December 5th, 2022
Decentralized Finance (DeFi) has received significant attention from investors and attackers alike. As more value is invested in DeFi projects, the number of high-value hacks has ramped up as well. With attackers exploiting a wide variety of vulnerabilities in DeFi projects and other smart contracts, understanding the root causes of DeFi hacks is essential to protecting against future incidents.
Sun of XREX’s security team has created a list of the root causes of over 100 smart contract security incidents stretching as far back as the Parity wallet hack in November 2011. For each incident, the list provides the name of the affected project, the type of incident, the date, and the amount lost. Additionally, the Notion board includes a snippet of vulnerable code and a proof of concept (POC) exploit for each vulnerability.
For example, the root cause of the October 2022 hack of OlympusDAO is reported as insufficient validation of user-provided input. In the following code snippet, the attacker controlled token_, allowing them to create a malicious smart contract designed to drain the fund.
The entry also contains a GitHub link to a POC. This also includes instructions for using Foundry to reproduce DeFi hacking incidents.
Root cause analysis is essential to understanding and correcting the security issues that led to a hack. In the case of DeFi projects, understanding the root causes of major hacks provides benefits to other projects as well.
In the DeFi space, code reuse is common, meaning that DeFi projects may copy and inherit vulnerabilities from other projects. Even if code is not copied directly, projects may naturally end up with similar code. If one DeFi project suffers a security incident, an understanding of the root causes helps other projects to determine whether they may also be vulnerable to a similar attack.
Another benefit of root cause analysis is that it provides visibility into the state of the DeFi security space as a whole. For example, a significant number of recent hacks have a root cause of “Insufficient Validation”. This indicates that DeFi developers may want to devote additional attention to the conditional code that checks the validity of user input before processing it.
The greatest security risk to a DeFi project or other smart contract is a failure to perform a security audit before launch. On the Rekt Leaderboard for the most expensive DeFi hacks, nearly all of the top 20 hacks were of unaudited projects.
Security audits help stop DeFi hacks because they identify and remediate the types of vulnerabilities in the root causes list before attackers can exploit them. Learn more about protecting your blockchain project against attack by reaching out to our Web3 security experts at firstname.lastname@example.org.