Carnival of hackers, how can DeFi, which is limited by technical constraints, break through?
PeckShield
2020-11-20 11:04
Within half a month, DeFi projects have been attacked one after another, losing more than 21 million US dollars. Strict code auditing is an essential preventive measure.

In March 2020, Compound launched the "loan mining" model, which revived a crypto community that had long been quiet. A "miner" who has participated in DeFi mining said that, in order to grab the top mine, he bet on untested code: "Regardless of whether it is safe or not, grab the top mine first."

Developers are even more anxious. To launch on mainnet quickly and get the most benefit from newly released code, they skip the security audit step entirely.

Hackers, meanwhile, have stayed as steady as Mount Tai. Relying on their technical strength, they wait for the chance to attack DeFi projects that have not taken security precautions.

Thrilling time: Two attacks in 24 hours cost nearly $8 million

On November 17, PeckShield monitored an attack on OUSD, the stablecoin of the DeFi protocol Origin Protocol. The attacker used a flash loan from the derivatives platform dYdX to carry out a re-entrancy attack, causing a loss worth 7.7 million US dollars.

Subsequently, on November 18, PeckShield monitored a code vulnerability in the DeFi fixed-rate lending protocol 88mph, which an attacker exploited to mint MPH tokens worth $100,000.

Ambushed just 48 hours after going live

Through tracking and analysis, PeckShield found that the attacker first calls the DInterest::deposit() function to deposit stablecoins into the fund pool. The depositor then receives a new depositID, which is equivalent to a non-fungible token (NFT), and the MPHMinter contract starts minting MPH tokens;

Then, the attacker calls the fundAll() function to purchase floating-rate bonds. In this step, the user obtains MPH tokens and a fundingID (a non-fungible token);

Next, the attacker passes the depositID and fundingID obtained in steps 1 and 2 into the earlywithdraw() function to withdraw the assets deposited in these two steps. That is, the attacker withdraws early the crypto assets from step 1 that were originally locked for one year. The attacker earns no interest at this point, so the funds provided in step 2 are also returned as they came, and MPHMinter destroys all MPH tokens minted in step 1. It is worth noting that the MPH tokens minted in step 2 are not destroyed. The attacker took advantage of this and obtained, at zero cost, the $100,000 worth of MPH tokens minted in step 2.
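The accounting gap in the three steps above can be written as an invariant that an audit test would check: after a full early exit, no reward tokens should remain in circulation. The following Python model is an added example, not 88mph's contract code; the reward rates, amounts and the `burn_funder_reward` switch are assumptions made for illustration.

```python
# Toy ledger of the deposit -> fundAll -> early-withdraw flow (constructed amounts).
class PoolModel:
    def __init__(self, burn_funder_reward: bool):
        self.burn_funder_reward = burn_funder_reward  # hypothetical fix switch
        self.mph = {}       # holder -> reward-token balance
        self.locked = {}    # holder -> stablecoins held by the pool
        self.deposits = {}  # depositID -> (owner, amount, reward minted)
        self.fundings = {}  # fundingID -> (owner, amount, reward minted)
        self._ids = iter(range(1, 10**6))

    def _open(self, book, who, amount, reward):
        pos_id = next(self._ids)
        book[pos_id] = (who, amount, reward)
        self.locked[who] = self.locked.get(who, 0) + amount
        self.mph[who] = self.mph.get(who, 0) + reward  # mint reward to opener
        return pos_id

    def _burn(self, who, amount):
        if self.mph.get(who, 0) < amount:
            raise ValueError("minted reward must be returned on early exit")
        self.mph[who] -= amount

    def deposit(self, who, amount):
        return self._open(self.deposits, who, amount, amount // 10)  # assumed rate

    def fund_all(self, who, amount):
        return self._open(self.fundings, who, amount, amount // 20)  # assumed rate

    def early_withdraw(self, dep_id, fund_id):
        d_owner, d_amt, d_reward = self.deposits.pop(dep_id)
        f_owner, f_amt, f_reward = self.fundings.pop(fund_id)
        self._burn(d_owner, d_reward)          # depositor reward is burned
        if self.burn_funder_reward:
            self._burn(f_owner, f_reward)      # the burn the article says was missing
        self.locked[d_owner] -= d_amt          # both principals go back
        self.locked[f_owner] -= f_amt

    def unbacked_reward(self):
        """Reward supply not tied to any position that still exists."""
        live = [*self.deposits.values(), *self.fundings.values()]
        return sum(self.mph.values()) - sum(r for _, _, r in live)


def round_trip(burn_funder_reward):
    pool = PoolModel(burn_funder_reward)
    dep = pool.deposit("user", 1000)
    fund = pool.fund_all("user", 1000)
    pool.early_withdraw(dep, fund)
    return pool.unbacked_reward(), pool.locked["user"]
```

`round_trip` returns the unbacked reward supply and the stablecoins still locked after the exit; a nonzero first value with a zero second value is the condition an invariant or fuzz test should flag before deployment.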

Get away with it by exploiting another loophole

In fact, there is another loophole in the MPHMinter contract, and the developers managed to escape by exploiting it, so the attack has not caused any economic loss for the time being.

First, the developers call takeBackDepositorReward to transfer the obtained MPH tokens from Uniswap V2: MPH 4 to govTreasury (equivalent to 88mph's treasury). This function has no access restriction: anyone can call it to transfer MPH tokens into govTreasury.

Because the attacker had deposited the obtained MPH tokens into the Uniswap V2: MPH 4 pool, and the 88mph project team emptied the pool itself and then took a snapshot, no economic loss has been caused yet.

The relevant person in charge of PeckShield said: "The attacks of hackers may destroy or 'kill' a project. DeFi people should not be lucky, and should take adequate precautions. If you don't understand this, you should find a professional auditing agency to verify it. The code is thoroughly audited and researched to prevent various possible risks."

Every piece of code written by developers is like a screw in industrial production. Even if it is very small, it is closely related to the success or failure of the DeFi industry.

The DeFi ecosystem is still in the early stage of development, but the core value of the blockchain lies in universal trust. If DeFi people still blindly pursue a fast mainnet launch and ignore security auditing of the code, they will only end up wiping away the trust of community members, becoming a body without a soul.
