DeFi is frequently attacked. Is it really “decentralized”?

SlowMist Technology, 2022-1-10 09:37

Unlike traditional financial institutions, which require the involvement of multiple intermediaries such as banks and exchanges, DeFi (decentralized finance) uses blockchain technology to build financial products that differ from the traditional financial system. Data from DeFi Pulse shows that the total value locked in DeFi grew by more than 200%, from $32 billion in January 2021 to $98 billion in December. As a star product of the decentralized world, DeFi opens the door to open finance for users with its decentralized, tamper-proof, trustless, open, transparent and composable features.

But is DeFi really “decentralized”?

Judged by the protocols and contracts themselves, DeFi is decentralized enough. Judged by some of the attacks it has suffered, however, DeFi looks far less decentralized.

On July 14, 2021, the Polkadot-based digital collectibles marketplace Bondly Finance was attacked, and 373,088,023 BONDLY tokens were moved out of the Bondly Staking Rewards contract. According to the investigation, the attackers gained access, through careful planning, to the password manager of Bondly CEO Brandon Smith. The password manager contained the recovery mnemonic for Smith's hardware wallet, which gave the attacker control of the BONDLY smart contract and of the wallet in question.

Interestingly, the same hackers appear to have attacked another DeFi project four months later.

On November 5, 2021, the DeFi protocol bZx announced that the private key controlling its Polygon and BSC deployments had been compromised, resulting in a loss of funds. According to the official investigation, a wallet used by the hackers was also involved in the Bondly Finance attack. The attack methods are also similar to those used against Bondly Finance: the hacker obtains the developer's private key and then takes control of the smart contract. Shortly afterwards, bZx said in a new incident report: “We hired a security company called Kaspersky. After an investigation, the security company decided that the attack was carried out by Lazarus, a North Korean hacker organization.” The SlowMist AML MistTrack tracking system found that the attacker first withdrew 0.9 ETH from Tornado.Cash as gas money and then distributed the stolen funds across multiple addresses. The attacker then exchanged several tokens for ETH and eventually sent 10,960 ETH through Tornado.Cash, essentially completing the laundering of the Ethereum portion of the funds.

DeFi is frequently attacked: is it really “decentralized” enough?

Neither of the two incidents above has anything to do with contract issues: a phishing attack that compromises a developer's private key is enough to put users' funds at risk. Looking back, private key leaks have become all too common. Levyathan lost $1.5 million, 8ight Finance lost $1.75 million, Vulcan Forged lost $140 million… DeFi developers, are you paying attention?

In addition to phishing attacks, front-end attacks also pose a high risk to DeFi security.

According to reports, on December 2, 2021 the decentralized Badger DAO was robbed and users' funds were transferred without authorization. On December 9, Badger published a detailed incident report, which said the attack was caused by a malicious snippet injected through a compromised Cloudflare Workers account. Cloudflare Workers is an interface for running scripts that modify website traffic as it passes through the Cloudflare platform. The attacker obtained an API key for the project from the Cloudflare backend without the knowledge or approval of Badger engineers and used it to inject malicious code into the website's front-end. When a user visited the site, the injected script, at certain moments chosen so that the user would not notice, prompted the user to sign a transaction. Once the user confirmed that malicious transaction, which granted the attacker a token approval, the attacker could transfer the user's tokens without the user's further involvement. Analysis by MistTrack, SlowMist's anti-money-laundering tracking system, found that the hackers swapped part of the stolen assets for renBTC and bridged roughly 2,100 BTC across chains to 14 BTC addresses.
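The approval step is what gives a malicious front-end its leverage: once a wallet has granted a large allowance, the attacker can drain it with transferFrom at any later time. As an added example (not from the SlowMist article), the script below decodes standard ERC-20 Approval event logs and flags unlimited allowances granted to a spender outside a protocol's own contracts; the allowlist and the log entries are constructed sample data.

```python
# Added example: detect the approval pattern a malicious front-end induces.
# keccak256("Approval(address,address,uint256)"), the standard ERC-20 event topic.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UINT256_MAX = 2**256 - 1

# Hypothetical allowlist (constructed): the contracts the protocol really deploys.
TRUSTED_SPENDERS = {"0x" + "11" * 20}

def topic_to_address(topic: str) -> str:
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def decode_approval(log: dict):
    """Return (token, owner, spender, amount), or None if the log is not an Approval."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
        return None
    owner = topic_to_address(topics[1])
    spender = topic_to_address(topics[2])
    amount = int(log["data"], 16)          # non-indexed uint256 lives in data
    return log["address"].lower(), owner, spender, amount

def flag_suspicious_approvals(logs, trusted_spenders=TRUSTED_SPENDERS):
    """Flag approvals that hand an untrusted spender an unlimited-style allowance."""
    findings = []
    for log in logs:
        decoded = decode_approval(log)
        if decoded is None:
            continue
        token, owner, spender, amount = decoded
        if spender in trusted_spenders:
            continue
        # Wallets display 2**256-1 as "unlimited"; some dapps use other huge values.
        if amount == UINT256_MAX or amount >= 2**128:
            findings.append({"token": token, "owner": owner, "spender": spender,
                             "amount": amount,
                             "reason": "unlimited allowance to untrusted spender"})
    return findings

def pad_address(addr_hex40: str) -> str:
    return "0x" + "00" * 12 + addr_hex40

# Constructed sample logs: a bounded approval to the protocol's contract, then an
# unlimited approval by the same owner to an unknown address (the malicious case).
SAMPLE_LOGS = [
    {"address": "0x" + "aa" * 20,
     "topics": [APPROVAL_TOPIC, pad_address("bb" * 20), pad_address("11" * 20)],
     "data": "0x" + format(10**21, "064x")},
    {"address": "0x" + "aa" * 20,
     "topics": [APPROVAL_TOPIC, pad_address("bb" * 20), pad_address("ee" * 20)],
     "data": "0x" + "ff" * 32},
]
```

Running `flag_suspicious_approvals(SAMPLE_LOGS)` reports only the second entry; a monitor can feed it real logs from an RPC node's eth_getLogs filtered on the token contracts a protocol cares about.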

In the DeFi world, once a contract is deployed it cannot be modified or withdrawn. In theory there is no human intervention, which fits the decentralized narrative, but most front-ends are still centralized. Front-end pages are constantly being updated, and they carry many attack surfaces. At the same time, attacks on the front-end are often overlooked by developers, and these oversights give attackers an opening.

On September 17, 2021, Sushiswap's CTO tweeted that the front-end of Sushiswap's IDO platform Miso had been attacked. An anonymous employee of a contractor injected malicious code into the Miso front-end, replacing the recipient wallet address with his own and stealing 864.8 ETH (~$307 million).
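Both front-end incidents above boil down to served code that no longer matches what the project released: an injected inline script in the Badger case, a tampered bundle in the Miso case. As an added example (not from the article or either project), the checker below audits a fetched page and its script assets against a release manifest of content hashes; the HTML, manifest and bundle contents are constructed.

```python
# Added example: compare a served front-end against a release manifest of script hashes.
import hashlib
import re

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.S | re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']([^"\']+)["\']', re.I)

def sha256_hex(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()

def audit_frontend(html: str, fetched_assets: dict, manifest: dict) -> list:
    """manifest = {"inline": {allowed inline-body hashes}, "assets": {src: hash}};
    fetched_assets = {src: content actually served}. Returns (kind, detail) findings."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src_match = SRC_RE.search(attrs)
        if src_match is None:                      # inline script
            if sha256_hex(body.strip()) not in manifest["inline"]:
                findings.append(("unexpected-inline-script", body.strip()[:60]))
            continue
        src = src_match.group(1)
        expected = manifest["assets"].get(src)
        if expected is None:                       # script the release never shipped
            findings.append(("unknown-script-src", src))
        elif sha256_hex(fetched_assets.get(src, "")) != expected:
            findings.append(("asset-hash-mismatch", src))  # bundle was modified
    return findings

# Constructed release: one bundled script, no inline scripts allowed.
GOOD_APP_JS = "window.RECIPIENT='0x" + "11" * 20 + "';"
MANIFEST = {"inline": set(), "assets": {"/static/app.js": sha256_hex(GOOD_APP_JS)}}
CLEAN_HTML = '<html><body><script src="/static/app.js"></script></body></html>'

# Constructed tampered page: an injected inline script plus a bundle whose
# recipient address was swapped, mirroring the two incident types described.
TAMPERED_HTML = CLEAN_HTML.replace("<body>", "<body><script>approveAll(ATTACKER)</script>")
TAMPERED_APP_JS = GOOD_APP_JS.replace("11" * 20, "ee" * 20)

def demo():
    clean = audit_frontend(CLEAN_HTML, {"/static/app.js": GOOD_APP_JS}, MANIFEST)
    tampered = audit_frontend(TAMPERED_HTML, {"/static/app.js": TAMPERED_APP_JS}, MANIFEST)
    return clean, tampered
```

A monitor that fetches the page through the same CDN path users take would have seen a non-empty finding list the moment the Cloudflare-side injection went live, independently of whether the origin server was touched.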

Front-end problems have begun to affect users' financial security. As a user, you need to think carefully about how to stay safe in DeFi projects. It is like walking on thin ice.

Conclusion

The question of whether “DeFi is sufficiently decentralized” still remains. Decentralization is not only DeFi's biggest selling point but also the ultimate goal of the DeFi world. As a user, auditor, or developer, after facing so many DeFi security incidents, are you still focusing only on smart contracts? The answer speaks for itself.
