Web 3.0 is a decentralized internet that involves the use of decentralized protocols deployed on blockchain and executed by virtual machines. These decentralized applications are called smart contracts.
The use of Web 3.0 is closely associated with money in the form of cryptocurrencies through the DeFi and NFT markets. Financial applications are currently the key ones for Web 3.0. After all, you need to spend some cryptocurrency for every transaction you make to pay miners and validators for their service of processing your transaction.
When you have a system designed to deal with cash flows, you need it to be securely built. But Web 3.0 is currently in its very early stages of development and looks more like experimental testing than a sound technology. As is common for most new digital technologies nowadays, security is one of the major teething problems of Web 3.0. Still, it has already received substantial venture capital lured by enticing rewards.
And every new technological venture that has big money locked in it and a number of unpatched loopholes naturally becomes a lure for hackers who are willing to use them for their own financial benefit. On top of that, the decentralized nature of Web 3.0 and the lack of any need to provide your personal details make it all the more attractive for cybercriminals.
And the size of investment is the best indicator of an industry’s potential. So, it will be safe to say that Web 3.0 has good potential, some of which probably remains untapped. To bolster its development, the security standards have to be raised.
What are the main threats to DeFi’s security?
The current existing threats associated with cyberattacks on Web 3.0 can be put into two groups: vulnerabilities in the code and vulnerabilities in the business logic of smart contracts. The first group includes exploits of virtual machines, mempool overloads and reentrancy attacks. They are built around exploiting the functions and order of execution of their commands.
In essence, these exploits do not damage the decentralized software in the traditional sense as it happens with attacks on centralized IT infrastructures and personal computers. They simply exploit the opportunities that have been unintentionally provided by programmers.
It can happen in different ways. Often, developers use the code base of other open-source projects but make modifications to it that seem minor and unlikely to affect the way the smart contract operates. However, they may eventually be proved wrong because these modifications can affect the mechanisms of smart contract operation in unforeseen ways.
Reentrancy attacks have gone down in the history of blockchain as one of the classic types of attacks on decentralized protocols. They target the so-called callback function and functions in the contract using its balances. This function is used in the smart contracts of lending protocols because it is needed to monitor the user’s collateral on the platform and calculate the amount of funds they can borrow.
When a user borrows funds, they query the ‘callback function,’ which checks the user’s balance in the contract and issues a respective amount of liquidity as a loan. This process consists of three operations: the check of the user’s balance, the calculation of the user’s balance after the issuance of the loan and the issuance of the loan as such.
Depending on the order of execution of these operations in the callback function, there might be a way to fool the system and take more liquidity than what your collateral permits.
First goes the balance check, and then goes either the issuance of the loan or calculation of the changed balance. If the loan is issued first and there is a callback at the end of the code sequence, it allows the user to start the process from the beginning, while this transaction is not mined and added to the blockchain.
For example, you have $200 of collateral and take out a loan of $100 for $100 of your collateral. If the loan is issued first and you query the callback before the effects of your actions are finalized on the blockchain, you can take out another loan for an unchanged amount of collateral. This procedure can take multiple iterations and allow the user to drain the contract of liquidity.
The way to protect the contract from this cyberthreat is called the checks-effects-interactions pattern. This pattern puts the calculation of the user’s balance in the contract before the issuance of funds. This simple pattern, however, works for reentrancy attacks on the callback function itself, but cross-function reentrancy attacks are more difficult to defend against.
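The ordering problem described above can be reproduced off-chain. The following is an added example, not code from the article or from any real protocol: a small Python model of a lending pool (the class and method names are assumptions made for illustration) that runs the article's $200 collateral and $100 loan case with the loan issued before and after the balance update.

```python
# Constructed model of a lending pool; names are illustrative, not a real protocol's API.

class LendingPool:
    def __init__(self, liquidity, safe):
        self.liquidity = liquidity      # funds the pool can lend out
        self.collateral = {}            # user -> deposited collateral
        self.debt = {}                  # user -> collateral already borrowed against
        self.safe = safe                # True: checks-effects-interactions ordering

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount):
        # 1. Check: enough unencumbered collateral and pool liquidity?
        free = self.collateral.get(user, 0) - self.debt.get(user, 0)
        if amount > free or amount > self.liquidity:
            return False
        if self.safe:
            # 2. Effect first: record the debt before any external call.
            self.debt[user] = self.debt.get(user, 0) + amount
            self._send(user, amount)
        else:
            # Vulnerable order: the external call runs while debt is still stale.
            self._send(user, amount)
            self.debt[user] = self.debt.get(user, 0) + amount
        return True

    def _send(self, user, amount):
        # 3. Interaction: paying out hands control to the receiver's callback.
        self.liquidity -= amount
        user.on_receive(self, amount)


class ReentrantBorrower:
    """Receiver whose callback calls borrow() again before the first call returns."""
    def __init__(self):
        self.received = 0

    def on_receive(self, pool, amount):
        self.received += amount
        pool.borrow(self, amount)       # re-enter; stops once a check rejects it


def run(safe, liquidity=1000, collateral=200, loan=100):
    pool, user = LendingPool(liquidity, safe), ReentrantBorrower()
    pool.deposit(user, collateral)
    pool.borrow(user, loan)
    return user.received, pool.liquidity
```

With the loan issued first, the same $200 of collateral passes the check on every nested call and the pool is emptied; with the balance updated first, the nested calls stop at the collateral limit.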
But reentrancy attacks are becoming less regular as new frameworks are designed to eliminate them. Nowadays, DeFi hackers are focusing their efforts more on exploiting inconsistencies in the business logic of smart contracts, often using numerous protocols to steal funds from one. Such attacks often involve flash-loan services that allow you to take out a loan without submitting collateral.
One of the biggest flash-loan attacks was performed on Cream Finance in December 2021. It resulted in the theft of $130 million worth of cryptocurrencies and tokens. There were two addresses involved in the attack, which used such flash-loan platforms as MakerDAO, AAVE, Yearn.finance and Curve to withdraw funds from Cream Finance.
In the end, the attacker exploited a loophole in Cream’s PriceOracleProxy’s evaluation of the price of cryUSD, Cream’s USD-pegged stablecoin. PriceOracleProxy values cryUSD based on the price of the yUSDVault stablecoin (the Yearn.finance stablecoin) held in the yUSD Yearn Vault.
Having done multiple manipulations with the liquidity loaned from MakerDAO, the attacker added eight million yUSD to the eight million yUSDVault. The Cream Finance PriceOracleProxy perceived this as yUSDVault now costing $2 instead of one and doubled the price of cryUSD.
Thus, the attacker got $3 billion in 1.5 billion cryUSD that had been minted from $1.5 billion yUSDVault. This allowed the attacker to pay off the loan and interest and use the remaining $1 billion to drain Cream Finance of liquidity worth $130 million.
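The valuation step behind these figures, as an added example that is not code from the article or from Cream Finance: a simplified Python model in which collateral is priced from a vault's assets-per-share ratio. The class names and the bounded-move check are assumptions; the bounded oracle is one illustrative mitigation, not the fix the protocol applied.

```python
# Constructed model of a share-priced vault and the oracle reading it; names are illustrative.

class Vault:
    def __init__(self, assets, shares):
        self.assets = assets    # underlying tokens held by the vault
        self.shares = shares    # vault share tokens in circulation

    def donate(self, amount):
        # A direct transfer raises assets without minting any shares.
        self.assets += amount

    def price_per_share(self):
        return self.assets / self.shares


class SpotOracle:
    """Trusts whatever the vault reports at the moment of the query."""
    def __init__(self, vault):
        self.vault = vault

    def price(self):
        return self.vault.price_per_share()


class BoundedOracle(SpotOracle):
    """Assumed mitigation: reject a reading that moved more than max_move since the last one."""
    def __init__(self, vault, max_move=0.05):
        super().__init__(vault)
        self.max_move = max_move
        self.last = vault.price_per_share()

    def price(self):
        spot = self.vault.price_per_share()
        if abs(spot - self.last) / self.last > self.max_move:
            raise ValueError("price jump exceeds allowed move")
        self.last = spot
        return spot


def scenario(oracle_cls, tokens=1_500_000_000):
    vault = Vault(assets=8_000_000, shares=8_000_000)   # figures from the article
    oracle = oracle_cls(vault)
    before = tokens * oracle.price()                    # collateral value at $1
    vault.donate(8_000_000)                             # assets double, shares unchanged
    try:
        after = tokens * oracle.price()
    except ValueError:
        after = None                                    # oracle refused the new price
    return before, after
```

The spot oracle reports the collateral as worth twice as much after the transfer, while the bounded oracle refuses to price it until the move is reviewed or smoothed.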
What does the future hold for Web 3.0?
To make Web 3.0 more secure, security standards should be raised. This requires a competent workforce for building Web 3.0 from the ground up and qualified security specialists working for Web 3.0 companies. While DeFi and other entities of Web 3.0 carry high levels of risk, it is unreasonable to expect the mainstream public to embrace Web 3.0. To make it happen faster, we can also adopt the best security practices from CeFi and implement them in decentralized systems.
Dmitry Mishunin is the founder and CEO of a DeFi security and analytics company HashEx. He devotes a lot of time to scientific activities, such as research into IT systems, blockchain and vulnerabilities in DeFi.