What's behind the surge in smart contract breaches?
Unfortunately, the past year's statistics reveal that over $4.2 billion in crypto has been stolen from smart contracts, DeFi protocols, and cross-chain bridges. Why does this keep happening?
Smart contracts are a crucial component of the DeFi sector, underpinning a wide array of dApps, DEXs, and protocols. Many dApps rush to market without an audit, leaving them exposed to code-level exploits and other weaknesses. Attackers take advantage of such vulnerabilities, and customer assets are lost. Simply put, if a smart contract is susceptible to attack, so too is the dApp or protocol that relies on it.
Origins of the problem
Smart contracts, like any software, are written by humans, so the human factor plays a key role and carries substantial risk. No matter the developer's expertise and experience, the chance of a bug or vulnerability slipping into the code is ever-present, and smart contracts are therefore not immune to breaches. If an attacker finds a loophole in the contract code, they can siphon off all the crypto assets it holds and then route the funds through intermediaries to obscure the trail, making recovery unlikely.
Developers of decentralized applications (dApps) and protocols are just as prone to errors as those who write the underlying smart contracts. Regrettably, a large share of software in the DeFi sector is built by copying open-source code or reusing existing templates that should be carefully adapted to each project. In practice this adaptation is often skipped, which substantially increases the risk of a breach.
Many DeFi projects commission their development work to external firms, whose programmers may intentionally leave vulnerabilities or even backdoors in the code. These could then be exploited down the line, perhaps at the behest of upper management, or, for instance, after leaving the firm.
Even writing code in-house, using salaried developers, doesn't necessarily provide a safety net, as the scenarios mentioned above can still occur. The creators of a project, particularly those planning to pull an exit scam, might exploit these vulnerabilities in the code to misappropriate customer assets, placing the blame on so-called 'external hackers' who allegedly breached the smart contract or protocol. In such instances, uncovering the truth, as well as the missing funds, may prove challenging.
In conclusion, launching or deploying a smart contract without undergoing an audit, disregarding code security checks, declining penetration testing, or working with unverified development companies or freelance programmers can eventually lead to a catastrophe.
What DeFi service teams can do
Before diving headlong into full-scale operations, it's wise to adopt some preventive measures:
- Organize and undergo a thorough audit of the smart contracts. CertiK and ConsenSys Diligence are among the more recognized auditing firms. Every country also has its own local companies, whose reputation and track record should be carefully vetted before engaging them.
- Carry out penetration tests in both staging and production environments.
- Run load tests so the service stays available under a sudden surge of users.
- Perform audits of the cloud environments.
- Ideally, consider a second audit from a different company—having two sets of eyes is always better than one.
How users can vet DeFi services
Before entrusting their assets to a decentralized service, users should verify the following:
- The project team. If some members have been previously involved in dubious dealings, it's obvious that risking funds is not advisable.
- The duration of the service in the market. Generally, longer-standing projects are considered more reliable. Projects that have been operational for less than a year often carry a higher risk.
- The existence of an audit report. It is essential to check if the project has undergone an audit conducted by reputable companies. Having audit reports from two separate entities adds further credibility to the project.
And always bear in mind the golden investment rule: invest only what you can afford to lose.