{"id":16170,"date":"2020-04-26T15:36:04","date_gmt":"2020-04-26T15:36:04","guid":{"rendered":"https:\/\/davidgerard.co.uk\/blockchain\/?p=16170"},"modified":"2020-10-03T20:59:56","modified_gmt":"2020-10-03T20:59:56","slug":"the-dforce-and-hegic-defi-exploits-and-why-smart-contracts-are-bad","status":"publish","type":"post","link":"https:\/\/davidgerard.co.uk\/blockchain\/2020\/04\/26\/the-dforce-and-hegic-defi-exploits-and-why-smart-contracts-are-bad\/","title":{"rendered":"The dForce and Hegic DeFi exploits, and why Smart Contracts are bad"},"content":{"rendered":"

A “smart contract” is a computer program running right there on the blockchain itself, so you can do complicated things with your cryptocurrencies and tokens, automatically. Ethereum was the first popular smart contract platform.<\/p>\n

Smart contract programs are extremely hard to alter \u2014 in Nick Szabo’s original conception of the idea, they were impossible<\/em> to alter.<\/p>\n

The idea is that you can have faith that the program is immune to interference from mere humans \u2014 that you’ve automated the human element out.<\/p>\n

The problem there is that another term for “immutable program” is “sitting duck for attackers.”<\/p>\n

The root cause of smart contract issues in practice is the clash of two factors:<\/p>\n

    \n
  1. Smart contracts are hard or impossible to alter, by design. They require the most painstaking code review and analysis \u2014 so that you don’t lose money to an exploit.<\/li>\n
  2. You make more money by being quick to market.<\/li>\n<\/ol>\n

    Decentralised Finance,<\/a> or DeFi, uses chains of smart contract programs to automate complex financial transactions \u2014 so you can chain the attacks too. Unsurprisingly, it’s a continuing dumpster fire, reliably delivering comedy gold.<\/p>\n

     <\/p>\n

    \"\"<\/a><\/p>\n

     <\/p>\n

    dForce pulls a DAO<\/h3>\n

    DeFi provider dForce suffered an unfortunate exploit of its lendf.me protocol on 18 April \u2014 in which an attacker took off with $25 million of assets under management, leaving just $18,900. [CoinDesk<\/i><\/a>]<\/p>\n

    The assets were mostly ether and bitcoins \u2014 not actual ether and bitcoins, but tokens representing them. The exploit involved using imBTC tokens as collateral.<\/p>\n

    imBTC is an ERC-777 token. ERC-777 is an updated version of the ERC-20 standard, which most ICO token contracts were built on \u2014 but the imBTC smart contract had a re-entrancy bug, where you could withdraw repeatedly before the balance updated. (This is the sort of bug The DAO fell to in 2016.<\/a>)<\/p>\n

    After sufficient iterations, the attacker used their imBTC balance as collateral to borrow multiple other assets. The attacker then surrendered their collateral, and kept the borrowed assets. [Twitter<\/i><\/a>]<\/p>\n

    The imBTC pool on Uniswap had been attacked and drained the same way, the previous day. [Twitter<\/i><\/a>]<\/p>\n

    Peckshield wrote up both attacks. “ERC777 itself is a community-established token standard with its advanced features for various scenarios. However, these advanced features might not be compatible with certain DeFi scenarios. Worse, such incompatibility could further lead to undesirable consequences (e.g., reentrancy).” [Medium<\/i><\/a>]<\/p>\n

    The attacker returned some assets to dForce \u2014 tokens they couldn’t possibly cash in, because the tokens were centrally issued, and were already blacklisted by the issuer. These included Huobi BTC and Huobi USD, two ERC-20 tokens representing bitcoins or US dollars, that can only be redeemed at the Huobi crypto exchange. [Twitter<\/i><\/a>]<\/p>\n

    DeFi startup Compound alleged a few months ago that dForce had copied its code \u2014 the word “compound” appears throughout dForce’s code. Compound’s code is not under an open source copyright license \u2014 it’s all-rights-reserved, with the source being publicly available. [The Block<\/i><\/a>, paywalled; <\/i>GitHub<\/i><\/a>; <\/i>GitHub<\/i><\/a>]<\/p>\n

    Hegic Options \u2014 security theatre as a service<\/h3>\n

    Hegic is an on-chain options trading protocol on Ethereum \u2014 intended for use in decentralised finance (DeFi). Hegic proudly proclaims it was audited by Trail of Bits, before its launch on 24 April. [Hegic<\/i><\/a>]<\/p>\n

    The next day, Hegic alerted users to a bug in the code: “!! ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can\u2019t be unlocked for new options. \u203c\ufe0f Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW.” [Twitter<\/i><\/a>]<\/p>\n

    The bug was a typographical error in a function name \u2014\u00a0 Hegic used options.length<\/tt> instead of optionIDs.length<\/tt>, while they had options<\/tt> defined in outer scope, so the Solidity compiler tried to use that. [Twitter<\/a>; GitHub<\/a><\/i>]<\/p>\n

    Hegic originally reported the bug incorrectly: “It\u2019s an incorrect function name (optionIDs instead of optionsIDs).” But they did describe the consensequences correctly: “This function unlocks liquidity in expired contracts. If it doesn\u2019t work, funds are just forever locked.” In any case, Hegic will be refunding any funds that were locked by the bug. [Twitter<\/i><\/a>]<\/p>\n

    Trail of Bits was not so happy that Hegic claimed they had “audited” the smart contract. CEO Dan Guido asked them in a tweet: “Please stop holding up a 3-day code review as an ‘audit’ that proves the code is safe.”<\/p>\n

    Guido later deleted that tweet, but he did post a thread explaining precisely what Trail of Bits had \u2014 and hadn’t \u2014 done: [Twitter<\/i><\/a>]<\/p>\n

    In 3 days earlier this month, we identified 10 critical flaws in @HegicOptions that could harm users. We noted a lack of tests, a lack of documentation, and that the time afforded to review their code was insufficient.<\/p>\n

    Bottom line: we told them to hold off deploying. This was the right advice, and we generally expect people listen to us when they’re paying for our help.<\/p>\n

    Instead, Hegic patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an “audit”, then immediately deployed.<\/p><\/blockquote>\n

    Trail of Bits has fired Hegic as a client. [Twitter<\/i><\/a>]<\/p>\n

    The audit summary itself is a collection of polite ways to phrase “this program is laughably ill-constructed and has so many problems we didn’t have time to find them all.” MyCrypto summarised Trail of Bits’ audit summary in a Twitter thread. [Trail of Bits<\/i><\/a>, PDF; <\/i>Twitter<\/i><\/a>]<\/p>\n

    This will keep happening<\/h3>\n

    I published “Smart contracts, stupid humans”, chapter 10<\/a> of Attack of the 50 Foot Blockchain,<\/i><\/a> in 2017 \u2014 which I foolishly thought would knock this deeply and fundamentally dumb and bad idea on the head. If you don’t have the book, I did an interview<\/a> a few months later, about why smart contracts are fundamentally dumb and bad, that covers some of the same ground.<\/p>\n

    The problem with DeFi is not the technology, though that’s bad too \u2014 it’s that people are greedy and foolish.<\/p>\n

    \n

    Update:<\/b> corrected the Hegic bug description \u2014 Hegic misdescribed their own bug, just as if they didn’t know the code very well. (Cheers to myfreeweb on lobste.rs.<\/a>)<\/p>\n

    \"Become<\/a>

    Your subscriptions keep this site going. Sign up today!<\/a><\/i><\/p><\/div>","protected":false},"excerpt":{"rendered":"

    The problem with DeFi is not the technology, though that’s bad too \u2014 it’s that people are greedy and foolish.<\/p>\n","protected":false},"author":1,"featured_media":17567,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[1668,1752,1552,1751,1750,83,1423,1669],"class_list":["post-16170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised","tag-compound","tag-dan-guido","tag-defi","tag-dforce","tag-hegic","tag-smart-contract","tag-trail-of-bits","tag-uniswap"],"jetpack_featured_media_url":"https:\/\/davidgerard.co.uk\/blockchain\/wp-content\/uploads\/2020\/04\/dforce-aum-header.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/16170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/comments?post=16170"}],"version-history":[{"count":22,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/16170\/revisions"}],"predecessor-version":[{"id":17017,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/posts\/16170\/revisions\/17017"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media\/17567"}],"wp:attachment":[{"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/media?parent=16170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/categories?post=16170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidgerard.co.uk\/blockchain\/wp-json\/wp\/v2\/tags?post=16170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}