"Smart contracts" are programs, and programs have bugs. Some of the bugs are exploitable vulnerabilities. Research has shown that the rate at which vulnerabilities in programs are discovered increases with the age of the program. The problems caused by making vulnerable software immutable were revealed by the first major "smart contract". The Decentralized Autonomous Organization (The DAO) was released on 30th April 2016, but on 27th May 2016 Dino Mark, Vlad Zamfir, and Emin Gün Sirer posted A Call for a Temporary Moratorium on The DAO, pointing out some of its vulnerabilities; it was ignored. Three weeks later, when The DAO contained about 10% of all the Ether in circulation, a combination of these vulnerabilities was used to steal its contents.
$25M goes Poof!

[Image: Hegic's "!! ALERT A typo has been found in the code" tweet, quoted in full below.]

Below the fold, some details.
Gerard sums up concisely:
The root cause of smart contract issues in practice is the clash of two factors:

Then he details the two current examples from "decentralized finance". First, dForce succumbed to the same type of bug that infected The DAO:
DeFi provider dForce suffered an unfortunate exploit of its lendf.me protocol on 18 April — in which an attacker took off with $25 million of assets under management, leaving just $18,900. [CoinDesk]

dForce should have known the attack was coming:
The assets were mostly ether and bitcoins — not actual ether and bitcoins, but tokens representing them. The exploit involved using imBTC tokens as collateral.
imBTC is an ERC-777 token. ERC-777 is an updated version of the ERC-20 standard, which most ICO token contracts were built on — but the imBTC smart contract had a re-entrancy bug, where you could withdraw repeatedly before the balance updated. (This is the sort of bug The DAO fell to in 2016.)
After sufficient iterations, the attacker used their imBTC balance as collateral to borrow multiple other assets. The attacker then surrendered their collateral, and kept the borrowed assets. [Twitter]
The imBTC pool on Uniswap had been attacked and drained the same way, the previous day. [Twitter]

Second, Hegic repeated The DAO's mistake by ignoring a request for delay accompanied by notification of several vulnerabilities. Unlike The DAO, which survived about 7 weeks before disaster struck, Hegic survived only one day:
Hegic is an on-chain options trading protocol on Ethereum — intended for use in decentralised finance (DeFi). Hegic proudly proclaims it was audited by Trail of Bits, before its launch on 24 April. [Hegic]

Given that the initial rate of vulnerability detection was one per day, waiting for the rate to increase is hardly necessary. It turned out that Hegic was over-selling the Trail of Bits "audit":
The next day, Hegic alerted users to a bug in the code: “!! ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW.” [Twitter]
The bug was a typographical error in a function name — Hegic used options.length instead of optionIDs.length, while they had options defined in outer scope, so the Solidity compiler tried to use that. [Twitter; GitHub]
[CEO Dan Guido] did post a thread explaining precisely what Trail of Bits had — and hadn’t — done: [Twitter]

In 3 days earlier this month, we identified 10 critical flaws in @HegicOptions that could harm users. We noted a lack of tests, a lack of documentation, and that the time afforded to review their code was insufficient.

Bottom line: we told them to hold off deploying. This was the right advice, and we generally expect people listen to us when they’re paying for our help.

Instead, Hegic patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an “audit”, then immediately deployed.

Four years after The DAO heist, it seems appropriate to note George W. Bush's rhetorical question "Rarely is the question asked, is our children learning?"
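The Hegic typo is just as easy to reproduce in miniature. The sketch below is an added example, not Hegic's contract; its struct, array and function names are assumed. Because the state array `options` is in scope inside the function, `options.length` resolves cleanly and the compiler has nothing to complain about, even though the loop was meant to run over the `optionIDs` argument. The buggy loop reverts with an out-of-bounds index as soon as fewer IDs are passed than options exist, which is exactly the "liquidity can't be unlocked" symptom.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example of the options.length / optionIDs.length confusion.
// Not Hegic's code; all names here are assumed for illustration.
contract OptionsPoolSketch {
    struct Option {
        uint256 lockedLiquidity;
        bool expired;
        bool unlocked;
    }

    Option[] public options;        // state array: every option ever written
    uint256 public totalLocked;     // liquidity still locked in options

    function writeOption(uint256 liquidity) external returns (uint256 id) {
        options.push(Option({lockedLiquidity: liquidity, expired: false, unlocked: false}));
        totalLocked += liquidity;
        return options.length - 1;
    }

    // Stand-in for expiry logic; in a real pool this would check timestamps.
    function expire(uint256 id) external {
        options[id].expired = true;
    }

    // BUG: bounds the loop by the state array, not by the argument. The name
    // `options` is in scope, so this compiles. It reverts with an index
    // out-of-bounds panic when optionIDs is shorter than options, and silently
    // does nothing when options is empty.
    function unlockBuggy(uint256[] calldata optionIDs) external {
        for (uint256 i = 0; i < options.length; i++) {
            _unlock(optionIDs[i]);
        }
    }

    // Fixed: iterate over the IDs the caller actually supplied.
    function unlockFixed(uint256[] calldata optionIDs) external {
        for (uint256 i = 0; i < optionIDs.length; i++) {
            _unlock(optionIDs[i]);
        }
    }

    function _unlock(uint256 id) internal {
        Option storage o = options[id];
        require(o.expired && !o.unlocked, "not expired or already unlocked");
        o.unlocked = true;
        totalLocked -= o.lockedLiquidity;
    }
}
```

A single unit test that writes three options, expires one and calls unlock with a one-element array would have caught this before deployment: the buggy version reverts on the second iteration, the fixed one succeeds. That is the "lack of tests" point in the Trail of Bits thread made concrete.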