DeFi looted by hackers: three projects hit in one month, one of them for 6.59 million US dollars
Yiben Blockchain
2020-04-24 04:08
This article is about 3,275 characters long and takes about 13 minutes to read.
Where is the future of DeFi, which is plagued by security risks?

Text | Bisa Linger

Recently, three DeFi projects encountered hackers one after another, and their assets were stolen, which shocked the industry.

Just one of the platforms lost $6.59 million.

And this is not an isolated phenomenon. In February and March 2020 alone, there were six security incidents in the DeFi field, causing losses of more than 1.5 million US dollars.

As a result, DeFi has been pushed into the spotlight. Some users joke that DeFi, with its frequent thefts, has become a cash machine for hackers.

Stolen

On April 21, the DeFi platform PegNet suffered a 51% attack.

PegNet is a decentralized trading platform where users can trade 42 different assets.

On the same day, PegNet's core developer stated online that four miners controlling 70% of the network's computing power had artificially inflated the price of its yen-pegged stablecoin, turning an $11 wallet into a $6.7 million one.

As a result, the hacker made a profit of 6.59 million US dollars.

Fortunately, the funds of other users of the platform were not lost.

This is already the third security incident in the DeFi field recently.

On the morning of April 19, the DeFi project Lendf.Me was hacked at block height 9899681, and assets worth nearly $25 million were swept away.

On-chain data shows that the hacker moved multiple assets in a snowballing series of transactions, each doubling the amount of the previous one.

[Image: DeFi Pulse data shows that Lendf.Me's locked assets fell to $6]

At the same time, investors found that fund utilization on Lendf.Me had reached as high as 99%, and for imBTC even 100%. Borrowing rates for almost all lendable assets remained high.

The Lendf.Me site was quickly taken down, and the development team posted a warning in red on the interface telling users not to deposit to the contract address.

Then, just when everyone thought the loss was irreversible, events took a turn.

At around 10:00 p.m. on April 19, the hackers began returning assets to Lendf.Me one after another, attaching the message "Better future", which read like a warning to the platform.

On the afternoon of April 21, the Beijing Chainsmap monitoring system found that the hackers had returned almost all of the stolen tokens to the platform, including 57,992 ETH, 425.61 MKR, 137,000 DAI, 500,000 USDT and 252.34 imBTC.

All assets stolen from Lendf.Me in this incident have been recovered.

Why did the hacker return all the assets?

On April 22, dForce announced the details of the incident, and the reason became apparent:

The security team had obtained breakthrough leads from the traces the hackers left behind and from resources provided by parties at home and abroad. The hackers may have returned the assets under pressure from several parties, including the police.

The day before the Lendf.Me theft, Uniswap, a DeFi exchange on Ethereum, was also hacked.

The attack method in this theft was exactly the same as in the Lendf.Me incident: a reentrancy attack, in which a contract calls out to an external contract before updating its own state, letting the callee call back in and repeat the operation.
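As an added illustration of the bug class named here (a constructed Python model, not code from Lendf.Me, Uniswap, this article or any real token; the class and hook names are invented), the following ledger pays out through a recipient hook, the way some token standards notify a receiver of a transfer. The vulnerable ordering updates the account's credit only after the call-out, while the checks-effects-interactions ordering updates it before, which is the standard mitigation.

```python
# Constructed model of the reentrancy bug class named in the article; not the
# code of Lendf.Me, Uniswap or any real token, and all names are invented.

class Ledger:
    """Credit ledger that pays out via a recipient hook (token-notify style)."""

    def __init__(self, reserve, safe_ordering):
        self.reserve = reserve            # tokens the contract really holds
        self.balances = {}                # per-account credit
        self.safe_ordering = safe_ordering

    def deposit(self, name, amount):
        self.reserve += amount
        self.balances[name] = self.balances.get(name, 0) + amount

    def withdraw(self, account):
        amount = self.balances.get(account.name, 0)
        if amount <= 0 or amount > self.reserve:
            return
        if self.safe_ordering:
            # Checks-effects-interactions: zero the credit first; a re-entry finds nothing.
            self.balances[account.name] = 0
            self.reserve -= amount
            account.on_tokens_received(self, amount)
        else:
            # Vulnerable: the call-out runs while credit still stands, so re-entry passes the check.
            self.reserve -= amount
            account.on_tokens_received(self, amount)
            self.balances[account.name] = 0

class ReentrantAccount:
    """Recipient whose hook re-enters withdraw while a payout is in progress."""

    def __init__(self, name):
        self.name = name
        self.received = 0

    def on_tokens_received(self, ledger, amount):
        self.received += amount
        ledger.withdraw(self)  # re-enters; a no-op once the credit is zeroed

def drained(safe_ordering, own_deposit=10, others_reserve=100):
    # Total paid to one re-entering account that deposited own_deposit into a
    # pool already holding others_reserve on behalf of other users.
    ledger = Ledger(others_reserve, safe_ordering)
    account = ReentrantAccount("reentrant")
    ledger.deposit(account.name, own_deposit)
    ledger.withdraw(account)
    return account.received
```

With the vulnerable ordering, `drained(False)` pays out the whole pool, other users' deposits included; with the fixed ordering, `drained(True)` pays out only the caller's own deposit. A reentrancy guard (a mutex set for the duration of the call) enforces the same property when reordering is impractical.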

Both Lendf.Me and Uniswap are household names in the DeFi world, and they may have been targeted precisely because of that prominence: tall trees catch the wind.

Lendf.Me is a decentralized lending protocol developed by dForce. It launched in September last year and, a little over half a year later, became the largest fiat-backed stablecoin lending protocol.

Four days before the theft, it had just closed a strategic investment of US$1.5 million from Multicoin Capital, Huobi Capital and CMB International.

[Image: DeFi locked-assets ranking. Source: DeFi Pulse official website]

A cash machine for hackers

This is not the first time DeFi has faced a cluster of security incidents.

From February to March 2020, there were six security incidents in the DeFi field, four in February and two in March, with total losses of more than 1.5 million US dollars.

Because of the frequent incidents, investors have begun calling DeFi projects "hacker cash machines".

What was once hailed as a "cure" for the ills of traditional finance has, in the words of its victims, gradually become a "poison".

What makes DeFi so vulnerable to hackers?

"In the process of creating and developing a complex system, security incidents are inevitable," Lei Yu, co-founder of The Force Protocol and ForTube, told Yiben Blockchain.

He believes security incidents in DeFi have many causes, including development teams' lack of accumulated technical experience and the localized amplification of risk caused by the composability of DeFi applications.

Hao Tian, brand director of the blockchain security company PeckShield, holds a similar view.

"DeFi products are highly composable, which enables liquidity and asset sharing between different DeFi products, but product combinations may have some 0day (zero-day) loopholes due to differences in business logic," Hao Tian told Yiben Blockchain.

The term "zero-day" first appeared in a military context: a crisis caused by something capable of destroying the world on a large scale was called a zero-day crisis, and the first day of rebuilding a new civilization after such destruction was "day zero".

Since then, in hacker culture, large-scale, fatal, highly threatening vulnerabilities capable of causing huge damage have also been called zero-day vulnerabilities.

Hao Tian believes that there are two other reasons for the frequent occurrence of security incidents in the DeFi field.

First, DeFi protocols currently focus mainly on asset custody, lending and wealth-management services. They hold large amounts of user assets and are all open source, which makes them attractive to hackers.

Second, many developers have underestimated the risk of vulnerabilities: the current mainstream DeFi protocols are all built on Ethereum, and the various vulnerabilities that have appeared on Ethereum in the past may reappear in DeFi.

In addition to these security risks, there are also fake DeFi projects on the market.

Take the Ai Nuomi community as an example.

"The Ai Nuomi community attracts users with the slogan of DeFi, but its main business is digital currency wealth management: it takes users' assets to other exchanges for wealth management, and then pays users interest," Zhang Peng, a cryptocurrency investor, told Yiben Blockchain.

[Image: Ai Nuomi community app interface]

In February of this year, FCoin collapsed, and the true face of Ai Nuomi's fake DeFi was revealed: part of Ai Nuomi's funds had been used for mining on FCoin, and after FCoin's collapse those funds could not be withdrawn.

What is the future?

DeFi is also known as "open finance", and practitioners liken it to the parallel world of traditional finance.

It was once considered the second breakthrough in the history of blockchain development after Bitcoin.

"The goal of DeFi is to build a transparent financial system." Lu Zhiqiang, a practitioner in the blockchain industry, told Yiben Blockchain.

This system is open to everyone and permissionless, and it meets financial needs without relying on third-party institutions. Traditional finance can also be integrated with DeFi so that the two complement each other.

[Image: DeFi industry map]

Data from the blockchain data platform DAppTotal shows that the DeFi lending market grew rapidly in 2019: the amount of ETH locked in the industry's leading project, MakerDAO, increased by 25.66%, and the locked assets of another lending platform, Compound, quadrupled within a year.

DAI has become the king of circulation in the DeFi lending market, and USDC the fastest-growing of the emerging stablecoins.

DeFi looks to be Ethereum's killer app.

The major public chains are also eager to join in. Polkadot and Cosmos began building their own DeFi ecosystems in 2019, and the Chinese public chain Conflux has also announced that it will build one.

But things are not that simple, and today many people's confidence has been shaken.

The day after the Lendf.Me theft, HelloEOS founder Zi Cen wrote that DeFi "is not capable of proving that it is not a poison."

Xu Yingkai, founding partner of BlockVC, said that DeFi is one of the three blockchain application scams that have already been "blown up".

This year's "March 12" crash dealt DeFi heavy losses. Coupled with the frequent thefts from DeFi projects, many people began to realize that DeFi is not as safe as they had imagined.

"The DeFi field will go the same way as last year's DApp field and become the hardest-hit area for hackers," Hao Tian said, adding that DeFi developers should not take the threat lightly.

Even so, many practitioners remain hopeful about the future of DeFi.

The watchful eyes of hackers put pressure on DeFi, but they will also push it to build solid security defenses.

"From another perspective, hacker attacks are also an opportunity to promote the healthier and safer development of the entire industry." Lei Yu said.

DeFi is like a newborn baby, and no one knows what its future will look like.

Will it create a whole new financial world?

Or is it a leveraged scam?

* Some interviewees in this article are pseudonyms.
