This series of articles, excerpted from the "Latest Escape Strategy"co-curated by OKX Web3 and BlockSec, addresses the security concerns faced by DeFi users and DeFi project teams.
Q1:Could you share several real-life DeFi risk cases encountered by the whales?
BlockSec Security Team : DeFi's allure lies in its stable, high asset returns, drawing in significant players and prompting projects to boost liquidity by courting large whales. We frequently witness whales making substantial DeFi deposits, as reported in the news. However, these 'whales', while enjoying steady returns, navigate inherent risks. Keep an eye out as we explore the publicly documented scenarios of DeFi risks in depth.
Case One:The 2022 PolyNetwork Incident and Discus Fish's Million-Dollar Challenge
In the 2022 PolyNetwork security incident, over 600 million U.S. dollars worth of assets were attacked. It was rumored that "Discus Fish" (Co-founder and CEO of Cobo) also had 100 million U.S. dollars involved. Although the attacker eventually returned the funds and the incident was resolved satisfactorily, and "Discus Fish" announced plans to establish a monument on the blockchain to commemorate this, the process must have been quite tormenting. While some security incidents end well, the majority do not fare as well.
Case Two:SushiSwap Shock -- 0x Sifu's Catastrophic Loss of $3.3 Million in the 2023 Attack
The well-known decentralized exchange (DEX) SushiSwap was attacked in 2023, resulting in the significant loss for a major holder known as 0x Sifu, who lost over $ 3.3 million. His individual loss accounted for approximately 90% of the total amount lost.
Case Three:Prisma Breach -- 80% Loss from Four Wallets, 4M Unrecovered
In the Prisma security incident in March of this year, the total loss amounted to 14 million U.S. dollars. These losses originated from 17 wallet addresses, with an average loss of 820,000 U.S. dollars per wallet. However, the losses incurred by four users accounted for 80% of the total. Most of the stolen assets have not yet been recovered.
Ultimately, DeFi, especially on the mainnet, has non-negligible gas fees, making profitability contingent on substantial asset investments, excluding airdrop incentives. Therefore, the main Total Value Locked (TVL) in DeFi projects is generally contributed by 'whales', and in some projects, 2% of the whales contribute to 80% of the TVL. When security incidents occur, these whales inevitably bear the brunt of the losses. 'One cannot only see the whales feasting; they too have their moments of being hit.'
OKX Web3 Wallet Security Team: With the prosperity of the on-chain world, the DeFi risk cases encountered by users are also increasing, and on-chain security is always the most basic and important need of users.
Case One:PlayDapp Breach -- $32M PLA Tokens Stolen via Key Leak
PlayDapp Private Key Breach: Between February 9th and 12th, 2024, the Ethereum-based gaming platform PlayDapp suffered a breach, with the attacker exploiting leaked private keys. The attacker unauthorizedly minted and stole 1.79 billion PLA tokens, resulting in a loss of approximately 32.35 million U.S. dollars. The attacker added a new minting operator in the PLA tokens, minted a large amount of PLA, and dispersed it across multiple on-chain addresses and exchanges.
Case Two:Hedgey Finance Hack -- $44.7M Lost to Contract Flaw Exploitation
Hedgey Finance Attack Incident. On April 19th, 2024, Hedgey Finance suffered a significant security vulnerability on Ethereum and Arbitrum, resulting in losses of approximately 44.7 million U.S. dollars. The attacker exploited a flaw in the contract that lacked user input verification, gaining authorization to the vulnerable contract and thereby stealing assets from it.
Q2: Is it possible to summarize the main types of risks present in the current DeFi ?
OKX Web3 Wallet Security Team: Drawing from actual incidents, we've identified the four common types of risks in the current DeFi field.
The first type: Phishing Attacks.
Phishing attacks are a common type of cyber attack, which deceive victims into providing sensitive information, such as private keys, passwords, or other personal data, by disguising themselves as legitimate entities or individuals. In the DeFi field, phishing attacks are usually carried out in the following ways:
· Fake Websites: Attackers create phishing websites similar to real DeFi projects, tricking users into signing authorizations or transferring transactions.
· Social Engineering Attacks: On Twitter, attackers use high-imitation accounts or hijack project parties' Twitter or Discord accounts to post false promotional activities or airdrop information (which are actually phishing links), to carry out phishing attacks on users.
· Malicious Smart Contracts: Attackers release seemingly attractive smart contracts or DeFi projects, tricking users into authorizing access rights, thereby stealing funds.
The second type: Rugpull.
Rugpull is a unique scam in the DeFi field, referring to the situation where project developers suddenly withdraw funds and disappear after attracting a large amount of investment, causing investors' funds to be completely rolled away. Rugpull usually occurs in decentralized exchanges (DEX) and liquidity mining projects. The main manifestations include:
Liquidity Withdrawal: Developers provide a large amount of liquidity in the liquidity pool to attract user investment, and then suddenly withdraw all liquidity, causing the token price to plummet and investors to suffer heavy losses.
· Fake Projects: Developers create a DeFi project that appears to be legal, deceiving users to invest with false promises and high returns, but in fact, there are no actual products or services.
· Contract Permission Manipulation: Developers use backdoors or permissions in smart contracts to change the rules of the contract or withdraw funds at any time.
The third type: Smart Contract Vulnerabilities.
Smart contracts are self-executing codes that run on the blockchain and are immutable once deployed. If there are vulnerabilities in smart contracts, they can lead to serious security issues. Common smart contract vulnerabilities include:
· Reentrancy Vulnerabilities: Attackers repeatedly call the vulnerable contract before the previous call is completed, causing issues with the contract's internal state.
· Logical Errors: Logical mistakes in the design or implementation of the contract, leading to unexpected behavior or vulnerabilities.
· Integer Overflows: Contracts do not correctly handle integer operations, leading to overflows or underflows.
· Price Manipulation: Attackers manipulate the prices from oracles to carry out attacks.
· Precision Loss: Calculation errors due to issues with the precision of floating-point or integer numbers.
· Input Validation Oversight: Insufficient verification of user input, leading to potential security issues.
The fourth type: Governance Risks.
Governance risks relate to the core decision-making and control mechanisms of a project. If maliciously exploited, they could cause the project to deviate from its intended goals, and even lead to severe economic losses and trust crises. Common types of risks include:
· Private Key Leakage
- Some DeFi project's privileged accounts are controlled by EOA (Externally Owned Accounts) or multi-signature wallets. If these private keys are leaked or stolen, attackers can manipulate contracts or funds at will.
· Governance Attacks
-
Although some DeFi projects adopt decentralized governance schemes, they still face the following risks:
-
Token Manipulation: Attackers manipulate voting results by borrowing a large number of governance tokens over a short period.
-
Power Consolidation: If governance tokens are highly concentrated in the hands of a few, these individuals can control the entire project's decision-making by concentrating voting power.