% of Lendf.me’s funds – over $24m USD – were drained during the attack on April 19.
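To make the mechanism concrete, here is an added, constructed illustration of the pattern behind both incidents; it is not Uniswap V1, Lendf.me or imBTC code. ERC-777 differs from ERC-20 in that a transfer calls a tokensToSend hook on the sender (and tokensReceived on the recipient) before and after balances move, so a contract that deposits into a protocol regains control mid-transfer. The VulnerablePool below reads a balance, makes the token call, and only then writes the balance, so a re-entrant withdraw() during the hook operates on stale state and is then overwritten. The HardenedPool applies the two standard mitigations: update state before the external call (checks-effects-interactions) and reject nested calls with a reentrancy guard. The IERC777Minimal interface and the pool contracts are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed for this example: the ERC-20-compatible subset of an ERC-777 token.
// In ERC-777 implementations, transferFrom() still fires the sender's tokensToSend
// hook, which is what hands control back to a depositing contract mid-call.
interface IERC777Minimal {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE PATTERN (constructed, not any real protocol's code):
// deposit() caches the balance, performs the external token call, and writes
// the balance afterwards. If the depositor is a contract whose tokensToSend
// hook calls withdraw(), that withdraw() sees the pre-deposit balance and its
// debit is then overwritten by the stale `cached + amount` write.
contract VulnerablePool {
    IERC777Minimal public immutable token;
    mapping(address => uint256) public balances;

    constructor(IERC777Minimal _token) { token = _token; }

    function deposit(uint256 amount) external {
        uint256 cached = balances[msg.sender];                       // check/read
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // interaction: hook fires here
        balances[msg.sender] = cached + amount;                       // effect AFTER interaction: stale write
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction before effect
        balances[msg.sender] -= amount;
    }
}

// HARDENED PATTERN: state is updated before any external call, and a mutex
// rejects any nested call that a token hook might attempt.
contract HardenedPool {
    IERC777Minimal public immutable token;
    mapping(address => uint256) public balances;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked (non-zero values are cheaper to toggle)

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IERC777Minimal _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;                               // effect first
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // interaction last;
        // a failed transfer reverts the whole call, rolling the credit back
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");      // check
        balances[msg.sender] -= amount;                               // effect
        require(token.transfer(msg.sender, amount), "transfer failed"); // interaction
    }
}
```

Either mitigation alone closes the window in this toy pool; both together are the usual practice, because checks-effects-interactions protects each function's own state while the guard also stops cross-function reentrancy that a future change might introduce. A pool that integrates arbitrary ERC-20-looking tokens should treat any token that can call back into the caller (ERC-777, tokens with transfer hooks) as hostile input at integration time, not as a compatibility footnote.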
Unlike in the Uniswap event, the stolen funds were not limited to ETH and imBTC. Though the majority of stolen funds were WETH ($10.8m), USDT and HBTC made up an additional $9.7m, followed by at least 16 other tokens. The graphs below show the asset distribution of compromised funds and the monthly token volumes on Lendf.me leading up to the attack on April 19.
In an unexpected turn of events, the Lendf.me hacker(s) returned the stolen funds to the protocol, reportedly because they accidentally exposed an IP address during the attack. The Sankey diagram below shows the flow of funds after the hack. Funds left the Lendf.me contract (green), went through the handler contract (gray), and to the hacker’s address (black). After the IP was revealed, the hacker transferred the funds back to the Lendf.me admin address, which then transferred the funds to a recovery address (both in purple). The far right of the graph, where the diagram flows out into many individual fund streams, marks the moment when Lendf.me returned funds to individual users.
What Does This Mean for DeFi?
Despite these waves of security incidents on DeFi protocols, the industry is still overwhelmingly positive about the opportunities of DeFi and the momentum it is bringing to Ethereum. Objective DeFi statistics support that positive sentiment. In response to this year’s security events and the considerable market pressures beginning in March, locked ETH has decreased from its all-time high in February; however, levels have dipped only to December 2019 numbers. These statistics, even in the face of high-profile security incidents, suggest the DeFi ecosystem as a whole has passed some point of ‘no return.’ Though confidence in individual protocols has suffered, overall commitment to the emerging paradigms of decentralized finance has remained strong.
During these 2020 security incidents, the Ethereum community has focused attention on ways to prevent and respond to future events. Generally speaking, there is a value proposition in all of these hacks occurring on open technology. Without needing particular permission or access, third-party security auditors and dapp developers have been able to freely analyze the incidents, warn against other weaknesses, and propose fixes for future DeFi applications. These incidents reveal the cooperative ethos of open software and set the stage for a more secure ecosystem. In particular:
DeFi Monitoring Tools: Leveraging the openness of the Ethereum blockchain, a host of DeFi-related monitoring tools are available to the public to more confidently interact with financial applications. Codefi Inspect is an open source tool that aggregates critical security information about DeFi protocols, including public audits, admin key details, oracle dependency, and on-chain activity. Codefi’s DeFi Score is a platform-risk score that can be compared across protocols to better inform users’ decisions when choosing between DeFi applications.
Security Transparency: Dapps are becoming more open about identified security vulnerabilities. Uniswap acknowledged the ERC-777 issue in their March 2020 blog post. A developer from the trading protocol Hegic published an open ‘post-mortem’ about a bug in her code that rendered some funds inaccessible. Exchange protocol Loopring identified a front-end vulnerability, paused the exchange, announced to the community, and worked to fix the issue. This sort of transparency is crucial to building trust among new and existing users and to scaling a more secure network of DeFi protocols.
DeFi Insurance: Blockchain-based insurance has been around for a while, but has been brought sharply into focus these past few months. Nexus Mutual – a blockchain insurance veteran – and more recently Opyn have (re)emerged as top players in this adjacent DeFi industry. Security vulnerabilities are likely to exist in any technology field, whether emerging or incumbent. The more protective measures that exist alongside these technologies, the easier the path to widespread adoption.
Quick Codefi Hits
CBDCs and Stablecoins
14 May 2020
The State of Staking
19 May 2020
New to the Newsletter and to Codefi? Check out this explainer video about ConsenSys Codefi.
ConsenSys Codefi Feedback: TLDR; we want to get to know you better and it’ll take 3 minutes.
Codefi Data API: With the data API, developers, investors, businesses, and DeFi enthusiasts can now retrieve risk data in an easy-to-integrate format that better supports their projects. Get in touch to start with the API.
DeFi Rate: CodeFi Launches New DeFi Lending Risk-Management Tool: Inspect. Released last month, Codefi Inspect is an open source project dedicated to protocol transparency in DeFi, tracking all public audits, admin key details, oracle dependency and on-chain activity.
Looking forward to Ethereum 2.0? Codefi Activate created an Eth2 calculator to help ETH holders begin determining what kind of rewards they could anticipate from staking on the network. Calculate your potential ETH rewards.
Codefi Asset’s report on using blockchain to empower municipal education systems as they transition to digital learning in the time of COVID-19.
A recent report by ConsenSys Codefi examines the preferences, expectations, and pain points of ETH holders as they look ahead to the launch of Ethereum 2.0 and the opportunity to stake ETH. Read the Eth2 Staking Ecosystem Report.
The Ethereum 2.0 Staking Ecosystem Report
The launch of Ethereum 2.0 (Eth2) in 2020 presents a critical and long-anticipated network milestone. The successful launch of the network will require ETH holders to elect to deposit their ETH as stake on the new Proof of Stake network. To understand the motivations, preferences, and behaviors of ETH holders planning (or not) to stake on Ethereum 2.0, Codefi Activate surveyed ~300 ETH holders. These conclusions were collected into the Ethereum 2.0 Staking Ecosystem Report.
Among all respondents, over 65% plan to stake on Ethereum 2.0. Only 17% were either undecided (14%) or had decided not to stake (~3%). Of the respondents who plan to stake, they are split roughly 50/50 between planning to run their own validator nodes and planning to use a third party staking service. Both segments, however, plan to stake roughly 50% of their owned ETH.
A key incentive for ETH holders to participate in the Ethereum 2.0 network is the potential for block rewards in the form of ETH. When asked what percentage return would justify their participation in Eth2, respondents who plan to run their own validators would require on average 5.8% returns (of staked ETH). Those who plan to use a third-party service, however, would require slightly higher rewards – an average of 7.6%. This 2% discrepancy could come from those who plan to use a third party factoring in an expectation that those services will charge a fee for usage. Interestingly, people who are currently undecided about whether or not to stake would require even higher rewards to convince them to begin staking: 9.4%. With initial Ethereum 2.0 rewards that could range up to 20%, there is considerable potential to capture these undecided ETH holders.
The remainder of the Codefi Activate Ethereum 2.0 Staking Report details the preferences of these ETH holder segments and identifies key takeaways that Eth2 service and client providers should consider when offering products to consumers. Of particular note is the continued need for education around the mechanisms of Ethereum 2.0, its security, and its economic incentives. Fewer than 35% of respondents indicated a ‘sound’ understanding of Ethereum 2.0 economics.
In the interest of promoting education and understanding, ConsenSys has launched the Ethereum 2.0 Knowledge base to continuously provide the most up-to-date Ethereum 2.0 information for both technical and non-technical audiences.
Thanks for sticking through this newsletter. We hope you had the opportunity to tune in this past week to the first virtual Ethereal Summit. If not (or if you just want to watch your favorites again), check out uploaded speeches and panels from across the Ethereum and blockchain ecosystem, including Codefi, on the Ethereal YouTube. In the meantime, follow us on Twitter, learn more on our website, and let us know your thoughts. Whether you’re interested in working with us, for us, or you just want to say hello, please feel free to contact us.
Forwarded this message? Sign up for monthly updates.
Till next time,
The ConsenSys Codefi Team