What Did We Learn from the MonoX Hack?
Gleb Zykov is the Co-Founder and Chief Technology Officer of HashEx, a blockchain advisory and security audits company.
The recent cyberattack on MonoX Finance, which resulted in the theft of USD 31m, once again points to insufficient security in decentralized finance (DeFi) protocols. To back up this recent instance with more data, let us look at the numbers in a report on fraud and theft in DeFi since 2020 by the data analytics firm Elliptic. The report says that USD 12bn had been stolen from the DeFi space from 2020 until 18 November 2021, with USD 10.5bn of it falling in the eleven months of 2021 so far.
These data pretty much mirror the growth of DeFi itself and send a clear message about the importance of security in decentralized finance to all of its participants and communities of various DeFi protocols. We see it as the biggest stumbling block for the industry moving forward because DeFi will not be able to become a sustainable alternative to centralized finance as long as its users expose their funds to such high levels of risk.
In this article, I will explain how the MonoX attack came to fruition and speak about the importance of security audits in DeFi and how project founders and traders can protect funds locked in smart contracts.
The MonoX swap attack explained
MonoX is a multi-blockchain decentralized exchange (DEX) that allows investors and traders to provide liquidity for the Ethereum (ETH) and Polygon (MATIC) blockchains. This type of DeFi protocol has been found to be the most vulnerable to cyber threats, as its code complexity is higher than that of DeFi protocols deployed on a single blockchain. However, the exploit that led to the loss of user funds from MonoX Finance is a pretty elementary thing.
The fraudsters used a bug that allowed them to use the native MONO token of MonoX Finance as both the base and the quote asset in a single swap operation. This allowed them to elevate the price of MONO without any real liquidity. After having done that, they simply swapped their MONO for such assets as WETH, LINK, IXM, MIM, DUCK, GHST, leaving the liquidity providers with pretty much worthless digital tokens.
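The class of bug described above, as an added example that is not MonoX's contract code: a simplified Python model of a pool that prices each token independently, shown with and without a check that the two sides of a swap differ. The pricing formulas, the `Pool` class, the `reject_same_token` switch and all balances are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

class SwapRejected(Exception):
    """Raised when a swap names the same token on both sides."""

@dataclass
class Pool:
    # Constructed sample state; prices are in an internal accounting unit.
    reserves: dict = field(default_factory=lambda: {"MONO": 1000.0, "WETH": 10.0})
    prices: dict = field(default_factory=lambda: {"MONO": 1.0, "WETH": 4000.0})
    reject_same_token: bool = False  # False = flawed pool, True = hardened pool

    def swap(self, token_in: str, token_out: str, amount_in: float) -> float:
        if self.reject_same_token and token_in == token_out:
            raise SwapRejected("token_in and token_out must differ")
        r_in, p_in = self.reserves[token_in], self.prices[token_in]
        r_out, p_out = self.reserves[token_out], self.prices[token_out]
        # Sell side: the incoming token gets cheaper.
        new_p_in = p_in * r_in / (r_in + amount_in)
        value = amount_in * new_p_in
        # Buy side: the outgoing token gets more expensive.
        cash_out = r_out * p_out
        amount_out = r_out * value / (cash_out + value)
        new_p_out = (cash_out + value) / (r_out - amount_out)
        self.reserves[token_in] += amount_in
        self.reserves[token_out] -= amount_out
        # Both prices were derived from the pre-swap state. If the two tokens
        # are the same, the second write replaces the first, so the price
        # only ever moves up and no other asset has entered the pool.
        self.prices[token_in] = new_p_in
        self.prices[token_out] = new_p_out
        return amount_out

def price_after_self_swaps(pool: Pool, token: str, amount: float, rounds: int) -> float:
    """Swap `token` for itself `rounds` times and return its resulting price."""
    for _ in range(rounds):
        pool.swap(token, token, amount)
    return pool.prices[token]

if __name__ == "__main__":
    flawed = Pool()
    print("flawed pool, MONO price:", price_after_self_swaps(flawed, "MONO", 100.0, 5))
    try:
        price_after_self_swaps(Pool(reject_same_token=True), "MONO", 100.0, 5)
    except SwapRejected as exc:
        print("hardened pool:", exc)
```

A functionality test that asserts a same-token swap is rejected, or leaves the price unchanged, is the kind of check a developer team can run before handing the code to auditors.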
MonoX Finance had been audited by Halborn and Peckshield, though, and had an extensive list of issues identified in the audit report. This is indicative of the poor quality of the project’s code base, which makes it much harder not to overlook one bug or another. Therefore, it is not only a failure on the auditors’ part to find a major exploit but also a failure of the developers to provide easy-to-read code of their smart contracts.
In this context, I would like to emphasize how important it is to write easy-to-read code, which is the duty of the programmers. Also, before handing it to the auditors, the developer team had better do some functionality testing of their own to make sure that every smart contract works as expected.
What can help save funds
There is no doubt that audits are a standard way to make a DeFi smart contract safer. But what are the other ways to save the money locked in a smart contract from theft? There are different tactics for investors and owners.
For DeFi founders
Multisignature or DAO
To earn the trust of the community, an honest DeFi project has to take steps to ensure that there will not be any kind of a rug pull, i.e. money being stolen from inside the project. The first thing to do in this respect will be to decentralize the ownership of the smart contract between several team members. It means that for changes or commands to be executed in a smart contract, they will require authorization from several private keys.
The DAO (decentralized autonomous organization) is another way to minimize the rug pull threat. A DAO allows the distribution of the voting power through tokens that will be necessary to make changes to the DAO’s smart contract. To vote for changes, token holders will have to lock their tokens in the smart contract until the vote ends. Therefore, if the project founder does not have an overwhelming majority of the tokens, he or she will not be able to make changes to the contract single-handedly.
Command execution delay
Another option is to enable a delay in the execution of commands that are entered using the private key to the smart contract. Such commands are then executed not immediately but only after a certain delay. Users who deposited funds in the smart contract can monitor queued transactions and will be able to alert the community before it is too late.
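The two founder-side controls described above (authorization from several keys and a command execution delay), combined in one added Python model that is not taken from any project's contracts. The `GuardedAdmin` class, the owner names, the command name and the two-day delay are constructed assumptions; `pending` is the view a depositor's monitor would poll.

```python
from dataclasses import dataclass, field

@dataclass
class Command:
    action: str
    eta: int                                   # earliest execution time, unix seconds
    approvals: set = field(default_factory=set)
    executed: bool = False

class GuardedAdmin:
    """Owner commands need `threshold` distinct owner approvals and a delay."""

    def __init__(self, owners, threshold: int, delay: int):
        self.owners, self.threshold, self.delay = set(owners), threshold, delay
        self.queue = {}

    def _require_owner(self, sender: str) -> None:
        if sender not in self.owners:
            raise PermissionError(f"{sender} is not an owner")

    def propose(self, cmd_id: str, action: str, sender: str, now: int) -> None:
        self._require_owner(sender)
        if cmd_id in self.queue:
            raise ValueError("command id already queued")
        # The delay starts when the command is queued, not when it is approved.
        self.queue[cmd_id] = Command(action, now + self.delay, {sender})

    def approve(self, cmd_id: str, sender: str) -> None:
        self._require_owner(sender)
        self.queue[cmd_id].approvals.add(sender)  # a set ignores repeat approvals

    def execute(self, cmd_id: str, now: int) -> str:
        cmd = self.queue[cmd_id]
        if cmd.executed:
            raise PermissionError("already executed")
        if len(cmd.approvals) < self.threshold:
            raise PermissionError("not enough approvals")
        if now < cmd.eta:
            raise PermissionError("delay has not elapsed")
        cmd.executed = True
        return cmd.action

    def pending(self, now: int) -> list:
        """Queued, unexecuted commands with the seconds left before they can run."""
        return [(cid, c.action, max(0, c.eta - now))
                for cid, c in self.queue.items() if not c.executed]
```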
Check the team
Look up the team members on social media and see if their personal data matches across different social networks. If the team does not reveal their real identities, it might be a signal for concern.
See the site
The site of the project should be presentable, and the text on it should be literate. The same goes for the project’s documentation: it should be well structured and written in good language. Mediocre language on the site is a big reason for concern.
See audit reports
If there is no mention of audits of the project, it is a serious issue and should alarm a potential investor right away. If there are links to audit reports, you should go through them and see what the auditor has stated about the project’s code. It is important to see what they wrote about the quality of the code too.
With DeFi projects becoming more complex, the probability of bugs being present in the code has increased, but that has not affected the procedure of the audits. Still, more than 90% of the work is manual verification of the code. Only the new types of exploits require additional code checking on top of what we were previously doing.
Investors should also do their own due diligence: research the project’s site, documentation and audit reports as a bare minimum. Staying on guard is also very important when dealing with DeFi as long as this financial market carries such a high level of threat for the users’ funds.