The DeFi Hack: What Decentralized Finance Should and Shouldn’t Be
Decentralized finance, or DeFi for short, became a buzzword in 2019 following the valuations of MakerDao and Compound after both companies raised sizable rounds from the elite Silicon Valley-based Venture Capital firm Andreessen Horowitz.
2020 has been a difficult year for the crypto DeFi sector — it’s been going through the wringer. Over the weekend, the dForce ecosystem protocol Lendf.me lost 99.95% of its funds in a hacking exploit. Just days later, the hacker leaked information about his identity, which resulted in him returning most of the stolen funds. This news comes after DeFi’s greatest test on March 12, when the Ether (ETH) price fell sharply, causing systems to become overly stressed and fail. The big loser that day was MakerDao, whose poor architecture and infrastructure were exposed by the limitations of the Ethereum network.
The leading decentralized finance platform MakerDao accrued debt that had to be bailed out by its venture capital firm’s money. A month later, DAI’s dollar peg was experiencing stability issues and a $28.3 million class-action lawsuit was filed against the Maker Foundation in the Northern District Court of California for negligence. Users want their money back.
Back on April 18, $25 million in Ether and Bitcoin (BTC) was stolen from users of the lending protocol Lendf.me. Lendf is a protocol with security issues and is part of the dForce Foundation’s ecosystem. Surprisingly, it was actually able to recover almost all of the funds from the attacker who exploited the reentrancy vulnerability in its protocol, as he eventually returned almost all of the money he had stolen. After draining $25 million, the hacker returned $24 million of it, keeping $1 million for himself for… you know, gas fees and these difficult COVID-19 times, maybe.
Ironically, the hacker didn’t return the same mix of assets that was stolen, instead returning the $24 million in a different combination of cryptocurrency tokens. This comes immediately following the news that the dForce Foundation closed a $1.5 million round led by Multicoin Capital, with participation from Huobi Capital and CMB International last week. We can assume these funds are going to cover the losses from the hack.
I spoke with two DeFi CEOs of Compound Finance and Kava Labs to ask them about their experience with dForce and what key takeaways the hack can teach the DeFi community.
Brian Kerr, the CEO of DeFi lending platform Kava Labs, spoke to Cointelegraph about what went wrong at dForce that allowed this hack to happen. In mid-2019, Kava announced its stablecoin USDX. Shortly after, dForce released its own stablecoin under the ticker USDx. The use of Kava’s USDX ticker displays the limited creativity at dForce, which likely extends to its code and technical talent as well. Robert Leshner, CEO of DeFi lending company Compound Finance, spoke with Cointelegraph personally in an interview, following his tweet about the $25 million hack in which he claimed that the company had stolen code recognizable as Compound’s.
During the phone interview with Cointelegraph, Leshner explained:
“Building on-chain is merciless; security requires a team’s full attention. When teams redeploy code they haven’t written, it makes it impossible to know how, or why, the code works, or what the risks are… anything less is an injustice to users. And users should demand better.”
Sadly, dForce has become an example of what DeFi shouldn’t be.
So, what do you need to know?
In the case of both MakerDao and dForce, what started as a disaster is now in the process of being resolved. Though a significant sum of the funds is still unaccounted for, the experience has left users seeking alternative DeFi lending platforms that they can actually trust. Many users have lost funds, and many others feel wary simply from reading DeFi news these days, even if their money hasn’t been compromised by either MakerDao or dForce. As a subfield within the crypto space, DeFi is still very young.
Was it really dForce’s responsibility?
Leshner said that the dForce firm “copy/pasted Compound v1 without changes.” According to Leshner’s tweets, the Compound v1 code “was not flawed”; rather, Compound was cautious about which assets it listed. The dForce team copied code it did not fully understand from Compound and illegally deployed it as its own, changing a few parts without realizing the security issues involved, according to Leshner.
Also weighing in was Kerr. Kava Labs is a DeFi lending platform similar to MakerDao, but while MakerDao only accepts ETH tokens, the Kava platform accepts any asset, including Bitcoin, Ripple (XRP), Binance Coin (BNB) and Cosmos (ATOM), which can be used to mint USDX, the platform’s stablecoin. These milestones in the platform’s development came before dForce knocked off the ticker name USDX for its own stablecoin. Kerr shared that Kava aims for USDX to become a major player in the global financial system.
Based on Kerr’s account to Cointelegraph and stated in his reply to Leshner on Twitter, dForce heavily marketed Lendf.me to the world without first running very basic audits: “A basic audit from any reputable firm would have caught this — reentrancy is a known issue and easily checked for. Outside of stealing Compound’s code, DForce also stole Kava’s USDX token name and ticker — despite us announcing our token many months before they even had a platform.” Kerr admitted, “It’s a terrible example of what DeFi should not be.”
As trust is the most central and important foundation for a relationship between a person and their money, Kerr believes the responsibility was with “both the dForce team and the application’s users.” He continued:
“dForce didn’t understand what they were doing and marketed an unsafe product. The users didn’t do their own due diligence on the team or the codebase to determine if the product is safe for use.”
DeFi shouldn’t be brazen
As previously reported by Cointelegraph, dForce’s hacker used the imBTC token as a “trojan horse” of the attack — as an Ethereum wrapper for Bitcoin. Leshner explained that the security error came from a known reentrancy attack: “This is a followup attack to the imBTC Uniswap attack yesterday.” He went on to say, “imBTC is an ERC-777 token and not a normal Ethereum asset. Smart contracts that include imBTC have to be extra cautious and write additional code to protect against reentrancy attacks.”
This is considered to be a well-known vulnerability of the common ERC-20 standard, especially when used in the DeFi context.
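As an added illustration (not code from the article, Lendf.me, Compound or Kava), the toy model below shows the pattern Leshner describes: a token that calls the holder’s hook during a transfer, as ERC-777 tokens do, can re-enter a pool that writes its bookkeeping after the external call, while a pool that records the effect before the interaction (the checks-effects-interactions ordering used in Solidity) keeps its books consistent. The token, pool and account balances are constructed; Python is used so the scenario runs offline.

```python
class HookToken:
    """Constructed token that, like ERC-777, calls a sender hook before moving funds."""
    def __init__(self, balances):
        self.balances, self.hooks = dict(balances), {}   # hooks: holder -> fn(amount)
    def transfer_from(self, src, dst, amount):
        if src in self.hooks:                            # tokensToSend-style hook runs first
            self.hooks[src](amount)
        assert self.balances[src] >= amount, "insufficient balance"
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

class Pool:
    """Constructed lending pool; the two supply() variants differ only in ordering."""
    def __init__(self, token):
        self.token, self.supplied = token, {}
    def supply_unsafe(self, user, amount):
        new_balance = self.supplied.get(user, 0) + amount  # cached before the external call
        self.token.transfer_from(user, "pool", amount)     # hook may re-enter here
        self.supplied[user] = new_balance                  # stale cache overwrites state
    def supply_safe(self, user, amount):
        self.supplied[user] = self.supplied.get(user, 0) + amount  # effect first
        self.token.transfer_from(user, "pool", amount)             # interaction last
    def withdraw(self, user, amount):
        assert self.supplied.get(user, 0) >= amount, "insufficient supply"
        self.supplied[user] -= amount
        self.token.balances["pool"] -= amount
        self.token.balances[user] += amount
    def solvent(self):
        """Book value owed to suppliers never exceeds what the pool actually holds."""
        return sum(self.supplied.values()) <= self.token.balances.get("pool", 0)

def run(safe):
    """True if the pool's books still match its holdings after a re-entering deposit."""
    token = HookToken({"alice": 100, "pool": 0})
    pool = Pool(token)
    supply = pool.supply_safe if safe else pool.supply_unsafe
    supply("alice", 50)                                             # honest first deposit
    token.hooks["alice"] = lambda _amt: pool.withdraw("alice", 50)  # re-enters mid-supply
    supply("alice", 50)
    return pool.solvent()
```

With the unsafe ordering the hook’s withdrawal is erased by the stale write, so the pool owes more than it holds; the model omits EVM revert semantics and the reentrancy mutex that audited contracts add as a second layer.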
DeFi shouldn’t be on Ethereum
The Ethereum network’s architecture doesn’t meet the scaling and security needs of the DeFi sector, as the level of testing required to achieve all outcomes is infinite in the Solidity programming language, according to Kerr. “For these reasons and many others, leading projects including Binance, Cosmos, and Kava have chosen to leave the Ethereum ecosystem for greener pastures,” he said.
“Building any financial service on the Ethereum Network is problematic for security. Testing the possible outcomes and bugs of Solidity is near impossible as it can do virtually anything as a Turing Complete Language. While powerful, it’s probably the worst environment to build financial infrastructure,” stated Kerr, who sees one of Kava’s value propositions is that it is rooted in security standards as a purpose-built platform for all assets requiring safe DeFi services as a top priority.
DeFi should be safe and secure
Lendf calls itself “by far the largest fiat-backed stablecoin DeFi lending protocol.” What’s problematic is that Lendf was too focused on raising capital, growth and expansion to maintain its biggest, best and “largest fiat backed stablecoin” claim to fame. Instead of focusing on improving code for security, understanding its codebase, fixing bugs and releasing secure products, the firm was overly focused on profit and perceived status.
Basic audits, for example, were missing completely and hurdles were being jumped too quickly by the team, resulting in a security vulnerability that is yet to be resolved.
The event could have been prevented and users should have seen this coming, according to Leshner, who tweeted details about how the company had stolen Compound’s code: “If a project doesn’t have the expertise to develop its own smart contracts, and instead steals and redeploys somebody else’s copyrighted code, it’s a sign that they don’t have the capacity or intention to consider security.” He later encouraged developers and users to learn a valuable lesson: Don’t give your money to a company you can’t trust.
Kava Labs’ Kerr proceeded to quote Facebook CEO Mark Zuckerberg’s motto of “move fast and break things,” elaborating:
“It’s a great saying to live by for basic software and start-ups, but definitely the worst advice when building financial infrastructure as this past weekend has shown.”
DeFi should focus on users
Kerr also shared, “At Kava, all our code is built from the ground up, in Golang, in very discrete modules that are scoped to very specific actions that we can audit and verify. This means that we can fully test the code to a very high confidence for its accuracy and security.” He continued:
“We value the safety of user funds and put it at the forefront of everything we do. We run testnets, conduct 3rd party audits, and have a substantial peer review prior to any code going live on the Kava platform. Furthermore, all new code must be reviewed and voted for by the validator group securing and staking $KAVA which includes technically savvy operators like Binance, OKEx, Huobi, Bitmax, Hashkey, Lemniscap, SNZ, Dokia Capital and Framework Ventures.”
DeFi should verify to trust
It’s not enough to trust a company because it has big-name investors, as we have seen with dForce and MakerDao. However, we often hear “trust and verify” from the DeFi community when we should probably hear “verify and trust.”
While Leshner is the CEO of Compound, he’s also a personal investor for Kava Labs along with other top backers like Arrington XRP Capital. Kava’s excellent technical team and strict adherence to security measures is what has auditors talking about their code. Prior to Kava Labs’ launch, the lending platform ran a professional audit by CertiK — the leading formal verification and audit firm. In a blogpost on the audit’s results, CertiK stated, “Kava is one of the best codebases Certik has seen from a project to date, especially in the Decentralized Finance sector.”
Finally, Kerr took the high ground in concluding, “I highly encourage anyone thinking of using a DeFi protocol to first check the team for technical competence, check for technically diligent investors, and check that audits and peer reviews have been done. Even then, assume there will always be some technical risk and market risk when it comes to DeFi protocols. It’s a young space and there will be more painful learnings like this to come.”
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Andrew Rossow is a millennial attorney, law professor, entrepreneur, writer and speaker on privacy, cybersecurity, AI, AR/VR, blockchain and digital currencies. He has written for many outlets and contributed to cybersecurity and technology publications. Utilizing his millennial background to its fullest potential, Rossow provides a well-rounded perspective on social media crime, technology and privacy implications.