Security incidents are frequent in the DeFi world. Can the hacker bounty platform Immunefi solve them?
Author: Lao Yapi
Three years ago, the total value of cryptocurrencies locked in DeFi was only $800 million. By February 2021, this number had grown to $40 billion; by April 2021, it reached the milestone of $80 billion; and now, it has surpassed $246 billion. This emerging sector has rapidly captured the value of capital liquidity.
From the perspective of hackers, attacking the DeFi ecosystem is an ideal and quick way to get rich, clearly making it a playground for various hackers and fraudsters. CipherTrace pointed out in its latest "Cryptocurrency Crime and Anti-Money Laundering Report" that as of the end of July, DeFi-related hacking incidents have caused users to lose $361 million. What are their main tactics? And how should we respond?
How are the funds of DeFi protocols stolen?
Reentrancy Attack
A striking example is the DForce hack that occurred on April 19, 2020.
In a DeFi protocol, the smart contract has the following four withdrawal steps:
- The user calls the contract to prepare to withdraw all funds from the contract.
- The contract checks whether the user has funds in the contract.
- The contract sends the user's funds in the contract to the user.
- The contract updates itself, indicating that the user has no funds in the contract.
A reentrancy vulnerability lets an attacker call back into the contract before the first call has finished executing (hence "reentrancy"). In the example above, the attacker re-enters between the third and fourth steps, while the transfer is in progress and before the user's balance has been updated, and withdraws again. Repeating this in a loop drains the contract; in the DForce case, $25 million was stolen through repeated withdrawals.
Flash Loan Attack
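As an added illustration (not code from the article, DForce, or any real contract), the following Python model replays the four withdrawal steps above with a receiver whose "fallback" re-enters during step 3, and shows how moving the balance update before the transfer (checks-effects-interactions) stops it:

```python
# Python model of the four withdrawal steps above (constructed for this article,
# not dForce's or any real contract's code). A receiver's "fallback" runs during
# the transfer, which is where the re-entry happens.

class Vault:
    def __init__(self, safe: bool):
        self.balances = {}     # user -> recorded balance
        self.pool = 0          # funds actually held by the contract
        self.safe = safe       # True: checks-effects-interactions ordering
        self.fallbacks = {}    # user -> callback run when funds are sent to them
        self.received = {}     # user -> funds actually received

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def _send(self, who, amount):
        # Step 3: the external call. Control passes to the receiver here.
        self.pool -= amount
        self.received[who] = self.received.get(who, 0) + amount
        if who in self.fallbacks:
            self.fallbacks[who]()

    def withdraw(self, who):
        amount = self.balances.get(who, 0)   # Step 2: check
        if amount == 0:
            return
        if self.safe:
            self.balances[who] = 0           # Step 4 first: effect...
            self._send(who, amount)          # ...then interaction
        else:
            self._send(who, amount)          # vulnerable: interaction...
            self.balances[who] = 0           # ...before effect

def run_scenario(safe: bool, reentries: int = 3):
    """Returns (funds left in the contract, funds mallory received)."""
    v = Vault(safe)
    v.deposit("alice", 100)
    v.deposit("mallory", 10)
    count = {"n": 0}
    def fallback():
        # Mallory's receiving contract calls withdraw() again while the first
        # call is still between step 3 and step 4.
        if count["n"] < reentries and v.pool >= 10:
            count["n"] += 1
            v.withdraw("mallory")
    v.fallbacks["mallory"] = fallback
    v.withdraw("mallory")
    return v.pool, v.received.get("mallory", 0)
```

With the vulnerable ordering, mallory withdraws her 10 four times and takes 30 of alice's funds; with the safe ordering, the re-entered call sees a zero balance and returns.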
Recently, flash loan attacks have become the most popular hacking method. A flash loan is a loan that is valid only within a single blockchain transaction and carries no default risk: the lender will lend any amount to the borrower as long as it is repaid before the transaction ends; otherwise, the entire transaction is rolled back. Attackers abuse this mechanism to obtain, at no cost, the capital needed to exploit other weaknesses, such as asset price manipulation.
Flash loan attacks exploit weaknesses in a platform's smart contracts: the attacker borrows a large amount of uncollateralized funds, uses it to manipulate the price of a cryptocurrency asset on one trading platform, and quickly resells on another.
Vulnerabilities in Smart Contracts
Coding errors slip through when smart contract security audits are carried out carelessly or when known vulnerability classes are left unchecked. Unfortunately, many blockchain project founders run their projects with insufficient test coverage and ignore the relevance of security audits, which increases the likelihood of being attacked and causes losses to investors.
Manipulation of Price Oracles: A Representative Example of MakerDAO
Smart contracts depend on accurate data from price oracles, and obtaining that data is not as secure and reliable as one might hope. If the oracle reports an inaccurate price, the contract executes transactions on wrong terms, which benefits anyone who can push the price in their favor. A typical oracle attack briefly manipulates the sources the oracle reads from so that the on-chain price is wrong, then uses the resulting price discrepancy, often financed with a flash loan, to arbitrage against the protocol.
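To make the flash loan and oracle passages above concrete, here is an added Python simulation (constructed numbers, not code from MakerDAO or any real protocol): a constant-product pool used as a spot-price oracle is pushed from 1.0 to 4.0 by one large in-transaction swap and unwound before the transaction ends, while a time-weighted average (TWAP) over earlier blocks still reports 1.0:

```python
# Python simulation of the flash-loan oracle manipulation described above:
# constructed numbers, not code from MakerDAO or any real protocol.

class ConstantProductPool:
    """x * y = k pool. Spot price of the token in base units = base / token."""
    def __init__(self, token_reserve, base_reserve):
        self.token, self.base = token_reserve, base_reserve

    def spot_price(self):
        return self.base / self.token

    def swap_base_for_token(self, base_in):
        k = self.token * self.base
        self.base += base_in
        out = self.token - k / self.base
        self.token -= out
        return out

    def swap_token_for_base(self, token_in):
        k = self.token * self.base
        self.token += token_in
        out = self.base - k / self.token
        self.base -= out
        return out

class TwapOracle:
    """Records the spot price at each block end; reports the mean of the last n."""
    def __init__(self, n):
        self.n, self.history = n, []

    def record_block_end(self, pool):
        self.history.append(pool.spot_price())

    def price(self):
        window = self.history[-self.n:]
        return sum(window) / len(window)

def simulate(flash_base, calm_blocks=10, window=10):
    """One transaction: borrow flash_base, swap into the pool, read both
    oracles, swap back and repay. Returns (spot read, TWAP read, spot after)."""
    pool = ConstantProductPool(1_000_000, 1_000_000)   # 1 token = 1 base
    twap = TwapOracle(window)
    for _ in range(calm_blocks):
        twap.record_block_end(pool)                     # quiet history at 1.0
    bought = pool.swap_base_for_token(flash_base)       # price pushed up
    spot_during = pool.spot_price()                     # what a spot oracle reports
    twap_during = twap.price()                          # what a TWAP reports
    pool.swap_token_for_base(bought)                    # unwind, repay the loan
    return spot_during, twap_during, pool.spot_price()
```

Any contract that reads the spot price mid-transaction sees 4.0, but the chain state after the transaction is unchanged, which is why a manipulation-resistant oracle (TWAP, multiple independent sources) is the usual mitigation.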
The Emergence of DeFi Vulnerability Bounty Platforms
Traditional bug bounty platforms for websites and applications, such as HackerOne and BugCrowd, have succeeded in this old-world model. However, there is a significant difference between existing "Web 2.0" bug bounties and the new era of "Web 3.0" bugs related to blockchain and cryptocurrencies. In the era of decentralized finance (DeFi), the key nature of Web 3.0 vulnerability bounties is related to actual monetary value, not just software vulnerabilities.
What is Immunefi?
Launched in December 2020, Immunefi provides smart contract security through bug bounties. More importantly, they claim to be the world's leading bug bounty platform! Immunefi has the ambition to curb DeFi hacking issues. To achieve this goal, it offers consulting services, vulnerability detection, project management, and, most importantly, a team of white-hat hackers. Immunefi seeks to connect DeFi protocols with hackers to protect the assets of platforms and users.
What is a Bug Bounty?
A bug bounty program rewards security researchers for discovering potential vulnerabilities in smart contracts and applications. Additionally, the bounty incentivizes white-hat hackers to find and report vulnerabilities to projects, which then compensate them based on the severity of the vulnerabilities.
Challenges Faced by Traditional Bug Bounties
- Economic Incentives
Although hackers worldwide are nominally divided into white hats and everyone else, most operate in a gray area. For example, a hacker who discovers a vulnerability that could quickly earn $5 million faces a moral dilemma in the face of enormous benefits: should he do the right thing and report the bug to the platform for a $5,000 bounty, or exploit it himself? Without a consistent and fair white-hat reward system, the temptation of human nature's darker side will always exist.
- Reporting
DeFi projects often lack someone responsible for handling bug bounty reports, so a white-hat hacker who tries to report a vulnerability may struggle to find a decision-maker. Moreover, when the CTO receives an external alert that their code has flaws, ego easily takes precedence and the bounty hunter is treated with suspicion rather than gratitude. Even if the discovery is reported through the proper channels to the company's leadership, there is no guarantee that the company will reward them, and the finance department may disagree with the development team on the value of the bounty, leading the entire process into a series of dead ends.
Immunefi's Bounty Program
The Immunefi platform represents their white hats and project teams in handling/communicating and negotiating, significantly improving efficiency and compressing time costs for both parties. Immunefi allows hackers to remain anonymous and does not require KYC documentation.
The Immunefi platform has already released some lucrative bounties, with its client Astroport offering rewards of up to $3 million. Other notable bounties come from Celer, worth up to $200,000, xDAI up to $2 million, and a $1.25 million bounty released by Sushi.
Immunefi currently has $71 million in bounties, aiming to turn bug hunting from a hobby into a viable career. So far, the platform has paid out over $10 million, helping clients avoid losses of $20 billion.
How to Launch a Bounty Program?
After clients fill out the Immunefi bug bounty registration form, they receive a questionnaire.
Immunefi begins drafting a bug bounty program based on the answers to these questions, which is then sent to the client for review. Once modifications are complete, the program is handed over to Immunefi's operational experts. The operational experts work with the project team to determine the launch time of the bounty activity and the public relations/marketing details of the bounty, as well as how fees and payments will be handled.
Posting a bug bounty on Immunefi does not require upfront fees. When hackers discover a genuine vulnerability, clients only need to pay Immunefi a 10% performance fee based on the bug bounty.
Due to the rapid development of the DeFi space, the accompanying security issues have caused most platforms and user funds to suffer losses. This may explain why Immunefi, one of the emerging bug bounty and security service platforms in DeFi, has been able to quickly capture value, having raised $5.5 million in funding, led by Electric Capital, with participation from Blueprint Forest, Framework Ventures, Bitscale Capital, P2P Capital, IDEO Colab, The LAO, BR Capital, 3rd Prime Ventures, North Island Ventures, and other individual investors.
Amador added in an interview with TechCrunch: "The reality is that Web 3 is a more adversarial environment, which means that every part of the bug bounty process is different from before, from the submission and processing of reports to the verification of reports and the negotiation of payments. Traditional Web 2 bug bounties are a convenient tool for fixing errors, while our Web 3 bug bounties are a more critical emergency system for DeFi projects."
As the building blocks of the DeFi ecosystem continue to grow and multiply, security issues remain a sword of Damocles hanging overhead. It is self-evident that attacks on DeFi will not stop and will keep occurring in the future.