DeFi hacks on Binance Smart Chain increase with increasing TVL and volume
Binance Smart Chain (BSC) was introduced in September 2020 as a parallel blockchain to the Binance Chain. It enabled the creation of smart contracts and a staking mechanism for the native token of both blockchains, Binance Coin (BNB).
In its short nine months of existence, many decentralized finance (DeFi) projects have been built on it, but there have also been numerous cases of hacks in the logs of the blockchain.
The latest victim in the series of exploits is the Spartan Protocol. The synthetic assets liquidity platform was the subject of an attack that resulted in a loss of $ 30 million to the log on May 2. According to blockchain security firm PeckShield, the hack enabled the malicious actors to increase the balance of a given liquidity pool and burn liquidity provider token for a significant amount of crypto in the pool. This is also known as a flash credit attack.
Cointelegraph discussed the main cause of this hack with Michael Perklin, chief information security officer of the crypto trading platform ShapeShift, who said, “The main cause of the Spartan hack appears to have been an error in the order of operations in the smart contract.” Add:
“The way Spartan’s contracts were programmed, some operations were performed after the pool’s liquidity was updated rather than before, allowing attackers to control the price of tokens in the pool based on their deposits.”
According to Rekt, the Spartan Protocol hack is the sixth largest DeFi hack in the history of the domain. Three of the six top hacks exploited by value were performed in logs on BSC, the other two are the hacks on Uranium Finance and Meerkat Finance. In addition to these hacks, the top DeFi protocol for BSC, PancakeSwap, and Cream Finance have even been used in phishing attacks to steal money.
When Uranium Finance was hacked on April 28, US $ 50 million was stolen from the automated market maker platform. The hacker took advantage of flaws in Uranium’s balance modifier logic to increase the balance of the project by a factor of 100. This was the second hack on the platform in quick succession. The first was on April 10th when the hacker stole $ 1.3 million from the log. Because of this hack, the protocol was migrated to the v2 iteration of its code.
In the Meerkat Finance exploit, users lost $ 31 million on the platform due to an alleged carpet removal by the developers. A carpet move is a kind of exit fraud in which the support from the liquidity pools is withdrawn from the market in the decentralized market.
Lack of care and decentralization
BSC is an Ethereum Virtual Machine compatible chain, which means that the network uses essentially similar logic to the Ethereum blockchain. The main difference, however, is the decentralization. BSC is pretty centralized and uses a consensus algorithm for proof-of-stake authority.
Instead of having validators throughout the network as in Ethereum, BSC has 21 validators that are selected from the network and are responsible for the state of the network and the responsibility for validation. With only 21 validators in the network, it is highly centralized compared to other blockchains.
The blockchain trilemma, a term coined by Ethereum co-founder Vitalik Buterin, describes the improbability of a blockchain that has all three of the following properties: decentralization, security and scalability. Essentially, this means that improving one of these three aspects would mean that the other two would be compromised to some extent.
Since BSC seems to be compromising on the decentralization aspect, it may also mean that there should be several sources of error that hackers want to exploit. Marie Tatibouet, Marketing Director of Gate.io – a cryptocurrency trading exchange – told Cointelegraph, “Centralized exchanges and avenues are much riskier than their decentralized counterparts because of their inherent structure. A decentralized system distributes its risks over the entire network and reduces structural weaknesses. “
Since BSC is a public, permissionless infrastructure, developers can create and deploy DeFi protocols without censorship. The responsibility for understanding the risks associated with DeFi protocols on the network therefore rests even more with the users. Martin Gasper, research analyst at CrossTower – a digital asset exchange – told Cointelegraph:
“An important consideration for BSC protocols is that they are relatively new compared to many well-known Ethereum DeFi protocols that have withstood the test of time and many tests of their code. For newer projects on BSC, the code may also be written by less experienced developers, which brings additional risks for users who drop crypto in them. “
Although the DeFi protocols smart contracts were manipulated and exploited in the above hacks, this doesn’t really reflect the inherent security flaws of the BSC network. Cointelegraph reached out to Binance to understand how to pick up these hacks. The exchange rep refused to comment on certain hacks, but compared them to Ethereum in the early stages of DeFi, placing the responsibility with the users. The Binance spokesman said:
“In the 2017 ICO boom, several ICOs and projects based on Ethereum were fraudulent and many were vulnerable to attack. This does not mean that the Ethereum blockchain has security flaws, but only that investors who have fallen victim to the security breaches of projects are not aware of them. New retail users have not properly assessed their risks. “
However, ConsenSys Labs, a blockchain technology company that powers Ethereum’s infrastructure, maintains a Ethereum Smart Contract Best Practices page that lists various known attacks and other key aspects of network deployed smart contracts. However, no such page is maintained for BSC.
Tatibouet also argued that “the lack of due diligence” caused these hacks to the centrality of BSC. “They announce hundreds of projects every week. Because of their centralized approach, they simply don’t have the manpower to do the necessary reviews. “She also pointed out that Uranium Finance didn’t even reveal which company had reviewed its code, which in itself should have been a big red flag.
Growth of BSC due to gas fees on Ethereum
Ethereum has faced high gas fees in the past few months. As a result, several users have been banned from using DeFi applications on the network. In comparison, BSC has significantly lower gas fees and faster block times than Ethereum due to its centrality. Ethereum’s gas fees have so far topped 300 Gwei in May after the hard fork in Berlin that supposedly cut gas prices. In comparison, BSC’s gas charges are extremely low. The average gas price is currently 6.6 Gwei.
It is this difference in gas prices that has led several DeFi protocols and retail investors to this network. The Binance spokesman added: “Developers can worry less about costs and focus more on innovation. The faster transaction speed and low transaction costs have accelerated the benefits since it launched last year. “
On May 9, BSC’s daily transactions hit their all-time high of 9.7 million, while Ethereum’s daily transactions also hit their all-time high of 1.7 million on the same day. That is almost six times the transactions on Ethereum. This is a sign of the increasing adoption of the BSC network as more and more DeFi protocols use it. However, when comparing the two networks, Gasper said:
“BSC seems to be relatively little innovative, as many of the projects in the network are modeled on the top DeFi protocols from Ethereum. Additionally, Ethereum has a broader suite of products and more developers working on it, and products for it, compared to BSC. “
The total value (TVL Locked) on the BSC network is currently nearly $ 46 billion, up 60% from the TVL of $ 28.6 billion a month ago. With BSC becoming more and more widely adopted, it is extremely important that users be careful and do thorough research before investing in logs that are stored on the network. This is due to their centralized approach and lack of adequate due diligence.