Recent cyberattacks exploit specific technical weaknesses in smart contract protocols and governance structures. The Bedrock UniBTC pool lost $1.7 million in a suspected attack, drawing attention to the vulnerabilities of DeFi protocols. A malware attack on Truflation, a provider of data on crypto inflation, resulted in a $5 million loss, which also highlights the cybersecurity risks crypto projects face.

Reentrancy, an example of a prominent attack vector, has been a constant over the past eight years. These weaknesses occur when a smart contract fails to complete state changes before calling another smart contract externally. The process allows the second contract to reenter the first and potentially repeat some of its operations, enabling attackers to modify the contract’s state and drain funds.

There have been 73 reentrancy attacks since 2016. A notable one in 2024 led to a $27 million loss for Penpie protocol. Reentrancy attacks remain a constant risk as cybercriminals exploit smart contract execution flaws, making repeat withdrawals before balances are updated.

Flash loan exploits have surged in 2024

Attackers use uncollateralized loans to manipulate token prices or gain control over governance tokens. Such attacks are becoming more frequent in 2024. Hackers stole assets worth $22 million from Indodax, Indonesia’s most prominent digital asset exchange, in one of the largest regional crypto hacks to date. The perpetrators swiftly exchanged the stolen tokens for native assets across numerous blockchains.

A similar flash loan attack on Caterpillar Coin resulted in the loss of just under $1.4 million. Following failure of the token’s price protection system, the price plummeted by 99%, and reserves drained quickly.

Attackers are increasingly using flash loans to exploit governance mechanisms, gain temporary control over decentralized protocols, and vote for fund transfers or parameter changes.

Another specific weakness involves cross-contract vulnerabilities. A vulnerability in LI.FI Protocol led to the loss of $10 million in the third quarter of this year, underscoring how interconnected systems create cascading risks. All in all, crypto hacks incurred losses in excess of $409 million in that quarter alone.

The paradox: DAO-based smart contracts are fundamentally centralized

‌Paradoxically, centralization accounts for numerous weaknesses in DeFi protocols. Smart contract development takes place under centralized entities, processes, actions, and platforms in isolated off-chain environments. When DAOs vote on protocol upgrades, there are no on-chain controls to prevent the loss of rights granted earlier. This lack of automatic scope and rights enforcement severely limits the instrumentation, flexibility, and security DAOs can offer users.

SphereX, which integrates into smart contracts, entails a recent breakthrough in this area. It protects smart contracts from real-time cyberattacks and ensures continuity. Contracts don’t stop operating even when under attack, so business processes do not come to a halt. SphereX prevents damage by reverting malicious activity before it’s finalized. Neither suspicious activity nor unexpected manipulations are approved on-chain. More specifically, a dApp integrates with the technology, is deployed on-chain, and reverts suspicious transactions before they are finalized. The protection can be configured as needed, which includes adding rate limits, access management, compliance checks, etc.

Web3, smart contracts, and security vulnerabilities

The Web3 space began as a “wild west” of creativity and opportunity, but also a wild west of security. When it comes to input validation, access control, and arithmetic operations, smart contracts are not immune to vulnerabilities despite developers’ best efforts. Considering the complexity of Web3 projects, malicious entities have multiple vectors to attack these projects through. Infrastructural issues remain a costly industry concern and a predominant vulnerability class. GoPlus defines its security services as SecWares. Developers allow users to access these services by creating SecWare instances on the blockchain. When creating an instance, developers must stake a specific token amount as a commitment to providing an effective and reliable security service. Part of the stake can be slashed as a penalty if a SecWare emerges to be malicious or fails to meet the service-level agreement. The risk of slashing encourages developers to adhere to the rules and maintain elevated standards.

Targeted security solutions like those described can help mitigate risks and off- and on-chain liabilities that DAOs incur due to off-chain smart contract governance under existing blockchain systems. Each new offering, issuance, or transaction a DAO adds or carries out exponentiates risks and costs and increases uncertainty for users. The risk is especially pronounced if the platform offers loans, insurance, or algorithmic stablecoins. As a result, the applications of DeFi protocols tend to be more rudimentary than CeFi applications, and DeFi smart contracts are inflexible. Viable security systems and solutions are tailored to the unique characteristics and challenges within DeFi.