Certik Sees $12M recovered from Crypto Exploit Despite Audit

Ecological stablecoin project Defrost Finance will return $12 million in funds stolen through Dec. 23, 2022, exploit, despite undergoing a code audit by CertiK.

Defrost will use on-chain data to ensure the correct allocation of the stolen funds. The refund comes after an attacker exploited flaws in multiple Defrost smart contracts. Blockchain security firm Peckshield initially reported the attack on Dec. 23, 2022.

Defrost Clients Lose $12 Million

The hacker reportedly drained $173,000 through a flash loan attack leveled at Defrost’s V1 protocol. In a more significant V2 attack, a perpetrator stole $12 million by liquidating users’ positions through a fake collateral token and a malicious price oracle. Attackers later allegedly stole $1.4 million from cross-chain tech aggregator Rubic Finance, raising concerns about vulnerabilities in smart contract code.

Liquidations occur in DeFi when the value of a user’s collateral falls below a lending protocol’s minimum loan-to-value ratio. Stablecoin protocols like Defrost allow users to deposit collateral for a perpetual stablecoin loan. The protocol uses an algorithmically-adjusted stability fee to set the loan’s interest. The introduction of fake collateral to V2 likely compromised Defrost users’ loan-to-value ratios, leading to their liquidations.

CertiK Audits Reveal Centralization Issues

Both hacks have drawn attention to the conclusions that can be drawn from smart contract code audits when assessing the legitimacy of a DeFi project. Blockchain security firm CertiK was implicated in both hacks, with Defrost and Rubic having undergone code audits by the company. 

CertiK audited Defrost V1’s smart contracts in Nov. 2021, listing a critical logic issue and five issues relating to centralization. The former had been resolved at press time, while the latter was acknowledged without evidence of further work. A logic issue, colloquially referred to as a ‘bug,’ allows smart contracts to operate incorrectly without crashing. On the other hand, a centralization issue can cause the compromise of several entities if a hacker gains access to a shared code block or variable.

CertiK also unearthed several centralization issues in Rubic Finance’s SwapContract smart contract, one of which would enable a hacker to withdraw ETH/BNB and other tokens to the hacker’s address.

Audits Don’t Replace Common Sense

Rather than endorsing a project or its assets, CertiK tests smart contracts’ resilience to various attack vectors. It also assesses the contracts’ compliance with acceptable coding standards and compares a project’s smart contracts to those produced by industry leaders. 

Careful scrutiny of CertiK’s website reveals that the company only audits code provided by the DeFi protocol. It advises interested investors to conduct their own due diligence. Additionally, its reports contain the following disclaimer:

“CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies, and in no way claims any guarantee of security or functionality of the technology we agree to analyze.”

While not the complete picture, these reports can provide insight into a project’s risks, helping to inform interested parties about a project. Any proposed changes to the smart contract code can undergo a protocol’s standard voting procedure without government intervention. 

Coinbase CEO Brian Armstrong advocates that DeFi protocols be protected by free speech in the United States rather than be regulated by laws governing financial services businesses.

For Be[In]Crypto’s latest Bitcoin (BTC) analysis, click here.