Despite undergoing a code audit by CertiK, the ecological stablecoin project Defrost Finance will return $12 million in funds stolen through the December 23, 2022, exploit.
Defrost will use on-chain data to ensure that the stolen funds are properly allocated. The refund is the result of an attacker exploiting flaws in several Defrost smart contracts. Peckshield, a blockchain security firm, first reported the attack on December 23, 2022.
The hacker allegedly drained $173,000 from Defrost’s V1 protocol via a flash loan attack. In a more serious V2 attack, the perpetrator stole $12 million by liquidating users’ positions using a bogus collateral token and a malicious price oracle. Later, attackers allegedly stole $1.4 million from cross-chain tech aggregator Rubic Finance, raising concerns about smart contract code vulnerabilities.
When the value of a user’s collateral falls below a lending protocol’s minimum loan-to-value ratio, a user’s collateral is liquidated. Users of stablecoin protocols such as Defrost can deposit collateral for a perpetual stablecoin loan. To set the loan’s interest rate, the protocol employs an algorithmically adjusted stability fee. The addition of bogus collateral to V2 most likely harmed Defrost users’ loan-to-value ratios, resulting in their liquidation.
Both hacks have highlighted the conclusions that can be drawn from smart contract code audits when determining the legitimacy of a DeFi project. CertiK, a blockchain security firm, was implicated in both hacks, with Defrost and Rubic undergoing code audits by the company.
CertiK audited Defrost V1’s smart contracts in November 2021, identifying a critical logic issue as well as five centralization issues. The former had been resolved at the time of publication, while the latter was acknowledged but with no evidence of further work. A logic flaw, colloquially known as a “bug,” allows smart contracts to function incorrectly without crashing. A centralised issue, on the other hand, can compromise multiple entities if a hacker gains access to a shared code block or variable.
CertiK also discovered several issues with centralization in Rubic Finance’s SwapContract smart contract, one of which would allow a hacker to withdraw ETH/BNB and other tokens to the hacker’s address.
CertiK tests the resilience of smart contracts to various attack vectors rather than endorsing a project or its assets. It also evaluates the contracts’ adherence to acceptable coding standards and compares the smart contracts produced by a project to those produced by industry leaders.
A careful examination of CertiK’s website reveals that the company only audits DeFi protocol code. It advises potential investors to conduct their own research. Additionally, its reports contain the following disclaimer:Â
“CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to assist in reducing attack vectors and the high level of variance associated with utilising new and constantly changing technologies, and it makes no guarantees about the security or functionality of the technology we agree to analyse.”
While not a complete picture, these reports can help to inform interested parties about a project by providing insight into its risks. Any proposed changes to the smart contract code can go through the standard protocol voting procedure without the need for government intervention.
Coinbase CEO Brian Armstrong believes that DeFi protocols should be protected by free speech in the United States rather than regulated by financial services laws.
