a hack
橙皮书
2020-04-21 04:09
I hope that this attack can teach the crypto circle and everyone in the DeFi industry a lesson.

Editor's Note: This article comes from Orange Book (ID: chengpishu), reprinted by Odaily with authorization.


Some time ago, I set up a very simple blog to write some personal diary entries. The code was thrown together quickly and published as-is. A day later, I discovered that the session stored in the website's cookie was not encrypted, so the front end could easily parse it out, and the mistake I had made was storing sensitive information in that session.

The software world has countless pitfalls. Take the simplest website as an example: SQL injection, XSS attacks, CSRF attacks that abuse third-party cookie reuse, image or file upload vulnerabilities, all kinds of deadly tricks are on stage. A novice setting up his first website on the Internet is like a sailor taking a rickety little sailboat out to sea for the first time, unaware that countless storms, icebergs and sea monsters lie in ambush on the road ahead.

It's just that, for the most part, those risks are illusory. Of course the holes in the hull are always there, but storms and sea monsters do not necessarily show up. After all, storms and sea monsters are busy too. They only attack those worth attacking, either overturning fishing boats returning with a full load or plundering the freighters of rich merchants.

Therefore, it is no wonder that some people say software engineering is not like other "hard engineering". If civil engineering makes a mistake, buildings collapse, roads cave in, and human lives are lost; if the software crashes? At most a website goes down for half a day.

Of course, this statement is actually wrong. Software is eating the world; code is everywhere. A vulnerability in today's software means not just a website or an app, but also the control systems of airplanes and rockets. Boeing outsourced airliner software to a cheaper third party, which eventually left a bloody bug in the history of aerospace.

Dijkstra also told a similar story [1]. After Apollo landed on the moon in 1969, he once asked the person in charge of the spacecraft software how they had managed to write so much code correctly. Unexpectedly, the other party confessed: only five days before launch, an error had been found in the code that computed the lunar lander's orbit. One line of code had the direction of the moon's gravity reversed: what was supposed to attract turned out to repel.

In addition to military software and aviation software, we now have another field: blockchain. Crypto, inherently tied to currency and finance, makes us feel once again how important code security is in the software world.

Yesterday was a dark day for the Chinese DeFi circle. Lendf.Me, dForce's lending platform, was hacked and lost $25 million in assets. The hackers exploited the combination of the ERC777 standard's transfer hooks and a flaw in the Lendf.Me contract: using a reentrancy attack, they created a pile of imBTC out of thin air on the platform, then borrowed the platform's other currencies against it and looted them. Just the day before the dForce incident, Uniswap had been attacked with similar tactics. The ERC777 reentrancy vulnerability had been disclosed by OpenZeppelin in June 2019, but it did not attract attention.
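As an added illustration that is not part of the original article and not the Lendf.Me or dForce code, the Solidity sketch below shows the general shape of the accounting defect that an ERC777 transfer hook can turn into a reentrancy problem, next to a hardened version of the same pool. The contract and interface names (IToken, VulnerablePool, HardenedPool) are assumptions made for this example; the ERC777 hook behaviour referenced in the comments is part of that standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface (assumption for this example). An ERC777 token sitting
// behind this interface notifies the token holder (tokensToSend) and the
// recipient (tokensReceived) during every transfer, and a contract holder can
// run arbitrary code in that hook, including calling back into the pool.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern: a balance is read into a local variable, an external call
// is made, and the stale local value is written back afterwards.
contract VulnerablePool {
    IToken public immutable token;
    mapping(address => uint256) public deposited;

    constructor(IToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        uint256 before = deposited[msg.sender];
        // External call while `deposited` still holds the old value. If `token`
        // is ERC777, the depositor's hook runs here and may call withdraw().
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        // Written after the external call: any balance change made during the
        // hook is overwritten by the stale `before + amount`, re-crediting
        // tokens that were already withdrawn. This is how a balance can be
        // created "out of thin air" without depositing anything extra.
        deposited[msg.sender] = before + amount;
    }

    function withdraw(uint256 amount) external {
        require(deposited[msg.sender] >= amount, "insufficient");
        deposited[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// HARDENED version: checks-effects-interactions plus a reentrancy guard.
contract HardenedPool {
    IToken public immutable token;
    mapping(address => uint256) public deposited;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked

    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(IToken _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        // Effects before interactions: storage is updated in place, never cached
        // across the external call, so a hook cannot observe or clobber stale state.
        deposited[msg.sender] += amount;
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(deposited[msg.sender] >= amount, "insufficient");
        deposited[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Two things are worth noting for anyone auditing a lending contract against this class of bug. First, the hardened deposit does not rely on the guard alone: even without it, updating storage before the external call leaves no stale value for a hook to exploit, and the guard is a second, independent line of defence. Second, the root cause is not "ERC777 is broken" but the assumption that a token transfer is an inert call; any token whose transfer hands control to another contract (ERC777 hooks, but also tokens with callbacks) invalidates that assumption, so the review question is "can anything run between my read and my write?" rather than "is this token on a list?".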

This event will become an important turning point in the development of DeFi. The incident is still unfolding, and whether the assets can be recovered and users' losses minimized depends on what follows, but the various crypto groups are already arguing. There are many lessons here. Many people will lose confidence in DeFi, decide that DeFi is a pseudo-concept, and doubt the story that Ethereum (itself a major public chain) has told around decentralized finance in the past few years. Many users will also be unwilling to put assets into DeFi products and will prefer centralized financial products, because "CeFi can at least protect their rights if something goes wrong."

These quarrels are normal. DeFi is both Lego and a honeypot. From now into the future, there will always be a small group of hackers staring at it, trying to dig out the gold coins inside. Any financial system has to go through such a process and cannot escape it. Those who pass the test and survive will have the opportunity to go mainstream and become a more stable financial infrastructure.
