The decentralized financial sector is growing at an alarming rate . Three years ago ,DeFi The total value of locking is only 8 Billion dollars . To 2021 year 2 month , This figure has increased to 400 Billion dollars ;2021 year 4 month , It achieved 800 Billion dollar milestone ; Now? , Its value has exceeded 1400 Billion dollars . Such rapid growth in a new market , It will certainly attract the attention of all kinds of hackers and fraudsters .

According to a report by cryptocurrency research , since 2019 Since then ,DeFi The domain lost about... Due to hackers and other vulnerability attacks 2.849 Billion dollars . From a hacker's point of view , Hacking the blockchain ecosystem is an ideal way to get rich . Because this system is anonymous , They have money to make , And any hacker can test and adjust without the victim's knowledge . stay 2021 The first four months of the year , The loss reached 2.4 Billion dollars . And these are only publicly known cases . We estimate that the real losses are in the billions of dollars .

DeFi How the agreed money was stolen ? We analyzed dozens of hacker attacks , Identified the most common problems leading to hacker attacks .

Abuse of third-party agreements and business logic errors

Any attack mainly starts with the analysis of the victim . Blockchain technology provides many opportunities for automatically adjusting and simulating hacker attack scenarios . In order to make the attack fast and hidden , Attackers must have the necessary programming skills and knowledge of how smart contracts work . The typical toolkit for hackers allows them to download a complete copy of their blockchain from the main version of the network , Then make a comprehensive adjustment to the attack process , It's as if the transaction took place in a real network .

Next , Attackers need to study the business model of the project and the external services used . The mathematical model of business logic and the errors of third-party services are the two problems most often exploited by hackers .

Developers of smart contracts often need more relevant data when trading than they may have at any particular time . therefore , They are forced to use external services —— for example , Predicting machine . These services are not designed to operate in a de trusted environment , So their use means additional risks . According to a statistic ( since 2020 Since the summer of 2000 ), A given type of risk accounts for the smallest proportion of loss —— Only 10 A hacker attack , The total loss caused is about 5000 Thousands of dollars .

Coding errors

The smart contract is in IT Domain is a relatively new concept . Although they are simple , But the programming language of smart contract needs a completely different development paradigm . Developers often don't have the necessary coding skills at all , And make serious mistakes , Cause huge losses to users . 

Security audit can only eliminate part of such risks , Because most audit companies in the market do not take any responsibility for the quality of their work , Only interested in Finance . Because of a coding error , exceed 100 A project was hacked , The total loss caused is about 5 Billion dollars . A striking example is what happened in 2020 year 4 month 19 Japanese dForce Hackers . Hackers use ERC-777 A flaw in the token standard , Combined with reentry attack , It's stolen 2500 Thousands of dollars .

Flash loan 、 Price manipulation and miners' attacks

The information provided to the smart contract is only relevant when executing the transaction . By default , Contracts are not immune to potential external manipulation of the information contained in them . This makes a series of attacks possible .

Flash loan is a kind of loan without collateral , But you need to return the borrowed cryptocurrency in the same transaction . If the borrower fails to repay the funds , The transaction will be cancelled . Such loans allow borrowers to receive large amounts of cryptocurrency and use it for their own purposes . Usually , The flash loan attack involves price manipulation . Attackers can first sell a large number of borrowed tokens in the transaction , So as to reduce its price , Then before buying back the token , Execute a series of actions with very low value .

The miner attack is similar to the lightning loan attack on the blockchain based on the workload proof consensus algorithm . This type of attack is more complex and expensive , But it can bypass some of the protective layers of lightning loans . It works like this . Attackers rent mining capacity , Form a block that contains only the transactions they need . Within a given block , They can borrow tokens first , Price fixing , Then return the borrowed token . Since the attacker independently forms a transaction into the block , And their order , The attack is actually atomic ( Other transactions cannot be “ The embedded ” To attack ), Like the flash loan . This type of attack has been used to attack 100 Multiple projects , The total loss is about 10 Billion dollars .

as time goes on , The average number of hackers has been increasing . stay 2020 Beginning of the year , The amount of a theft is as high as hundreds of thousands of dollars . By the end of this year , This figure has risen to tens of millions of dollars .

Developers are incompetent

The most dangerous type of risk involves human error factors . People turn to... For quick money DeFi. Many developers are poorly qualified , But still trying to launch the project in a hurry . Smart contracts are open source , Therefore, it is easy to be copied and changed by hackers . If the original project contains the first three types of vulnerabilities , Then they will spread to hundreds of cloning projects .RFI SafeMoon It's a good example , Because it contains a key vulnerability , Copied to 100 items , Lead to potential losses exceeding 20 Billion dollars .