Vulnerable DeFi: The Different Types of Hacks
There are hacks happening in the crypto ecosystem almost every day. Some are small and targeted towards individuals and some are bigger and targeted towards protocols or businesses. Hackers have many sophisticated ways of getting hold of your funds.
This article explains some of the most common types of hacks and how you can try to prevent them from happening to you. There are two broad categories: on-chain hacks, which exploit vulnerabilities in smart contracts, and off-chain hacks, which exploit front-end weaknesses, compromise passwords or aim to engineer people into making mistakes.
The mid-function restart hack. This one is, arguably, the most famous and frequently used. It exploits a vulnerability in a smart contract that allows a function to be interrupted in the middle of execution and started over again.
This is powerful when, for example, making a lending deposit to borrow capital. The function will, in that case, allow the depositor to take out a loan that is smaller than the deposited amount when it is a fully collateralized lending protocol.
However, if the smart contract is not solid, the hacker can take out the loan and before the function stops, start it again and take out another loan, until the pool is drained of capital. This way they can extract way more capital than deposited and therefore steal large numbers of tokens.
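The ordering flaw described above is commonly called reentrancy. The toy model below is an added example, not code from this article or from any real protocol: the `Pool` class, its 50% loan limit and the `on_receive` callback (standing in for the control a payout hands to the recipient) are all assumptions. It shows the same borrow function draining the pool when the debt is recorded after the payout, and staying within the collateral limit when the debt is recorded first and a lock rejects nested calls.

```python
# Added illustration: a toy Python model, not Solidity and not any real protocol.
class ReentrancyError(Exception):
    pass

class Pool:
    LTV_PERCENT = 50  # assumed: borrow up to 50% of deposited collateral

    def __init__(self, liquidity, hardened):
        self.liquidity, self.hardened = liquidity, hardened
        self.collateral, self.debt = {}, {}
        self._locked = False

    def deposit(self, user, amount):
        self.collateral[user] = self.collateral.get(user, 0) + amount

    def borrow(self, user, amount, on_receive):
        if self.hardened and self._locked:
            raise ReentrancyError("borrow() re-entered before it finished")
        limit = self.collateral.get(user, 0) * self.LTV_PERCENT // 100
        if self.debt.get(user, 0) + amount > limit or amount > self.liquidity:
            raise ValueError("loan exceeds collateral limit or pool liquidity")
        if self.hardened:
            self._locked = True
            self.debt[user] = self.debt.get(user, 0) + amount  # effect first
            self.liquidity -= amount
            try:
                on_receive(amount)                             # interaction last
            finally:
                self._locked = False
        else:
            self.liquidity -= amount
            on_receive(amount)          # control leaves before debt is recorded
            self.debt[user] = self.debt.get(user, 0) + amount

def simulate(hardened, max_calls=10):
    """Return (total paid out, liquidity left) when the recipient hook re-enters."""
    pool = Pool(liquidity=1000, hardened=hardened)
    pool.deposit("borrower", 200)       # collateral limit is therefore 100
    paid = []

    def hook(amount):                   # recipient code run during the payout
        paid.append(amount)
        if len(paid) < max_calls:
            try:
                pool.borrow("borrower", 100, hook)
            except (ValueError, ReentrancyError):
                pass

    pool.borrow("borrower", 100, hook)
    return sum(paid), pool.liquidity
```

With the flawed ordering the 200-token deposit yields 1000 tokens of loans; with the hardened ordering it yields 100.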
Another method often used is the fake deposit hack. This consists of exploiting a smart contract vulnerability by making it believe that a deposit has been made while that is not the case.
The hacker can drain a protocol of all its available capital simply by making it believe that it has received the required amount of capital in return. Two good examples of this type are the X-Bridge and Wormhole hacks that happened in early 2022.
Another way to exploit a smart contract is by manipulating its oracle, an external source of decision-making data for smart contracts. The oracle manipulation hack could be on-chain or off-chain depending on the oracle.
By manipulating the oracle, the hacker can take advantage of the smart contract by modifying what it believes to be true. Let’s say the hacker opens a big short position on a certain token, manipulates the oracle price feed of a lending and borrowing protocol and tells it that the token just dropped 50% in price. This will, in turn, cause a cascade of liquidations, which will cause the token price to fall dramatically. That will then benefit the hacker, because of their large short position on that token. This is an indirect way for the hacker to profit. A more direct way is described in this article about the Deus Finance hack that happened in March of this year.
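A defender-side view of the 50% price-drop scenario above, as an added example that is not from the article or any real protocol: the positions, the 1.2 liquidation ratio, the three feeds and the 20% circuit-breaker threshold are all constructed assumptions. It compares a liquidation check that trusts one feed with one that takes the median of independent feeds and holds the last good price when the move is implausibly large.

```python
from statistics import median

# Constructed sample: position id -> (collateral tokens, debt in USD).
POSITIONS = {"a": (10, 600), "b": (10, 700), "c": (10, 400)}
MIN_RATIO = 1.2          # assumed: liquidate below 120% collateralization
LAST_GOOD_PRICE = 100.0  # assumed: last price accepted by the protocol

def liquidatable(positions, price, min_ratio=MIN_RATIO):
    """Ids of positions whose collateral value / debt falls below min_ratio."""
    return sorted(pid for pid, (tokens, debt) in positions.items()
                  if tokens * price / debt < min_ratio)

def guarded_price(feeds, last_good, max_move=0.2):
    """Median of independent feeds, with a circuit breaker on large moves.

    Returns (price_to_use, breaker_tripped). One bad feed cannot move the
    median; if the median itself jumps more than max_move, keep the last
    good price so liquidations pause until the move is confirmed.
    """
    candidate = median(feeds)
    if abs(candidate - last_good) / last_good > max_move:
        return last_good, True
    return candidate, False

def liquidations_single_feed(reported_price):
    # Weak design: whatever the single feed reports is treated as the truth.
    return liquidatable(POSITIONS, reported_price)

def liquidations_guarded(feeds):
    price, tripped = guarded_price(feeds, LAST_GOOD_PRICE)
    return liquidatable(POSITIONS, price), tripped
```

A tripped breaker is also a detection signal worth alerting on, since it means the feeds disagree sharply with the last accepted price.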
Phishing attacks are the most common form of off-chain hack. Ever got that weird email with an 80-character long URL that looked like Binance.com, but actually said Binance.discount.com? Those are phishing emails. Never engage with those.
If you clicked that link and logged into your Binance account, the hacker would take that data and log into your real Binance account and, before you know it, your funds would be gone. That assumes the hacker could get through 2FA, in case you have that set up (a friendly reminder to always do so).
There is a wide variety of different phishing methods. The most practical approach is to engage only with emails you have requested and never with unexpected ones. Also, never click on links from unknown sources in Telegram chats, Discords, Twitter DMs or other places.
A recent example of a wide-scale phishing attack is the OpenSea NFT hack. A great example of, and an important read about, a highly sophisticated, personally targeted phishing attack is the one on @revive_dom, who barely survived it.
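The Binance.discount.com lookalike described above can be caught mechanically by checking which domain the link really belongs to. The function below is an added example, not code from the article: the allowlist and the sample URLs are constructed, and the check only accepts a link if its host is an allowlisted domain or a subdomain of one.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the domains the user actually does business with.
TRUSTED_DOMAINS = {"binance.com"}

def is_trusted_link(url, trusted=TRUSTED_DOMAINS):
    """True only for https links whose host is a trusted domain or its subdomain.

    The rightmost labels of a hostname decide who owns it, so
    'binance.discount.com' belongs to discount.com, not to Binance.
    urlsplit() also separates any 'user@' prefix from the real host, which
    defeats links of the form https://binance.com@other-site/.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https" or parts.hostname is None:
        return False
    host = parts.hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

# Constructed sample links, as they might appear in an email or chat message.
SAMPLES = [
    "https://www.binance.com/en/login",
    "https://Binance.discount.com/login?session=restore",
    "https://binance.com@discount.com/login",
    "https://binance.com.discount.com/",
    "http://binance.com/",
]

def classify(samples=SAMPLES):
    """Map each sample link to True (trusted) or False (do not engage)."""
    return {url: is_trusted_link(url) for url in samples}
```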
This article does not cover all types of hacks, but the most common ones are described. It is critical that smart contracts are always audited not once but a few times by different audit providers before launch, and any novelties are reviewed by several different experts.
Off-chain hacks are far more common, and many individual users suffer from them. Stay safe out there and don’t engage with anything that looks remotely close to being phishy or scammy, be it a direct message with links or an email with attachments.
Hacks can never be fully prevented. Lossless, therefore, launched a protocol that can stop hacks after they have occurred and freeze the fraudulent transaction. This is a novel and important approach to making the crypto industry safer for all. Learn more on our website and socials. Stay safe and keep building.
Lossless is the world’s first DeFi hack mitigation tool for token creators. Apart from Lossless’ known cyber security solutions and renowned professionals, the community also plays a role. With a tangible reward system, community members are also encouraged to explore new ways to detect hacks and fraudulent transactions.
Lossless protocol halts counterfeit transactions through various methods of fraud identification and automatically reverses any stolen tokens back to the original owner. Its solutions to the impending problems of cyber theft within the blockchain space are thorough and applicable within many protocols.