Blockchain projects position themselves as more secure than centralized structures, but that holds only from one perspective. With them you indeed do not depend on a single company and do not have to trust it with your funds or transactions. However, the human factor plays a significant role: smart contracts are written by people, and people tend to make mistakes.
That is why, before launch, any blockchain project must be audited by professionals who check every aspect of its operation against a well-elaborated checklist and find potential vulnerabilities.
The most famous hacks of crypto projects
In 2020 alone, DeFi projects were hacked a huge number of times, and the uproar around each event was directly proportional to how much money was stolen. Here are just a few examples that caused the biggest stir (and, admittedly, significantly undermined the projects' reputations).
The amount stolen from the DForce DeFi protocol, at the exchange rate at the time of the event, was $25,000,000. The hacker exploited a vulnerability in the imBTC token, which works on the ERC-777 standard, together with a critical error in the smart contracts of Lendf.me, the platform responsible for updating clients' balances. The attacker was caught and forced to return the money, because he accidentally revealed his identifying data.
Harvest Finance Hacking
The hacker withdrew $19,800,000 from the Harvest Finance platform in just seven minutes, and the reason was, according to the developers, an engineering error. A little later, the attacker returned a small part of the money. The developers distributed it among the platform's users and also offered a rather large reward to anyone who would help return the rest.
Pickle Finance Hacking
The decentralized project Pickle Finance lost over $19,000,000 as a result of a hacker attack. The project's token price immediately collapsed and, with Pickle unable to regain its reputation, its merger with yearn.Finance was announced.
One of the key projects in the DeFi sphere was also hacked, as a result of which it lost over $8,000,000. Consequently, many investors joined together and filed a class-action lawsuit against the Maker Foundation. The MKR token owners rejected the proposal to compensate the collateral holders for the damage.
From this DeFi project, $6,000,000 in USDC and DAI stablecoins was stolen. The attacker later compensated some of the users for their losses, but not all of them. In particular, he returned 50,000 DAI to a nurse who claimed that her last savings were missing. The hacker's loophole was instant (flash) loans, and according to financial experts, this vulnerability may still exist in many projects.
The most common mistakes in smart contracts
Comment from the audit company Telecr.in:
Most often, we encounter problems in our work, such as incorrectly written code, technical errors that slow down the work, and various logical flaws.
Below is a list of well-known attacks that you need to know about and take into account when writing smart contracts:
● Reentrancy on a single function: the function is entered again before its first call has completed. The best way to prevent this attack is to make sure that the function cannot be called again until it has done all the work that was required of it.
● Cross-function reentrancy. A similar attack, but using two different functions that share the same state.
● Front-running. Since all transactions are visible in the mempool for some time before they are executed, observers can see an action and react to it before it is included in a block.
● Integer overflow or underflow. Only the administrator should have access to changing the variable's state.
There are many other vulnerabilities. Some of them are easy to eliminate, others are more difficult. However, the most essential thing is to detect problems in time, before launching a blockchain project; otherwise, you may face the same unpleasant situation as in the hacks described in the previous section.