A brief overview of Ethereum hacks

in #eth4 years ago (edited)

Hacks and vulnerabilities are commonplace in the wild west.

It's crucial to understand the history of Ethereum exploits. These protocol-level events formed Ethereum's social contract, from TheDAO to the Parity hacks. If more apps are created, the attack surface area grows.

This is particularly true when it comes to DeFi.

We don't have to trust people with our money, but we must trust the code.

We must trust that the code was written without errors, whether bugs, economic risks, oracle abuse, or even centralization risks are involved. This is a difficult task. We're just human, so we're bound to make mistakes. (Find out more about the three types of DeFi risk.)

Here's the good news: the longer the code is out in the wild, the better.

Here's the good news: the longer the code is out in the wild and the more value it contains, the more powerful it becomes. This is known as the Lindy effect. Every day that passes without incident brings us closer to our goal of trustless finance.

Hugh Karp is a hacker and exploiter who has gone deep down the rabbit hole of hacking and exploits. (In fact, he's been hacked!)

He was motivated to create Nexus Mutual, a decentralized insurance alternative, by early Ethereum exploits.

As a result, we invited him in to give us a brief history lesson.

A Brief History of DeFi Risks
DeFi is a land of possibilities. Despite all the conventional finance people calling them "scams" with double-digit yields, wealth can be found and made. Those on the frontier, on the other hand, are consistently making money.

To be sure, there is risk, but the market remains inefficient, and in a world where banks offer 0% interest rates, it's worth setting old biases aside for a moment and digging deeper.

In conventional finance, the majority of risk stems from having to entrust the capital to others.
Many people believe DeFi destroys trust, but it actually transfers trust from individuals, organizations, and legal structures to code. In theory, this implies that if we can trust the code to function as expected, we can "delete" trust. Unfortunately, coding with 100 percent accuracy (even if audited) is extremely difficult. Most long-term Ethereum users have encountered this issue at some stage during their journey.

Here are the numbers of errors per line of code to give you an idea of coding precision:

15-50 per 1000 is the industry average.

1–25 per 1000 apps delivered

0.1 per 1000 according to NASA

Coding is a difficult task. Humans are prone to making errors. The issue is that this is where Ethereum and decentralized finance have a huge amount of risk.

Is it preferable to relying on others? Sure, but it's still early in the game.

To put things in perspective, here's some context...

The Beginning of Time
TheDAO was one of the first major instances of coding errors on Ethereum. It brought attention to the problem and caused such division on how it should be "fixed" that it spawned Ethereum Classic, a fork of Ethereum.

This was quickly followed by the Parity glitches, in which a commonly used multi-sig experienced two different cases, resulting in millions of dollars in losses as well as philosophical fallout.

These were the first big security incidents in Ethereum's history as they happened all at once. We now see them as isolated logic errors where the code simply didn't function as anticipated.