DeFi Company Hack shows what decentralized finance should and shouldn’t be

May 4, 2020

Decentralized finance, or DeFi for short, became a buzzword in 2019 thanks to MakerDAO and Compound, after both companies raised substantial rounds from Andreessen Horowitz, Silicon Valley’s elite venture capital firm.

2020 has been a difficult year for the DeFi sector and for crypto more broadly. Over the weekend, dForce’s ecosystem protocol lost 99.95% of its funds to a hack. Just a few days later, the hacker exposed information about his own identity, which resulted in most of the stolen money being returned. This news comes after the big stress test DeFi underwent on March 12, when the price of ether (ETH) fell sharply, systems came under strain, and some failed. The big loser that day was MakerDAO, whose architectural and infrastructure weaknesses were exposed by congestion on the Ethereum network.

The most important decentralized finance platform, MakerDAO, accumulated a debt that had to be covered with money from its venture capital backers. A month later, DAI’s peg to the dollar ran into stability problems, and the Maker Foundation was hit with a $28.3 million class action lawsuit for negligence in the Northern District of California. Users want their money back.

On April 18, $25 million in ether and bitcoin (BTC) was stolen from users of the Lendf.Me lending protocol, part of the dForce Foundation’s ecosystem. Surprisingly, the team was able to recover almost all of the money from the attacker, who had exploited a reentrancy bug in the protocol. After making off with $25 million, the hacker returned $24 million and kept $1 million… You know, maybe for gas fees and these tough times of COVID-19.

Ironically, the hacker did not return the same mix of assets that was stolen. Instead, the $24 million came back in a different combination of cryptocurrency tokens. This happened immediately after news that the dForce Foundation had closed a $1.5 million round led by Multicoin Capital last week, with participation from Huobi Capital and CMB International. One might assume these funds will cover the losses from the hack.

I spoke to two DeFi CEOs, from Compound Finance and Kava Labs, to ask them about their experience with dForce and what important lessons the hack can teach the DeFi community.

Brian Kerr, CEO of Kava Labs, a DeFi lending platform, spoke to Cointelegraph about what went wrong at dForce and allowed this hack to happen. In mid-2019, Kava announced its stablecoin USDX. Shortly afterwards, dForce launched its own stablecoin under the ticker USDx. Using Kava’s USDX ticker demonstrates dForce’s limited creativity, which likely extends to its code and technical talent. Robert Leshner, CEO of Compound Finance, a DeFi lending company, spoke to Cointelegraph personally following his tweet about the $25 million hack, in which he claimed that the company had stolen code he recognized as Compound’s.

In a phone interview with Cointelegraph, Leshner explained:

“Building on a chain is relentless. Security requires the team’s full attention. When teams redeploy code they haven’t written, it’s impossible to know how or why the code works, or what the risks are… Anything else is a disservice to the users. And users should demand more.”

Unfortunately, dForce has become an example of what DeFi shouldn’t be.

So what do you need to know?

Both MakerDAO and dForce are currently repairing what began as disasters. Although a significant amount of funds has yet to be accounted for, users have, on the basis of this experience, started looking for alternative DeFi lending platforms they can really trust. Many users have lost money, and many others are wary after merely reading the news about DeFi these days, even if their money was never locked up in MakerDAO or dForce. As a subfield of the crypto space, DeFi is still very young.

Was it really dForce’s responsibility?

Leshner said that dForce “copied and pasted Compound v1 without making changes.” According to Leshner, the company claimed the Compound v1 code was “bug-free,” but Compound, as he noted in his tweets, had been cautious about which assets it listed. The dForce team copied code it did not fully understand and passed it off as its own without permission, and, according to Leshner, was not aware of the security implications of changing parts of it.

Kerr also gave his opinion. Kava Labs is a DeFi lending platform similar to MakerDAO, but while MakerDAO only accepts Ethereum-based tokens, the Kava platform accepts a range of assets including Bitcoin, Ripple (XRP), Binance Coin (BNB) and Cosmos (ATOM), against which USDX, the platform’s stablecoin, can be minted. These milestones in the platform’s development preceded dForce’s appropriation of the USDX name for its own stablecoin. Kerr shared that Kava aims to make USDX a major player in the global financial system.

Based on what Kerr told Cointelegraph and his reply to Leshner on Twitter, dForce went to great lengths to market itself worldwide without first performing very basic reviews: “A basic review from a reputable firm would have caught this. The possibility of reentrancy is a known problem and is easily verifiable. dForce not only stole the Compound code, it also stole the name and ticker of Kava’s USDX token, despite the fact that we announced our ticker many months before their platform.” Kerr admitted: “It’s a terrible example of what DeFi shouldn’t be.”

Because trust is the most central and important basis for the relationship between a person and their money, Kerr believes the responsibility lay “with both the dForce team and the users of the application.” He continued:

“dForce did not understand what it was doing and marketed an unsafe product. Users did not carefully examine the team or the codebase to determine whether the product was safe.”

DeFi shouldn’t be outrageous

As Cointelegraph previously reported, the dForce hacker used the imBTC token, an Ethereum wrapper for Bitcoin, as the “Trojan horse” of the attack. Leshner said the security bug resulted from a known reentrancy attack: “This is a follow-up to yesterday’s imBTC Uniswap attack.” He went on to say, “imBTC is an ERC-777 token and not a normal Ethereum asset. Smart contracts that integrate imBTC must be particularly careful and write additional code to protect themselves against reentrancy attacks.”

The underlying weakness is well known. A token standard whose transfers call back into the sender or recipient, as ERC-777 does through its tokensToSend and tokensReceived hooks, hands control to that party before the calling contract has finished updating its own state. A plain ERC-20 transfer performs no such callback, so lending code written around ERC-20 assumptions becomes exposed the moment an ERC-777 asset is listed, which is exactly why this class of bug keeps resurfacing in the DeFi context.
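To make the mechanism Leshner describes concrete, here is an added example (not code from Cointelegraph, dForce, Compound or Kava) that models the generic shape of the bug in Python: a lending pool that reads a user’s balance into a local, makes the token transfer, and only then writes the local back. With an ERC-777-style token the transfer first runs the sender’s hook, so an attacker can call withdraw() from inside the hook and have the pool’s stale write-back undo the withdrawal. The class names, the 1000/100-token balances and the three-round loop are constructed for the illustration; the hardened pool shows the two standard fixes, a reentrancy guard and checks-effects-interactions ordering.

```python
class ERC777Token:
    """Minimal ERC-777-like token: transfer_from calls the sender's
    tokens_to_send hook before moving any balance, as the standard does."""

    def __init__(self):
        self.balances = {}  # holder -> amount

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def transfer_from(self, sender, recipient, amount):
        hook = getattr(sender, "tokens_to_send", None)
        if hook is not None:
            hook(recipient, amount)  # sender-controlled code runs here
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount


class VulnerablePool:
    """Lending pool that reads, then calls out, then writes back a stale value."""

    def __init__(self, token):
        self.token = token
        self.supplied = {}  # recorded supply balance per user

    def supply(self, user, amount):
        new_balance = self.supplied.get(user, 0) + amount  # 1. read into a local
        self.token.transfer_from(user, self, amount)  # 2. external call fires the hook
        self.supplied[user] = new_balance  # 3. stale write-back clobbers the hook's changes

    def withdraw(self, user, amount):
        if self.supplied.get(user, 0) < amount:
            raise ValueError("insufficient supply balance")
        self.supplied[user] -= amount
        self.token.transfer_from(self, user, amount)  # the pool itself has no hook


class HardenedPool(VulnerablePool):
    """Same pool with a reentrancy guard and checks-effects-interactions:
    the balance is read and written only after the transfer has completed."""

    def __init__(self, token):
        super().__init__(token)
        self._entered = False

    def _enter(self):
        if self._entered:
            raise RuntimeError("re-entrant call rejected")
        self._entered = True

    def supply(self, user, amount):
        self._enter()
        try:
            self.token.transfer_from(user, self, amount)
            self.supplied[user] = self.supplied.get(user, 0) + amount  # fresh read
        finally:
            self._entered = False

    def withdraw(self, user, amount):
        self._enter()
        try:
            super().withdraw(user, amount)
        finally:
            self._entered = False


class Attacker:
    """Token holder whose ERC-777 hook re-enters the pool's withdraw()."""

    def __init__(self, pool):
        self.pool = pool
        self.pending = 0  # amount the hook withdraws during the next supply()

    def tokens_to_send(self, recipient, amount):
        if self.pending:
            to_withdraw, self.pending = self.pending, 0
            self.pool.withdraw(self, to_withdraw)  # supply() is still mid-flight


def run_attack(pool_cls, rounds=3, deposit=10):
    """Constructed scenario: 1000 tokens of other users' deposits sit in the
    pool and the attacker holds 100. Each round the hook drains the recorded
    balance; the vulnerable pool's stale write-back restores it and adds the
    new deposit on top. Returns the final accounting."""
    token = ERC777Token()
    pool = pool_cls(token)
    attacker = Attacker(pool)
    token.balances[attacker] = 100
    token.balances[pool] = 1000
    inflated = 0
    try:
        pool.supply(attacker, deposit)  # one honest deposit seeds the balance
        for _ in range(rounds):
            attacker.pending = pool.supplied[attacker]
            pool.supply(attacker, deposit)
        inflated = pool.supplied[attacker]
        pool.withdraw(attacker, inflated)  # cash out the inflated balance
    except RuntimeError:
        inflated = pool.supplied.get(attacker, 0)  # guard tripped inside the hook
    return {
        "recorded_balance": inflated,
        "attacker_tokens": token.balance_of(attacker),
        "pool_tokens": token.balance_of(pool),
        "pool_lost_funds": token.balance_of(pool) < 1000,
    }
```

Running `run_attack(VulnerablePool)` shows the attacker turning 100 tokens into 160 while the pool, which never received more than the attacker’s small deposits, loses 60 tokens of other users’ funds; `run_attack(HardenedPool)` stops at the first re-entrant call with the honest deposit of 10 recorded and the pool whole. Note that the ordering change alone would already defeat this particular stale write, because the hardened supply() reads the balance after the transfer; the guard is the “additional code” that also keeps a hook from reaching any other entry point of the contract.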

DeFi shouldn’t be on Ethereum

The architecture of the Ethereum network does not meet the scaling and security requirements of the DeFi sector because, according to Kerr, the amount of testing required to cover all possible outcomes in the Solidity programming language is effectively infinite. “For these and many other reasons, leading projects like Binance, Cosmos and Kava have decided to leave the Ethereum ecosystem for greener pastures,” he said.

“Building a financial service on the Ethereum network is problematic for security reasons. Testing for all possible outcomes and errors in Solidity is almost impossible because, as a Turing-complete language, it can do practically anything. Although it is powerful, it is probably the worst environment for building financial infrastructure,” said Kerr, who believes one of Kava’s value propositions is that it is rooted in security standards as a dedicated platform for all assets, for which secure DeFi services are the top priority.

DeFi must be safe and secure

Lendf.Me calls itself “the largest DeFi lending protocol with fiat-backed stablecoins.” The problem is that Lendf.Me focused too much on its rise to fame through capital raising, growth and expansion to become the biggest and best, with the “biggest fiat-based stablecoin.” Instead of focusing on improving the security of its code, understanding its codebase, fixing bugs and launching safe products, the company over-focused on profit and perceived status.

Basic audits, for example, were missing entirely, and the team rushed past obstacles too quickly, resulting in a security vulnerability that has still not been resolved.

The event could have been prevented, and users should have seen it coming, according to Leshner, who tweeted details of how the company stole Compound’s code: “If a project doesn’t have the experience to develop its own smart contracts, and instead steals and redeploys someone else’s copyrighted code, it’s a sign that they don’t have the ability or intent to take security into account.” He later encouraged developers and users to learn a valuable lesson: Don’t give your money to a company you can’t trust.

Kerr of Kava Labs quoted Facebook CEO Mark Zuckerberg’s motto, “Move fast and break things,” and said:

“It’s a great saying when it comes to basic software and startups, but it’s definitely the worst advice for building financial infrastructure, as the past weekend showed.”

DeFi should focus on users

Kerr also shared: “At Kava, all of our code is written from scratch, in Golang, in very discrete modules designed for specific actions that we can check and verify. This means we can fully test the code with very high confidence in its accuracy and security.” He continued:

“We value the security of user funds and put it at the forefront of everything we do. We run testnets, conduct third-party audits and carry out extensive peer reviews before code is released. In addition, all new code is reviewed and signed off by the validator group that stakes $KAVA, which includes technically sophisticated operators such as Binance, OKEx, Huobi, Bitmax, Hashkey, Lemniscap, SNZ, Dokia Capital and Framework Ventures.”

DeFi has to verify before it trusts

It is not enough to trust a company because it has big investors; as we have seen, that was the case with both dForce and MakerDAO. We often hear “trust, but verify,” when what the DeFi community should probably be hearing is “verify, then trust.”

Although Leshner is the CEO of Compound, he is also a personal investor in Kava Labs, alongside other major backers such as Arrington XRP Capital. Kava’s excellent technical team and strict adherence to security practices have auditors talking about its code. Before launching, Kava Labs had its lending platform professionally audited by CertiK, a leading formal verification and audit firm. In a blog post on the audit results, CertiK said: “Kava is one of the best codebases CertiK has seen on a project so far, especially in the decentralized finance sector.”

Finally, Kerr took the initiative and concluded: “I encourage anyone thinking about using a DeFi protocol to first check the team’s technical skills, check for the presence of technically diligent investors, and check what peer audits and reviews have been carried out. Even then, assume that DeFi protocols always carry a certain technical and market risk. It is a new space and there will be more painful lessons like this one.”

The views and opinions expressed here are solely those of the author and do not necessarily reflect Cointelegraph’s views.

Andrew Rossow is a millennial attorney, law professor, entrepreneur, writer and speaker on privacy, cybersecurity, AI, AR/VR, blockchain and digital currencies. He has written for many outlets and contributed to publications on cybersecurity and technology. Rossow draws on his millennial background to offer a comprehensive perspective on crime on social media, technology and the implications for privacy.

