DeFi Security Questioned: Defrost Finance Hack and the Role of Smart Contract Audits

CertiK Audits Under Scrutiny as Client Recovers $12 Million in Stolen Funds

In the fast-evolving world of Decentralized Finance (DeFi), security is paramount. Recently, Defrost Finance, an ecological stablecoin project, experienced a significant security breach despite undergoing a code audit by CertiK, a well-known blockchain security firm. The good news? Defrost Finance has committed to returning $12 million in funds that were stolen during the exploit on December 23, 2022. But this incident raises critical questions about the effectiveness of smart contract audits and the overall security landscape in DeFi. Let’s delve into what happened and what it means for the future of DeFi security.

What Exactly Happened with Defrost Finance?

The Defrost Finance exploit wasn’t a single event, but rather a series of attacks that highlighted vulnerabilities in their smart contracts. Here’s a breakdown:

  • Initial Detection: Peckshield, a blockchain security firm, was the first to report the attack on December 23, 2022.
  • V1 Protocol Exploit: Attackers initially targeted Defrost’s V1 protocol using a flash loan attack, draining approximately $173,000.
  • V2 Protocol Major Breach: The more significant attack targeted the V2 protocol, resulting in the theft of $12 million. This was achieved by manipulating the system with a bogus collateral token and a malicious price oracle, leading to the liquidation of user positions.
  • Rubic Finance Impact: Shortly after, cross-chain tech aggregator Rubic Finance also faced an attack, losing $1.4 million. This raised further concerns about widespread smart contract vulnerabilities, especially as both Defrost and Rubic had been audited by CertiK.

Defrost Finance has stated they will use on-chain data to meticulously ensure the stolen funds are returned to their rightful owners. This commitment to restitution is a positive step in the aftermath of a significant security incident.

Understanding the Exploit: How Did it Happen?

To understand the Defrost Finance hack, it’s important to grasp the concept of liquidation in stablecoin protocols. Here’s a simplified explanation:

  1. Collateral Deposit: Users deposit collateral (like other cryptocurrencies) into protocols like Defrost to borrow stablecoins.
  2. Loan-to-Value Ratio: Protocols maintain a minimum loan-to-value ratio. If the value of the collateral drops below this ratio, liquidation occurs.
  3. Liquidation Trigger: In Defrost’s V2 attack, the hackers introduced a bogus collateral token and manipulated the price oracle. This falsely lowered the perceived loan-to-value ratio for users.
  4. Forced Liquidation: As a result, the system wrongly liquidated users’ positions, allowing the attackers to steal their funds.

This exploit demonstrates a critical vulnerability: manipulating price oracles and introducing malicious collateral can have devastating consequences for DeFi protocols and their users.
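To make the liquidation mechanics above concrete, here is a simplified model, added as an illustration and not code from Defrost Finance or CertiK. It contrasts a liquidation check that accepts any collateral token and trusts whatever price a single oracle reports with one that requires an allowlisted token and two oracles that agree within a bound. The names (HardenedVault, LIQUIDATION_LTV, MAX_ORACLE_DEVIATION), the 0.80 threshold, the 5% deviation bound and the WETH prices are constructed assumptions, not values from the protocol.

```python
from dataclasses import dataclass

# Assumed thresholds for this model: liquidate when loan-to-value exceeds 0.80,
# and refuse to liquidate when the two price feeds disagree by more than 5%.
LIQUIDATION_LTV = 0.80
MAX_ORACLE_DEVIATION = 0.05


@dataclass
class Position:
    owner: str
    collateral_token: str
    collateral_amount: float
    debt_usd: float  # stablecoin debt, valued at par


class Oracle:
    """Minimal price feed: whoever controls the instance controls the prices."""

    def __init__(self, prices):
        self.prices = dict(prices)

    def price(self, token):
        return self.prices[token]


def loan_to_value(position, price):
    """Debt divided by collateral value at the given price."""
    collateral_value = position.collateral_amount * price
    if collateral_value == 0:
        return float("inf")
    return position.debt_usd / collateral_value


def is_liquidatable_vulnerable(position, oracle):
    """The pattern the article describes: any collateral token is accepted and
    a single, swappable oracle is trusted without any sanity check."""
    price = oracle.price(position.collateral_token)
    return loan_to_value(position, price) > LIQUIDATION_LTV


class HardenedVault:
    """Liquidation check that needs an allowlisted token and two agreeing feeds."""

    def __init__(self, allowed_collateral, primary, reference):
        self.allowed_collateral = set(allowed_collateral)
        self.primary = primary
        self.reference = reference

    def check_liquidation(self, position):
        """Return (liquidatable, reason); any doubt resolves to 'do not liquidate'."""
        token = position.collateral_token
        if token not in self.allowed_collateral:
            return False, "collateral token not allowlisted"
        if token not in self.primary.prices or token not in self.reference.prices:
            return False, "no price for collateral token"
        p, r = self.primary.price(token), self.reference.price(token)
        if r <= 0 or abs(p - r) / r > MAX_ORACLE_DEVIATION:
            return False, "oracle disagreement; liquidation paused"
        # Use the price more favourable to the borrower, so a slightly low feed
        # cannot push a healthy position over the threshold.
        ltv = loan_to_value(position, max(p, r))
        if ltv > LIQUIDATION_LTV:
            return True, f"ltv {ltv:.3f} above {LIQUIDATION_LTV}"
        return False, f"ltv {ltv:.3f} healthy"


# Constructed scenario: 10 WETH at $1,200 backs a $6,000 stablecoin loan (LTV 0.5).
USER = Position("alice", "WETH", 10, 6_000)
HONEST = Oracle({"WETH": 1_200})
MANIPULATED = Oracle({"WETH": 100})  # attacker-controlled feed reports a crash


def demo():
    """Run the same healthy position through both checks."""
    vault = HardenedVault({"WETH"}, MANIPULATED, HONEST)
    return {
        "vulnerable_honest": is_liquidatable_vulnerable(USER, HONEST),
        "vulnerable_manipulated": is_liquidatable_vulnerable(USER, MANIPULATED),
        "hardened_manipulated": vault.check_liquidation(USER),
        "hardened_bogus_token": vault.check_liquidation(Position("bob", "FAKE", 10, 6_000)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the manipulated feed the vulnerable check declares a position at 50% loan-to-value liquidatable, while the hardened check pauses liquidation because the two feeds disagree and rejects the unlisted token outright. A genuine price drop that both feeds report still liquidates, so the guard costs nothing in the honest case. In a real protocol the allowlist and the oracle addresses should themselves only change through a timelock or governance vote; a single admin key that can swap the oracle is exactly the kind of centralization finding an audit flags.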

CertiK Audits: What’s Their Role and What Went Wrong?

The fact that both Defrost Finance and Rubic Finance were audited by CertiK before these exploits raises important questions about the role and limitations of smart contract audits. CertiK had audited Defrost V1’s smart contracts in November 2021 and identified several issues:

  • Critical Logic Issue: A significant flaw in the smart contract logic was found. This was reportedly resolved by Defrost at the time of the audit report.
  • Centralization Issues: CertiK also flagged five centralization concerns. While acknowledged, there was no public evidence of these being fully addressed before the hack. Centralization issues can be particularly dangerous as they create single points of failure that hackers can target.

CertiK also found centralization vulnerabilities in Rubic Finance’s SwapContract, including one that could allow unauthorized withdrawal of ETH/BNB and other tokens.

What Does a CertiK Audit Actually Do?

It’s crucial to understand what a smart contract audit, like those conducted by CertiK, entails and what it doesn’t.

What Audits DO:

  • Test Resilience: Audits rigorously test smart contracts against various known attack vectors.
  • Coding Standards Check: They evaluate if the code adheres to industry best practices and secure coding standards.
  • Benchmarking: Auditors often compare the project’s smart contracts to those of leading, established projects in the space.
  • Identify Potential Issues: Audits aim to uncover logic flaws, centralization risks, and other vulnerabilities that could be exploited.

What Audits DO NOT DO:

  • Guarantee 100% Security: No audit can guarantee absolute security. The DeFi landscape is constantly evolving, and new attack vectors emerge.
  • Project Endorsement: Audits are not endorsements of a project or its tokens. They are technical assessments of the code at a specific point in time.
  • Eliminate All Risks: Audits reduce risks but don’t eliminate them entirely. Ongoing monitoring and proactive security measures are still essential.

CertiK explicitly states on their website that they audit code and advise users to conduct their own thorough research (DYOR – Do Your Own Research). Their reports include a clear disclaimer:

“CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to assist in reducing attack vectors and the high level of variance associated with utilising new and constantly changing technologies, and it makes no guarantees about the security or functionality of the technology we agree to analyse.”

This disclaimer underscores the point that audits are a valuable tool but not a foolproof solution. They are a snapshot in time and the responsibility for security ultimately lies with the project and its users.

Key Takeaways and Lessons for DeFi Security

The Defrost Finance hack, despite a CertiK audit, provides several crucial lessons for the DeFi space:

  • Audits are Essential but Not Sufficient: Smart contract audits are a vital security measure, but they are not a silver bullet. Projects must implement a layered security approach, including ongoing monitoring, bug bounties, and proactive security updates.
  • Centralization is a Risk: The identification of centralization issues in CertiK’s audit highlights the dangers of centralized elements in supposedly decentralized systems. True decentralization and robust security protocols are crucial.
  • Oracle Security is Critical: The exploit via a malicious price oracle underscores the importance of secure and reliable oracle mechanisms. DeFi protocols must carefully choose and monitor their oracles to prevent price manipulation attacks.
  • User Due Diligence Remains Key: Despite audits and project assurances, users must always conduct their own research and understand the risks involved in DeFi protocols. Never invest more than you can afford to lose.
  • Transparency and Community Governance: Open communication about vulnerabilities and proposed changes, along with community-driven governance for protocol updates, can enhance security and resilience. As has been noted, proposed changes to smart contract code can go through standard protocol voting procedures, showcasing the value of decentralized governance.

The Future of DeFi Security and Regulation

The Defrost Finance incident, alongside other DeFi hacks, fuels the ongoing debate about regulation in the crypto space. Coinbase CEO Brian Armstrong’s view that DeFi protocols should be protected by free speech rather than financial services laws adds another layer to this discussion.

While the industry grapples with the balance between innovation, security, and regulation, one thing is clear: security must be a top priority in DeFi. Incidents like the Defrost Finance hack serve as stark reminders of the risks and the continuous need for improvement in smart contract security, auditing practices, and user awareness.

The return of funds by Defrost Finance is a welcome development, demonstrating a degree of accountability in the DeFi space. However, the incident serves as a valuable learning experience for developers, auditors, and users alike. As DeFi matures, a collective focus on robust security practices will be essential for building trust and fostering sustainable growth.

Disclaimer: The information provided is not trading advice, Bitcoinworld.co.in holds no liability for any investments made based on the information provided on this page. We strongly recommend independent research and/or consultation with a qualified professional before making any investment decisions.