Stablecoin project Defrost Finance will return the $12 million stolen in a December 23, 2022 exploit, despite CertiK having audited its code.
Defrost will use on-chain data to ensure the stolen funds are returned to the right users. The refund follows an attacker's exploitation of a flaw in several Defrost smart contracts. Blockchain security firm PeckShield first reported the attack on December 23, 2022.
Defrost customers lost $12 million
The hacker allegedly withdrew $173,000 via a flash loan attack on Defrost's V1 protocol. In a more significant attack on V2, the attacker stole $12 million by liquidating users' positions through fake collateral tokens and a malicious price oracle. The attacker later allegedly stole $1.4 million from cross-chain aggregator Rubik Finance, raising concerns about vulnerabilities in smart contract code.
Liquidation in DeFi occurs when the value of a user's collateral falls below the lending protocol's minimum loan-to-value ratio. Stablecoin protocols such as Defrost let users deposit collateral in exchange for permanent stablecoin loans, and the protocol uses an algorithmically adjusted stability fee to set the loan interest. Introducing fake collateral into V2 potentially corrupted the loan-to-value ratio of Defrost users' positions, leading to their liquidation.
CertiK audits reveal centralization issues
Both hacks draw attention to what conclusions can be drawn from smart contract code audits when assessing the soundness of a DeFi project. Blockchain security firm CertiK was implicated in both hacks, having conducted code audits of Defrost and Rubik.
CertiK audited Defrost's V1 smart contracts in November 2021, listing one major logic issue and five issues related to centralization. The former had been resolved at press time, while the latter had been acknowledged without evidence of further work. A logic issue, colloquially referred to as a 'bug', allows a smart contract to operate incorrectly without crashing. A centralization issue, on the other hand, means that if an attacker gains control of a shared privileged code path or variable, multiple components can be compromised at once.
CertiK also identified multiple centralization issues in Rubik Finance's SwapContract smart contract, including one that would enable a hacker to withdraw ETH/BNB and other tokens to hacker-controlled addresses.
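To make the two risk classes above concrete (the liquidation mechanics described earlier and the centralization issue described here), the following toy model is an added illustration, not Defrost's, Rubik's or CertiK's code. It assumes a hypothetical lending protocol where a liquidation threshold of 80% LTV, the admin keys, the token names and the prices are all constructed values. It shows how a single admin key combined with an unchecked price oracle can push a healthy position into liquidation, and how an N-of-M approval rule for listing collateral plus a per-update oracle deviation bound contain that risk.

```python
"""Constructed model of a collateralized stablecoin lending protocol.

Not the code of any real project: it exists only to show why a lone privileged
key and an unbounded oracle update are a liquidation risk, and what two cheap
guards (multi-party approval, oracle deviation bound) change.
"""
from dataclasses import dataclass, field

LIQUIDATION_LTV = 0.80  # hypothetical: positions above 80% LTV can be liquidated


@dataclass
class Position:
    collateral_token: str
    collateral_amount: float
    debt: float  # stablecoin debt


@dataclass
class Protocol:
    admins: set                 # keys allowed to approve governance actions
    approvals_required: int     # N-of-M: distinct admins needed per action
    max_price_move: float       # max fractional change accepted per oracle update
    prices: dict = field(default_factory=dict)    # token -> oracle price
    allowlisted: set = field(default_factory=set)  # tokens accepted as collateral
    pending: dict = field(default_factory=dict)   # action -> approving admins

    def _approve(self, action, signer):
        """Record one admin's approval; True once the quorum is reached."""
        if signer not in self.admins:
            raise PermissionError(f"{signer} is not an admin")
        self.pending.setdefault(action, set()).add(signer)
        return len(self.pending[action]) >= self.approvals_required

    def list_collateral(self, token, initial_price, signer):
        """Add a collateral token; only takes effect once enough admins agree."""
        if not self._approve(("list", token), signer):
            return False
        self.allowlisted.add(token)
        self.prices[token] = initial_price
        return True

    def update_price(self, token, new_price):
        """Oracle update guarded by a deviation bound: an update that moves the
        price by more than max_price_move is rejected instead of applied."""
        old = self.prices[token]  # KeyError for unknown tokens is intended
        if abs(new_price - old) / old > self.max_price_move:
            return False
        self.prices[token] = new_price
        return True

    def ltv(self, pos):
        if pos.collateral_token not in self.allowlisted:
            raise ValueError("collateral not allowlisted")
        value = pos.collateral_amount * self.prices[pos.collateral_token]
        return pos.debt / value

    def liquidatable(self, pos):
        return self.ltv(pos) > LIQUIDATION_LTV


def single_key_scenario():
    """One admin key, no oracle bound: the centralization issue in action.
    Returns (healthy_before_update, liquidatable_after_update)."""
    p = Protocol(admins={"owner"}, approvals_required=1, max_price_move=1e9)
    p.list_collateral("COLL", 10.0, "owner")
    user = Position("COLL", 100.0, 500.0)   # LTV 500 / 1000 = 0.5, healthy
    healthy_before = not p.liquidatable(user)
    p.update_price("COLL", 1.0)             # malicious oracle: price cut 90%
    return healthy_before, p.liquidatable(user)   # -> (True, True)


def hardened_scenario():
    """2-of-3 approvals and a 20% deviation bound.
    Returns (lone_listing_blocked, oracle_update_rejected, liquidatable)."""
    p = Protocol(admins={"a", "b", "c"}, approvals_required=2, max_price_move=0.20)
    p.list_collateral("COLL", 10.0, "a")
    p.list_collateral("COLL", 10.0, "b")    # second approval lists COLL
    lone_listing_blocked = not p.list_collateral("FAKE", 1.0, "c")
    user = Position("COLL", 100.0, 500.0)
    oracle_rejected = not p.update_price("COLL", 1.0)  # 90% drop exceeds bound
    return lone_listing_blocked, oracle_rejected, p.liquidatable(user)  # -> (True, True, False)


if __name__ == "__main__":
    print("single key:", single_key_scenario())
    print("hardened:  ", hardened_scenario())
```

The deviation bound is a trade-off rather than a free win: it also delays the protocol's reaction to a genuine market crash, so real deployments pair it with a time-weighted price feed and a governance path (multi-signer plus timelock) for out-of-band corrections. The point the model makes is the one the audit findings make: a single key that can both list collateral and steer the oracle turns a key compromise into a liquidation of every position at once.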
Audits are not a substitute for common sense
Rather than endorsing a project or its assets, CertiK tests the resilience of smart contracts to various attack vectors. It also assesses the contracts’ compliance with accepted coding standards and compares a project’s smart contracts to smart contracts produced by industry leaders.
A careful examination of CertiK’s website reveals that the company only audits code provided by DeFi protocols. It advises interested investors to conduct their own due diligence. Additionally, its report included the following disclaimer:
“CertiK’s position is that each company and individual is responsible for their own due diligence and ongoing security. CertiK aims to help reduce the high level of variance associated with attack vectors and the use of new and ever-changing technologies, and in no way claims to guarantee the security or functionality of the technology we agree to analyze.”
While not the complete picture, these reports can provide insight into project risks and help inform interested parties about the project. Any proposed changes to the smart contract code may go through a standard protocol voting process without government intervention.
Coinbase CEO Brian Armstrong advocates that DeFi protocols should be protected as free speech in the United States rather than being regulated under the laws governing financial services businesses.
BeInCrypto has reached out to the company or the person involved in the story for an official statement regarding the recent development, but has yet to hear back.