Unsinkable can still sink and unhackable can still be hacked. Yes, practice shows that smart contracts are not 100% invulnerable to security breaches. Despite their robust design and cryptographic foundations, it's crucial to stay on guard.
As the crypto market evolves, so do the methods of exploitation employed by malicious actors. A recent report by Chainalysis reveals a shift in the crypto scam landscape. Despite an overall 77% decline from $3.3 billion to $1.1 billion in the first half of 2023, a concerning trend emerges — ransom attacks are making a comeback, with perpetrators enjoying a staggering 62.4% increase in loot compared to 2022.
This resurgence of ransom attacks and other types of scams raises questions about the security of smart contracts, a fundamental tech underlying the blockchain ecosystem. Although smart contracts are considered revolutionary for different industries, their complexity and immutability can indeed make them vulnerable to exploitation.
In this article, our IT security audit team will share the most widespread types of smart contract hacks, examine recent cases, and explore effective prevention measures.
Searching for a reliable and experienced smart contract developer? Look no further
This article is part of our larger series dedicated to Smart contracts. To explore this topic in greater detail, here’s the list of articles we recommend:
Best Smart Contract Use Cases Across Industries to Explore in 2024 and Beyond
How to Audit a Smart Contract in the Most Efficient Way
Most Common Smart Contract Vulnerabilities and How to Prevent Them
What Are the Top Smart Contract Platforms and How to Choose the Right One?
What smart contract hacks are on the rise today?
Smart contract hacks threaten the integrity of decentralized ecosystems and pose substantial risks to users’ funds and digital assets. Not to mention, they jeopardize the reputation of the project and the team behind it.
Let’s delve into a range of evolving attack vectors, including human errors, flaws in contract logic, as well as elusive schemes like rug pulls and flash loan manipulation.
Attacks due to human errors
Smart contract hacks can happen due to various reasons, with human error playing a significant role in many of these incidents. The process of developing and deploying a smart contract involves numerous complexities, and even the smallest oversight or mistake can lead to disastrous consequences.
Misconfiguration of a token smart contract is a common type of human error. When developers create a token smart contract, they need to define critical parameters, such as the total supply of tokens and whether the tokens are mintable or burnable. Additionally, they must specify the access controls, permissions, and other security features. However, if the developers misconfigure any of these parameters or leave security loopholes, hackers can take advantage of these weaknesses.
It’s also important to understand that once a smart contract is deployed on the blockchain, it becomes immutable, and any vulnerabilities become a permanent part of the contract’s code. This means that even if developers realize their mistakes later, they cannot directly fix them without creating a new version of the contract. This may lead to disruptions in the ecosystem.
Exploiting vulnerabilities in contract logic
Smart contract logic vulnerabilities are hidden flaws in the code that may accidentally emerge during the development phase. These weaknesses create opportunities for malicious actors to exploit the contract, much like traps lying in wait.
There are several types of attacks that may occur due to such vulnerabilities. For example, a reentrancy attack can happen when malicious actors repeatedly call back into the contract, potentially draining funds or causing unexpected behavior. Integer overflow/underflow may take place when extreme values are not handled correctly, allowing attackers to manipulate balances or gain unauthorized access.
Unchecked external calls, access control issues, timestamp dependence, and excessive complexity in contract logic are also among the vulnerabilities that can result in attacks. To ensure the security of smart contracts and guard against such risks, it is crucial to be aware of these potential weaknesses and diligently implement secure coding practices.
Rug pulls
A rug pull involves a deceptive practice where the project creator suddenly and intentionally drains the funds and rides off into the sunset.
How exactly does a rug pull happen? Initially, the creators gain trust with a seemingly legitimate project. Investors and users contribute funds, expecting potential returns or benefits. Then, the creators manipulate the smart contract to withdraw funds, leaving investors with significantly reduced or worthless holdings. After the rug pull, the creators simply disappear.
To safeguard against such deceptive practices, users and investors must be very careful when engaging in new projects. Conducting thorough research and being aware of the potential risks associated with crypto and DeFi investments is vital.
Additionally, reviewing the smart contract code and understanding the project’s governance and token distribution mechanisms can help identify red flags and mitigate the risk of falling victim to a rug pull.
Flash loan manipulation
Flash loan manipulation is a sophisticated form of attack unique to the DeFi space, posing significant challenges to DeFi security. Flash loans typically allow users to borrow funds from a lending platform without requiring any upfront collateral. The borrower must repay the loan within the same transaction.
Flash loan manipulation takes advantage of this feature by exploiting price arbitrage opportunities across different DeFi protocols, but within the same transaction. Here’s how it works:
- The attacker borrows a significant amount of funds through a flash loan from a lending platform.
- The attacker uses the borrowed funds to execute multiple transactions across various DeFi platforms, artificially manipulating the price of certain assets or cryptocurrencies.
- The attacker leverages the manipulated prices to gain an advantage and profit from price differences between different DeFi platforms.
- The attacker repays the flash loan, returning the borrowed funds to the lending platform.
While the individual transactions themselves might seem harmless, the rapid and coordinated execution enables the attacker to exploit the temporary price discrepancies and profit significantly.
Flash loan manipulation is complex and challenging to execute, requiring a deep understanding of the DeFi protocols’ intricacies and price dynamics. It illustrates the importance of robust security measures and audits when deploying smart contracts and DeFi protocols.
Read our article to take a deeper dive into possible smart contract vulnerabilities
Popular smart contract hacks analysis: why they happened and how to prevent similar vulnerabilities
Understanding vulnerabilities that can lead to hacks is crucial for fortifying the security of future smart contracts and fostering a safer decentralized ecosystem. What’s also vital to remember is that not only users’ funds are at stake, but also your reputation and money.
Let’s delve into the biggest smart contract hacks that have recently shaken the blockchain industry. We’ll examine the reasons behind them and provide you with essential insights on effective preventive measures.
Yearn Finance and smart contract misconfiguration
On April 13, 2023, Yearn Finance, an Ethereum-based DeFi platform, fell victim to a cyber attack. The incident occurred due to a misconfiguration of the yUSD token’s smart contract, resulting in a staggering loss of nearly $11.6 million.
How did it happen?
This smart contract hack was the result of human error. The attacker discovered an overlooked flaw in the constructor function of a smart contract, which remarkably went undetected for a full 1000 days.
This vulnerability occurred during the deployment phase when the iUSDC token address was mistakenly assigned instead of the appropriate iUSDT. This gave the hacker a chance to meddle with the reserves of the yUSDT token contract.
The attacker employed various tactics, including borrowing DAI and USDC tokens, converting them into USDT, repaying negative balances on another project, and minting iUSDC tokens to manipulate reserves. Leveraging an automated value determination algorithm, the hacker detected a notable deficit due to empty reserves. This allowed them to inflate the USDT token’s value in the compromised contract, generating substantial profits from the attack.
How to prevent similar smart contract hacks?
There are two crucial steps that should be considered:
1. Ensure the accuracy of initialization values. If the contract deployer had provided the correct iUSDT token address in the constructor, the attack would have been impossible.
2. Implement regular audits and security risk assessments. As hacking methods constantly evolve, it is crucial to regularly review even those contracts that seem secure initially. Always stay alert and safe.
Ordinals Finance and the rug pull
In April 2023, Ordinals Finance, a decentralized lending and borrowing platform (or at least pretended to be one), executed a rug pull, where the project’s developer took advantage of excessive access rights assigned to a single account. This allowed them to transfer all tokens held in the contract and escape with approximately $1 million.
How did it happen?
The attacker took advantage of the safuToken function, swiftly transferring all tokens retained within the contract. This type of attack is specific to smart contracts, where developers can have significant control over the contract’s functions and use it maliciously.
How to prevent similar smart contract hacks?
The recent incident with Ordinals Finance has shown that taking preventive measures can be the key to protecting your assets from smart contract hacks. Here is what you need to do:
1. Conduct thorough research. Before investing in any project, analyze its background and reputation. Look for signs of credibility, such as recognition within the community and positive feedback from users.
2. Search for independent audit results. A reputable project should have transparently published audit reports, including smart contract audits, that highlight their commitment to security and user protection.
3. Scrutinize their social media presence and website. Genuine projects will maintain active and verified social media profiles, engaging with their community and providing regular updates. Furthermore, their official website should serve as a reliable hub of information, complete with clear contact details and a team that can be easily verified.
Check out how we performed a smart contract audit and security check for the NFT marketplace
Hundred Finance and flash loan manipulation
On April 15, 2023, Hundred Finance, a fork of the Compound protocol, suffered a major smart contract hack that resulted in a theft of approximately $7.4 million. The smart contract vulnerabilities and logic flaws allowed the attacker to artificially manipulate the token’s price and execute transactions in their own favor successfully.
How did it happen?
Blockchain security firm CertiK concluded that the reason behind this smart contract hack was a flash loan manipulation.
The project involved two kinds of wrapped Bitcoin tokens within the system — one was frequently traded, and the other was mostly inactive. The attacker used a flash loan to borrow a significant amount of WBTC that they later sent to Hundred Finance. In return, they received the platform’s hWBTC token.
Slowly, they returned the hWBTC to get back WBTC, and obtained an extra 2 wei of hWBTC, ending up with 500 hWBTC and 2 wei. They then manipulated the system to withdraw their WBTC from the pool by inflating the price and using only 1 wei.
How to prevent similar smart contract hacks?
To avoid this type of smart contract attack, it is highly recommended to do the following:
1. Perform smart contract audits. Do this no matter how confident you are in your code. It will ensure that any arithmetic errors or potential vulnerabilities are identified and rectified before it’s too late.
2. Implement limits on loan amounts. Setting a cap on how much can be borrowed at one time can help manage the risks associated with flash loans. Even if an attack does occur, this limit can potentially lessen the damage.
3. Improve the monitoring system. This will enable your development team to quickly detect any suspicious activity.
4. Address the issue with non-whole numbers. The use of non-whole numbers in the code can lead to unexpected results due to rounding errors or precision issues. These issues can create vulnerabilities in a smart contract, which attackers might exploit. This is why the developers should test and plan for these possible issues to ensure the security of smart contracts.
Conclusion
In all these cases, the hacks involved vulnerabilities or weaknesses in smart contracts or their interactions with other components, which allowed attackers to exploit the system and cause financial harm.
As smart contracts play a crucial role in most decentralized applications, securing them is of utmost importance to prevent such incidents. PixelPlex offers robust smart contract audit services aimed at preventing such attacks.
With deep expertise in blockchain IT solutions, our team of professionals meticulously scrutinizes your smart contracts, checking for vulnerabilities and possible attack vectors and ensuring they are secure and reliable. We go beyond checking the code — we guarantee that it can interact safely with all other components it’s connected to.
Reach out to us to safeguard your future in the decentralized world.
Below you may find an in-depth research of more smart contract hacks, including the reasons behind their occurrences and detailed analyses on how to prevent them.