Harvest Finance Hack Turns The Spotlight Back On Cybersecurity, DeFi Auditor Discusses Safety Standards

Harvest Finance took over crypto headlines this week after $34 million worth of funds were stolen from the decentralized exchange, pushing the issue of cybersecurity in the DeFi space back to the forefront.

The DeFi space exploded over the summer, growing from $4.25 billion locked into DeFi protocols at the start of August to $11.25 billion locked in at the time of writing, according to DeFi Pulse. Even with all the growth, attracting new and institutional investors remains a critical goal for the crypto industry. Many in the community have hoped the hype surrounding DeFi would help attract new investors; however, headline-grabbing hacks hurt the reputation of the space. Rex Hygate, founder of the DeFi security audit website DeFi Safety, believes raising audit standards is the next step for improving the space.

PC: Total value locked in DeFi via DeFi Pulse

“What DeFi Safety is doing is part of what needs to be done so the rest of the world can understand what they are seeing when they look at DeFi because right now there is very little information on quality,” Hygate said in an interview with BitpushNews.

A recent report from the cybersecurity ranking and certification platform CER found that 14 out of 25 decentralized exchanges scored poorly on a cybersecurity evaluation designed by the firm. Six of these exchanges either failed a security audit or never publicly announced that they had gone through one. The missed security steps could be attributed to the breakneck pace at which new DeFi products are launching, Hygate says.

“It’s the phase we’re at right now with very high experimentation and that’s good for the ecosystem and it’s not a bad thing, but there are a lot of lazy forks,” Hygate said. “It’s been a frustration, the past couple audits I’ve done have been very low scores and it’s people who don’t appear to be spending the effort at all, or you don’t see the effort, but I think this is going to be a phase.”

When DeFi protocols have flaws in their smart contracts, the consequences can be costly. The hacker behind this week's Harvest Finance attack exploited an engineering error in the platform to make off with millions of dollars' worth of funds. Harvest Finance's DeFi Safety score is 55%, with the platform's lack of an audit being the main component dragging its score down.

PC: Harvest Finance logo

The Harvest attacker used flash loans to manipulate the value of Harvest Finance's reserves held in Curve. The flash loans drove down the prices of USDT and USDC on Harvest, allowing the attacker to buy the tokens for less than they were worth, pay back the flash loans and turn a profit. The Harvest team took responsibility for the engineering error that enabled the attack and, in a blog post following the event, politely asked the hacker to return the funds to the community.
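The weakness the paragraph describes is a vault that values its holdings from a pool's instantaneous reserve price, which a single large trade in the same transaction can move. The following is an added, constructed illustration (not Harvest's or Curve's code) of that failure mode from the defender's side: a toy constant-product pool, a hypothetical vault share price read from it, and a deviation guard that refuses the operation when the spot price has strayed from a trusted reference (such as a time-weighted average or an external oracle). The pool sizes, the one-share-per-USDT design and the 1% threshold are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Pool:
    """Constructed toy constant-product pool (usdc * usdt = k) of two stablecoins."""
    usdc: float
    usdt: float

    def spot_price(self) -> float:
        # Price of 1 USDT in USDC read directly from reserves; a same-block trade can skew it.
        return self.usdc / self.usdt

    def swap_usdt_for_usdc(self, amount_in: float) -> float:
        # Selling USDT into the pool pushes the USDT spot price down.
        k = self.usdc * self.usdt
        new_usdt = self.usdt + amount_in
        amount_out = self.usdc - k / new_usdt
        self.usdt, self.usdc = new_usdt, k / new_usdt
        return amount_out


def price_is_trusted(spot: float, reference: float, max_deviation: float) -> bool:
    """Guard: accept the spot price only if it is within max_deviation of the reference."""
    return abs(spot - reference) / reference <= max_deviation


def vault_share_price(pool: Pool, reference: float, max_deviation: float) -> Optional[float]:
    """Hypothetical vault: one share is worth 1 USDT priced from the pool.

    Returns None (refuse deposits/withdrawals this block) when the guard trips, so a
    manipulated spot price cannot be used to mint or redeem shares.
    """
    spot = pool.spot_price()
    return spot if price_is_trusted(spot, reference, max_deviation) else None


def simulate(trade_size: float, max_deviation: float = 0.01) -> Tuple[float, Optional[float]]:
    """Constructed scenario: a 1M/1M pool, one USDT sale of trade_size, then a vault read."""
    pool = Pool(usdc=1_000_000.0, usdt=1_000_000.0)
    pool.swap_usdt_for_usdc(trade_size)
    return pool.spot_price(), vault_share_price(pool, reference=1.0, max_deviation=max_deviation)


if __name__ == "__main__":
    for size in (0.0, 1_000.0, 200_000.0):
        spot, share = simulate(size)
        print(f"sold {size:>10,.0f} USDT -> spot {spot:.4f}, vault {'refuses' if share is None else 'accepts'}")
```

A small trade moves the spot price by a fraction of a percent and passes the guard; a trade large relative to the reserves moves it by tens of percent and the vault refuses to price shares until the pool recovers.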

“We take responsibility for this engineering error and are ensuring such incidents are mitigated in the future,” the blog post read.

Errors like the one that enabled the Harvest Finance attack are not uncommon in the DeFi space. KuCoin was robbed of over $150 million worth of funds, and earlier this summer Balancer lost $500,000 worth of crypto when a hacker exploited a vulnerability in the exchange's smart contract. Sites like DeFi Safety and CER aim to weed out smart contract vulnerabilities to protect both users and the reputation of the industry.

DeFi Safety audits DeFi protocols using publicly available information, including Ethereum addresses, GitHub repositories, documentation and testing, to generate a percentage score for how well a protocol follows process and quality best practices. The DeFi Safety scores are in some ways an indication of effort on the developer side, which Hygate hopes will encourage an industry standard of best practices.

“The people who get a good score are the people who do the work upfront and that is generally a very good indicator of people you can trust, it’s not 100%, but normally if you’re looking at a rug pull or something that is just out to pump a token and then leave you find they haven’t put that kind of effort in.”

The DeFi Safety reports emphasize improvement: if a protocol's developers update their documentation after the audit, their score will improve. Harvest Finance and SushiSwap both had initially low DeFi Safety scores that were moved up after developers took steps to improve security.

While cybersecurity audits are necessary, Hygate says they can be difficult to come by for early projects given the low availability of auditors. This problem means there is very little quality assurance happening in the DeFi space.

“With DeFi you have to trust the code, even if you know the person behind it — and sometimes you don’t — the code is the thing you need to trust and there’s nothing to fall back on if you don’t,” Hygate said.

By Emily Mason
