Cointime

Download App
iOS & Android

Staying Safe From DeFi Hacks: Learn Possible Vulnerabilities and Scam Attacks

Validated Project

The more a user knows about possible vulnerabilities or scam attacks, the safer their assets are.

While DeFi is constantly evolving and blockchain technology is becoming more secure, hackers still succeed in running fraudulent schemes and taking advantage of security vulnerabilities.

However, not every news report about another project suffering from a hacker attack should necessarily be frightening. In many cases, user funds remain safe or possible losses are offset by coverage, while on many occasions, hackers return stolen funds (partially or in full) after negotiations.

In any case, knowing about possible threats can help users to evaluate the risks of using a particular service to avoid losing funds.

Contract vulnerabilities

A developer’s failure to identify a bug often enables hackers to exploit a vulnerability and eventually withdraw user funds.

Over the past year, we have seen multiple attacks of that kind. For example, a programming flaw that appeared to be a fake minting bug was recently disclosed in the bridge between Optimism and BitBTC. Prompt vulnerability patching prevented extracting 200 bln tokens from Optimism since the flaw allowed for faking tokens on one side of the bridge and exchanging them for real ones.

In another case, the warning of a vulnerability in Opensea’s non-updated contracts prevented many users from losing their funds. The vulnerability facilitated withdrawing users’ NFTs after signing a malicious transaction.

The inability to properly validate the input of a transaction also causes multiple hacking issues, as it happened with Nomad bridge and Olympus DAO.

Exploitation of contract vulnerabilities comes in various ways, and a common strategy is based on reentrancy hacks occurring when a contract uses an outer call to interact with another contract whose former state isn’t yet updated. A hacker uses a specially built malicious smart contract to cause withdrawal from the target. Since the program flow is interrupted, the target’s smart contract is unable to update the attacker’s balance. One of the most significant reentrancy attacks ever is the Fei Protocol exploit that caused an $80 mln loss.

The first and primary countermeasure to prevent this type of attack or to disclose it before any damage has been done is to conduct audits.

Code should be audited regularly, and reports should be published to be available to the user. In the auditing process, security companies uncover bugs and simulate hacker attacks. Thus they help to ensure smart contract security and make transactions safe. So, before using any platform, it is worth checking its commitment to safety. This article thoroughly explaining the 1inch Network’s safety measures can help you to get a better idea of what security information should look like.

Flash loan attacks

Flash loans facilitate lending by enabling users to take a non-collateralized loan of any size from a liquidity pool under the condition that it will be repaid within a single transaction. Otherwise, a smart contract cancels the flash loan transaction and returns the funds to the lender.

Flash loans are often exploited by malicious actors to manipulate the borrowed asset’s price.

The Mango Markets trading platform was recently hit by an attacker who borrowed the MNGO token and pumped its price to use overpriced coins as collateral for borrowing BTC and other assets and withdrawing the profit. Hackers always know where to look for a weakness. For instance, New Free Dao’s contract calculating rewards was too simple, which caused a flash loan attack.

In the Crema Finance case, hackers created a fake price change data account to bypass contract checks and then used flash loans to drain the pool. The stolen finds were later partially returned thanks to a successful negotiation.

Meanwhile, other factors may also create an opportunity for attackers. Sometimes, an off-chain component causes a failure of price reporting even while on-chain price aggregation functions correctly.

Nefarious actors mainly target centralized price oracles, pulling data from a single exchange. Decentralized oracles, which focus on diversifying data collectors to the point where violating their quorum becomes too challenging, are therefore less vulnerable to that kind of manipulation.

Call the vulnerable function

Meanwhile, no matter how secure DeFi platforms may be, they are not immune to issues caused by a vulnerable third-party tool. Profanity, which offers vanity address generation and is quite popular among both users and platforms, turned out to be such a vulnerable tool. Earlier this year, 1inch contributors discovered a vulnerability in Profanity and immediately published a blog post and social media posts to warn the service’s users.

Such an event is almost impossible to prevent, but it is still possible to react quickly. Users can at least follow the social media accounts of the projects they interact with and monitor announcements of reputable market leaders. The Profanity case is quite typical, as, despite the 1inch warning, the vulnerability caused considerable losses, which timely reaction to the notification could have prevented.

Phishing attacks

One of the most common forms of attacks threatening all users is phishing. This cybercrime remains popular with hackers targeting all online services, not specifically DeFi platforms. Users of popular websites, platforms and projects can suffer from progressing phishing attacks.

Frequently, phishing attacks are performed through fake sites and applications of platforms/wallets that can imitate the interface of legitimate websites. However, the site’s domain name often helps to determine whether it is fraudulent. For example, the fake part may contain “com” rather than “io” etc. Essentially, the ultimate goal of phishing is to connect to the user’s device. So hackers trick users in different ways to make them connect their wallets or sign malicious transactions.

The good news is that this threat can be identified and prevented by users without any special knowledge or thorough research. All recent phishing attacks share the common trait of luring users to a fake website. In one case, Etherscan, CoinGecko and DeFi Pulse were attacked via malicious pop-ups offering users to connect their wallets to a phishing site that resembled the famous Bored Apes Yacht Club NFT project.

Another case involved airdropped tokens sent to addresses connected to Uniswap. Those tokens led users to a fraudulent site that encouraged them to sign malicious contracts enabling hackers to empty their wallets.

Phishing links are not necessarily automatically sent to users via emails or wallets. Even someone whom a user knows personally can send them. One of the frequently used methods is a ‘romance scam,’ whereby the victims’ trust is gained by a scammer in order to engage them in fake interest-earning schemes, usually persuading them to invest on suspicious platforms or websites resembling popular projects.

There are some strict rules to follow when interacting with websites, emails and wallets.

First, users should enter website names manually and download updates only via official platforms. Second, if users are taken to a website asking them to perform some action like connecting a wallet, entering a seed phrase or signing a contract, it’s a red flag.

Observe these rules, and stay safe!

Comments

All Comments

Recommended for you

  • Whale Transfers 1,133 BTC to Coinbase Prime, Valued at $71.48 Million

    According to Onchain Lens monitoring, a whale transferred 1,133 BTC from Coinbase to Coinbase Prime through an intermediary wallet, valued at $71.48 million.

  • U.S. AI Chip Stocks Decline Before Market Open, Intel Falls Over 3%

    On July 7, U.S. AI chip stocks experienced widespread declines before the market opened. Intel dropped over 3%, while AMD, Qualcomm, and NXP fell more than 2%. TSMC, Broadcom, and Tesla decreased by over 1%, and NVIDIA declined by 0.7%.

  • China's Central Bank Increases Gold Reserves for the 20th Consecutive Month

    As of the end of June, China's gold reserves stood at 75.44 million ounces (approximately 2,346.446 tons), an increase of 480,000 ounces (about 14.93 tons) from the end of May, which reported 74.96 million ounces (approximately 2,331.52 tons). This marks the 20th consecutive month of gold accumulation.

  • China's Foreign Exchange Reserves in June at $341.6262 Billion

    On July 7, China's foreign exchange reserves for June stood at $341.6262 billion, a decrease of $26 billion from the end of May, representing a decline of 0.75%, with expectations set at $343.2 billion.

  • U.S. Storage Stocks Drop Pre-Market, SanDisk and Micron Down Over 4%

    On July 7, U.S. storage concept stocks collectively fell in pre-market trading. Western Digital dropped over 5%, SanDisk and Micron Technology fell over 4%, Seagate Technology declined over 3%, Rambus fell over 2%, and SMI fell over 1%.

  • U.S. Stocks in Optical Communication Sector Drop Pre-Market

    On July 7, stocks in the optical communication sector of the U.S. market collectively fell pre-market. Astera Labs dropped over 4%, while Marvell Technology, Credo Technology, and AXT Inc. fell more than 3%. Tower Semiconductor, MaxLinear, Corning, Applied Optoelectronics, GlobalFoundries, Lumentum, and Qorvo all declined by more than 2%. Coherent, Nokia, Amphenol, and Broadcom dropped over 1%.

  • Pre-market Decline in U.S. Storage Stocks

    In pre-market trading, U.S. storage concept stocks experienced a widespread decline, with Micron Technology falling by 4.8%, SanDisk dropping over 4%, Corning down more than 2%, and Intel decreasing by over 3%.

  • Two Departments: Support for Reinsurance Institutions to Increase Capital and Issue Supplementary Capital Tools

    On July 7, the National Financial Supervision and Administration Bureau and the Shanghai Municipal Government released several measures to accelerate the construction of the Shanghai International Reinsurance Center. Among these measures, they proposed to enhance the quality and efficiency of the reinsurance industry, support reinsurance institutions in increasing capital and expanding shares, and issuing supplementary capital tools to improve the capacity for internal capital accumulation and external capital supplementation, thereby strengthening the reinsurance industry's capabilities. The initiative aims to guide the insurance industry to focus on major national projects, strategic emerging industries, and livelihood security, consolidating insurance and reinsurance underwriting capabilities to enhance risk protection levels. It also supports reinsurance institutions in leveraging their professional technical advantages to assist the insurance industry in reducing risk.

  • Sources: Saudi Arabia Plans to Expand Oil Pipeline to Red Sea, Increasing Capacity by 2 Million Barrels Daily to Bypass Strait of Hormuz

    On July 7, five informed sources revealed that Saudi Arabia is considering expanding the crude oil pipeline capacity to its western coast on the Red Sea, allowing Saudi Arabia and its neighbors to transport more oil without passing through the Strait of Hormuz. This east-west pipeline, built in the early 1980s, has gained strategic importance since the outbreak of the Iran war in February and the disruption of shipping in the Strait of Hormuz. The pipeline can deliver up to 7 million barrels of crude oil per day to the Red Sea port. The CEO of Saudi Aramco stated in May that approximately 2 million barrels are supplied to west coast refineries, while about 5 million barrels are for export. Sources indicate that Saudi Arabia is in preliminary discussions with some neighboring countries regarding the pipeline expansion, aiming to add about 2 million barrels of pipeline capacity per day. It remains unclear whether Aramco's planned expansion involves upgrading existing infrastructure or constructing new pipelines. One source mentioned that the expansion plan also includes a smaller refined oil pipeline. Two sources indicated that the expansion scale could range from 1 million to 2 million barrels per day, with refined oil also being considered. Another source stated that the project would take several years and cost billions of dollars, requiring adjustments to Saudi crude pricing mechanisms.

  • Citi: Tencent's WorkBuddy Gains Momentum, Maintains 'Buy' Rating

    On July 7, Citi released a research report stating that, according to the latest industry data, Tencent's AI agent product WorkBuddy has reached 20 million monthly active users (MAU) and over 13 million daily active users (DAU), with a DAU/MAU ratio between 65% and 75%. Considering the product has only been launched for a few months, user stickiness and daily engagement are performing strongly. Citi quoted Tencent's management as saying that in terms of daily active users, Tencent is leading its Chinese peers in the deployment of AI agents. Early user data reflects strong natural growth for both CodeBuddy and WorkBuddy, with high retention rates. Early users are interacting with the AI agents for long durations and with high frequency, creating a positive feedback loop. It is expected that AI products will become a key revenue source for Tencent Cloud. The firm believes that WorkBuddy's success demonstrates the strength of Tencent's ecosystem, the synergy between various productivity tools, and users' trust in Tencent's products and security. Citi maintains a 'Buy' rating on Tencent with a target price of HKD 763 unchanged.