Hackers stole around $1.7 billion from cryptocurrencies in 2023, underscoring the persistent threat posed by vulnerabilities in smart contracts. In the ever-evolving landscape of blockchain technology, the integrity and security of smart contracts are paramount. However, recent notable auditing failures have shed light on the potential risks and consequences of overlooking critical security measures. In this blog, we will delve into lessons learned from these failures, highlighting key insights and best practices to fortify smart contract audits and safeguard digital assets.

Euler Finance Hack Analysis — Flash loan attack

Euler Finance was the victim of an attack on March 13, 2023, carried out using flash loan tactics. The attacker exploited a key logic flaw in Euler Finance’s announced contributor liquidity function, manipulating the conversion rate logic for borrowing and selling DAI tokens. The attack cost the project $197 million.

The breach began with the attacker obtaining a Flash loan of $30 million DAI from AaveV2 and creating two separate accounts, one as a borrower and the other as a liquidator. The attacker carried out a series of transactions using the borrowed funds. Initially, the borrower used $20 million DAI to create a large number of e-DAI and d-DAI tokens. Subsequent actions, such as partial loan repayment and extra token minting, created the conditions for a major issue to develop within Euler Finance’s software.

This issue, which occurred within the donateToReserve() method, caused the generation of unbacked “d-DAI” token debt, posing a severe danger to the project’s stability. The liquidator took advantage of this vulnerability to liquidate the debt and borrow it, netting a significant profit of 310 million e-DAI. The attacker quickly returned the Flash loan with the accumulated profit, which amounted to 38.9 million DAI, resulting in a net profit of 8.8 million DAI.

The exploit persisted until the attackers successfully drained Euler Finance’s funds, leaving behind a trail of financial devastation and highlighting the pressing need for enhanced security measures within the DeFi ecosystem.

Lessons Learned from the Euler Finance Flash Loan Attack

Token burning should be handled correctly, with both tokens burnt if funds are sent to another account. Furthermore, debt must be computed without logical mistakes to ensure transparency and prevent abuse.

Over-Collateralization Checks: Include checks in the smart contract to ensure that the donor stays over-collateralized following the donation. This may be accomplished by comparing the collateral’s current market value to the existing loan balance. If the collateral value falls below the loan value, the transaction should be denied to avoid further risks.

Reliable Conversion Rate Determination: Use reliable oracles or known market price feeds to calculate the correct conversion rate during liquidation. By depending on external sources for market data, the smart contract can increase transparency while reducing the danger of manipulation.

By implementing these steps, smart contract protocols can improve their security posture and reduce the chance of further attacks.
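The over-collateralization check described above, as an added example: a simplified Python model written for this article's scenario, not Euler Finance's code. The class and function names, the 1:1 collateral price and the balances are assumptions.

```python
from dataclasses import dataclass


class Revert(Exception):
    """Stands in for a Solidity revert."""


@dataclass
class Account:
    collateral: int  # eToken balance, in units of the underlying asset
    debt: int        # dToken balance, in units of the underlying asset


class LendingPool:
    def __init__(self, collateral_price=1, check_health=True):
        # collateral_price is assumed to come from a trusted price feed.
        self.collateral_price = collateral_price
        self.check_health = check_health
        self.reserves = 0
        self.accounts = {}

    def is_healthy(self, acct):
        # Over-collateralized: collateral value covers the whole debt.
        return acct.collateral * self.collateral_price >= acct.debt

    def donate_to_reserve(self, owner, amount):
        acct = self.accounts[owner]
        if amount <= 0 or amount > acct.collateral:
            raise Revert("invalid donation amount")
        acct.collateral -= amount      # collateral leaves the account...
        self.reserves += amount        # ...while its debt is untouched
        if self.check_health and not self.is_healthy(acct):
            acct.collateral += amount  # undo state changes, as a revert would
            self.reserves -= amount
            raise Revert("donation would leave the account under-collateralized")


def donate(check_health, collateral, debt, amount):
    """Run one donation; return (reverted, collateral, debt, healthy)."""
    pool = LendingPool(check_health=check_health)
    acct = pool.accounts["borrower"] = Account(collateral, debt)
    try:
        pool.donate_to_reserve("borrower", amount)
        reverted = False
    except Revert:
        reverted = True
    return reverted, acct.collateral, acct.debt, pool.is_healthy(acct)
```

Without the check, a donation leaves debt that the remaining collateral no longer backs; with it, the same call reverts and the account state is unchanged.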

MEV Bot hack analysis

The MEV Boost Relay Attack, a sophisticated hack, shook the cryptocurrency industry on April 3rd, 2023. In this ingenious manoeuvre, a malevolent proposer exploited a weakness in Flashbots’ open-source mev-boost-relay code to steal $20 million from a large number of sandwich bots. The assault highlighted a significant weakness found in the majority of mev-boost relays, laying the groundwork for a disastrous breach.

The relay’s weakness, which indiscriminately exposed block bodies to proposers upon successful signature of a block header, was at the heart of the assault. Surprisingly, the relay failed to authenticate the validity of the signed block header, allowing access to block bodies regardless of legality. Although rejected by beacon nodes, these faulty blocks were visible to the malicious proposer, creating a profitable opportunity for exploitation.

Armed with access to block bodies, the attacker planned a strategic attack on sandwich bots, methodically constructing a bespoke block to syphon liquidity and annihilate their assets. By cleverly combining transactions from the stolen block into their own, the attacker successfully stole cash from unwitting victims. To conceal their illicit operations, the malevolent proposer modified parent and state roots, disguising the transaction as an innocent broadcastable block.

The consequences of the MEV Boost Relay Attack were severe, providing a sharp reminder of the inherent weaknesses of decentralised systems. As the crypto community deals with the fallout from this hack, it is critical to analyse the lessons learnt and strengthen defences against future breaches.

Lessons Learned from the MEV Boost Relay Attack

Patch Implementation: After discovering the vulnerability, the open-source community quickly patched the mev-boost-relay mechanism. This fix assures that the relay will no longer allow transactions if the block cannot be effectively broadcast to the network, preventing bad actors from taking advantage of the issue.

Response Delay: The server’s response method now includes a one-minute delay. This delay acts as an extra safety, allowing for complete inspection of block headers prior to any further actions being conducted. By creating this delay, the risk of unauthorised block broadcasts and subsequent exploitation is greatly decreased.

Enhanced Security Measures: In addition to the patch implementation and response delay, rigorous security safeguards have been included to prevent MEV Boost relays from broadcasting block bodies back to proposers. This guarantees that crucial block data is safeguarded and unavailable to potential attackers, strengthening the system’s defence against exploitation efforts.
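The patched relay behaviour described above, as an added example: a simplified Python model, not the mev-boost-relay code. All names and values are hypothetical, signature verification is reduced to a boolean, and the beacon node's validity rule is an assumption (parent and state roots must match).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SignedHeader:
    parent_root: str
    state_root: str
    body_root: str
    signature_ok: bool  # assumption: proposer signature already verified


class BeaconNode:
    """Accepts a block only if it extends the head with the expected state."""

    def __init__(self, head_root, state_root):
        self.head_root, self.state_root = head_root, state_root

    def publish(self, h):
        return h.parent_root == self.head_root and h.state_root == self.state_root


class Relay:
    def __init__(self, beacon, escrow, require_publish):
        self.beacon = beacon
        self.escrow = escrow                  # body_root -> block body (tx list)
        self.require_publish = require_publish

    def get_payload(self, h):
        if not h.signature_ok or h.body_root not in self.escrow:
            return None
        published = self.beacon.publish(h)
        if self.require_publish and not published:
            return None                       # patched: no broadcast, no body
        return self.escrow[h.body_root]       # unpatched path ignores `published`


def run(require_publish):
    """Return (body for honest header, body for tampered header)."""
    beacon = BeaconNode(head_root="0xhead", state_root="0xstate")
    relay = Relay(beacon, {"0xbody": ["bot_tx_1", "bot_tx_2"]}, require_publish)
    honest = SignedHeader("0xhead", "0xstate", "0xbody", signature_ok=True)
    # Constructed invalid header: correctly signed, but rejected by the beacon node.
    tampered = replace(honest, parent_root="0x00", state_root="0x00")
    return relay.get_payload(honest), relay.get_payload(tampered)
```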

Dissecting the Banana Hack

On September 11, 2023, the Telegram bot Banana Gun’s native token BANANA saw a catastrophic price drop owing to a fundamental business logic weakness. Within three hours of debut, the price of BANANA dropped from a high of $8.70 to a low of $0.02, undermining investor confidence and showing the severity of the vulnerability.

The vulnerability was caused by a bug in the token’s _transfer() function, which failed to deduct fees from senders owing to an incorrect computation. Instead of subtracting fees, the contract erroneously created tokens equal to the fees and sent them to its own address for each transaction.

The fundamental source of the problem was a misplaced calculation line within the code. The erroneous logic enabled senders to keep the fee amount, which was then minted to the treasury rather than deducted from the seller’s balance. This mistake caused a cascade impact.

This severe vulnerability not only resulted in large financial losses, but also demonstrated the significance of comprehensive code review and testing in blockchain initiatives. It’s a sobering reminder of the importance of strong security measures and aggressive risk management tactics in protecting token contracts from potential exploits and flaws.

Lessons Learned from the Banana Token Hack

One important takeaway from the Banana token attack is the critical significance of thorough code validation via rigorous testing processes. It emphasises the need for developers to create detailed test cases that cover all potential business logic scenarios.

By providing thorough test coverage, developers may identify possible vulnerabilities and logic problems before they materialise in a live environment. This proactive approach to code inspection provides an important defence mechanism against unanticipated errors, reducing risks and ensuring the integrity of token contracts.

In essence, meticulous testing techniques are the foundation of strong code development, allowing developers to uncover and address risks early in the development lifecycle. Blockchain initiatives that prioritise testing and validation may establish trust in users and stakeholders, resulting in a safe and resilient environment for token transactions.
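The kind of test case that catches this class of bug, as an added example: a Python model of a fee-charging transfer with a misplaced calculation line, checked against a supply-conservation invariant. It is constructed for illustration and is not the BANANA contract's code; the 4% fee, account names and amounts are assumptions.

```python
import random

FEE_BPS = 400          # assumed 4% fee, constructed for this example
CONTRACT = "contract"  # the token contract's own address


def transfer_buggy(bal, sender, recipient, amount):
    fee = amount * FEE_BPS // 10_000
    amount -= fee                   # misplaced: net amount computed before the debit
    if bal[sender] < amount:
        raise ValueError("insufficient balance")
    bal[sender] -= amount           # sender is debited net of fee and keeps the fee
    bal[recipient] += amount
    bal[CONTRACT] += fee            # fee credited from nowhere: supply inflates


def transfer_fixed(bal, sender, recipient, amount):
    if bal[sender] < amount:
        raise ValueError("insufficient balance")
    fee = amount * FEE_BPS // 10_000
    bal[sender] -= amount           # debit the gross amount first
    bal[recipient] += amount - fee  # recipient receives the net amount
    bal[CONTRACT] += fee            # fee is moved, not created


def supply_drift(transfer, rounds=200, seed=1):
    """Invariant test: total supply must not change across transfers."""
    rng = random.Random(seed)
    bal = {"alice": 1_000_000, "bob": 1_000_000, CONTRACT: 0}
    supply = sum(bal.values())
    for _ in range(rounds):
        sender, recipient = rng.sample(["alice", "bob"], 2)
        transfer(bal, sender, recipient, rng.randint(100, 1000))
    return sum(bal.values()) - supply


def single_transfer(transfer):
    """One 100-token transfer from a 1000-token balance, for a unit test."""
    bal = {"alice": 1000, "bob": 0, CONTRACT: 0}
    transfer(bal, "alice", "bob", 100)
    return bal
```

Asserting `supply_drift(...) == 0` fails for the buggy variant on the first fee-bearing transfer, which is the signal a pre-launch test suite would have raised.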


Kyberswap Hack: Understanding the Exploitation

On November 23, 2023, Kyberswap had a massive breach caused by tick manipulation and the unintended duplication of liquidity, leading to huge losses surpassing $40 million USD.

The root cause of the exploitation at Kyberswap was traced to manipulative maneuvers involving tick adjustments. By aligning the system state to ensure that the current tick coincided with a valid tick range boundary, with the nearest current tick set at currentTick - 1, the attackers laid the groundwork for their scheme. Subsequently, liquidity was minted within the range (currentTick, currentTick + n) for a specific value of n.

During a one-for-zero swap in this state, a critical miscalculation occurred. The nearestCurrentTick was erroneously computed as currentTick - 1 instead of the next initialized tick, leading to unintended consequences. This error resulted in the duplication of recently added liquidity, exacerbating the impact of the attack.

The smart contract vulnerability exploited at Kyberswap involved manipulative actions centered around tick adjustments and the double counting of liquidity. The attackers leveraged a flash loan to deplete pools characterized by low liquidity. Through a series of swaps and strategic position changes, they manipulated the prevailing prices and ticks within the targeted pools. Multiple swap steps and cross-tick operations were initiated to induce double liquidity counting, effectively draining the affected pools.

Lessons Learned from the Kyberswap Hack

One of the important takeaways from the Kyberswap hack is the vital need to verify code using comprehensive test cases that cover all potential business logic scenarios. Developers can thoroughly test smart contracts and blockchain protocols to identify flaws and weaknesses before they are exploited by malevolent actors. In the instance of Kyberswap, a lack of thorough testing enabled the exploitation of a weakness in the tick manipulation process, resulting in large financial losses. Moving forward, prioritising extensive testing methods might help reduce the possibility of such attacks while also ensuring the security and integrity of decentralised platforms and apps.

To summarise, from flash loan exploits to tick manipulation assaults, each instance emphasises the significance of strong auditing processes and extensive testing techniques. Developers may improve smart contract resilience and the Web3 ecosystem’s integrity by learning from these failures and introducing proactive measures such as code inspection, vulnerability assessments, and community involvement. As the environment of blockchain technology evolves, continual learning and adaptation are critical to reducing risks and protecting the assets and interests of both users and stakeholders.
