
Raft Finance lost $3.6 million to a DeFi vulnerability rooted in a mathematical problem

2023-11-19 18:07
The original title: "DeFi protocols continue to get hacked due to same basic maths problem"
The original author: Osato Avan-Nomayo, DLNews
The original translation: Luccy, BlockBeats

Editor's note:
According to BlockBeats, on November 11th the stablecoin protocol Raft was attacked, with losses of about 3.3 million US dollars. The attacker minted the stablecoin R and then sold it, draining the liquidity of the automated market maker while extracting collateral from Raft. On November 17th, Raft announced that it would compensate users affected by the attack with 3.96 million DAI.

Osato Avan-Nomayo, a Nigeria-based DeFi reporter for DLNews, argues that the Raft Finance theft exposed a tricky mathematical challenge facing DeFi builders. Vulnerabilities in approximation logic occur frequently, and hackers exploit them to steal funds from protocols. Despite multiple audits, similar vulnerabilities have affected DeFi protocols such as Balancer and Onyx.

Osato notes that rounding errors and precision loss can occur in DeFi environments that execute complex mathematical calculations. This mathematical challenge has raised concerns about the security of DeFi, especially where the approximation methods in use are not protected against exploitation.


DeFi builders face a mathematical challenge - if the approximation method they use in smart contracts is not protected against vulnerabilities, hackers can steal funds from their protocols.


Last week, hackers stole $3.6 million from the stablecoin protocol Raft Finance. The hackers launched an attack using flash loans, exploiting a precision loss vulnerability in the Raft smart contract. These types of vulnerabilities are caused by rounding errors that occur when a number is approximated, allowing hackers to obtain additional token shares.


Although Raft had undergone multiple audits by companies such as Trail of Bits and Hats Finance, this vulnerability was not patched.


The Raft Finance hack is just the latest in a series of DeFi thefts in which attackers targeted precision loss vulnerabilities. DeFi protocols such as Balancer and Onyx have also been targeted by such attacks. In fact, forks of the DeFi lending protocol Compound, such as Onyx, were found to contain rounding errors in their code, which were exploited, as was the case with Hundred Finance and Midas Capital.


Approximation or rounding is the use of a number that is close but not exactly the same as the original number, which may result in rounding errors and loss of precision, especially in complex DeFi protocols that involve a large number of mathematical calculations.


"I do believe that DeFi is facing mathematical challenges in terms of integer rounding," Taylor Weber, a smart contract developer and security researcher, told DL News.


When the error caused by the approximation method is not significant, it is not a problem. However, when the error accumulates to a sufficiently large degree, hackers will use these error values as they have done in countless attacks.


"The highly dynamic and innovative behavior of some DeFi applications may amplify precision loss to a considerable extent," Trust, the head of the anonymous cryptocurrency auditing company Trust Security, told DL News.


"The combination of lightning loan mechanism and high liquidity AMM enables hackers to exploit the theoretical problem of 'value loss'," Trust added.


Difficult to detect


In crypto, rounding errors and loss of precision are common occurrences, and there are several reasons behind this.


The main reason is that crypto's computing logic does not work well with fractions.


"EVM is almost similar to any other computing architecture, which does not support calculations in fractional form, and therefore will inevitably lose accuracy," Trust said.


At the same time, the number of decimal places varies between tokens. For example, USDC has six decimal places, while DAI has 18. In a pool for exchanging these two tokens, some form of precision scaling must be designed to account for the different decimal places. Precision scaling involves adjusting the decimal places of the minor asset to match those of the major asset.
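The scaling step described above, as an added example that is not code from the article or from any protocol it names. The function names and sample amounts are hypothetical; only the 6 and 18 decimal places come from the text. It shows that scaling up is exact, scaling down loses up to 10^12 - 1 raw units per conversion, and that the rounding direction decides which side absorbs that loss.

```python
from typing import List, Tuple

USDC_DECIMALS = 6   # from the article
DAI_DECIMALS = 18   # from the article


def scale(amount: int, src: int, dst: int, round_up: bool) -> int:
    """Convert a raw integer token amount from src to dst decimal places."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    if dst >= src:
        return amount * 10 ** (dst - src)  # scaling up is exact
    factor = 10 ** (src - dst)
    quotient, remainder = divmod(amount, factor)
    # Scaling down discards the remainder unless the caller asks to round up.
    return quotient + 1 if (round_up and remainder) else quotient


def usdc_paid_out(dai_raw: int) -> int:
    """USDC the pool pays for a DAI-denominated value: round down."""
    return scale(dai_raw, DAI_DECIMALS, USDC_DECIMALS, round_up=False)


def usdc_charged(dai_raw: int) -> int:
    """USDC the pool charges for a DAI-denominated value: round up."""
    return scale(dai_raw, DAI_DECIMALS, USDC_DECIMALS, round_up=True)


def rounding_drift(dai_amounts: List[int]) -> Tuple[int, int]:
    """Return (kept, surplus) in raw DAI units after converting each amount.

    kept    = true total minus what the pool paid out (rounded down)
    surplus = what the pool charged (rounded up) minus the true total
    Both are >= 0 and each is below len(dai_amounts) * 10**12.
    """
    total = sum(dai_amounts)
    paid = sum(scale(usdc_paid_out(a), USDC_DECIMALS, DAI_DECIMALS, False)
               for a in dai_amounts)
    charged = sum(scale(usdc_charged(a), USDC_DECIMALS, DAI_DECIMALS, False)
                  for a in dai_amounts)
    return total - paid, charged - total


# Constructed sample amounts in raw 18-decimal DAI units.
SAMPLE = [1_500_000_000_000_000_001, 999_999_999_999, 1]
```

With both directions chosen in the pool's favour, the drift is never negative, which is the property a reviewer should look for at every scaling site.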


In addition, like other arithmetic problems, rounding errors are extremely difficult for smart contract auditors to detect. In fact, these vulnerabilities are often overlooked during the auditing process, resulting in even heavily audited protocols becoming victims of hackers exploiting these vulnerabilities.


"A Cultural Change"


The hacking incident of Raft Finance has sparked a discussion on taking rounding errors seriously.


"I think the problem lies not in the integer limitations imposed by EVM, but in how developers and auditors handle rounding errors and other types of vulnerabilities," said Webb.


Webb calls for a "cultural change" and hopes that DeFi builders and auditors will treat rounding errors the way they treat reentrancy (recursive call) vulnerabilities.


The smart contract auditor Joe Dakwa told DL News that sound unit testing and fuzz testing should become standard best practices. Fuzz testing is a type of testing that can be performed on smart contracts, in which random data is inputted into the code to see if any issues arise.


Security experts suggest that invariant testing, which is similar to fuzz testing, should also be added to the test suite.
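A combined fuzz and invariant test of the kind recommended above, as an added example that is not from the article and does not reproduce Raft's contract. `ToyVault` is a hypothetical share-accounting model and its start state is constructed. The invariant is that assets per share never decrease after any operation; the harness reports the first operation that breaks it.

```python
import random


class ToyVault:
    """Toy share-accounting vault (constructed for this example, not Raft's code)."""

    def __init__(self, assets, shares, mint_rounds_up):
        self.assets, self.shares = assets, shares
        self.mint_rounds_up = mint_rounds_up  # True models a rounding bug

    def deposit(self, amount):
        # Shares owed = amount * shares / assets, computed with integers only.
        numerator = amount * self.shares
        minted = numerator // self.assets
        if self.mint_rounds_up and numerator % self.assets:
            minted += 1  # rounds in the depositor's favour
        self.assets += amount
        self.shares += minted
        return minted

    def withdraw(self, burned):
        # Assets paid out are rounded down, in the vault's favour.
        paid = burned * self.assets // self.shares
        self.assets -= paid
        self.shares -= burned
        return paid


def backing_preserved(before, after):
    """Invariant: assets per share never decreases (cross-multiplied, no fractions)."""
    (a0, s0), (a1, s1) = before, after
    return a1 * s0 >= a0 * s1


def fuzz(mint_rounds_up, steps=2000, seed=1):
    """Apply random deposits and withdrawals; return the first violating step or None."""
    rng = random.Random(seed)
    # Constructed start state with a non-integer assets-per-share ratio.
    vault = ToyVault(1_000_003, 1_000_000, mint_rounds_up)
    for step in range(steps):
        before = (vault.assets, vault.shares)
        if rng.random() < 0.5 or vault.shares < 2:
            op = ("deposit", rng.randint(1, 10**6))
            vault.deposit(op[1])
        else:
            op = ("withdraw", rng.randint(1, vault.shares - 1))
            vault.withdraw(op[1])
        if not backing_preserved(before, (vault.assets, vault.shares)):
            return step, op, before
    return None
```

The vault that rounds minted shares down passes every step, while the variant that rounds up is flagged on a deposit. This kind of wrong-direction rounding is what a fixed set of hand-picked unit-test values can miss.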



