The first half of 2021 is nearly complete. The year started with hopes of moving past a global pandemic and, for many, hopes of financial freedom achieved through cryptocurrencies, tokens, and DeFi (Decentralized Finance) investments. With this excitement, there has been both a huge increase in new tokens created and a dramatic increase in DeFi vulnerabilities exposed.
Coins and tokens, what’s the difference? Simply put, a coin is a cryptocurrency that has its own native blockchain. A token, on the other hand, is a smart contract that lives on top of a blockchain such as Ethereum, commonly referred to as ETH. Creating a token can be as simple as copying and pasting another token’s code. Most people that create a coin end up altering the code to make it suit what they are trying to do with their token. These changes, however small, can often lead to vulnerabilities in the code.
So far this year, hackers have been attacking the space to the tune of $370 million on Binance Smart Chain. Most notably, PancakeBunny was wiped out of over $200 million in assets on May 19th. The value of the token pumped from about $150 to $240 before it dropped to almost $0 in about 30 minutes. It then climbed and settled at around $8 before recovering to its current value of about $23.
This is just one example of about eight Binance Smart Chain tokens that have been attacked recently. Others include Uranium, which was hit for about $50 million in tokens, Belt Finance at about $7 million, and multiple others including Spartan Protocol and Meerkat, each for over $30 million.
I know what you are thinking: blockchain is supposed to be secure! Well, it generally is. The majority of these attacks on DeFi have been carried out using a flash loan attack or by exploiting an error in the smart contract code.
Flash loans were initially introduced as a way to leverage DeFi loans. This tactic was made popular by Aave. The basic strategy was taking a loan with no collateral, flipping the borrowed asset on another exchange for profit, and then repaying the loan and a 0.09% fee, all in one transaction.
Think of the old story of the boy who started with a paperclip and traded his way up to a house, achieving all of this with one transaction.
Flash loans have two main ways of being executed. The first one I will talk about is known as “Arbitrage”. Arbitrage is where the same coin or token has a different price on different exchanges.
For example, Exchange A lists Pickle Token for $100 and Exchange B lists it for $200. You borrow $100 in BNB (the cryptocurrency coin that fuels the Binance Network) from a DeFi platform as a flash loan. Then, in that same transaction, you take the BNB to Exchange A and buy the Pickle Token for $100. Next, you take the Pickle Token to Exchange B and sell it for $200 in BNB. You return the $100 BNB to pay off your loan, all in one transaction.
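The arbitrage above, modelled as an added Python example (not code from the original article or from any lending platform). The `LendingPool`, `Reverted` and `arbitrage` names are hypothetical; only the 0.09% fee and the $100/$200 prices come from the text. It shows why the lender carries no risk: if the loan plus fee does not come back, the whole transaction is rolled back.

```python
from decimal import Decimal

FEE_RATE = Decimal("0.0009")  # the 0.09% flash-loan fee quoted in the article


class Reverted(Exception):
    """Raised when the transaction is rolled back."""


class LendingPool:
    """Hypothetical lender that only offers uncollateralized flash loans."""

    def __init__(self, liquidity):
        self.liquidity = Decimal(liquidity)

    def flash_loan(self, amount, strategy):
        """Lend `amount`, run `strategy`, require amount + fee back atomically."""
        amount = Decimal(amount)
        owed = amount + amount * FEE_RATE
        before = self.liquidity          # snapshot for rollback
        self.liquidity -= amount
        returned = strategy(amount)      # the borrower's trades happen here
        if returned < owed:
            self.liquidity = before      # revert: as if the loan never happened
            raise Reverted(f"repaid {returned}, owed {owed}")
        self.liquidity += owed
        return returned - owed           # what the borrower keeps


def arbitrage(buy_price, sell_price):
    """Buy the token on Exchange A at buy_price, sell on Exchange B at sell_price."""
    def strategy(borrowed):
        tokens = borrowed / Decimal(buy_price)
        return tokens * Decimal(sell_price)
    return strategy


if __name__ == "__main__":
    pool = LendingPool(1000)
    print("profit:", pool.flash_loan(100, arbitrage(100, 200)))
    try:
        pool.flash_loan(100, arbitrage(100, 100))  # no price gap: cannot cover fee
    except Reverted as exc:
        print("reverted:", exc)
    print("pool liquidity:", pool.liquidity)
```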
Another option is a collateral swap: purchasing tokens and swapping them for other tokens. For instance, I borrow 1000 ETH from Exchange A. I take that ETH to Exchange B and sell it for BNB. Dumping a large amount of ETH on the exchange will lower the price of ETH. I then take those BNB to Exchange C and buy Pickle. I then move the Pickle back to Exchange B and buy ETH.
The final step is to go back to Exchange A with the ETH I purchased and repay my loan, keeping any extra ETH I purchased at the lower price as profit.
Now, flash loans in and of themselves are not an actual “hack”, as they are a feature of many DeFi platforms. The “hack” occurs when there is an error in the original smart contract code.
This brings us back to the beginning of the article and just how easy it is to create these new tokens and DeFi apps or dApps. Often the code is a copy-paste with minimal changes made to it. However, those small changes can lead to security issues.
You can see evidence of this in the Uranium V2 hack. The image below is a snippet of the smart contract. The red box shows where the copied code was changed from 1000 to 10000. However, they failed to change the last instance of 1000 in the green box. This error in the code essentially allowed the attackers to swap 1 token for almost all of the tokens in the liquidity pool, netting them a $50 million haul.
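The effect of that one missed constant, as an added Python model (not the Uranium contract itself and not code from the original article). It assumes a constant-product pool whose post-swap check scales the balances by one constant and the old reserves by another; the fee value, the function names and the pool reserves are constructed for illustration. The last function is the kind of independent property test that flags the mismatch before deployment.

```python
FEE_UNITS = 16  # assumed swap fee, in units of 1/balance_scale of the input


def check_accepts(reserves, balances, amount0_in, balance_scale, k_scale):
    """Pool's post-swap check: fee-adjusted balances vs. the old reserves product."""
    adj0 = balances[0] * balance_scale - amount0_in * FEE_UNITS
    adj1 = balances[1] * balance_scale
    return adj0 * adj1 >= reserves[0] * reserves[1] * k_scale ** 2


def max_token1_out(reserves, amount0_in, balance_scale, k_scale):
    """Largest token1 withdrawal the check accepts for amount0_in (binary search)."""
    lo, hi = 0, reserves[1] - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        balances = (reserves[0] + amount0_in, reserves[1] - mid)
        if check_accepts(reserves, balances, amount0_in, balance_scale, k_scale):
            lo = mid
        else:
            hi = mid - 1
    return lo


def product_preserved(reserves, amount0_in, token1_out):
    """Property a test suite can assert: an accepted swap never lowers x * y."""
    after = (reserves[0] + amount0_in) * (reserves[1] - token1_out)
    return after >= reserves[0] * reserves[1]


RESERVES = (1_000_000, 1_000_000)  # constructed pool, not on-chain data

if __name__ == "__main__":
    for label, k_scale in (("mismatched (10000 vs 1000)", 1_000),
                           ("consistent (10000 vs 10000)", 10_000)):
        out = max_token1_out(RESERVES, 1, balance_scale=10_000, k_scale=k_scale)
        ok = product_preserved(RESERVES, 1, out)
        print(f"{label}: 1 token in -> up to {out} out, x*y preserved: {ok}")
```

With the mismatched constants the check compares values that differ by a factor of 100, so it accepts a withdrawal of about 99% of the pool for a single token in; with matching constants the same input buys nothing.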
DeFi and new tokens will continue to be created at a rapid pace. Security of these smart contracts is key to the longevity and safety of those who are invested in liquidity pools.
Fortunately, there are a few things you can do to minimize the risk associated with your investments. First and foremost, be careful and research the tokens you are interested in. Do your research on the team behind the token. Ask questions like: Are they public facing? Are those who control the admin keys transparent, or have they given up access? Has the token been through a security audit by one of the reputable security audit firms?
Certik is one of many companies that specialize in auditing and monitoring various crypto projects.
I know it is tempting to get into a token early to get the best possible returns. But with that entry, you put your investment at risk. So do so with caution and never invest more than you are willing to lose.
It’s a very interesting time to be in the crypto-verse. There is always something new and always something going on. It can be overwhelming, but it can also be very exhilarating. Enjoy your investments, the communities, and the gains. But most of all protect yourself and your bags.