DeFi developers and auditors are getting lax. Attackers are taking advantage of an exploit that exists across multiple DeFi platforms and making off with millions of dollars as a result.
In the latest DeFi exploit, ‘Popsicle Finance,’ a platform that automatically deploys user funds to the liquidity pool that gives them the highest yield, was exploited for $25 million by an attacker that took advantage of a loophole in the Popsicle Finance code.
What’s unfortunate is, Mudit Gupta, a security researcher, pointed out that that this bug existed in DeFi contract protocols in late June.
$10k has been awarded to @Mudit__Gupta for finding a bug in the RewardDistribution contract involving snapshotAccount function which would lead to the loss of all stored rewards.
The bounty remains open for all other qualified bugs. https://t.co/8We72JgZBo
— WildCredit (@WildCredit) June 21, 2021
Yet, the DeFi projects that came to fruition afterward, as well as smart contract developers and auditors, failed to recognize and patch this bug that exists in many DeFi protocols.
“When a user deposits tokens into Popsicle, it updates `token0PerSharePaid` and `token1PerSharePaid` against their account to keep track of when they deposited the tokens. This helps the contract pay rewards to the user from the date they entered rather than from the first day,” said Gupta shortly after the attack occurred.
“The bug in Popsicle is that these variables are not updated when the user transfers their share to a different address. The new address is eligible to claim rewards from day 0 rather than from when the user deposited their tokens. This is what the attacker did. This bug also allows the user to keep transferring the shares and claiming rewards for the same shares multiple times using different accounts.”
Where’s the progress?
Rather than taking the time to write the contract for the app or service they are looking to build, several DeFi developers simply copy and paste the code from projects that accomplish similar goals. Even when DeFi platforms pay for a security audit before they go live, it is not uncommon for auditors to miss crucial bugs in contracts that pave the way for multi-million dollar exploits–like when Akropolis, the DeFi platform that underwent two independent audits, was exploited.
“Auditors and Smart contract devs need to keep up with the ecosystem. This code should not have made it to production,” said Gupta.
The lack of innovation and progress shows that a majority of the DeFi industry has not improved over time. New projects are typically forks of old projects with no new features just a new name, developers and auditors are still missing critical bugs in the code that can drain a project’s liquidity pool, and attackers are still exploiting these bugs and making off with millions of dollars. Although a significant amount of time has passed since the creation of DeFi, not much has changed.
New to Bitcoin? Check out CoinGeek’s Bitcoin for Beginners section, the ultimate resource guide to learn more about Bitcoin—as originally envisioned by Satoshi Nakamoto—and blockchain.