Re-entrancy Strikes Again!
With the decentralized world growing by leaps and bounds every day, there are new projects cropping up all over the place. However, we see the same issues plague the Web 3.0 ecosystem that has existed for ages now.
Today, we are going to talk about three crypto hacks that have occurred over the course of the past month. The common denominator in all of these hacks?
Re-entrancy!
Yes, you read that correctly. In the space of just over a month, we have already seen three hacks which have all been attributed to a re-entrancy vulnerability in their smart contract codes.
What is Re-entrancy?
A re-entrancy vulnerability occurs when an attacker is able to repeatedly execute a function within the smart contract (For eg: Withdrawing funds) by recursively calling the function before any state changes are made final.
The reason this occurs is because developers often code external calls to functions without first modifying the state variables to reflect the change.
Now that we have briefly revised what Re-entrancy is, let's take a look at all three incidents:
- The Midas Capital Hack
On the 17th of January, 2023, a polygon-based project - Midas Capital, got hacked for about $660k due to a read-only re-entrancy vulnerability. The MATIC token was the token being exploited here. Now, I know what you're thinking - this seems like a miniscule amount compared to some of the other hacks that we have discussed here. However, no amount is small and every hack is a serious threat to our ecosystem as a whole.
Another thing to consider here is the fact that this kind of vulnerability is a known issue with the kind of LP token that was exploited here.
Midas had recently implemented a new type of LP token on their platform. This token was known to have a read-only re-entrancy vulnerability with its implementation. However, a workaround was available and if Midas had not been in such a hurry to add the new token, they might have avoided the entire hassle.
2. The Orion Protocol Hack
The second hack we are going to talk about here is the Orion Protocol hack, which took place on the 4th of February, 2023. The hack resulted in a loss of $3M in funds in ETH and BSC. What was exploited here was a common re-entrancy vulnerability within one of Orion's smart contracts.
3. DForce Network Hack
Just a few days later, on the 17th of February, 2023, the Dforce Network fell prey to a common re-entrancy vulnerability exploit that drained them of approximately $3.65M.
Fortunately for the owners of the DApp, however, the attacker agreed to accept a bounty for their efforts and returned the money to the project holders.
What's interesting to note in all three cases, however, is the fact that, while Re-entrancy has been known to be a very critical issue with smart contract security since the past few years, developers and project owners are not adopting a pro-active approach to dealing with these issues. Read on to know how you can avoid these mistakes.
What can YOU do to prevent re-entrancy issues in YOUR smart contract code?
As a developer, here are a few things to keep in mind in order to prevent re-entrancy issues from infiltrating your code:
- Follow the Checks->Effects->Interaction pattern within your code. You can find more info on that here.
- Make sure that external function calls occur ONLY AFTER state changes have been made.
- Use OpenZeppelin's Re-entrancyGuard to prevent re-entrancy issues
Worried about attackers targeting your smart contracts? Contact DeTaSECURE today for all your smart contract audit needs!