Feb. 3, 2022: Safety Dance👷💃
Multimillion Dollar Wormhole Hack Puts DeFi Safety in the Spotlight
Edit 8:00 AM: Audio issues with the video today, enjoy this instead:
Do people in this space actually still have money left to lose? Yesterday hackers were able to find and steal the last remaining 80,000 ETH, worth approximately $0 at recent prices. Good work hackers, you collected all the coins, time to retire!
So what happened to Wormhole? Cross-chain bridges do have a lot in common with the theoretical physics concept of wormholes. In physics, wormholes tend to be horribly unstable, only existing for mere fractions of seconds before they collapse in on themselves and disappear into the ether. It turns out this has some explanatory power over cross-chain cryptocurrency projects…
Building cross-chain applications is extremely difficult. Vitalik described this in a lengthy essay just a month ago.
Technically, bridging funds between two blockchains is extremely tricky. For starters, you have twice the number of attack surfaces.
Successfully bridging funds requires some sort of proof that funds on the source chain have been locked, then communicating that information onto a different chain that usually has no direct means of exchanging such information. Usually the destination chain has a contract that mints or releases a token whenever a valid signature is received, so hackers need only figure out how to mimic such a signature to print money.
This played out pretty much exactly here, as covered well by multiple in-depth explainers.
The hack has all sorts of interesting implications. For starters, there’s the lessons devs can take, although even this is far from clear. We already know cross-chain development is nearly impossible, so I guess the lesson is be even more careful?
It can also be frustrating because developers of the bridge have to be 100% perfect in terms of their construction, but their work can be undone in an instant by even the sloppiest of hackers. In this case, the hacker left open a three hour window.
The three hour break means the first tiny hack, if it had been detected, could have left enough of a window for the larger hack to have been stopped. Even if the precise mechanics couldn’t be uncovered, they could have just pressed the giant red button at Solana HQ that shuts down the blockchain while they investigate.
Sure, that’s not how blockchains are supposed to work, but SBF also managed to grow fat off the land without even knowing how vegetables work, so don’t lecture him about how to do things.
Another fun afterthought is the philosophical implications of such a hack. Despite the record-setting numbers that get lost, users don’t often tend to lose a lot of funds directly in these hacks. Unless you happened to be in the process of bridging, it tends to only be the bridging protocol that sees its reserves drained. See also the Poly Network hack.
That is, in a bridge attack, it may simply be that the contract that locks funds at the source gets drained, meaning simply it’s impossible to bridge back. Or it may be that the destination bridge happens to mint a bunch of new tokens that don’t have any backing at the source. In this case, if people lack faith in the value of the bridged token, then everybody winds up the loser. There was a lot of concern in the immediate aftermath of this hack that ETH on Solana would lose its value and undermine the entire chain’s DeFi ecosystem.
Fortunately, Wormhole happened to have a few hundred thousand ETH just lying around to keep the peg backed.
The more we keep digging, the less we want answers! From just last week…
In terms of optics, it’s a terrible time for all these hacks. Cryptocurrency is under direct assault by Washington DC, so we really have to step up our game. We choose to build a decentralized permissionless financial system not because it’s easy, but because it’s hard.
So it’s a great time to review basic security.
To be honest, safety is one of the reasons I found myself interested in Curve in the first place. I tend to be overly cautious with my money, which makes me slow to jump into opportunities, but at least I’ve avoided rugs to date. When I was first considering Curve, I spent a ton of time digging into all aspects of the site’s construction. I sat on the sidelines observing for several months to look for red flags.
What I found was a team overly obsessed with user safety. Extensive care to build systems that protected their users. Extremely robust unit testing on all contracts. The team building with and contributing to Vyper, a language extremely similar to Solidity but with some seemingly pedantic improvements to security. But when it comes to securing billions of dollars worth of funds with no major security issues to date, one can’t really be too pedantic.
This safety obsession was on full display in recent days. Independent monitor @DeFiSafety did an initial review and gave Curve an 80%. That’s about a B-?!? The complaint was about a lack of timelocks, which didn’t make a ton of sense.
Curve could have just let it slide, contenting itself with the best track record in all DeFi. Instead, they undertook to an epic thread, detailing the extraordinary safety measures the team has in place and publicly schooling the auditors about security.
Perhaps realizing their auditors knew less on this subject than Curve, they bumped the grade up to a low A.
This is still a lowball mark to be honest, mostly due to this misunderstanding:
IMHO it reflects poorly on DeFiSafety that they are seemingly unaware of how to download any Curve repository from Github, type brownie test —-network mainnet-fork
into their console, and then marvel at the time and attention Curve spends to achieve nearly 100% test coverage. Here you go, here’s a test report for you!
Watch the Curve Brownie Tutorial and learn why publishing test reports is markedly inferior to allowing everybody to easily replicate the test report themselves! So if anybody reads the laughable claim that there is no “test report evident,” note that this really just amounts to an epic self-own on DeFi Safety’s part.
Still, when it comes to grading safety, it’s better to err on the side of caution. At any rate, Curve appears to have stopped pressing the argument so we shall too.
Plus, credit to DeFi Safety for taking the time to have these discussions. Particularly because a number of scammers use a similar approach, but seeking to extort a payoff. It’s nice that DeFi Safety is doing this for seemingly good reasons. Hopefully they know if they want to talk about safety they can chat with Curve anytime.
What normies should take away from the discussion is mostly the high value the Curve team places on security. Consider the public reaction of these two “competing” protocols to this report and ask yourself which has earned more trust, the one that fought back scathingly at the suggestion of a B, or the one that shrugged off an F?
With so many hacks, it’s definitely worth stepping up and seeing what we can all do to make this space safe for all!