Pocket 10 types of DeFi attacks & solutions


Administrator
Bforum free bitcoin

This article covers today's sophisticated forms of DeFi attacks and how you can protect yourself against them.



When the market goes down, scams, attacks, and rug pulls emerge. I am also a DeFi user myself and often try out different projects. Therefore, it is essential to equip yourself with knowledge that helps protect your assets, especially during this time.

Below is a list of 10 prominent forms of DeFi attacks today. Among them are quite a few sophisticated attacks that many users are not aware of. In addition, Coin98 Insights has an article on 19 common scams in Crypto, a set of basic tricks that bad actors often use against newcomers to Crypto in general.

10 common forms of DeFi attacks today

Attack with Oracle

Put simply, an oracle is the system that provides price information for assets, and DeFi projects rely heavily on oracles for price updates. Imagine that the market price of token A is 10 USD but a DeFi protocol shows it as 100 USD. What will users do? Of course, buy token A on the market and sell it on that protocol for a profit. This harms the protocol and everyone who has supplied assets to it.

Solution:

To avoid the situation above and the unnecessary damage it causes, users should use DeFi protocols that integrate oracles from reputable providers. This greatly reduces the risk of oracle attacks in general.

Chainlink's Oracle is protecting the majority of Crypto assets - Source: Coin98 Analytics

Attack using flash loans

Flash loans are uncollateralized loans with one condition: the borrowed amount must be returned to the lending platform within the same transaction. In other words, the user borrows, does ABC with the loan, and finally repays the borrowed amount, all within a single transaction; if the loan is not repaid by the end of that transaction, the whole transaction reverts as if it never happened.

Nearly all flash loan attacks are programmed and executed by bots, so the owners of those bots can earn money while they sleep, and DeFi protocols with price discrepancies (usually caused by oracle errors) are easy prey for these bots.

Taking the example from the oracle attack above: a user sees an opportunity to trade on the difference in the price of token A (10 USD versus 100 USD) but has no money, only token B. What can they do?

⇒ Use token B as collateral to borrow token A (or ETH/USDC… with which to buy token A), sell token A at the inflated price on the DeFi protocol with the faulty oracle, then repay the loan and get token B back.

This is a simplified example; attacks using flash loans take many different forms and are far more complex. Users can visit here for more information about flash loan attacks.

With flash loans, an attacker causes the price of an asset to change and profits from the difference - Reference link

Solution:

Most projects hit by flash loans are victims of either an oracle error or an uneven proportion of assets in the pool. Users should prioritize projects that use reputable oracle services and that have stable trading volume (when a pool has many users, even a small price difference attracts arbitrage traders, which helps keep the proportion of assets in the pool stable).
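The oracle and flash loan sections above both come down to one question: what price does the protocol read, and can a single transaction move it? The added example below (constructed for this article, not code from any real protocol) simulates a constant-product pool and compares a spot-price oracle with a time-weighted average price (TWAP) that only samples block boundaries. Pool sizes, the 90,000-token swap and the 10-block window are assumed values.

```python
from dataclasses import dataclass, field

@dataclass
class Pool:
    """Constant-product pool (reserve_a * reserve_b = k). A constructed toy, not any real protocol's code."""
    reserve_a: float                              # token A, the asset being priced
    reserve_b: float                              # token B, e.g. a stablecoin
    history: list = field(default_factory=list)   # spot prices observed at block boundaries

    def spot_price(self) -> float:
        # live price of one A in B, read straight from the current reserves
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        # sell B for A; the pool keeps k constant, so the spot price of A rises
        k = self.reserve_a * self.reserve_b
        new_b = self.reserve_b + amount_b
        new_a = k / new_b
        out_a = self.reserve_a - new_a
        self.reserve_a, self.reserve_b = new_a, new_b
        return out_a

    def close_block(self) -> None:
        # only prices recorded at block boundaries enter the TWAP
        self.history.append(self.spot_price())

    def twap(self, window: int) -> float:
        recent = self.history[-window:]
        return sum(recent) / len(recent)

def simulate_single_block_manipulation() -> dict:
    """Fair price is 10 B per A. One large swap inside a block moves the spot
    price 100x, but a TWAP read in the same block still reports the fair price."""
    pool = Pool(reserve_a=1_000.0, reserve_b=10_000.0)
    fair = pool.spot_price()
    for _ in range(10):                           # ten quiet blocks of honest trading
        pool.close_block()
    # inside block 11, a large swap skews the reserves before the oracle is read
    pool.swap_b_for_a(90_000.0)
    return {
        "fair_price": fair,
        "spot_during_manipulation": pool.spot_price(),   # 1000.0
        "twap_during_manipulation": pool.twap(10),       # 10.0
    }

if __name__ == "__main__":
    print(simulate_single_block_manipulation())
```

A protocol that prices collateral from the spot reserves of a thin pool is exactly the "good prey" the article describes; the same swap leaves the block-boundary TWAP untouched.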

Attack with admin rights (51% attack)

If an attacker can obtain a large amount of governance tokens, they can abuse the protocol's governance mechanism to profit for themselves. This is known as a 51% attack, and it can be combined with a flash loan so that the attacker does not even need to own the project's tokens.

For example, suppose a DeFi protocol's governance only requires holders of more than 50% of token A to agree for a proposal to be approved. The attacker takes a flash loan and borrows 51% of token A (or borrows money to buy token A), then creates and approves a proposal that sends 100 million USDC to himself. Finally, he repays the debt plus the fee and pockets a profit of 100 million USDC.

This happened to Beanstalk, where the attackers pocketed 182 million USDC. Details can be found here.

Solution:

To avoid projects at risk of an attack through governance rights, users should choose DeFi protocols with tight governance mechanisms or a high barrier for attackers: for example, projects that require a high approval threshold for proposals, or projects where an attacker would have to own a very large amount of assets to hold the tokens needed to pass a proposal.
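The flash-loan governance scenario above fails against two controls that tight governance mechanisms use: counting voting power from a balance snapshot taken before the proposal existed, and refusing to execute a proposal in the block it was created in. The added example below (constructed for this article, not Beanstalk's or any protocol's code) replays the scenario with and without each control; the holder names and balances are assumed values.

```python
from dataclasses import dataclass, field

@dataclass
class Governance:
    """Toy token-weighted governance. A constructed illustration, not Beanstalk's
    or any other protocol's code."""
    balances: dict                                   # holder -> governance token balance
    total_supply: int
    block: int = 0
    snapshots: dict = field(default_factory=dict)    # block -> balances at end of that block
    proposals: dict = field(default_factory=dict)

    def next_block(self) -> None:
        self.snapshots[self.block] = dict(self.balances)
        self.block += 1

    def propose(self, pid: str) -> None:
        # voting power is frozen at the block *before* the proposal appeared
        self.proposals[pid] = {"snapshot": self.block - 1, "created": self.block, "for": 0}

    def vote(self, pid: str, voter: str, use_snapshot: bool) -> None:
        p = self.proposals[pid]
        if use_snapshot:
            weight = self.snapshots[p["snapshot"]].get(voter, 0)
        else:
            weight = self.balances.get(voter, 0)     # live balance: borrowed tokens count
        p["for"] += weight

    def can_execute(self, pid: str, require_delay: bool) -> bool:
        p = self.proposals[pid]
        if require_delay and self.block == p["created"]:
            # a flash loan must be repaid within one transaction, so it needs same-block execution
            return False
        return p["for"] * 2 > self.total_supply      # more than 50 % of supply

def proposal_passes(use_snapshot: bool, require_delay: bool) -> bool:
    """Replay the article's scenario: an attacker holding no tokens borrows 51 % of
    the supply, proposes, votes and tries to execute, all within one block."""
    gov = Governance(balances={"alice": 600, "bob": 400}, total_supply=1000)
    gov.next_block()                                 # honest block 0 is snapshotted
    gov.balances.update({"attacker": 510, "alice": 300, "bob": 190})   # flash-borrowed tokens
    gov.propose("drain")
    gov.vote("drain", "attacker", use_snapshot)
    return gov.can_execute("drain", require_delay)

if __name__ == "__main__":
    for snap in (False, True):
        for delay in (False, True):
            print(f"snapshot={snap} delay={delay} -> passes={proposal_passes(snap, delay)}")
```

Only the combination with neither control lets the proposal pass, which is why a high threshold alone is weaker than a threshold plus a snapshot and an execution delay.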

Front running

Front-running is taking advantage of KNOWING that a future transaction will affect the price and placing an order right before that transaction to make a profit. The design of Ethereum and similar blockchains (see details in the link above), where pending transactions wait in a public mempool before being mined, lets bots profit by front-running other users' transactions.

For example:

Front-running bot example. Tx hashes: transaction 1, transaction 2, transaction 3
In this example with the USDC-SAK3 pair, right in the middle of a buy order for 1 SAK3 we can see a buy and a sell order of 0.4x SAK3 from the same address; this is typical of a user being front-run in crypto. Looking at the transaction details above, in just two trades this bot pocketed more than $1,500 by buying 0.4x SAK3 at $7,473 and selling it at $9,013.

Solution:

To avoid being front-run, a few measures can be applied, including:

  • Split large transactions into smaller ones.
  • Set a low slippage tolerance.

Attack with admin key

Many protocols have an “admin key” that gives a particular wallet control over the protocol's funds. If the admin key is compromised, the funds can be stolen.

A typical example is the attack on EasyFi: the admin key of EasyFi's CEO was compromised and the attackers took 6 million USD from the liquidity pool and 2.98 million EASY tokens (worth 75 million USDC at the time of writing). Details can be found here.

Solution:

Choose projects carefully and do not invest too much in projects of poor quality or with little information about the team or backers. Beware of protocols that have an “admin key” with too much power concentrated in one person or group.

Fraudulent front-ends

Front-ends are the interface of the app you use; when a user interacts with that interface, it drives the underlying components (back-ends) that carry out what the user wants to do. This interface layer can also be hacked and cause damage to users.

An example of this type of attack is Badger DAO, with damage of up to 120 million dollars at the time of the attack. The attacker targeted Badger DAO's API key, causing a normal user interaction to grant an unlimited approval to the attacker's wallet, which created the opportunity for the attacker to withdraw assets from the user's wallet.

Solution:

Always double-check the approval when signing transactions in your wallet. If you have interacted with an unfamiliar project and granted it permissions, you can use revoke tools such as Coin98 Super App or Approved.zone.

Use Coin98 Super App to track the approvals granted by your wallet and remove them if necessary
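"Double-check the approval" means reading what the wallet is actually being asked to sign. The added example below (written for this article, not code from Coin98 or Approved.zone) decodes ERC-20 approve(address,uint256) calldata and flags the two things a compromised front-end like the Badger DAO one slips in: an unlimited amount and an unknown spender. The router and spender addresses are constructed placeholders, and the 100 USDC trade size is an assumed value.

```python
APPROVE_SELECTOR = "095ea7b3"        # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = (1 << 256) - 1         # the "unlimited" approval value

def decode_approve(calldata_hex: str):
    """Return (spender, amount) from ERC-20 approve() calldata, or None if it is not one."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]            # address is right-aligned in a 32-byte word
    amount = int(data[8 + 64:8 + 128], 16)
    return spender, amount

def review_approval(calldata_hex: str, needed_amount: int, trusted_spenders: set) -> list:
    """Reasons to reject the approval; an empty list means it matches what the trade needs."""
    decoded = decode_approve(calldata_hex)
    if decoded is None:
        return ["not an ERC-20 approve() call"]
    spender, amount = decoded
    issues = []
    if spender not in trusted_spenders:
        issues.append("spender is not a known contract")
    if amount == MAX_UINT256:
        issues.append("unlimited approval")
    elif amount > needed_amount:
        issues.append("approval is larger than this trade needs")
    return issues

# Constructed sample inputs; both addresses are placeholders, not real contracts.
ROUTER = "0x" + "11" * 20
UNKNOWN = "0x" + "22" * 20

def encode_approve(spender: str, amount: int) -> str:
    return "0x" + APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")

# what an honest DEX front-end should ask for: exactly the 100 USDC (6 decimals) being swapped
BOUNDED = encode_approve(ROUTER, 100 * 10**6)
# what a compromised front-end (as in the Badger DAO case) asks for instead
UNLIMITED = encode_approve(UNKNOWN, MAX_UINT256)

if __name__ == "__main__":
    for name, calldata in (("bounded", BOUNDED), ("unlimited", UNLIMITED)):
        print(name, review_approval(calldata, 100 * 10**6, {ROUTER}) or "ok")
```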

Attacks via social networking sites

Having accounts on social networks like Discord, Twitter, and Telegram is normal for crypto users. The need to follow news, find opportunities, and join communities large and small has created the conditions for a class of fraudsters to appear. They often pretend to be members of the project, or the project itself, to lure users to fake websites or dangerous links.

This is an extremely common form of attack that appears constantly, so users must stay highly vigilant and avoid being fooled by benefits that "fall from the sky".

Scammers impersonate reputable projects and send links to mint tokens at bargain prices
Solution:

“There is no such thing as a free lunch”: if you are offered an unbelievable bargain anywhere, it is almost certainly a scam. Attacks through social networking sites are easy to recognize, but they never stop, and attackers are becoming more sophisticated and have more tricks. Users should pay special attention and be careful with every request related to their assets.

Hijacking social media accounts

More sophisticated than the impersonation trick above: the attacker hacks and uses the real social media account of a project to spread false information in order to steal user assets.

The Instagram account of Bored Ape, one of the most popular NFT collections ever, was hacked. The attacker announced an airdrop to Bored Ape holders, who only needed to connect their wallet to receive it. NFTs worth $2.8 million were stolen in this attack.

Solution:

Be careful with announcements about “free airdrops, giveaways, …”, even from the social media accounts of trusted projects. Confirm the information with team members before participating.

Attacks on layer 1

“The security of a smart contract is only as strong as the security of the blockchain it runs on.” If the blockchain is hacked, every project built on it is affected and users suffer the damage.

Ethereum Classic, a hard fork of Ethereum, suffered a 51% attack and lost the trust of its community.

Solution:

Use established layer-1 chains that have been battle-tested for a long time.

Attack by other parties

Readers surely know about the event in which UST lost its peg, the origin of the collapse of the entire Terra empire. The attack was most likely pre-arranged, because a large amount of UST was withdrawn from Anchor in a short time, which led to panic selling.

It was a major event even beyond the crypto market, as a company once valued at $40 billion collapsed in just a few days. This showed how risky a fledgling capital market like crypto is, when even top projects can "disappear" in a short time.

Terra's capitalization fell from 40 billion dollars to just over 1 billion dollars in a short time
Solution:

Don't go all in on one project, even one at the top of the market. Making money in crypto is not easy, and we should not put too much faith in any single project. You can refer to the 5 lessons "for a lifetime" from the UST & LUNA crash, shared by a dedicated Terra follower, to gain more experience for yourself.

Epilogue

“To make money, you have to keep it.”

During such a bad market period, I would personally prioritize protecting assets rather than focusing on high-risk earning opportunities.

Above are the top 10 DeFi attacks and ways to protect your assets; hopefully this helps equip you with more knowledge for your investments. Have you encountered any attacks? Please comment below to discuss and share with Coin98!