Tuesday, April 28, 2020

Rarely Is The Question Asked

Four years ago the first major Smart Contract was launched. Then this happened:
"Smart contracts" are programs, and programs have bugs. Some of the bugs are exploitable vulnerabilities. Research has shown that the rate at which vulnerabilities in programs are discovered increases with the age of the program. The problems caused by making vulnerable software immutable were revealed by the first major "smart contract". The Decentralized Autonomous Organization (The DAO) was released on 30th April 2016, but on 27th May 2016 Dino Mark, Vlad Zamfir, and Emin Gün Sirer posted A Call for a Temporary Moratorium on The DAO, pointing out some of its vulnerabilities; it was ignored. Three weeks later, when The DAO contained about 10% of all the Ether in circulation, a combination of these vulnerabilities was used to steal its contents.
$25M goes Poof!
Now, David Gerard reports the latest Smart Contract fiascos in The dForce and Hegic DeFi exploits, and why Smart Contracts are bad. One caused the $25M loss shown in the chart, the other caused this reassuring message to users:
!! ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. !! Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW.
Below the fold, some details.

Gerard sums up concisely:
The root cause of smart contract issues in practice is the clash of two factors:
  1. Smart contracts are hard or impossible to alter, by design. They require the most painstaking code review and analysis — so that you don’t lose money to an exploit.
  2. You make more money by being quick to market.
Then he details the two current examples from "decentralized finance". First, dForce succumbed to the same type of bug that infected The DAO:
DeFi provider dForce suffered an unfortunate exploit of its lendf.me protocol on 18 April — in which an attacker took off with $25 million of assets under management, leaving just $18,900. [CoinDesk]

The assets were mostly ether and bitcoins — not actual ether and bitcoins, but tokens representing them. The exploit involved using imBTC tokens as collateral.

imBTC is an ERC-777 token. ERC-777 is an updated version of the ERC-20 standard, which most ICO token contracts were built on — but the imBTC smart contract had a re-entrancy bug, where you could withdraw repeatedly before the balance updated. (This is the sort of bug The DAO fell to in 2016.)

After sufficient iterations, the attacker used their imBTC balance as collateral to borrow multiple other assets. The attacker then surrendered their collateral, and kept the borrowed assets. [Twitter]
dForce should have known the attack was coming:
The imBTC pool on Uniswap had been attacked and drained the same way, the previous day. [Twitter]
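The re-entrancy pattern Gerard describes, as an added illustration that is not dForce, lendf.me or imBTC code: the contract names, the minimal ERC-777-style token interface and the pool's bookkeeping are all assumed. The first contract performs the external token call before it updates its own balance, so a hook fired by the token during that call can re-enter `withdraw()` while the stale balance still passes the check; the second applies checks-effects-interactions and a re-entrancy guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the dForce/lendf.me or imBTC code. Assumes a token
// whose transfers call a hook on the sender/recipient, as ERC-777 does.
interface IToken {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// VULNERABLE pattern: the external token call runs before the pool's own
// bookkeeping changes, so a hook invoked by the token can re-enter withdraw()
// while balances[msg.sender] still shows the old, larger value.
contract VulnerablePool {
    IToken public token;
    mapping(address => uint256) public balances;

    constructor(IToken _token) { token = _token; }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        balances[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        // Interaction first: a token hook on the recipient executes here,
        // before the balance below is reduced.
        require(token.transfer(msg.sender, amount), "transfer failed");
        balances[msg.sender] -= amount;
    }
}

// HARDENED pattern: checks, then effects, then the external interaction,
// plus a mutex so a nested call into the pool reverts instead of proceeding.
contract HardenedPool {
    IToken public token;
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor(IToken _token) { token = _token; }

    function deposit(uint256 amount) external nonReentrant {
        balances[msg.sender] += amount;                                       // effect
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed"); // interaction
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");              // check
        balances[msg.sender] -= amount;                                       // effect
        require(token.transfer(msg.sender, amount), "transfer failed");       // interaction
    }
}
```

The guard alone would have stopped the nested call, and the reordering alone would have left the nested call with a balance that was already reduced; a reviewer wants both, because a hook can reach the contract through any function, not just the one being audited.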
Second, Hegic repeated The DAO's mistake by ignoring a request for delay accompanied by notification of several vulnerabilities. Unlike The DAO, which survived about 7 weeks before disaster struck, Hegic survived only one day:
Hegic is an on-chain options trading protocol on Ethereum — intended for use in decentralised finance (DeFi). Hegic proudly proclaims it was audited by Trail of Bits, before its launch on 24 April. [Hegic]

The next day, Hegic alerted users to a bug in the code: “!! ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW.” [Twitter]

The bug was a typographical error in a function name — Hegic used options.length instead of optionIDs.length, while they had options defined in outer scope, so the Solidity compiler tried to use that. [Twitter; GitHub]
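The failure mode in Gerard's description, reconstructed as an added example that is not Hegic's code: the contract, its struct, and the `unlockOne` helper are assumed. A state array named `options` sits in the outer scope, so writing `options.length` where `optionIDs.length` was meant still compiles; the loop bound then tracks every option ever created rather than the list passed in, and once more options exist than IDs were supplied, indexing the memory array past its end reverts and nothing can be unlocked. A test that creates one option and unlocks it passes both versions, which is why such a bug survives a thin test suite.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example of outer-scope name resolution masking a typo; not Hegic's
// code. Assumes options are stored in a state array and unlocked by ID.
contract OptionsBook {
    struct Option { uint256 expiry; uint256 lockedLiquidity; bool unlocked; }

    Option[] public options;          // outer scope: every option ever written
    uint256 public unlockedLiquidity;

    function create(uint256 expiry, uint256 liquidity) external returns (uint256 id) {
        options.push(Option(expiry, liquidity, false));
        return options.length - 1;
    }

    function unlockOne(uint256 id) public {
        Option storage o = options[id];
        require(block.timestamp > o.expiry, "not expired");
        require(!o.unlocked, "already unlocked");
        o.unlocked = true;
        unlockedLiquidity += o.lockedLiquidity;
    }

    // BUGGY: the bound names the state array, not the parameter. It compiles
    // because `options` is in scope. With options.length > optionIDs.length,
    // optionIDs[i] reads past the end of the memory array and the call
    // reverts, so expired liquidity stays locked for everyone.
    function unlockBuggy(uint256[] memory optionIDs) external {
        for (uint256 i = 0; i < options.length; i++) {
            unlockOne(optionIDs[i]);
        }
    }

    // FIXED: bound the loop by the array actually being iterated.
    function unlock(uint256[] memory optionIDs) external {
        for (uint256 i = 0; i < optionIDs.length; i++) {
            unlockOne(optionIDs[i]);
        }
    }
}
```

A unit test that writes two options and unlocks only the first would revert on `unlockBuggy` and succeed on `unlock`; that is the sort of test whose absence the reviewers noted.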
Given the initial rate of vulnerability detection was one per day, waiting for the rate to increase is hardly necessary. It turned out that Hegic was over-selling the Trail of Bits "audit":
[CEO Dan Guido] did post a thread explaining precisely what Trail of Bits had — and hadn’t — done: [Twitter]
In 3 days earlier this month, we identified 10 critical flaws in @HegicOptions that could harm users. We noted a lack of tests, a lack of documentation, and that the time afforded to review their code was insufficient.

Bottom line: we told them to hold off deploying. This was the right advice, and we generally expect people listen to us when they’re paying for our help.

Instead, Hegic patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an “audit”, then immediately deployed.
Four years after The DAO heist, it seems appropriate to note George W. Bush's rhetorical question "Rarely is the question asked, is our children learning?"

2 comments:

Dragan Espenschied said...

News from the art world regarding blockchains and smart contracts as a proof of ownership of digital artworks in this Twitter thread by Harm van den Dorpel: https://twitter.com/harmvddorpel/status/1255108289584644097

Highlights:

"1/9) The way left gallery used to work (v1) was that people could pay with +50 cryptocurrencies (using Coingate), PayPal, or creditCard (using Stripe)"

"8/9) Interestingly, most people who bought editions from left gallery, and who are active in the blockchain space, paid with PayPal, not with their crypto..."

David. said...

Jemima Kelly reports that Bitcoin’s “halvening” is upon us:

"The reason this is so exciting to bitcoin bros (and gals, though there are far fewer of those) is that this event is seen as a “surefire way” for number to go up (ie, for the price to increase). That’s because, according to the logic, if demand remains the same, the “age-old phenomenon of supply and demand” will kick in.

As we’ve pointed out before, however, the supply is still actually increasing, just at a slower rate. The halvening, therefore, can be thought of as a kind of “tapering”, but not a reduction in supply. Tomorrow, there will still be more bitcoins in circulation than today. So we see no reason that the halvening should boost bitcoin’s price."

And it didn't - staying around $8.5K.