Before getting into details about what happened in the Defi incident, let’s have a quick overview of the Decentralized Finance (DeFi) platform.
Contents
Decentralized Finance (DeFi)
Decentralized Finance (Defi) is a financial system that utilizes blockchain technology and cryptocurrency to run financial transactions. The whole financial transaction process is a decentralized network of computers that eliminates the need for having a central body such as conventional banking and financial transaction channels. It works on the principle that bitcoin uses i.e decentralized, immutable, public ledger.
DeFI platform has been in the crosshairs of hackers for a very long time. In the first quarter of 2022, a major chunk of cryptocurrencies have been stolen from the DeFI platform
According to cryptosec a total of 86 different exploits have been conducted on DeFi platform with a monetary loss of approximately $3.2 Billion has been inflicted.
The Zeed Hack: How did it all happen and what went wrong?
Out of many DeFi hacks and exploits, a lesser-known protocol of the DeFi platform known as Zeed was attacked by a hacker. Zeed is known to be a decentralized financial ecosystem that handles financial transactions. With Zeed a user can utilize cross-chain transactions at relatively low costs.
The hack came into a highlight on 21 April 2022. A blockchain security firm PeckShield reported that Zeed a protocol on DeFi platform was abused. The exploit was linked with the security loop in the reward distribution system of the protocol
The hack was also reported by BlockSecTeam on Twitter which happens to be a team of security researchers that strive to secure the blockchain ecosystem.
The reward distribution system within the platform allowed lenders to earn additional crypto token awards which the hacker exploited within the system. According to the BlockSec Team, usually, when a user swaps a pair, the token rewards the pair by dividing the reward into three pairs. The reward token is awarded to either party on successful completion of the smart contract. A smart contract is a computer program that is executed automatically when certain conditions are met on the blockchain.
While this is usual, the hackers were able to identify the vulnerability that does not divide the reward into three pairs. The attacker invoked a skim function to obtain the pair of tokens. The obtained reward tokens were then sold plunging the Zeed token price to zero.
It was verified that the hacker was able to profit over $1M in Binance-Peg (BSC-USD) tokens.
After the hacker had exploited the reward distribution system of Zeed DeFi, he followed to transfer the obtained reward token to a smart contract which was quite a traditional process. Such as contract in terms of cryptocurrency hack is known as the “Attack Contract”.
Here comes the funny part of the hack. Usually, when such a hack comes into action the hackers secure the amount of stolen money but in this unusual circumstance, the hacker set the smart contract to self-destruct before withdrawing the funds. Cybercriminals usually set the contract to self-destruct to remove traces or cover up their tracks that could lead to the contract code. Logically speaking if the contract is set to self-destruct before withdrawing the funds, its value is lost and no process could be used to recover the funds. Since the contract was set to self-destruct the hacker was not able to obtain a single penny out of the whole exploit and hack.
BlockSec said that “probably he/she was too excited.” There has been no clarity on such a naive act by the hacker who was known to be smart enough to pull off a hack to exploit a vulnerability on a complex network but forgot to secure the funds before killing the smart contract.
Several seps to protect DeFi Protocols to mitigate cybersecurity risks
There are a number of cybersecurity incidents associated with the DeFi platform and the protocols it uses. However, there are some key points that can be followed to protect the platform itself and bring down the risks to an acceptable level
- Detect any vulnerabilities or malfunctioning at the beginning in any part of the smart contract by performing individual and full unit tests.
- Conduct Smart contract auditing that will help detect issues with the functionality, performance, undefined functions, and vulnerabilities of the smart contract before the project is deployed. Various internal and external smart contract auditing will help prevent any hacking incidents on the DeFi platform
- Ensure the code that is written for different protocols on the platform is unique and is not copied from somewhere else. This type of code may aid in fast deployment of the platform but may also introduce various other vulnerabilities related to code and programming language.
- Proper access control must be ensured on the contracts. To protect the private keys against unauthorized access or exposure use of a separate multisig contract is highly recommended. Multisign contracts allow multiple signers to review and agree on action on the blockchain
- While developing any project or application using different protocols on the DeFi platform it is always encouraged to hire experience DeFi developers that have the appropriate software development knowledge and secure coding practices
- Make your protocol community active in search of relevant bugs and errors. Launching a bug bounty program to test various bugs and errors will help the developers to put appropriate security controls in place before a vulnerability is exploited by hackers.
Since DeFi platforms use open source code and it is visible to everyone there is a very high chance that hackers or cybercriminals will try to find any weakness in the code and try to exploit it. The incident understudy shows that DeFi platforms are being breached quite easily and have caused huge losses of millions & billions in USD due to flaws in the coding of such platforms. Such flaws are exploited by hackers on similar platforms and will continue to grow until relevant securing coding techniques and secure algorithm development are not made sure as per best practices
