All the highs for DeFi theft this year are over $ 120 million. Has a financial exchange turned into a "hacker" artifact?

On December 2, DEFI security incident occurred in the well-known Badger DAO process.The total loss is around 2,100 BTC and 151 ETH, or around US $ 120 million., one of the most stolen security events of the year.

foughtDEFI security incidents have been happening for a long time.Crimea Finance has been hit twice this year alone, the most recent one costing around $ 130 million in losses on October 27. The first was a loss of around $ 18 million on August 30.

Two consecutive lightning bolts in 90 days have exposed the weakness of the ecosystem, and in the hacker mud, medics once turned their attention to security.

What is more serious is that the loopholes in the NFT and Gamefi market have been exposed several times, and improvements will remain due to security concerns. I am not good at analysis.Focus attempts to define the security issues that the DEFI platform is currently facing compared to previous attacks..

Before we can understand lightning death, we must first understand what lightning is.

"Innovative finance" is frequently used by hackers

In Lightning Die, all lender and lender contracts and risks are governed by the platform, and the outcome and performance of the loan outweighs the costs.It can save a lot of home inspections and inspection requirements, and it is called lightning because of its convenience..

In blockchain work, financial management is a medium-term financial statement for the blockchain, and its ecosystem uses real banking management a lot, and the lending and commodity rules are generally in accordance with the intermediate budget rules.

As the central financial management complies with the rules set by the central agency, errors can occur, and compliance with DEFI financial rules is mentioned for smart contracts.The decentralized structure and the security of assets fully managed by smart contracts have accelerated the pace of development in this area.

In early 2021, the DEFI ecosystem has grown rapidly to reach the $ 100 billion level, and the DEFI flash death chart appears to be occurring as the pool promises exponential growth and value for money in exponential growth.

Lightning Dai, the new financial model, can offer the same speed and speed as Internet Lightning Dai.Unsecured loans are possible but must be repaid in the same block, otherwise the changes will be repaid and illegal.

Therefore, in the Lightning Die model, most doctors find that they can get “rich” on the platform in seconds without much effort and effort. At the same time, many early adopters involved in Lightning Die have obtained enormous wealth.

Sister tab,The benefits of Lightning Dai can be seen by hackers.As the temptation to compromise on processes grew more complex, many hackers seemed to sacrifice the assets of the same users, and through repeated attempts loopholes in the process were used to steal money. of the Lightning Die contract.

So how do hackers perform blitz attacks?

DEFI dai deserves

It is widely believed that lightning strikes against the use of the Lightning Die protocol and that the platform is unable to bypass the recovery process by using technology, bidding or controlling costs, and then spending sums of money. to earn money.

This is often what we feel.Hackers generally have two objectives.One is to steal information from a competitor's system (like digital devices and other information), and the other is to show off your cognitive skills by sharing your skills to break through an opponent's defense system. .

However, the thunderbolt in the DEFI field is no different from the actual crime, and does not use force to detonate (actually a few thieves distributing explosives in general) or do not see the system. . There is no force that shows their strength.

principe,Lightning strikes in DEFI fields are generally not the case with pirates.Using more financial instruments means using capital and capital to move the business at a very low cost and make the cost manageable across multiple contracts.

So the purpose of blitz attacks is usually real, and direct attacks target a large number of digital devices rather than hackers' subconscious attacks to show that their devices are powerful.. In this case, instead of calling DEFI Lightning Attack “hackers,” it is better to call those financial moguls well versed in the rules of digital asset trading.

In addition to the business model mentioned above through the use of technology and finance to benefit, the DEFI love at first sight that brings the product straight to the market. Users will also be able to maintain standardized control to get the most out of the green environment. vote against flash death. , and modify the performance of the platform at a lower cost. Management policy so that the rules are infinitely based on their own preferences to achieve the goal of income.

Both from the point of view of investment and governance,If the DEFI platform were supplemented by Lightning Die, the DEFI smart contract would become uninterrupted financially viable., hackers can extend the platform's “cash” through smart contracts that strictly follow contractual mechanisms.

To help you understand, we sent you the Lightning Die Attacks earlier this year to give you a taste of the attacker, while also showing you how weak the CHALLENGE Lightning Die mod is!

Tuag Lightning Attack

1. AMM protocol combined with various performance ideas of the BSC chain on May 30, 2021The financial belt has been struck by lightning..

Protesters began by buying and selling BUSD several times, using loopholes in the bEllipsisBUSD strategy equation to control the value of BeltBUSD in profit. (Note that the protesters in this case ultimately controlled the value of BELTbusd, not to control the users and the money in the liquid pool.)

The strike is as follows.

Step 1: The first attacker borrows 8 Solar Lights from PancakeSwap. Of this amount, BUSD 10 million was placed in the bEllipsisBUSD contract.

Step 2: Deposit 187 million BUSD into the bVenusBUSD strategy, then trade 190 million BUSD for 169 million USDT through the Ellipsis contract.

This is an important step, this,The attacker made a total of 7 kidnappings-exchanges-refunds., these reforms will not benefit the protesters, but these large exits will affect the value of the BeltBUSD.

When the value of BeltBUS is affected, it is better for the opponent to control the value of digital assets, and the opponent can take advantage of the discrepancies in the bEllipsis contract balance to make a new deduction rate. Create a balance. In other words, at this point you are rewarded!

Once the income was created, the protesters used the Nerve Bridge (Anyswap) above the chain to convert ETH assets in the supply chain and then move on.

2. 23 June 2021, November The barrel of the machine gun linked to the financial nerf has been struck by lightning.

The indication of the onslaught of protesters was that the November financial crisis miscalculated the balance and did not use the machine to cause damage.

The strike is as follows.

In the first step, the attacker borrows BUSDs from PancakeSwap and exchanges some of the BUSDs to the NRV, which is a natural process and can be accomplished by anyone.

In the second phase, the attacker adds income to PancakeSwap by adding Nerve and BUSD to receive LP tokens.

In the third phase, the attacker received nrvbusd LP tokens by offering LP tokens on the November Financial Nerve machine gun.

When an attacker withdraws Pancake LP tokens from an exchange, deposit or withdrawal, the Emergencyburn function of ElevenNeverSellVault should destroy 11 Lvb token LP tokens in exchange for Pancake LP tokens, but Emergencyburn does not work. shame).

The attacker quickly discovered this flaw and used it.

The attacker then created contract 0x01ea and leased 30.9 BTCB, and contract 0xc0ef leased 285.66 ETH and 0x87E9 for 2,411,889.87 BUSD and 7,693 BUSD on Lightning. It was finally released after earning almost 4.6 million US dollars.

3. This attack comes from Cream Money.On October 27, Cream Money was used by hackers who frequently used "Lightning Dai" to borrow and lend money in two locations (A and B). at for, at, at, at, at, at, at, at, at, at, at, at, at, at, at, to wm brush brush brush brush brush brush brush brush brush brush brush brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing brushing

The strike is as follows.

Step 1: Assassin uses Slot A to get $ 500 million in Token MakerDAO Lightning Die Stability Coins, issues yUSD through yPool, then rolls yUSD into Yearn's yUSD strategy.

The attacker used $ 500 million tokens to withdraw $ 500 million from crYUSD. In the first stage, there are no major problems, only major changes.

Step 2: The protester receives $ 2 billion in ETH from AAVE Lightning Dai at address B and uses it as funds for CREAM. This will allow you to borrow up to an additional $ 500 million in yUSD, which you can put back into mint crYUSD.

Step 3: Attacker starts depositing and lending in two weeks until Account A has around $ 1.5 billion in crYUSD and around $ 500 million in yUSDVault.

On repeated trade, the value of yUSDVault changes due to this trade, and there is no exchange of profits and casts start to charge.

After the strike ended, the attacker received US $ 130 million in BTC and ETH.

Of the 3 Lightning Die attacks above,I think we can explain the real security risk of DEFI Lightning Die platform.

Security and vulnerabilities of the DEFI platform

I must say,Please note that the legacy of the DEFI platform is reliable and that the assets referred to here are the assets of the users.In DEFI Responsibility and Marketing, consumers are fully controlled by smart contracts, not centralized management or business management. Therefore, the platform has no problem for the safety of users' money.

Sister tab,This security is weak.The platform is often compatible with a variety of requirements based on the needs of each concept industry. The logic of the contract and the contract may be inconsistent. Contract conflicts of this kind are not problematic in the end-user classroom, and money in the end-user's hand cannot change commerce.

However, there was no central committee in the case of protesters controlling big expenses.Such changes may be permitted. Thus, the "equal" exchange is created by the exchange rate.

The balance of each token is minimal and when that balance reaches hundreds of millions or thousands of dollars, larger returns are generated.

When the opponent completes the subtraction using a collision of process logic and value control, the "black" result of the exchange will create an account, for which every user and every platform will ultimately pay. ,The security of the DEFI Lightning Die is low.

After the Cream Finance challenge, the industry maintained the assumption that the development team was committed to expanding the market and therefore was more in tune with the different processes. What a lot of people seeThe risks presented by the DEFI Lightning suspension will affect the future development of the industry.

Contents

Cream Finance has been hit hard and the industry does not have to wait to see who bears the terminal loss and how it can regain consumer confidence. The important thing is that the foundation of the house will not determine the stability of the upper floors.

Whether it is voluntarily "returned" left by the manufacturers, or "released" by the big company, it affects more users.

Also, in the early days of designing the Lightning Protocol, how to avoid the impact of the short-term exchange of the contract itself, or how to avoid a lot of money in the market and the exchange rate of a token still needs further discussion. .

However, the growth of the industry should not only prevent food from suffocating, but should also know what to do about it. If cost manipulation amplifies a logical equilibrium in the contract, the market loss will be enormous.Now that the industry has solved the safety concerns, it's time to beef up and redefine the superstructure.