A vulnerability in an Opyn DeFi contract allowed hackers to steal up to 371,260 USDC. Put oTokens (oETH) on Opyn, traded via Uniswap, had a flaw that allowed ‘double spending’ of value.
Tim Ismilyaev, CEO and Founder at Mana Security, explained the hack to us in layman’s terms:
In one of the transactions, the attacker sent 75 ETH and got 150 ETH equivalent in USDC.
The smart contract responsible for the operation had two “vaults”, which contained enough assets to pay the collateral. But after sending 24,750 USDC (e.g., 75 ETH), the contract didn’t burn the attacker’s balance, so after switching to the next vault, it assumed that the attacker should get another 24,750 USDC. That’s commonly called “double spend.”
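To make the mechanism concrete, here is a constructed Python model of the pattern Ismilyaev describes, added to this article and not taken from Opyn's contract code: the vulnerable exercise path pays out once per vault without ever burning the holder's oTokens, while the fixed path verifies and burns them once before any payout. The ETH payment leg is omitted, and the 330 USDC per oETH rate is an assumption chosen so that 75 oETH maps to the article's 24,750 USDC.

```python
from dataclasses import dataclass, field

# Constructed toy model (not Opyn's code) of the flaw described above. Rate is
# chosen to match the article's numbers: 75 oETH -> 24,750 USDC (330 USDC each).
STRIKE_USDC_PER_OTOKEN = 330

@dataclass
class OptionsContract:
    vault_usdc: dict = field(default_factory=dict)  # vault owner -> USDC collateral
    otokens: dict = field(default_factory=dict)     # holder -> oToken balance
    usdc_paid: dict = field(default_factory=dict)   # holder -> USDC received

    def _pay(self, owner, holder, amount):
        if self.vault_usdc[owner] < amount:
            raise ValueError("insufficient collateral in vault")
        self.vault_usdc[owner] -= amount
        self.usdc_paid[holder] = self.usdc_paid.get(holder, 0) + amount

    def exercise_vulnerable(self, holder, amount, vault_owners):
        # BUG pattern from the article: the payout is recomputed for every vault
        # and the holder's oTokens are never burned, so one claim is paid per vault.
        owed = amount * STRIKE_USDC_PER_OTOKEN
        for owner in vault_owners:
            self._pay(owner, holder, owed)

    def exercise_fixed(self, holder, amount, vault_owners):
        # Fix: verify and burn the oTokens ONCE before any payout
        # (checks-effects-interactions), then settle a single claim
        # across the listed vaults.
        if self.otokens.get(holder, 0) < amount:
            raise ValueError("holder does not own that many oTokens")
        remaining = amount * STRIKE_USDC_PER_OTOKEN
        if sum(self.vault_usdc[o] for o in vault_owners) < remaining:
            raise ValueError("listed vaults cannot cover the claim")
        self.otokens[holder] -= amount  # burn before paying anything out
        for owner in vault_owners:
            take = min(remaining, self.vault_usdc[owner])
            self._pay(owner, holder, take)
            remaining -= take
            if remaining == 0:
                break

def run_scenario(vulnerable):
    """Two vaults holding 24,750 USDC each; 'exerciser' owns 75 oETH.
    Returns (USDC paid to exerciser, oTokens left in their balance)."""
    c = OptionsContract(vault_usdc={"seller_a": 24_750, "seller_b": 24_750},
                        otokens={"exerciser": 75})
    fn = c.exercise_vulnerable if vulnerable else c.exercise_fixed
    fn("exerciser", 75, ["seller_a", "seller_b"])
    return c.usdc_paid["exerciser"], c.otokens["exerciser"]
```

Running `run_scenario(True)` pays 49,500 USDC and leaves the 75 oETH untouched, so the same claim can be presented again; `run_scenario(False)` pays 24,750 USDC and leaves a zero balance.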
The development team behind Opyn attempted to recover the funds using white-hat hacking methods and by paying up to 20% extra on ETH prices. The co-founder of Opyn, Alexis Gauba, stated that they were working on a plan “to mitigate impact for ETH put sellers.” In a recent update on Twitter, the Opyn team noted:
We will be reimbursing ETH put sellers in full who were affected by the vulnerability. We will have more details re reimbursement process in the next 3 days
This is Just the Beginning
Although DeFi stands for Decentralized Finance, only a certain degree of decentralisation can be implemented in these contracts. Moreover, Ismilyaev suggests that a step needs to be added before launch. He says:
… best practice for DeFi companies to prevent such issues is to conduct an external audit of their smart contracts before using them in the wild. But the vulnerable contract wasn’t audited in this way, which led to stolen assets.
Another prominent issue with decentralization is the ‘re-entrancy’ problem. This is very similar to what occurred with Opyn, where the interaction between two pools was flawed. Sami Tannir, DeFi analyst at Conflux, explained the problem to us:
a contract interacts with another contract, but the second contract chooses to call (or re-enter) the first contract and is able to achieve a goal that is different from the developer’s original intent.
Hence, despite the growth of the DeFi design, there is a possibility of loopholes being exploited and, in some cases, trust being broken. The role of centralized financial services entities in the future would be analysing and mitigating these risks.
How long do you think it will be before the DeFi ecosystem becomes ubiquitous? Please share your views with us.