Over the weekend, the exploitation of a smart contract vulnerability forced developers at Ethereum-based app Fulcrum to partially disable its smart contract. A recent postmortem of the security breach shows that the attacker used a series of complex trades across multiple applications to exploit the vulnerability. [bZx] This caused researchers to conclude that the attacker possessed an “extremely in-depth knowledge of every DeFi protocol.”
The Viability of DeFi
As BeInCrypto has previously reported, the incident prompted some to question the viability of the DeFi sector. Charlie Lee, the founder of Litecoin, said the fact that so-called decentralized applications have an admin key to pause contracts amounted to ‘decentralization theatre.’
Lightning Network developer Alex Bosworth shared a similar opinion:
If your “defi” project has an admin key or a coordinator, a set of oracles, a group of validators or cosigners, a default trusted keys list, even if you “have plans to phase it out”, what you are actually doing is running a financial service. In other words you actually have no d
— Alex Bosworth (@alexbosworth) February 15, 2020
Whether claims of absolute decentralization are accurate or not, the incident points at a much larger and more fundamental problem within the industry. Although the report by researchers at bZx states that all user funds are safe and that they have implemented a patch to stop future attackers from using the same exploit, such reactive fixes do nothing to prevent the next, as yet unknown, vulnerability.
As financial applications, the likes of Fulcrum represent vast honeypots for hackers. They run constantly and expose increasingly complex functions, and the number of smart contracts that have already fallen victim to exploits shows how alluring a target they make.
Reporter and industry observer Larry Cermak highlighted the issue via Twitter earlier Tuesday. He describes current DeFi applications as a constant “multi-million dollar bounty open 24/7 and with very little consequences.”
Cermak concludes that creating a DeFi application must be an enduring headache for developers:
In all seriousness, I can’t even imagine the stress that the DeFi currently have EVERY SINGLE DAY. It’s a multi million dollar bounty open 24/7 and with very little consequences.
— Larry Cermak (@lawmaster) February 18, 2020
The bZx developers themselves seem to agree with the above. Kyle J Kistner, CVO of bZx, writes:
“The space is evolving quickly, and security is becoming increasingly more dire as the barriers to entry to executing an exploit drop to zero. There is no analog to this in the traditional financial system. We are now in uncharted territories.”
Meanwhile, others have argued that the industry is still far too untested for people to be investing such large sums of money in new, complex dApps. In the following Twitter thread, Taylor Monahan, CEO of MyCrypto.com, details how bZx has been at the heart of several previous vulnerabilities:
The problem is idiots can build an exciting product, ignore security, refuse to learn, and still handle millions of dollars worth of your money bc y'all think #DeFi is safe.
1. Start holding people accountable
2. Stop giving idiots your money
3. Start learning from history
— Taylor Monahan (@tayvano_) February 18, 2020
Ultimately, she concludes that past DeFi exploits should be enough to steer people away from the industry, and she argues for greater accountability within it. However, with interest and investment in decentralized finance growing rapidly, and the applications growing in complexity alongside it, it is undoubtedly a matter of when rather than if an incident similar to the Fulcrum hack occurs again.