Decentralized finance is revolutionizing the financial industry on the wings of trustless transactions. This is based on the capability of smart contracts to power automated execution of agreements, removing third-party intermediaries. Global adoption of DeFi (and ultimately web3) is therefore premised on the ability of smart contracts to live up to the expectation of enabling secure, trustless transactions. Judging by their current track record however, there’s much more work to be done to make smart contracts dependable enough to power the decentralized future.
As with any technological innovation, smart contracts have not been immune to vulnerabilities. Prying eyes and hacker hands have been swift to strike while the vulnerability-iron is hot, cashing in on the shortcomings of this emerging technology. As of May 2023, there have been 148 DeFi exploits, totaling $4.28 billion lost to hackers. That’s about one tenth of the entire DeFi TVL (Total Value Locked). Many of these exploits have been due to vulnerabilities in smart contracts.
Sadly, the list of smart contract exploits keeps increasing, so it’s important we understand the common vulnerabilities that hackers capitalize on and popular measures in use to counter these threats, as well as what’s being developed to combat these issues.
Digging Into the Vulnerabilities
Vulnerabilities with smart contracts usually occur in two forms: issues with the smart contract code itself, and external issues from associated connections with other contracts or external sources of information.
Smart contracts operate on the principle of “code is law”, meaning that once deployed, the contract is largely immutable. Consequently, any vulnerability present in the code can have far-reaching consequences. In one of the biggest exploits this year, Euler Finance was compromised for about $200 million when attackers were able to trick the protocol due to an error in its code. Another exploit was the reentrancy attack on the Sentiment protocol in April. The Safemoon protocol suffered a similar fate in March when hackers used its token burn function to cart away about $9 million.
Malicious actors use code vulnerabilities to manipulate the contract’s intended behavior, compromise the contract’s funds, or disrupt its execution. While many of the stolen funds above were returned in part or in full, the continual exploits are proof that there’s more work to do to maintain the integrity of the smart contract technology. The immutability of smart contracts can become a double-edged sword when it comes to fixing vulnerabilities. If a vulnerability is discovered, rectifying it becomes challenging since the code cannot be directly altered. Balancing the need for immutability with the necessity of security upgrades is still a significant challenge.
As of May 2023, there have been 148 DeFi exploits, totaling $4.28 billion lost to hackers. That's about one tenth of the entire DeFi TVL.
External Dependency Risks
Smart contracts often interact with external systems or other contracts to fetch data or execute specific functions. These external dependencies introduce risks as they can be compromised or manipulated, leading to unexpected outcomes. For instance, an oracle providing incorrect data to a smart contract can result in incorrect functionality. Relying on external contracts without proper security measures can expose smart contracts to vulnerabilities in those contracts, thereby undermining its overall security.
According to Chainalysis, there were 41 Oracle manipulation attacks on DeFi protocols in the year 2022, leading to a loss of $403.2 million.
Bad actors typically carry out oracle manipulation attacks by using large amounts of cryptocurrency to quickly increase the trading volume of low-liquidity tokens on the targeted DeFi protocol, which can lead to fast, significant price increases not reflective of the wider market. Those initial funds are often sourced through a flash loan if the attacker doesn’t have the funds on hand. Once an asset’s price has been driven up, the attacker can then exchange their artificially inflated holdings for other tokens with greater liquidity and a more consistent value, or use them as (worthless) collateral to borrow assets, never to be repaid. — Chainalysis.
What’s Being Done About It?
While smart contract exploits have been on the rise, there have also been increased measures both in use and development to reduce the possibilities of hacks. Here are a few of them:
Auditing and Testing
Thorough auditing and testing processes can identify and mitigate smart contract vulnerabilities. This involves the use of formal verification techniques such as theorem proving, model checking, and comprehensive test suites to detect code vulnerabilities and reduce the likelihood of exploitation. These security audits are often carried out by specialized independent firms who then provide the developers with valuable insights into potential weaknesses and recommend necessary improvements. Some examples of these firms include PeckShield, Consensys Diligence, and CertiK.
Conducting penetration tests is another measure used to evaluate the resilience of smart contracts against potential attacks. Here, ethical hackers attempt to exploit code vulnerabilities in a controlled environment. They do this by simulating real-world scenarios, allowing for the identification of weak points and addressing them before deployment. Regular penetration testing ensures that smart contracts remain secure even in the face of evolving threats.
Offering bug bounties incentivizes ethical hackers to actively search for vulnerabilities in other protocols’ codes and report them, facilitating protocol-saving contract upgrades. A ‘white-hat hacker’ bagged $2 million when he was able to spot a critical bug in Optimism’s smart contract in February 2022. Bug bounties have been an effective measure to catch coding flaws before bad actors find and exploit them.
Best Practices and Standards
What better way is there to mitigate smart contract exploits than to sustain the cry for developers to adhere to established best practices and coding standards? These guidelines often include security-conscious coding patterns and input validation techniques, and provide measures for proper handling of external dependencies. Adhering to these standards enhances the robustness and security of smart contracts. Developers should also stay updated with the latest security practices and incorporate them into their development processes.
Smart Contract Insurance
As the adoption of smart contracts increases, specialized insurance products designed to cover potential losses arising from vulnerabilities or exploits will play a vital role in boosting confidence in the technology. While the concept of smart contract insurance is still in its infancy, it is a great way to provide financial protection against the risks associated with code vulnerabilities, thereby encouraging innovation while mitigating potential losses. One such company is Chainproof, which claims to be the world’s first regulated smart contracts insurance provider. Insurers can work closely with developers to assess and mitigate risks, thereby promoting responsible development practices and accountability.
A Brighter Future
Mitigating losses associated with smart contract vulnerabilities and their exploitation requires a multifaceted approach involving collaboration between developers, auditors, researchers, and the wider web3 community. We need to continue to research and innovate in the field of smart contract security in order to address emerging threats and enhance the resilience of this transformative technology.
Regulatory frameworks can also play a role in fostering responsible deployment and incentivizing adherence to best practices. Making smart contracts more secure and reliable is necessary before we reach wider mainstream adoption.
Kornekt is a writer and editor with strong conviction in the world Web3 creates.
Hiro Kennelly is a writer, editor, and coordinator at BanklessDAO, an Associate at Bankless Consulting, and always a DAOpunk.
Tonytad is a graphic designer who has worked locally and internationally with organisations and firms on over 200 projects, which includes branding, logos, flyers, cards, and covers.
BanklessDAO is an education and media engine dedicated to helping individuals achieve financial independence.
This post does not contain financial advice, only educational information. By reading this article, you agree and affirm the above, as well as that you are not being solicited to make a financial decision, and that you in no way are receiving any fiduciary projection, promise, or tacit inference of your ability to achieve financial gains.
More Like This
Distributed Ledger Technology 101 by The Crypto Barista
14 Blockchain Basics by Hiro Kennelly
How to Learn Solidity by 0xzh