In the ever-evolving world of Web3, the significance of security cannot be overstated. Despite bear market conditions, the alarming surge in DeFi hacks and scams has raised concerns. Countless victims have sought assistance after losing their hard-earned money, underscoring the gravity of the issue and the critical need for preventive measures.
Our blockchain platform was established in 2021 with support from prominent investors and customers. It offers various products, including Phalcon Explorer, which is widely used by security researchers to analyze transactions. Additionally, the platform provides the MetaDock and MetaSleuth, which are available free of charge to the community.
The importance of security in Web3 is evident, as even during the bear market conditions, the rise in DeFi hacks and scams is concerning. The increasing number of victims reaching out for help after losing their money demonstrates the seriousness of the issue and the need for assistance to prevent bankruptcy caused by such attacks.
DeFi hacks are common today due to several reasons.
- Firstly, attackers have economic incentives to perform these hacks, as they can gain substantial profits from such actions.
- Secondly, the lack of enough qualified developers contributes to the vulnerabilities in the protocols. Many developers focus on functionalities rather than security and lack adequate training in blockchain security.
- Additionally, universities have limited courses on blockchain security, leading to a shortage of qualified experts in the community.
- Lastly, some hacks are initiated by organized hacking groups or Countrywide organizations. These groups are highly covert and persistent, specifically targeting financial institutions, military organizations, and cryptocurrency exchanges to seek huge profits. Their advanced attack methods and abundant resources pose an even greater threat to DeFi projects.
When discussing protocol security, many people think of code audits as the primary solution for DeFi protocols. However, code audits alone are not sufficient due to their high cost and time-consuming nature. Qualified auditing services are expensive, and the process can take several months, making it impractical for some protocols with time constraints.
Moreover, there is a scarcity of qualified auditors in the space, leading to a lack of available expertise. Consequently, some protocols are forced to go live without comprehensive security measures, which may result in unaddressed vulnerabilities and potential threats.
In order to ensure the security of DeFi protocols, a proactive approach is crucial. This means that protocols cannot simply be deployed and left unattended. They need to actively monitor the ongoing activities within the protocol and be prepared to respond automatically to any potential attacks.
The importance of this proactive approach is heightened in Web3 compared to Web2, for the following reasons.
- First, Web3 introduces more attack vectors and the openness of blockchain makes it easier for both good and bad users to access and analyze the source code of smart contracts.
- Second, exploiting vulnerabilities becomes lucrative for attackers, especially due to the anonymous nature of blockchain transactions, which makes tracking their activities challenging.
- Third, the availability of flash loans allows attackers to amplify their financial capabilities, unlike in Web2 where launching attacks required significant capital.
- Last but not least, certain private transaction services can be abused to conceal malicious transactions.
Consequently, the unique properties of Web3 make it easier for harmful attacks on protocols and users to happen, while simultaneously making it harder to trace and identify the attackers.
We have developed a prototype system called Phalcon Block in the blockchain industry. Since February 2022, we have been actively exploring ways to overcome certain challenges associated with DeFi hacks, going beyond code audits.
Phalcon Block empowers us to closely monitor transactions in the blockchain. By monitoring these transactions and automatically responding to them, we can reconstruct the underlying technology by replaying the attack transactions and replicating the essential logic of the attack contract.
This process allows us to synthesize a new rescue smart contract. We can then send rescue transactions to ensure that our transactions are faster and placed on the blockchain ahead of the attack transactions. By leveraging this approach, we have the potential to completely block the attack transactions by acting faster and gaining a leading position within the blockchain.
The key aspect of this mechanism or system is how it automatically reconstructs attack transactions and "attack" contracts. The fundamental idea is to consider what is most important in attack transactions and attack smart contracts—the critical elements being the attack logic within the smart contract.
Though the basic idea is simple, it is not as straightforward in practice. We face a series of technical challenges. The most significant point is how to handle the reuse of basic blocks within smart contracts. Compilers often utilize block reuse to generate smaller code, which is a common practice in code size reduction. Throughout this process, we were inspired by the concept of binary code rewriting, a technique that has been used and developed for over two centuries, if not longer. Therefore, we leverage this idea and apply it to the technique of bytecode rewriting.
By leveraging our system, we have successfully prevented multiple protocol attack transactions and recovered substantial liquidity losses. For instance, we managed to recoup $5 million in losses for ParaSpace this year and we recovered $3.8 million for Saddle Finance last year. In the following discussion, we will highlight representative cases to illustrate how we prevented these transactions.
Let's consider ParaSpace as an example. It encountered an attack in March this year, but the attackers made critical errors. They failed to allocate sufficient gas, resulting in the transaction being reverted. We monitored and identified this transaction on the blockchain. We then automatically synthesized a similar rescue contract. After executing our rescue contract on the blockchain, BlockSec successfully recovered the $5 million loss for ParaSpace.
Another case is Platypus, which faced an attack in February this year. Exploiting a vulnerability in the smart contract, the attackers found an entry point to exploit the Platypus DeFi protocol. However, they overlooked setting up the logic to withdraw funds from the compromised contract. Consequently, the hackers encountered a challenge: how to extract the remaining $2.4 million from the compromised contract?
In this scenario, BlockSec possesses an internal system that automatically disassembles the attack contract. Through heuristic methods, we conducted a comprehensive analysis of the attack smart contract, uncovering intriguing features.
First, we found that the flash loan callback in this contract was exposed. Second, the Platypus pool contract had been granted approval for USDC. The pool contract can be upgraded to utilize the approval from the attacked contract to withdraw the remaining USDC. By sharing this idea and PoC with the protocol, we helped them successfully retrieve $2.4 million from the attack contract.
Another case involves Transit Swap, which was targeted by an MEV bot. We discovered that the MEV bot's address was generated by a flawed tool called Profanity. Exploiting the vulnerability in this tool, we calculated the private key of the MEV bot and retrieved the funds to reimburse the protocol.
We think to improve the efficiency of this system requires careful thought and strategic actions.
- Firstly, a rapid and proactive response is essential. It is crucial to gather information and take immediate steps when situations arise.
- Secondly, maintaining accuracy is crucial. We must avoid generating excessive false alerts. As we discussed previously, if your monitoring tool generates too many alerts, it significantly impacts the usability of the product. Therefore, we should strive for a systematic approach rather than focusing on tracking attackers.
BlockSec possesses a range of tools for contract analysis and disassembly, employing heuristic methods to conduct meticulous bytecode analysis. All these measures are aimed at constructing a comprehensive system and delivering an effective product.
In the dynamic realm of Web3, security is of utmost importance. With the rise of DeFi hacks, it is imperative to adopt a proactive approach and leverage innovative systems like Phalcon Block to protect protocols and users. By continually pushing the boundaries of security measures, we strive to enhance the safety and integrity of Web3, paving the way for a secure and prosperous decentralized future.