Assessing what was behind the latest $600k DeFi exploit
The Li Finance protocol was recently compromised in a $600,000 hack. Reportedly, 29 wallets were affected. The bug was later fixed, but the incident adds to the growing list of DeFi hacks.
The bug in the Li project was exploited at 02:51 AM (UTC) on 20 March 2022. The 10 stolen currencies included USD Coin (USDC), Polygon (MATIC), Tether (USDT), and AAVE (AAVE).
• ~$600K have been stolen from 29 wallets
• Users don’t have to do anything
• Bug has been fixed and is already deployed https://t.co/fqOxJxDrZs
— LI.FI – Any-2-Any Swaps (@lifiprotocol) March 21, 2022
Is DeFi safe?
The Li Finance hack is understandably a new concern for DeFi users. The number of DeFi exploits has been skyrocketing since the start of 2021.
The chart below shows the rise in crime in the crypto sphere, with more than $3.2 billion stolen in around 250 thefts. Notably, $2.3 billion of that amount was stolen from DeFi platforms. DeFi-centric attacks increased 6x in 2021 compared to 2020.
Chainalysis cites the reliance of DeFi platforms on open-source software as the main reason for these rising DeFi exploits.
Furthermore, price oracles are another issue cited by Chainalysis.
Secure but slow oracles are vulnerable to arbitrage; fast but insecure oracles are vulnerable to price manipulation. The latter type often leads to flash loan attacks, which extracted a massive $364 million from DeFi platforms in 2021.
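The trade-off above, modelled as an added Python example (not from the original article or from Chainalysis): a constructed constant-product pool is read by a spot oracle and by an averaging oracle. The pool sizes, trade size, 10-block window and per-block arithmetic mean are all assumptions chosen for illustration.

```python
"""Constructed toy model: spot vs. time-weighted (TWAP) price oracle on a
constant-product pool. Every number here is made up for illustration."""


class Pool:
    """x * y = k pool holding `base` tokens and `quote` stablecoins."""

    def __init__(self, base, quote):
        self.base, self.quote = float(base), float(quote)

    def spot(self):
        return self.quote / self.base  # quote units per base token

    def buy_base(self, quote_in):
        k = self.base * self.quote     # invariant before the trade
        self.quote += quote_in
        self.base = k / self.quote     # pool gives up base to keep x * y = k


def twap(prices, window):
    """Arithmetic mean of the last `window` per-block observations."""
    recent = prices[-window:]
    return sum(recent) / len(recent)


def transient_distortion(window=10, trade=100_000):
    """One oversized trade skews a single observation.
    Returns (spot reading, TWAP reading); the fair price is 100."""
    pool = Pool(1_000, 100_000)
    history = [pool.spot()] * (window - 1)  # quiet blocks before the trade
    pool.buy_base(trade)
    history.append(pool.spot())             # the skewed observation
    return history[-1], twap(history, window)


def genuine_move(window=10, blocks_after=3, old=100.0, new=120.0):
    """The market really reprices old -> new.
    Returns (spot reading, TWAP reading) a few blocks later."""
    history = [old] * window + [new] * blocks_after
    return history[-1], twap(history, window)


if __name__ == "__main__":
    spot, avg = transient_distortion()
    print(f"transient skew: spot={spot:.0f}  twap={avg:.0f}  (fair=100)")
    spot, avg = genuine_move()
    print(f"genuine move:   spot={spot:.0f}  twap={avg:.0f}  (fair=120)")
```

In the first case the spot reading is off by 4x while the averaged reading is off by 30%; in the second the averaged reading still trails the real price three blocks later, which is the stale-price window the article describes as an arbitrage risk.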
Also, Chainalysis noted,
In 2021, code exploits and flash loan attacks—a type of exploit involving price manipulation—accounted for a near-majority of total value stolen across all services at 49.8%. And when examining only hacks on DeFi platforms, that figure increases to 69.3%.
Code audits were thought to provide a potential solution for the thefts. However, according to Chainalysis, “audits aren’t infallible. Nearly 30% of code exploits occurred on platforms audited within the last year, as well as a surprising 73% of flash loan attacks.”