One of the most high-profile events of the past year was the theft of three million dollars from the DeFi protocol Cover on December 28, 2020. The attacker used the vulnerability of “infinite mining”: invested assets, withdrew them, took profits, and repeated this procedure several times. It is noteworthy that the hacker turned out to be a decent person — he returned the funds, accompanying the transaction with the following message: “Watch your funds next time”.
This event, however, had implications for the protocol. The value of the token dropped by 96%, and the amount of assets blocked in the protocol decreased to one million dollars. Now the situation has partially recovered, but who knows how many users have left forever and will no longer be able to trust this project?
What happened to Cover?
To understand what made the theft of Cover funds possible, we asked for a comment from a company that specializes in working with smart contracts. Telescr.in company agreed to explain the situation:
Such sad consequences were caused by the combination of two minor bugs, which, are relatively harmless separately. The first error is related to memory: in general, there are three types of memory in smart contracts: steak (local variables), storage (the most expensive memory that is stored in the blockchain), and memory (byte sequence). Since the smart contract uses all types of memory, this makes it possible to overwrite one variable from storage to memory, change it as a result of the operation, and then use it in the modified form. The second drawback is related to the mismatch of the order of variables when performing operations. For example, we add a variable to a smart contract that has 18 characters, and then it is written that it has 12 characters – this also causes an inaccuracy, but not a critical one.
When attacking Cover, the hacker initially made several deposit and withdrawal operations, requesting a reward. After passing several cycles, one of the variables gave an error, as a result of which it became possible to output a huge number of tokens.
Experts note that there are tools that allow you to track processes at the time of the transaction. Also, the trivial detection and correction of bugs could protect Cover from trouble.
In this case, everything ended well – after all, the hacker returned the funds, but this does not always happen.
High-profile hacks of 2020
Cover is far from the only cryptocurrency project that suffered from a hacker attack in 2020.
- The attack on the cryptocurrency exchange KuCoin in September was one of the largest hacks in the history of the industry (the damage was estimated at $280 million).
- In April, the dForce DeFi-protocol was affected by the attack. At the time of the theft, the amount was almost $25 million. Hacker took advantage of a critical vulnerability in the smart contracts of Lendf.me platform.
- Harvest Finance also suffered from the hacker attack – a smart contract error cost them almost $20 million.
- Pickle Finance, another DeFi-project, suffered major damage as a result of the attack. Hackers stole more than $19 million.
- In November, the Origin Dollar stablecoin suffered from a hacker attack – the project lost more than $7 million.
What is a smart contracts audit?
Why does this happen if smart contracts are considered one of the safest methods of managing funds today? For all their perfection, hackers are also constantly developing their skills. They become more inventive as the complexity of contracts increases. As the saying goes, “blockchain is secure, but blockchain applications – not always”. Audits of smart contracts, which have recently become increasingly popular, are designed for combating this and preventing such cases.
The usual audit of a smart contract includes an analysis of the specification and related documentation, which explains the principle of the project architecture; testing and searching for major bugs, automated analysis using special software… – according to the explanations of Telescr.in.
But the main thing is, of course, manual analysis. It is this process that allows you to determine how much the code corresponds to the declared functionality. For example, in Telescr.in, this is done by several engineers at once, who then compare the results with each other. This approach allows you to search for vulnerabilities as efficiently as possible. As a result, smart contract owners receive a detailed report on the results, which includes a list of all vulnerabilities and inconsistencies found, as well as recommendations for their elimination.
What problems does the audit detect?
The audit helps to find not only critical but also more common errors of smart contracts. For example, problems with integer arithmetic, the vulnerability of the gas limit in the block when the array overflows, missing parameters or prerequisites (the result of careless development), potential frontrunning (overtaking an unconfirmed transaction), as well as a great number of logical flaws.
All of them can be detected only if the auditor fully understands the architecture of the codebase and has an understanding of the intended functionality of the project and the contract specification. Experts note that this is why the audit of smart contracts takes time, requires certain costs, and the participation of highly qualified specialists.
We believe that the audit market is not developed at the moment and there are no large audit companies that could protect investors’ funds from such situations by checking projects, – according to Telescr.in. – For example, the developing DeFi sector is particularly dangerous in this regard. When a project gets to decentralized sites, there is no way to quickly close it and fix errors, even if they are found. This is both good and bad, so, logically, smart contracts should be checked before entering the market. Moreover, it is optimal to conduct inspections by several organizations at once. The audit is very subjective, one company cannot always find all the bugs, while several views almost always solve this problem. At the same time, the cost of the audit is low relative to the problems that the lack of checks can create and the situation with Cover confirms this.