The decentralized finance sector is growing at a breakneck pace. Three years ago, the total value locked in DeFi was a mere $800 one thousand thousand. Past February 2022, the figure had grown to $forty billion; in April 2022, information technology attained a milestone of $80 billion; and now it stands at above $140 billion. Such rapid growth in a new market could non but concenter the attention of all fashion of hackers and fraudsters.

Co-ordinate to a report by crypto research company, since 2022, the DeFi sector has lost nearly $284.ix meg to hacks and other exploit attacks. Hacks of blockchain ecosystems are an platonic means of enrichment from the point of view of hackers. Considering such systems are anonymous, they have money to lose, and any hack tin be tested and tuned without the victim'southward cognition. In the offset four months of 2022, losses amounted to $240 million. And these are simply the publicly known cases. We gauge real losses to be in billions of dollars.

Related: Roundup of crypto hacks, exploits and heists in 2022

How does coin get stolen from DeFi protocols? Nosotros have analyzed several dozen hacker attacks and identified the most common problems which lead to hackers' attacks.

Misuse of third-party protocols and business logic errors

Any assail begins primarily with analysis of the victim. Blockchain technology provides many opportunities for the automatic tuning and the simulation of hacking scenarios. For an attack to be fast and invisible, the attacker must have the necessary programming skills and knowledge of how smart contracts work. The typical toolkit of a hacker allows them to download their own full copy of a blockchain from the main version of the network, and then fully tune the process of an attack every bit if the transaction was taking place in a existent network.

Next, the assailant needs to written report the concern model of the projection and the external services used. Errors in mathematical models of business organisation logic and third-party services are two of the issues most usually exploited past hackers.

The developers of smart contracts ofttimes crave more data relevant at the fourth dimension of a transaction than they may possess at any given moment. They are therefore forced to use external services — for example, oracles. These services are not designed to operate in a trustless environment, so their use implies additional risks. Co-ordinate to statistics for a agenda twelvemonth (since the summertime of 2022), the given type of chance accounted for the smallest percentage of losses — only ten hacks, resulting in losses totaling approximately $l million.

Related: The radical demand for updating blockchain security protocols

Coding mistakes

Smart contracts are a relatively new concept in the IT world. Despite their simplicity, programming languages for smart contracts crave a completely different development paradigm. The developers oftentimes simply exercise not have the necessary coding skills and brand gross mistakes that pb to immense losses for users.

Security audits eliminate only a portion of this type of risk, since most audit companies on the market do not bear any responsibility for the quality of the work they perform and are just interested in the fiscal aspect. More than 100 projects were hacked due to coding errors, leading to a total volume of losses continuing at effectually $500 million. A stark case is the dForce hack that took place on Apr 19, 2022. The hackers used a vulnerability in the ERC-777 token standard in conjunction with a reentrancy assail and got away with $25 meg.

Related: Default auditing for DeFi projects is a must for growing the industry

Wink loans, price manipulation and miner attacks

The information supplied to the smart contract is relevant merely at the time of execution of a transaction. By default, the contract is not immune to potential external manipulation of the information independent within. This makes a whole spectrum of attacks possible.

Flash loans are loans without collateral, but entail the obligation of returning the borrowed crypto within the same transaction. If the borrower fails to return the funds, the transaction is canceled (reverted). Such loans allow the borrower to receive big amounts of cryptocurrencies and use them for their own purposes. Typically, flash loan attacks involve price manipulation. An assaulter can first sell a big number of borrowed tokens within a transaction, thereby lowering their price, and then perform a scope of actions at a very depression value of the token before ownership them back.

A miner attack is an analogue of a flash loan attack on blockchains working on the footing of the proof-of-piece of work consensus algorithm. This type of assault is more complex and expensive, but it tin can featherbed some of the protection layers of flash loans. This is how information technology works: The attacker rents mining capacities and forms a block containing simply the transactions they need. Inside the given block, they can first borrow tokens, manipulate the prices and and so return the borrowed tokens. Since the attacker forms the transactions that are entered into the block independently, every bit well equally their sequence, the attack is actually atomic (no other transaction can be "wedged" into the attack), every bit in the case of flash loans. This type of attack has been used to hack over 100 projects, with losses totaling around $1 billion.

The average number of hacks has been increasing over time. At the get-go of 2022, one theft accounted for hundreds of thousands of dollars. By the finish of the year, the amounts had risen to tens of millions of dollars.

Related: Smart contract exploits are more ethical than hacking... or not?

Programmer incompetence

The virtually dangerous type of risk involves the human being fault factor. People resort to DeFi in search of quick money. Many developers are poorly qualified but even so try to launch projects in a blitz. Smart contracts are open source and thus easily copied and contradistinct in pocket-sized ways past hackers. If the original projection contains the first three types of vulnerabilities, then they spill over into hundreds of cloned projects. RFI SafeMoon is a good instance, as information technology contains a critical vulnerability that has been superposed over a hundred projects, leading to potential losses amounting to over $2 billion.

This article was co-authored by Vladislav Komissarov and Dmitry Mishunin .

The views, thoughts and opinions expressed hither are the authors' alone and do non necessarily reflect or represent the views and opinions of Cointelegraph.

Vladislav Komissarov is the chief applied science officeholder of BondAppetit, a lending DeFi protocol with a stablecoin backed by real-world assets with fixed periodic income. He has over 17 years of experience in web development.

Dmitry Mishunin is the founder and master engineering officer of HashEx. More 30 global projects are running on blockchain integrations designed past HashEx. Over 200 smart contracts were audited in 2022–2021.