Smart contracts have the potential to change how value is traded by automating financial transactions and the processes around them. Like any other software, however, they are exposed to attackers who look for security failures, and experienced cryptocurrency and blockchain users know that a series of smart contract hacks has already caused significant financial losses and badly damaged trust within the community. This article looks at some of the most memorable of those hacks and the lessons they hold. From The DAO to Bancor, these incidents have had a lasting impact on the whole blockchain sector, and they make the case for professional security work and auditing of smart contracts before value is placed under their control.

Attack on The DAO

The DAO, a Decentralized Autonomous Organization, was designed as a decentralized venture capital fund for digital currencies and related technologies. Its decentralized structure was meant to reduce costs and give investors more control, transparency and access. There was no central body managing the project: decisions were to be made collectively, by votes of the investors who held DAO tokens.

On June 17, 2016, the turning point in The DAO's history arrived. An attacker found a flaw in The DAO's code, specifically in the smart contract deployed on the Ethereum blockchain, that allowed the contract to be asked to pay out the same funds over and over. About 3.6 million ETH, worth around $70 million at the time, was drained. Two design decisions made this possible. First, the contract did not account for recursive (reentrant) calls: when it sent ETH to an address, it handed control to that address, which could call back into the contract before the first call had finished. Second, the withdrawal path sent the ETH first and only afterwards updated the caller's internal token balance, so every reentrant call still saw the original, undiminished balance and paid it out again.

The successful attack caused enormous controversy among Ethereum users and across the cryptocurrency community. Ethereum's answer was a contentious hard fork in July 2016 that moved the drained ETH into a recovery contract; the minority that rejected the fork on immutability grounds kept the original chain running as Ethereum Classic. The DAO's reputational collapse was sealed when the exchanges Poloniex and Kraken delisted DAO tokens in the months that followed.

Attack on the Veritaseum

Veritaseum (VERI) is a token that was launched in 2017. Within months, in July 2017, the project suffered an attack in which VERI tokens worth about $8.4 million were taken.

Unlike The DAO, the Veritaseum incident never received a full public technical post-mortem. The project described it as a sophisticated attack carried out around its token sale, and the stolen tokens were sold on the open market within hours; the precise contract-level flaw is therefore not documented the way The DAO's reentrancy bug is. The broader lesson is the same: a token contract and the sale infrastructure around it hold real value, and any path that lets an attacker move tokens they do not own, whether a code defect or a compromised key, drains the whole system.

The Veritaseum hack was a further reminder that smart contracts and the infrastructure around them have to be protected, and of the range of risks that come with their use. It underlined the importance of rigorous testing and independent auditing of smart contract code to keep it free of dangerous vulnerabilities before value is placed under its control.

Attack on Bancor

The Bancor network is a decentralized exchange built on the Ethereum blockchain that lets users buy and sell various digital currencies through its own liquidity contracts. In July 2018, Bancor was hacked and cryptocurrency worth about $23.5 million was moved out of its contracts, of which roughly $12.5 million in ETH was never recovered.

This time the weak point was not a bug in the contract code but a privileged key: a wallet that had permission to upgrade Bancor's smart contracts was compromised, and the attacker used that authority to withdraw funds from the contracts it controlled. The Bancor team reacted quickly, paused the network to stop further losses, and used an emergency freeze built into the BNT token contract to block roughly $10 million in BNT the attacker was holding. The episode teaches two things at once: an administrative key that can upgrade or drain contracts is part of the attack surface and needs the same care as the code (hardware-backed keys, multi-signature control, timelocks on upgrades), and a freeze function powerful enough to save a project is also a central point of control that users of a "decentralized" exchange should know exists.

Hacks in DeFi

Smart contracts are a critical building block of decentralized finance (DeFi). They make financial transactions and processes fully automated and self-executing, and are used to speed up, verify and enforce the terms of an agreement without an intermediary.

Security and professional auditing matter most in DeFi because the contracts are the engine of the protocol and hold large sums. A contract that has not been properly secured and audited can be exploited by anyone who finds a flaw, and because the code is public and the calls are permissionless, anyone can look. The most common outcomes are theft of funds or other manipulation of the contract's state, which usually means significant losses for the protocol's users and lasting damage to trust in the project.

Attack on bZx

bZx is a DeFi lending and margin-trading protocol that lets users borrow cryptocurrency and open leveraged positions, with smart contracts as the settlement engine. In February 2020, it suffered two separate attacks within four days, both built on flash loans (uncollateralised loans that must be repaid within the same transaction) combined with price manipulation.

The first attack took place on February 14, 2020 and netted the attacker about $350,000. Using a flash loan, the attacker opened a large leveraged short on bZx that bought ETH on Uniswap at a price the attacker had already pushed up, and a check that should have rejected the resulting undercollateralised position did not fire. The second attack, on February 18, 2020, took roughly $630,000: the attacker used a flash loan to drive up the price of sUSD on the exchanges bZx used as its price feed, then posted the inflated sUSD as collateral to borrow far more ETH than it was really worth. In both cases the contracts did exactly what their code said; the design oversight was trusting a spot price that a single transaction could move.

Harvest Finance hacked

Harvest Finance is a DeFi yield-aggregation protocol that lets users earn a return by providing liquidity to a range of markets through its vaults. On October 26, 2020, it was attacked and digital assets worth approximately $24 million were taken by exploiting the way its stablecoin vaults priced deposits and withdrawals.

The attacker used flash loans to repeatedly skew the USDT/USDC balance of the Curve pool that Harvest's fUSDC and fUSDT vaults relied on when valuing vault shares, depositing into a vault while the price was skewed one way and withdrawing after reversing the swap, so that each round took more out than went in. The vault did contain a check against price deviation, but its tolerance was wide enough for the manipulated trades to pass, so the attack completed without tripping the protections in the contract. The team noticed within hours, pulled funds out of the affected shared pools and paused deposits to stop further losses.
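The price-manipulation pattern behind both the bZx attacks and the Harvest Finance attack, as an added example rather than code from either project: a lender that values collateral at an AMM pool's instantaneous spot ratio, beside one that prices against a time-weighted average and refuses any spot quote that deviates from it. The IPool interface, the contract names, the 30-minute window and the 2% tolerance are assumptions made for this example; the cumulative-price accessors mirror the Uniswap v2 pair design, in which each trade advances the accumulator with the price that held before the trade, so a swap and its unwind inside one transaction leave the accumulator untouched.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical AMM pool interface (an assumption of this example), standing in
// for the Uniswap- or Curve-style pools whose ratios bZx and Harvest read.
// priceCumulativeLast() follows the Uniswap v2 convention: a running sum of
// price * seconds that each trade advances with the price held *before* it.
interface IPool {
    function reserves() external view returns (uint256 reserveA, uint256 reserveB);
    function priceCumulativeLast() external view returns (uint256); // B per A, 1e18 scaled
    function lastUpdateTimestamp() external view returns (uint256);
}

// Vulnerable: collateral is valued at whatever the pool's spot ratio is right
// now. A flash loan can skew the pool, call borrow(), and unwind the swap in
// one transaction, so the loan is written against a price that never settled.
contract SpotPricedLender {
    IPool public pool;
    mapping(address => uint256) public collateralA;
    mapping(address => uint256) public debtB;
    uint256 public constant LTV_BPS = 7500; // borrow up to 75% of collateral value

    constructor(IPool target) { pool = target; }

    function spotPrice() public view returns (uint256) {
        (uint256 rA, uint256 rB) = pool.reserves();
        return rB * 1e18 / rA;
    }
    function depositCollateral(uint256 amountA) external {
        collateralA[msg.sender] += amountA; // token transfer omitted for brevity
    }
    function borrow(uint256 amountB) external {
        uint256 valueB = collateralA[msg.sender] * spotPrice() / 1e18;
        require((debtB[msg.sender] + amountB) * 10000 <= valueB * LTV_BPS, "undercollateralised");
        debtB[msg.sender] += amountB;
    }
}

// Hardened: the price is a TWAP over a window spanning many blocks, and the
// current spot must stay within MAX_DEVIATION_BPS of it or the call reverts.
// Moving the TWAP means holding a skewed pool across blocks with real capital,
// exposed to arbitrage, which a flash loan cannot do.
contract TwapPricedLender {
    IPool public pool;
    mapping(address => uint256) public collateralA;
    mapping(address => uint256) public debtB;
    uint256 public constant LTV_BPS = 7500;
    uint256 public constant MAX_DEVIATION_BPS = 200; // 2%, an assumed tolerance
    uint256 public constant WINDOW = 30 minutes;     // assumed averaging window
    uint256 private windowCumulative; // accumulator value at the window start
    uint256 private windowTimestamp;  // when that snapshot was taken
    uint256 public twap;              // last computed average, B per A (1e18)

    constructor(IPool target) {
        pool = target;
        (windowCumulative, windowTimestamp) = _currentCumulative();
        twap = _spot();
    }
    function _spot() internal view returns (uint256) {
        (uint256 rA, uint256 rB) = pool.reserves();
        return rB * 1e18 / rA;
    }
    // Accumulator brought up to now. A trade in this block already advanced it
    // (with the pre-trade price); otherwise extend it with the spot price that
    // has held, untraded, since the pool's last update.
    function _currentCumulative() internal view returns (uint256 cum, uint256 ts) {
        cum = pool.priceCumulativeLast();
        ts = pool.lastUpdateTimestamp();
        if (block.timestamp > ts) {
            cum += _spot() * (block.timestamp - ts);
            ts = block.timestamp;
        }
    }
    // Anyone may call this; the window only rolls once WINDOW has elapsed.
    function updateTwap() public {
        (uint256 cum, uint256 ts) = _currentCumulative();
        uint256 elapsed = ts - windowTimestamp;
        if (elapsed < WINDOW) return;
        twap = (cum - windowCumulative) / elapsed;
        windowCumulative = cum;
        windowTimestamp = ts;
    }
    function guardedPrice() public view returns (uint256) {
        uint256 spot = _spot();
        uint256 diff = spot > twap ? spot - twap : twap - spot;
        require(diff * 10000 <= twap * MAX_DEVIATION_BPS, "spot deviates from TWAP");
        return twap;
    }
    function depositCollateral(uint256 amountA) external {
        collateralA[msg.sender] += amountA; // token transfer omitted for brevity
    }
    function borrow(uint256 amountB) external {
        updateTwap();
        uint256 valueB = collateralA[msg.sender] * guardedPrice() / 1e18;
        require((debtB[msg.sender] + amountB) * 10000 <= valueB * LTV_BPS, "undercollateralised");
        debtB[msg.sender] += amountB;
    }
}
```

Against SpotPricedLender, a single transaction that flash-borrows token B, swaps it into the pool (raising the B-per-A ratio), calls borrow(), swaps back and repays the flash loan walks away with debt backed by collateral that is worth less at the settled price. Against TwapPricedLender the same transaction fails at guardedPrice(): the skewed spot is far outside the 2% band around a TWAP the transaction could not move. The deviation check is the part Harvest had in a looser form; pairing it with a multi-block average is what makes the check bite.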

Closing thoughts

Proper security for smart contracts matters enormously. Contracts often manage large cryptocurrency holdings and can streamline a wide range of financial transactions, but a contract that has not been audited and secured can inflict significant losses on its users and destroy the credibility and integrity of the project behind it.

The incidents above show how important it is that smart contracts are thoroughly tested and audited before they hold value, and that the keys and price feeds they depend on are treated as part of the same attack surface. Testing and auditing cannot prove a contract free of every vulnerability, but they catch the classes of mistake seen here: external calls made before state is updated, privileged keys without adequate protection, and spot prices trusted within a single transaction. That discipline is a key part of building a financial sector on blockchain technology that prevents security incidents and keeps projects operating safely over the long term.