As Binance Smart Chain extends its footprint, so do hacks on DeFi protocols hosted on the network.
Binance Smart Chain, or BSC, was launched in September 2020 as a blockchain running in parallel to Binance Chain. It added smart-contract support and a staking mechanism for Binance Coin (BNB), the native token of both chains.
In its short nine-month lifetime, a number of decentralised finance, or DeFi, projects have been built on it, but there have also been several attacks on the protocols hosted on the chain.
The latest victim in the series of exploits is Spartan Protocol. The liquidity platform for synthetic assets was the subject of an attack that led to a loss of $30 million for the protocol on May 2. According to blockchain security firm PeckShield, the hack allowed the malicious actor(s) to inflate the balance of a particular liquidity pool and burn liquidity provider tokens for a significant amount of crypto in the pool. This is also referred to as a flash loan attack.
Speaking to Cointelegraph, Michael Perklin, chief information security officer of crypto trading platform ShapeShift, said, “The root cause for the Spartan hack appears to have been a bug in the ordering of operations in the smart contract,” adding:
“The way Spartan’s contracts were programmed, some operations were performed after updating the pool’s liquidity instead of before, which allowed attackers to control the price of tokens in the pool based on their deposits.”
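To make the class of bug Perklin describes concrete, here is an added toy example that is not Spartan Protocol's code and does not reproduce its exploit. It models a pool that redeems liquidity-provider units for a share of the reserve, once with the share computed before the pool's books are updated and once with the update done first, plus the property check a reviewer or test suite would assert to catch the reordering. The pool layout, function names and sample numbers are all constructed for the illustration.

```python
from dataclasses import dataclass

# Toy liquidity pool, constructed for this illustration; it is not Spartan
# Protocol's contract and only models the class of ordering bug described.
@dataclass
class Pool:
    reserve: int       # tokens the pool holds
    total_units: int   # liquidity-provider units outstanding


def burn_units_fixed(pool: Pool, units: int) -> int:
    """Redeem LP units for a pro-rata share of the reserve.
    The share is computed from the state *before* the books are updated."""
    assert 0 < units <= pool.total_units
    payout = pool.reserve * units // pool.total_units
    pool.total_units -= units
    pool.reserve -= payout
    return payout


def burn_units_buggy(pool: Pool, units: int) -> int:
    """Same redemption with the operations reordered: the unit supply is
    reduced first, so the share is computed against a denominator that no
    longer counts the units being burned, and early redeemers are overpaid."""
    assert 0 < units < pool.total_units  # burning every unit would divide by zero
    pool.total_units -= units
    payout = pool.reserve * units // pool.total_units
    pool.reserve -= payout
    return payout


def redeem_in_slices(burn, reserve: int, total_units: int, holders: int) -> list[int]:
    """Let `holders` equal LPs redeem one after another; stop once the reserve is empty."""
    pool = Pool(reserve, total_units)
    slice_units = total_units // holders
    payouts = []
    for _ in range(holders):
        if pool.reserve == 0:
            break  # nothing left for the remaining holders
        payouts.append(burn(pool, slice_units))
    return payouts


def fair_share_respected(burn, reserve: int, total_units: int, holders: int) -> bool:
    """Property a defender can assert in tests: nobody is paid more than their
    pro-rata share of the starting reserve, and every holder gets paid."""
    payouts = redeem_in_slices(burn, reserve, total_units, holders)
    fair = reserve // holders
    return len(payouts) == holders and all(p <= fair for p in payouts)
```

With a reserve of 1000 split among five equal holders, the correct ordering pays each 200, while the reordered version pays the first four 250 each and leaves the fifth with nothing.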
The Spartan Protocol breach, according to Rekt, is the sixth-largest DeFi hack in the domain’s history. Three of the top six hacks by funds accessed have occurred on BSC protocols, the other two being Uranium Finance and Meerkat Finance. In addition to these hacks, the top DeFi protocols on BSC, PancakeSwap and Cream Finance, were used in money-laundering and phishing attacks.
On April 28, $50 million was stolen from Uranium Finance’s automated market maker platform. The attacker used flaws in Uranium’s balance modifier logic to inflate the project’s balance by a factor of 100. This was the second hack on the platform in quick succession: the first, on April 10, saw $1.3 million stolen from the protocol, after which the protocol migrated to the v2 iteration of its code.
Users lost $31 million on Meerkat Finance in a suspected rug pull by the developers. A rug pull is a form of exit scam in which the funds in a decentralised market’s liquidity pools are withdrawn by those who control them.
Lack of due diligence and decentralization
BSC is an Ethereum Virtual Machine-compatible chain, which means that it operates in much the same way as the Ethereum blockchain. The biggest distinction, however, is decentralisation. BSC is highly centralised and uses a Proof of Staked Authority consensus algorithm.
Instead of having validators spread across the network, as is the case for Ethereum, BSC has 21 validators that are selected from the network and are in charge of the network’s health as well as validation duties. With only 21 validators, it is heavily centralised in contrast to other blockchains.
The blockchain trilemma, coined by Ethereum co-founder Vitalik Buterin, describes the difficulty of a blockchain achieving all three of the following properties: decentralisation, security and scalability. Put simply, prioritising one of these three elements means compromising on the other two.
Therefore, since BSC appears to compromise on decentralisation, it potentially has points of failure that hackers look to exploit. Marie Tatibouet, chief marketing officer of Gate.io — a cryptocurrency trading exchange — said, “Centralized exchanges and avenues are a lot riskier than their decentralized counterparts, due to their inherent structure. A decentralized system spreads out its risks among its entire network and decreases structural weaknesses.”
Since BSC is a public, permissionless infrastructure, developers can create and deploy DeFi protocols without fear of censorship. As a result, the onus of identifying the dangers associated with DeFi protocols on the network falls even more squarely on users. According to Martin Gasper, a research analyst at CrossTower, a digital asset exchange:
“A key consideration for BSC protocols is that they are relatively new compared to many of the well-known Ethereum DeFi protocols, which have withstood the test of time and many audits of their code. Newer projects on BSC may also have their code written by less experienced developers, creating additional risks for users depositing crypto into them.”
Although the smart contracts of the DeFi protocols were tampered with and abused in the aforementioned attacks, this does not point to inherent security flaws in the BSC network itself. Cointelegraph contacted Binance to learn more about its perspective on these hacks. Although the exchange representative declined to comment on individual hacks, he did draw a comparison with Ethereum in DeFi’s early days, placing the blame on users. According to a Binance spokesperson:
“In the 2017 ICO boom, multiple ICOs and projects building on top of Ethereum were scams and many were vulnerable to attacks; that doesn’t mean that the Ethereum blockchain had security vulnerabilities, it simply indicated the lack of awareness amongst investors who fell prey to projects’ security breaches. New retail users did not evaluate their risks properly.”
Notably, ConsenSys Labs, a blockchain technology firm that supports Ethereum’s architecture, maintains an “Ethereum Smart Contract Best Practices” page that documents numerous known attacks and other critical aspects of smart contracts deployed on the network. No such page is maintained for BSC.
Tatibouet went on to say that, given the centralised nature of BSC, these hacks were exacerbated by a “lack of due diligence.” “Every week, they give approval to hundreds of projects. They just do not have the manpower to perform the requisite checks due to their centralised approach.” She also noted that Uranium Finance did not announce which firm audited its code, which should have been a big red flag in and of itself.
Growth of BSC owed to gas fees on Ethereum
In recent months, Ethereum has been plagued by high gas fees. As a result, many users have been priced out of using DeFi applications on the network. BSC, on the other hand, has considerably lower gas fees and shorter block times than Ethereum owing to its centralised nature. Even after the Berlin hard fork, which was meant to cut gas costs, Ethereum’s gas fees have exceeded 300 Gwei so far in May. In contrast, BSC’s gas fees are relatively low, with the overall average gas price remaining at 6.6 Gwei.
This disparity in gas prices drew the attention of several DeFi protocols and retail investors to this network. A spokesman for Binance added to this: “Developers can worry less about costs and focus more on innovating. The faster transaction speed and low transaction costs have accelerated its utility since its launch last year.”
On May 9, BSC’s daily transactions reached an all-time high of 9.7 million, against an all-time high of 1.7 million for Ethereum. That is almost six times the number of transactions on Ethereum and an indication of the BSC network’s growing popularity as more DeFi protocols use it. However, when comparing the two networks, Gasper stated:
“There seems to be relatively little innovation on BSC, as many of the projects on the network are modeled after the top DeFi protocols on Ethereum. Moreover, Ethereum has a broader product suite and more developers working on it and products for it, relative to BSC.”
The total value locked, or TVL, in the BSC network is approximately $46 billion, a 60% increase from the TVL of $28.6 billion just a month earlier. Because of the network’s centralised approach and the lack of adequate due diligence, users should remain vigilant and do rigorous analysis before engaging with protocols hosted on the network as its usage grows.