Crypto Sees $12M Recovered From Exploit Despite Certification Audit

Ecological stablecoin project Defrost Finance will return $12 million in stolen funds by December 23, 2022, despite a code audit by CertiK.

Defrost will use on-chain data to ensure the correct allocation of stolen funds. The refund comes after an attacker took advantage of a flaw in several defrosted smart contracts. Blockchain security firm PeckShield initially Reported Attack on December 23, 2022.

Defrost customers lost $12 million

The hacker allegedly withdrew $173,000 via a quick loan attack based on Defrost’s V1 protocol. In a more significant V2 attack, a criminal stole $12 million by liquidating users’ positions through a fake collateral token and a malicious price oracle. The attackers later reportedly stole $1.4 million from cross-chain tech aggregator Rubik Finance, raising concerns about vulnerabilities in smart contract code.

Liquidation in DeFi occurs when the value of a user’s collateral falls below the lending protocol’s minimum loan-to-value ratio. Stablecoin protocols such as Defrost allow users to deposit collateral for permanent stablecoin loans. The protocol uses an algorithmically-adjusted stability fee to determine loan interest. The introduction of fake collateral for V2 potentially compromised the loan-to-value ratio of Defrost users, leading to their liquidation.

CertiK audits reveal centralization issues

Both hacks draw attention to the conclusions that can be drawn from smart contract code audits when assessing the legitimacy of DeFi projects. Blockchain security firm CertiK was implicated in both hacks, with the company conducting code audits of Defrost and Rubik’s.

CertiK audited Defrost V1 smart contracts in November 2021, listing a significant logic issue and five issues related to centralization. The former had been resolved at press time, while the latter had been accepted without evidence of further work. A logistical problem, colloquially referred to as a ‘bug’, allows smart contracts to operate incorrectly without crashing. On the other hand, if a hacker gains access to a shared code block or variable, a centralization problem can lead to compromise of multiple entities.

CertiK also discovered several centralization issues in Rubik Finance’s SwapContract smart contract, one of which would have enabled the hacker to withdraw ETH/BNB and other coins to the hacker’s address.

Audits are not a substitute for common sense

Rather than endorsing a project or its assets, CertiK tests the resilience of smart contracts to various attack vectors. It also assesses the contracts’ compliance with accepted coding standards and compares a project’s smart contracts to smart contracts produced by industry leaders.

A careful examination of CertiK’s website reveals that the company only audits code provided by DeFi protocols. It advises interested investors to conduct their own due diligence. Additionally, its report included the following disclaimer:

“CertiK’s position is that each company and individual is responsible for their own due diligence and ongoing security. CertiK aims to help reduce the high level of variance associated with attack vectors and the use of new and ever-changing technologies, and in no way claims to guarantee the security or functionality of the technology we use to analyze. agree to.

While not the complete picture, these reports can provide insight into project risks, helping to inform interested parties about the project. Any proposed changes to the smart contract code can go through the protocol’s standard voting process without government intervention.

Coinbase CEO Brian Armstrong advocated that DeFi protocols should be protected by free speech in the United States rather than being regulated by laws governing financial services businesses.

be for[In]Crypto’s Latest Bitcoin (BTC) Analysis, Click Here.


BeInCrypto has reached out to the company or the person involved in the story for an official statement regarding the recent development, but has yet to hear back.

Source link

Leave a Comment