Smart Contracts Systematic Risks

Are you really sure about locking billions of $ in a contract?

April 19th, 2015 was supposed to be a normal day, I checked my messages before heading to work and my heart skipped a beat, here it was Blue on Gray the message that any blockchain developer fears “Nxt crashed. Generating just empty blocks and no transaction gets included… can somebody help?”

I frantically logged into my remote node just to see the node stuck and the log file ends with an ominous-looking message:

“SEVERE: Nxt.Account$DoubleSpendingException”

Back at the time I was a relatively novice blockchain developer. I started coding for Nxt as a hobby around August 2014, and I mostly coded the monetary system module so did not have a thorough understanding of the core engine. Looking at the code revealed a fairly general error message that did not provide a clue into what really went wrong. Not knowing better I started discussing my findings on the Nxt forum.

It didn’t take long before the legendary Nxt developer Jean-Luc has posted this immortal oxymoron “Do not worry, it is an attack, trying to exploit a bug.“

It quickly became apparent that someone has found a bug in the Nxt asset exchange order cancellation code, and was trying to exploit it to steal funds. Luckily, an old sanity check introduced years earlier has thwarted this attempt. A fix was quickly deployed as an emergency hardfork, and the blockchain gradually recovered until things went back to normal.

Interestingly, the unsafe code which enabled the attack was deployed to production more than 10 months earlier. In spite of countless code reviews the bug was not revealed and patched until this unfortunate event.

Fast forward 6 years, the year is 2021 and the crypto market is booming. the token ecosystem value is now maybe 1000x larger with new projects added daily. However, finding and patching bugs is still at least as difficult as it was in 2015 and tasks like code review and security scans are still considered a boring and tedious task by developers.

My Point

While I believe that central exchanges are now in a much better shape than they used to be 6 years ago, and even if hacked they should have the capital to compensate their users, this is not the case with decentralized exchanges and services.

I estimate the weakest link is this new brand of decentralized exchanges and “financial services” romantically labelled “Defi” and/or named after popular food. Some of these services are clones of other services, which by themselves develop patchy code written hastily to beat the competition. If the 2015 prime vintage of Nxt developers managed to miss a serious security bug for many months think about the horrors in these project’s codebase just waiting to be discovered and exploited by preying eyes.

Are you still sure about locking all these funds in Defi? Consider this a friendly advice, no level of interest or collateral will save your investment when the underlying service is hacked.