Cover was hacked. How did DeFi become a hacker's ATM?

In the new week, also approaching the New Year 2021, I saw that Cover was hacked at night.

What happened is that the hacker created a fake coin with the same name as cover, and then conducted liquidity mining. We all know that liquidity mining generally has an LP TOKENS. The hacker then used this LP TOEKNS for pledge, thus withdrawing funds, which caused the market to collapse and the price of cover tokens to plummet.

The matter is not over yet. After the incident, the exchange urgently suspended withdrawals. The incident continued to ferment online, causing Cover's LP TOKENS to be close to collapse. The number of tokens issued by hackers was too large, about 40 trillion, so it can be basically judged that the losses caused by Cover this time are very large.

Cover was previously called safe, an insurance mining project. According to non-small records, Safe is an insurance mining project where users can stake tokens such as yNFT to redeem SAFE tokens. Yieldfarming introduces a new type of agriculture - insurance mining. The project aims to encourage farmers to purchase insurance for their staked assets and hold shares of yNFTs on the platform (allocated to them through yinsure.finance). In return, stakers will receive SAFE.

On November 1, safe was declared invalid and the new token was the cover protocol. This was a brand building process. Since then, cover has been the focus of defi.

Although both are decentralized insurance, Cover and NexusMutua are different. After NexusMutual users purchase a policy, they cannot transfer the policy to others. Cover, by introducing CLAIM and NONCLAIM tokens, allows users to trade the policies they purchase, improving the user's product experience. In this way, corresponding liquidity mining can also be built. In addition, NexusMutual also requires KYC certification for users, which Cover obviously does not require.

However, the exploitation of Cover's own contract vulnerability this time is a bit different from the last time NexusMutual. In NexusMutual, the founder's coins were stolen by hackers, and the NexusMutual smart contract was relatively safe. But this time, Cover's own insurance contract had a vulnerability, which was a bit embarrassing. In the evening, the hacker returned 4,350 Ethereum coins to Cover officials and left a sarcastic statement, which also made people worry about the security of smart contracts.

This year is the year of the DeFi explosion. Although the rise of DeFi has gone through more than three years since 2018, from the perspective of the security of smart contracts, it is actually a relatively long progress. However, it seems that this is far from enough, and the security of DeFi contracts still needs constant attention.

Defi currently has the following main features:

1. The operating status of the contract is open and transparent. No matter who operates it, it can be queried on the chain. It is not like a centralized exchange, where the data is opaque and people cannot see the market status clearly.

Although this has certain advantages, that is, the funds are open to the public, which is convenient for investors to study, but once a problem occurs, there is no way to cover it up. For example, when a centralized exchange is stolen, if the funds are not large, they will not disclose it at all. They will only disclose it when the amount of funds is large. Defi does not need anyone to disclose it. As long as someone pays attention, they will naturally discover it at the first time.

2. The contract code of general DeFi projects is also public

Because DeFi projects need to be transparent, if the code is not transparent, it will increase users' distrust. Therefore, generally speaking, project parties must make part or all of the contract code public so that they can be supervised.

However, for ordinary users, many people may not look at the code, but for peers or other hackers, this is a treasure trove, so they will carefully study the project code in order to find the corresponding loopholes or arbitrage methods, and then write the corresponding contracts to make profits.

It should be noted here that some of them are targeting contract arbitrage. Most people call such people defi scientists. Another part of them exploits code loopholes in defi and uses deceptive methods to make profits. We generally call them defi hackers.

This is similar to the early Linux operating system. Linux is an open source system. After being continuously updated and maintained by a group of open source enthusiasts around the world, it is still not safe today. It can only be said that the system on Linux is highly customizable. Different users have different settings and corresponding strategies to deal with hacker behavior. The security of Linux is relatively good now, which is the result of long-term continuous iteration. Ethereum smart contract EVM is still relatively new, so it naturally takes a certain amount of time to "evolve".

=In fact, no matter what it is, as long as there is capital and transparency is high, such a situation will occur. Defi is constantly being hacked. In fact, this is a stage that must be experienced in the current development. Defi is still in an immature period. This period cannot be skipped by any method. The main reason is that this part cannot adopt the experience of predecessors to learn from, so it can only take one step at a time. In this way, there will naturally be more problems in Defi, but from a long-term perspective, this will be beneficial to the future development and maturity of Defi.