
Codefi

NEWSLETTER #5: Thoughts on DeFi Security

by Nicole Adarme, May 12, 2020

Hey Friend,

Hoping this email finds you well and adjusted (or adjusting) to our new patterns of behavior. If you tuned into the first virtual Ethereal Summit this past week, you heard a lot about the significance of DeFi on Ethereum and the future of the network with the launch of Ethereum 2.0. So for this month’s newsletter, we thought we’d bring you updates about both.


The Question of Security in DeFi Applications

2020 has proven a critical year for the Ethereum DeFi ecosystem. In addition to celebrating over $1bn USD locked in DeFi and significant platform milestones, the industry has seen frequent minor and major security incidents across both new and established DeFi applications. The bZx and Maker events of February and March have been well covered, so we have instead pulled some data and insight on the recent events on the Uniswap and Lendf.me protocols, specifically the reentrancy issue involving the ERC-777 token standard that allowed hackers to drain $25m worth of crypto on April 18th and 19th.

The imBTC token is an ERC-777 token released by Tokenlon, a DEX running on the 0x protocol. In both the Uniswap and Lendf.me incidents, the hacker(s) exploited a reentrancy vulnerability that arose from the incompatibility between the ERC-777 token standard and the DeFi protocols. Broadly speaking, the reentrancy vulnerability allowed the hacker to essentially re-spend initial deposits of imBTC, effectively providing them with unlimited capital to enact trades or borrows.
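To make the reentrancy pattern described above concrete, here is an added illustrative example (not Uniswap's or Lendf.me's actual code): a minimal lending pool whose supply() reads the user's balance before the token call and writes it back afterwards, beside a hardened version that applies checks-effects-interactions and a reentrancy guard. The IToken interface and both contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical token interface. An ERC-777 token invokes the sender's
// registered tokensToSend hook inside transferFrom, before any balance moves.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Vulnerable ordering: balance read before the external call, written after it.
// A hook that re-enters withdraw() has its withdrawal overwritten by the stale sum.
contract VulnerablePool {
    IToken public immutable token;
    mapping(address => uint256) public supplied;
    constructor(IToken t) { token = t; }
    function supply(uint256 amount) external {
        uint256 updated = supplied[msg.sender] + amount;   // stale read
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // hook runs here
        supplied[msg.sender] = updated;                    // clobbers any reentrant change
    }
    function withdraw(uint256 amount) external {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// Hardened: a mutex rejects reentrant calls, and storage is updated from a fresh read.
contract GuardedPool {
    IToken public immutable token;
    mapping(address => uint256) public supplied;
    bool private locked;
    constructor(IToken t) { token = t; }
    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }
    function supply(uint256 amount) external nonReentrant {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        supplied[msg.sender] += amount;                    // read after the external call
    }
    function withdraw(uint256 amount) external nonReentrant {
        require(supplied[msg.sender] >= amount, "insufficient");
        supplied[msg.sender] -= amount;                    // effects before interaction
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

In VulnerablePool, a hook that calls withdraw() during transferFrom drains tokens while the caller's recorded balance is restored by the stale write; GuardedPool's mutex makes that nested call revert.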

Uniswap:

The attack was made possible because Uniswap V1 does not have measures in place to guard against this type of reentrancy attack when interacting with the ERC-777 standard. In total, the hacker made away with ~$300k USD in imBTC and ETH (~$141k ETH + ~$160k imBTC). 

Interestingly, this attack vector was not unknown to Uniswap or to the crypto community at large. Almost exactly a year before the Uniswap attack, ConsenSys Diligence – the security audit service offered by ConsenSys – identified and published the ERC-777 reentrancy attack vector. Uniswap had plans to address the attack vector, as outlined in their March 23 blog post about the features of Uniswap V2.


[Chart 1]

Lendf.me

The Lendf.me incident exploited the same reentrancy vulnerability, arising from the incomplete compatibility between the lending protocol and the ERC-777 token standard, but with far more extensive success. Nearly 100% of Lendf.me's funds – over $24m USD – were drained during the attack on April 19.

Unlike in the Uniswap event, the stolen funds were not limited to ETH and imBTC. Though the majority of stolen funds were WETH ($10.8m), USDT and HBTC made up an additional $9.7m, followed by at least 16 other tokens. The graphs below show the asset distribution of compromised funds and the monthly token volumes on Lendf.me leading up to the attack on April 19.


[Chart 2]


[Chart 3]

In an unexpected turn of events, the Lendf.me hacker(s) returned the stolen funds to the protocol, reportedly because they accidentally exposed an IP address during the attack. The Sankey diagram below shows the flow of funds after the hack. Funds left the Lendf.me contract (green), went through the handler contract (gray), and to the hacker’s address (black). After the IP was revealed, the hacker transferred the funds back to the Lendf.me admin address, which then transferred the funds to a recovery address (both in purple). The far right of the graph, where the diagram flows out into many individual fund streams, marks the moment when Lendf.me returned funds to individual users.


[Chart 4]

What Does This Mean for DeFi?

Despite these waves of security incidents on DeFi protocols, the industry remains overwhelmingly positive about the opportunities of DeFi and the momentum it is bringing to Ethereum. Objective DeFi statistics support that sentiment. In response to this year's security events and the considerable market pressures beginning in March, locked ETH has decreased from its all-time high in February, but levels have dipped only to December 2019 numbers. These statistics, even in the face of high-profile security incidents, suggest the DeFi ecosystem as a whole has passed some point of 'no return.' Though confidence in individual protocols has suffered, overall commitment to the emerging paradigms of decentralized finance has remained strong.

During these 2020 security incidents, the Ethereum community has focused its attention on ways to prevent and respond to future events. Generally speaking, there is a silver lining in all of these hacks occurring on open technology. Without needing particular permission or access, third-party security auditors and dapp developers have been able to freely analyze the incidents, warn against other weaknesses, and propose fixes for future DeFi applications. These incidents reveal the cooperative ethos of open software and set the stage for a more secure ecosystem. In particular:

DeFi Monitoring Tools: Leveraging the openness of the Ethereum blockchain, a host of DeFi-related monitoring tools are available to the public to more confidently interact with financial applications. Codefi Inspect is an open source tool to aggregate critical security information about DeFi protocols, including public audits, admin key details, oracle dependency, and on-chain activity. Codefi’s DeFi Score is a value of platform risk that can be compared across protocols to better inform users’ decisions when choosing between DeFi applications.

Security Transparency: Dapps are becoming more open about identified security vulnerabilities. Uniswap acknowledged the ERC-777 issue in their March 2020 blog post. A developer from the trading protocol Hegic published an open ‘post-mortem’ about a bug in her code that rendered some funds inaccessible. Exchange protocol Loopring identified a front-end vulnerability, paused the exchange, announced to the community, and worked to fix the issue. This sort of transparency is crucial to building trust among new and existing users and to scaling a more secure network of DeFi protocols.

DeFi Insurance: Blockchain-based insurance has been around for a while, but has been brought sharply into focus these past few months. Nexus Mutual – a blockchain insurance veteran – and more recently Opyn have (re)emerged as top players in this adjacent DeFi industry. Security vulnerabilities are likely to exist in any technology field, whether emerging or incumbent. The more protective measures that exist alongside these technologies, the easier the path to widespread adoption.


Quick Codefi Hits

Upcoming Webinar

CBDCs and Stablecoins

14 May 2020





Upcoming Webinar

The State of Staking

19 May 2020

Announcements


Codefi Spotlight:

The Ethereum 2.0 Staking Ecosystem Report

The launch of Ethereum 2.0 (Eth2) in 2020 presents a critical and long-anticipated network milestone. The successful launch of the network will require ETH holders to elect to deposit their ETH as stake on the new Proof of Stake network. To understand the motivations, preferences, and behaviors of ETH holders planning (or not) to stake on Ethereum 2.0, Codefi Activate surveyed ~300 ETH holders. The conclusions were collected into the Ethereum 2.0 Staking Ecosystem Report.

Among all respondents, over 65% plan to stake on Ethereum 2.0. Only 17% were either undecided (14%) or had decided not to stake (~3%). Respondents who plan to stake are split roughly 50/50 between running their own validator nodes and using a third-party staking service. Both segments, however, plan to stake roughly 50% of the ETH they own.


[Chart 5]

A key incentive for ETH holders to participate in the Ethereum 2.0 network is the potential for block rewards in the form of ETH. When asked what percentage return would justify their participation in Eth2, respondents who plan to run their own validators would require on average 5.8% returns (of staked ETH). Those who plan to use a third-party service, however, would require slightly higher rewards: an average of 7.6%. This 2% discrepancy may reflect third-party users factoring in the expectation that those services will charge a fee. Interestingly, people who are currently undecided about whether to stake would require even higher rewards to convince them to begin staking: 9.4%. With initial Ethereum 2.0 rewards that could range up to 20%, there is considerable potential to capture these undecided ETH holders.

The remainder of the Codefi Activate Ethereum 2.0 Staking Report details the preferences of these ETH holder segments and identifies key takeaways that Eth2 service and client providers should consider when offering products to consumers. Of particular note is the continued need for education around the mechanisms of Ethereum 2.0, its security, and its economic incentives. Fewer than 35% of respondents indicated a 'sound' understanding of Ethereum 2.0 economics.

In the interest of promoting education and understanding, ConsenSys has launched the Ethereum 2.0 Knowledge base to continuously provide the most up-to-date Ethereum 2.0 information for both technical and non-technical audiences.


Final Remarks

Thanks for sticking through this newsletter. We hope you had the opportunity to tune in this past week to the first virtual Ethereal Summit. If not (or if you just want to watch your favorites again), check out uploaded speeches and panels from across the Ethereum and blockchain ecosystem, including Codefi, on the Ethereal YouTube. In the meantime, follow us on Twitter, learn more on our website, and let us know your thoughts. Whether you’re interested in working with us, for us, or you just want to say hello, please feel free to contact us.

Forwarded this message? Sign up for monthly updates.

Till next time, 

The ConsenSys Codefi Team