Hacks, Houdini acts, and rug pulls: why DeFi smart contracts must be more secure than smart in 2022. – The Economic Times

Clipped from: https://economictimes.indiatimes.com/prime/fintech-and-bfsi/hacks-houdini-acts-and-rug-pulls-why-defi-smart-contracts-must-be-more-secure-than-smart-in-2022-/primearticleshow/88720307.cms

Synopsis: As crypto assets became more mainstream in 2021, incidents of hacks and rug pulls also increased. Decentralised finance, or DeFi, accounted for 76% of all major hacks last year. On the other hand, the value locked in DeFi products rose to USD300 billion. How does one stay safe and still benefit from DeFi products? Here’s our take.

The year 2021 was kind to the world of cryptocurrencies. Good news came in pockets from around the world.

Central American country El Salvador, for its own reasons, adopted Bitcoin as legal tender. The US finally got its first Bitcoin exchange-traded fund. The total market cap of crypto tokens increased from USD776 billion to USD2.2 trillion last year, more than the GDP of Russia or Canada.

In brief, crypto assets came a long way from a general lack of trust to mainstream adoption in 2021.

But aside from all this, the most important aspect of 2021 was the adoption of decentralised applications (dapps) such as decentralised finance (DeFi) and non-fungible tokens (NFTs), which are built on top of public blockchain networks like Ethereum. For perspective, the total value locked in DeFi products grew from USD20 billion to USD300 billion in 2021 alone. That is comparable to the assets under management (AUM) of the largest hedge funds today, and it alone makes a case for learning and understanding DeFi.

So, what is DeFi actually? How has it grown in so little time? And are there any pitfalls?

The DeFi phenomenon
Last year, many people bought a crypto token for the first time. And as the new owners of the Internet’s magic money, many wondered what they could actually use these tokens for.

Well, aside from the tokens rallying to the moon, one also has the option of using them to earn some passive income. That’s where DeFi comes in.

DeFi applications are one of the most popular solutions being built on top of decentralised crypto networks.

Developers write smart contracts on peer-to-peer public blockchains like Ethereum that offer financial products such as lending, borrowing and derivatives trading, among other things.

Because these contracts are deployed on public blockchains, their execution is decentralised, unlike traditional finance, which is heavily regulated and centralised. The contracts themselves, however, often still carry privileged roles such as an owner or a minter, and those roles matter a great deal, as the examples below show.

Crypto holders are rewarded for supplying their assets to these DeFi applications and for participating in them.

This has led to an exponential growth in DeFi products.

India hasn’t stayed away from DeFi’s expansion either. The country was ranked sixth in the Global DeFi Adoption Index launched by blockchain analysis firm Chainalysis.

The problem of dumb ‘smart’ contracts
Despite being structured like traditional financial products, DeFi applications have plenty of shortcomings of their own.

Over the past year it has become clear that DeFi smart contracts are not as secure as the blockchains they run on: the consensus layer protects the ledger, not the application code written on top of it, and that code has become an easy target for attackers. A report by Atlas VPN says that DeFi-related hacks accounted for 76% of all major hacks in 2021.

Hacks and thefts have been common since Bitcoin came into existence. Back in the day, most of these hacks happened on centralised exchanges like Mt. Gox, where USD460 million worth of Bitcoin was stolen in 2014.

Gradually, exchanges understood how to better secure their assets and those of their users. As a result, such cases have dropped.

By design, a decentralised technology like Bitcoin should not depend on ‘central’ points of failure, and so the community started looking for ways to eliminate dependence on such third parties.

Hence the idea of DeFi started taking shape, where, once again, code would be law.

But as the idea is put to the test, it has turned out to suffer from design flaws, and it has also become a favourite tool for scammers to cheat the gullible.

“In total, just over USD12 billion in losses have been suffered as a result of DeFi theft — USD2 billion in direct losses and USD10 billion in protocol losses. USD721 million of these direct losses were subsequently recovered. These losses are accelerating, with USD10.5 billion of losses in 2021 (till November 9), up from USD1.5 billion in 2020,” a report from blockchain analysis firm Elliptic says.

The importance of small things
The report quoted above highlights an example where a single missing line in the code led to a hack.

Decentralised exchange (DEX) vSwap was hacked in May last year. A contract holding user funds in the protocol’s own vBSWAP tokens was compromised, leading to a loss of USD11 million.

“A single line of code: initialized = true; was missing from the function, allowing anyone to initialise it and set themselves as the owner of the account, taking control of it and allowing them to move the funds contained within it,” Elliptic points out.
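To make the bug Elliptic describes concrete, here is an added example (not the vSwap code and not from the Elliptic report): a Python simulation of contract storage in which a one-time initialize function hands out the owner role but never records that it has run, beside the fixed version that does. The balances and account names are constructed for illustration.

```python
"""Toy model of a re-initialisable contract (constructed example, not vSwap's code).

A one-time `initialize` sets the owner. In the vulnerable version the
`initialized = True` line is missing, so a second caller can run it again,
become owner and drain the vault. The fixed version records the flag first.
"""

from dataclasses import dataclass, field
from typing import Optional


class Revert(Exception):
    """Stands in for an EVM revert: the call fails and state is rolled back."""


@dataclass
class VulnerableVault:
    owner: Optional[str] = None
    initialized: bool = False
    balances: dict = field(default_factory=dict)  # account -> token amount

    def initialize(self, caller: str) -> None:
        if self.initialized:
            raise Revert("already initialized")
        self.owner = caller
        # BUG: `self.initialized = True` is missing, so the guard above never fires.

    def withdraw_all(self, caller: str, to: str) -> int:
        """Owner-only: move every deposited token to `to`. Returns the amount moved."""
        if caller != self.owner:
            raise Revert("not owner")
        total = sum(self.balances.values())
        self.balances = {to: total}
        return total


class FixedVault(VulnerableVault):
    def initialize(self, caller: str) -> None:
        if self.initialized:
            raise Revert("already initialized")
        self.initialized = True  # record the one-shot before handing out the role
        self.owner = caller


def run_attack(vault: VulnerableVault) -> tuple:
    """Deploy, accept deposits, then let an attacker try to re-initialize and drain.

    Returns (final owner, tokens the attacker ended up controlling).
    Deposits are constructed so the total echoes the USD11 million figure.
    """
    vault.initialize("deployer")
    vault.balances.update({"alice": 6_000_000, "bob": 5_000_000})
    try:
        vault.initialize("attacker")  # succeeds only if the flag was never set
    except Revert:
        pass
    try:
        stolen = vault.withdraw_all("attacker", "attacker")
    except Revert:
        stolen = 0
    return vault.owner, stolen


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault()))  # attacker owns everything
    print("fixed:     ", run_attack(FixedVault()))       # deployer keeps control
```

The check a reviewer should make on any contract with an `initialize`-style function is that the guard flag is written before, or at least in the same call as, the privileged assignment, and that nothing else can reset it; in Solidity this is what OpenZeppelin’s `initializer` modifier enforces, so hand-rolled guards deserve extra scrutiny.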

Enter rug pulls
While human error can explain thefts like that one, there are also those who deliberately leave bugs or backdoors in their DeFi protocols in order to defraud people.

Take Squid Game, for example: not the hit Korean Netflix series but the crypto token named after it.

The Squid token was launched as the exclusive coin of the Squid Game project back in October. Within a few weeks the coin had been pumped to stratospheric levels. On November 1 the people behind the project exited, the token fell 99% in five minutes, and holders lost nearly USD4 million.

Such rug pulls were a common sight in the DeFi ecosystem in 2021.

Chainalysis says that rug pulls accounted for 37% of all cryptocurrency scam revenue in 2021, against just 1% in 2020, and led to a loss of more than USD2.8 billion worth of cryptocurrency.

Rug pulls can be done in various ways. Rohit Goyal, founder of DeFi platform Mesh Finance, explains one of the most common methods.

“On decentralised exchanges like Uniswap, liquidity providers pool liquidity in a smart contract from which users can buy or sell tokens,” Goyal says.

He explains that trades on Uniswap follow a simple formula: X multiplied by Y equals K, where X is the reserve of asset A, Y is the reserve of asset B and K is a constant.

Let’s say we want to enable trading between ETH (Ether) and USDC (USD Coin). Liquidity providers add ETH and USDC to an ETH-USDC pool smart contract. Here, X is the reserve of ETH and Y is the reserve of USDC.

When a user wants to buy ETH with USDC, she sends USDC to the ETH-USDC pool contract, and the contract returns ETH according to the formula, so that K stays constant.

Here is how it calculates how much ETH the user should get.

“When the user sends USDC to the pool, Y (reserve of USDC) will increase. So, the value of X (reserve of ETH) should now decrease for K to remain constant. This difference of ETH will go back to the user,” Goyal says.

“So, anyone who is creating the pool is also creating the price. Price is defined by how much USDC and ETH you have put. If we have 100 ETH and 1,000 USDC in the pool, then basically one ETH equals 10 USDC. And this price increases as you add more USDC and decreases as you add more ETH in the pool,” he adds.

“Let’s say someone wants to launch a rug pull token called XYZ. They will create a pool for XYZ-USDC. They do a lot of marketing and people start buying the XYZ token from this pool. So, users will keep adding more USDC into this pool and take out XYZ tokens. And as more XYZ is taken out of the pool, its price increases. Now, imagine if you have the power to mint new XYZ tokens — you can mint a large number of XYZ tokens, send it to the pool contract, and in return get USDC. To maximise your profit, you can mint and send so many XYZ tokens that you can pull out almost all the USDC available in that pool,” he further adds.

Now everyone else is holding XYZ tokens, but there is no USDC left in the pool to exchange them for. The price of XYZ goes to zero, since the pool now holds an almost unlimited supply of XYZ and no USDC. This is what a rug pull looks like.
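The following is an added example, not code from the article, from Uniswap or from Mesh Finance: a Python simulation of the constant-product pool Goyal describes (X times Y equals K, with swap fees ignored so the arithmetic matches the text), followed by the mint-and-dump sequence. The seed reserves, buyer amounts and minted quantity are constructed numbers chosen to make the effect visible.

```python
"""Constant-product AMM (x * y = k) and the mint-and-dump rug pull.

Constructed simulation: no fees, no slippage limits, no minimum-output checks,
so it isolates the pricing maths the article walks through.
"""

from dataclasses import dataclass


@dataclass
class Pool:
    reserve_a: float  # X: reserve of the project token (XYZ, or ETH in the text)
    reserve_b: float  # Y: reserve of the quote asset (USDC)

    @property
    def k(self) -> float:
        return self.reserve_a * self.reserve_b

    def price_a_in_b(self) -> float:
        """Spot price of one A in units of B. 100 ETH / 1,000 USDC gives 10."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Buyer sends `amount_b` of B; pool pays out A so that k is unchanged."""
        k = self.k
        self.reserve_b += amount_b
        new_a = k / self.reserve_b
        out = self.reserve_a - new_a
        self.reserve_a = new_a
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        """Seller sends `amount_a` of A; pool pays out B so that k is unchanged."""
        k = self.k
        self.reserve_a += amount_a
        new_b = k / self.reserve_a
        out = self.reserve_b - new_b
        self.reserve_b = new_b
        return out


def simulate_rug_pull(buyers_usdc: list, minted_xyz: float) -> dict:
    """Retail buyers swap USDC into XYZ; then the deployer, who can mint XYZ at will,
    dumps `minted_xyz` freshly minted tokens into the pool and takes the USDC.
    """
    pool = Pool(reserve_a=1_000_000.0, reserve_b=10_000.0)  # constructed seed liquidity
    start_price = pool.price_a_in_b()
    for usdc in buyers_usdc:          # each buy raises Y and lowers X: price climbs
        pool.swap_b_for_a(usdc)
    price_before_dump = pool.price_a_in_b()
    usdc_taken = pool.swap_a_for_b(minted_xyz)  # one huge sell drains almost all of Y
    return {
        "start_price": start_price,
        "price_before_dump": price_before_dump,
        "usdc_taken": usdc_taken,
        "usdc_left": pool.reserve_b,
        "price_after_dump": pool.price_a_in_b(),
    }


if __name__ == "__main__":
    result = simulate_rug_pull([50_000.0, 50_000.0, 100_000.0], 1_000_000_000.0)
    for name, value in result.items():
        print(f"{name:>18}: {value:,.8f}")
```

Because the pool only ever reprices along x * y = k, nothing in the exchange stops the dump: the defence has to be on the token side. The practical check the text points to is whether anyone still holds the power to mint the project token (an owner-only mint function, or a supply cap that can be raised), since that power, not the DEX, is what turns a pool into an exit.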

Many other forms of rug pull happen in DeFi, for instance around initial DEX offerings (IDOs).

Goyal adds that DeFi protocols need to be thoroughly audited by the community for such reasons.

How to spot red flags
While such bad actors have always been present in the crypto space, there are ways to spot early red flags.

Jorrit Kooi, CEO of Bright Union, an Amsterdam-based startup which provides insurance products for smart contracts to protect holders of crypto tokens against exploits based on bugs in the code, says there are many red flags which one could easily recognise early on.

“Sometimes, the occurrence of a red flag doesn’t necessarily mean that there is necessarily going to be a rug pull. But I think your best weapon for identifying rug pulls is just basically using your common sense,” Kooi says.

“The first one, obviously, is (asking if) the offering is too good to be true. The second item to look into is the team. So, which is the team actually launching the token? Are they visible? Can you verify their background? Do they have experience? For example, with Squid Game tokens, I think the team was anonymous. And that kind of ties nicely with the operators of the actual Squid Game series who also wear masks in the facility,” he says.

The third, Kooi says, is to check the fundamentals of the project. Is the team actually building a blockchain or a dapp with a utility that will add value to the community, or is it merely a meme coin?

The fourth thing is relatively easy to check as per Kooi — the development activity. “Are they actually building a blockchain, or are they building a dapp and those are things you can see on GitHub?” he says.

“If a team is spending more efforts on marketing than on development, then that’s definitely a red flag. And also if the software is not audited, that’s definitely a red flag,” he adds.

Kooi says that the fifth thing to check would be where the token is being traded, its liquidity, and the diversification of its holders.

“Are there any big wallets that hold a lot of tokens? Generally, that’s a red flag because they can influence the price and then the second one on where it is traded. If it is listed on a Dex, then there has been no due diligence prior to listing as anyone can list on a Dex,” Kooi says.

“That’s not to say that all the tokens listed on a Dex are dubious in nature. But they should be viewed in light of the above mentioned checks as well,” he adds.

As crypto assets become more mainstream, the risk of losing your money one way or another remains.

(Graphics by Mohammad Arshad)
(Originally published on Jan 6, 2022, 01:44 AM IST)
