
Author: SALUS Insights
There are many security risks in decentralized finance (DeFi) that can cause serious harm to users, platforms and the wider financial ecosystem. Drawing on recent real incidents, we summarize three categories of DeFi security risk, walk through how the attackers proceeded, and outline corresponding mitigations.
- Price manipulation risk
- Smart contract vulnerability risk
- User operation risk
1. Price manipulation risk
In DeFi, price manipulation risk refers to malicious actors trying to profit, or to move the market, by manipulating the price of an asset. Such manipulation produces abnormal market prices and inflicts losses on other participants. Below we summarize three forms that price manipulation takes in DeFi:
- Flash loan attack
- Sandwich attack
- Oracle attack
1.1 Flash loan attack
A flash loan attack is an attack on DeFi applications that abuses flash loans, which lend funds without collateral on the condition that they are repaid within the same transaction. The attacker borrows a large amount through a flash loan and performs a series of operations within that single transaction to extract value, so the protocol under attack sees a caller with enormous, if temporary, capital.
Shido Global flash loan attack incident
On June 23, 2023, a flash loan attack on Shido Global took place on BSC (Binance Smart Chain). The attacker exploited the token's lock-and-claim mechanism and the price difference between two liquidity pools to arbitrage between them, stealing 976 WBNB.
Attack tx:
https://explorer.phlcon.xyz/bsc/0x72F8dd2BCFE2C9FBF0D93367804178A0D89956BFBABE3AA712D6
How does an attacker carry out a flash loan attack?
- The attacker took a flash loan of 40 WBNB.
- The attacker swapped 39 WBNB for 10,436,972,685.676390697 Shido Inu: SHIDO tokens (the legacy token, 9 decimals) in the PancakeSwap V2: Shido-WBNB pool.
- The attacker then called ShidoLock.lockTokens followed by ShidoLock.claimTokens, which converted the 10,436,972,685.676390697 legacy SHIDO (9 decimals) into 10,436,986,704,133,494,387,000,000,000 raw units of the new SHIDO token (18 decimals). lockTokens locks the legacy tokens in the ShidoLock contract, so they can no longer be transferred or traded until the release conditions are met; claimTokens then issues the new 18-decimal token against the locked balance. Nothing in this path prevented lock and claim from being executed back to back within a single transaction.
- The lock-and-claim path ties together two pools that price the token differently: the Shido-WBNB pool prices the legacy token, while the PancakeSwap V2: Shido 28 pool prices the new token, and the new token was valued far higher there. The attacker sold the 10,436,986,704,133,494,387,000,000,000 raw units of new SHIDO (18 decimals) into the Shido 28 pool for 1,016 WBNB.
- Finally, the attacker repaid the 40 WBNB flash loan and kept roughly 976 WBNB in profit.
Limiting the flash loan function
Limiting the flash loan function and introducing flash loan fees are common ways to reduce the risk of flash-loan-driven manipulation.
- Limit the flash loan function: constrain the loan, for example with a minimum and maximum loan amount or a cooldown between loans from the same borrower. This reduces the room an attacker has to use flash loans from this lender.
- Introduce a flash loan fee: charge borrowers a percentage of the amount borrowed. This raises the cost of an attack, so the attacker bears higher risk and expense when using flash loans.
A lender contract implementing these measures restricts each loan with a minimum amount, a maximum amount and a time restriction, and calculates and collects a percentage fee before the flash loan executes.
Note that flash loans are offered by many lenders, so limits on one protocol's own lender do not stop an attacker borrowing elsewhere; they are friction, not a fix. The durable defense is to make the protocol's price-sensitive logic (in the Shido case, the lock-and-claim conversion) safe regardless of how much capital a caller controls within one transaction.
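As an added example (not code from the original article or from Shido), the following lender enforces those measures in one place: a minimum and maximum loan size, a per-borrower cooldown measured in blocks, a basis-point fee charged on every loan, and a balance check that the principal plus fee actually came back. The borrower callback follows the ERC-3156 convention; the parameter values, error names and the omission of the rest of that standard are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the article's own code. Limits and fee rate are assumptions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Borrower callback, ERC-3156 style: must return the magic value on success.
interface IERC3156FlashBorrower {
    function onFlashLoan(address initiator, address token, uint256 amount, uint256 fee, bytes calldata data)
        external returns (bytes32);
}

contract LimitedFlashLender {
    bytes32 internal constant CALLBACK_SUCCESS = keccak256("ERC3156FlashBorrower.onFlashLoan");

    IERC20  public immutable token;
    uint256 public immutable minLoan;        // reject dust loans that only probe the system
    uint256 public immutable maxLoan;        // hard cap per loan, independent of pool size
    uint256 public immutable feeBps;         // fee in basis points, e.g. 9 = 0.09%
    uint256 public immutable cooldownBlocks; // blocks a borrower must wait between loans

    mapping(address => uint256) public lastLoanBlock;
    bool private locked; // reentrancy guard: one flash loan in flight at a time

    error AmountOutOfRange(uint256 amount);
    error Cooldown(uint256 untilBlock);
    error CallbackFailed();
    error NotRepaid(uint256 expected, uint256 actual);
    error Reentrancy();

    constructor(IERC20 _token, uint256 _minLoan, uint256 _maxLoan, uint256 _feeBps, uint256 _cooldownBlocks) {
        token = _token;
        minLoan = _minLoan;
        maxLoan = _maxLoan;
        feeBps = _feeBps;
        cooldownBlocks = _cooldownBlocks;
    }

    // Fee rounded up so that every loan, however small, pays something.
    function flashFee(uint256 amount) public view returns (uint256) {
        return (amount * feeBps + 9_999) / 10_000;
    }

    function flashLoan(IERC3156FlashBorrower receiver, uint256 amount, bytes calldata data)
        external returns (bool)
    {
        if (locked) revert Reentrancy();
        locked = true;

        // 1. Size limits.
        if (amount < minLoan || amount > maxLoan) revert AmountOutOfRange(amount);

        // 2. Time restriction: a borrower cannot chain loans in consecutive blocks.
        uint256 nextAllowed = lastLoanBlock[msg.sender] + cooldownBlocks;
        if (lastLoanBlock[msg.sender] != 0 && block.number < nextAllowed) revert Cooldown(nextAllowed);
        lastLoanBlock[msg.sender] = block.number;

        // 3. Fee is computed before the funds leave.
        uint256 fee = flashFee(amount);
        uint256 balanceBefore = token.balanceOf(address(this));

        require(token.transfer(address(receiver), amount), "transfer failed");
        if (receiver.onFlashLoan(msg.sender, address(token), amount, fee, data) != CALLBACK_SUCCESS) {
            revert CallbackFailed();
        }
        // The borrower must have approved this lender for amount + fee.
        require(token.transferFrom(address(receiver), address(this), amount + fee), "repay failed");

        // 4. Verify by balance, not by trusting the transfer return values alone.
        uint256 balanceAfter = token.balanceOf(address(this));
        if (balanceAfter < balanceBefore + fee) revert NotRepaid(balanceBefore + fee, balanceAfter);

        locked = false;
        return true;
    }
}
```

The balance check at the end is the part worth copying even if the limits are dropped: it makes repayment a property the lender verifies itself rather than something inferred from a callback's return value.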
1.2 Sandwich attack
A sandwich attack is an attack on decentralized exchanges (DEXs) that exploits the public ordering of pending transactions. The attacker places one transaction immediately before and one immediately after a target transaction, so that the target executes at a price the attacker has moved, and profits from the price difference.
Curve Finance sandwich attack incident
On August 2, 2023, a sandwich attack against Curve Finance's UnderlyingBurner was carried out (the incident was documented by Hypernative Systems). The attacker wrapped the burner's liquidity deposit between its own liquidity removal and liquidity addition, earning 36.8K USDT.
Attack tx:
https://explorer.phlcon.xyz/tx/eth/0xd4933393952049644C531309dd4134bf3DB1E6F0B68B016EE0BFFFDE
How does the attacker carry out the sandwich attack?
- The attacker takes large flash loans from several sources, in wstETH, WETH and USDT.
- The attacker adds 155,000,000 USDT of liquidity to 3pool and receives 3CRV LP tokens. 3CRV is the LP token of Curve's Tripool (the DAI/USDC/USDT liquidity pool), the pool exploited in this attack.
- The attacker removes (almost all of) the DAI and USDC liquidity from the pool, burning 3CRV LP tokens. The pool is now almost entirely USDT, which temporarily makes USDT much cheaper than DAI and USDC within the pool.
- The attacker calls the UnderlyingBurner contract's execute() function, which adds the burner's holdings to the Curve DAI/USDC/USDT pool. UnderlyingBurner holds mostly USDT, and the amounts it added were DAI : USDC : USDT = 100,000 : 100,000 : 227,079,039,776. This makes the pool even more unbalanced: the share of USDT is higher still, and its value in the pool lower.
- The attacker adds the DAI and USDC it holds to the Curve DAI/USDC/USDT pool at a premium, which means receiving more 3CRV LP tokens than a balanced deposit would yield.
- The attacker burns its 3CRV LP tokens and withdraws USDT liquidity.
- The attacker repays the flash loans and keeps 36.8K USDT in profit.
In this sequence the sandwiched transaction is the burner's deposit: execute() is callable by anyone and deposits the burner's USDT at whatever exchange rate the pool currently offers, with no check on how unbalanced the pool is. The front-running transaction is the attacker's removal of a large amount of DAI and USDC from the pool (burning 3CRV), which leaves the pool heavily skewed towards USDT so that USDT is valued low. The back-running transactions are the attacker's own liquidity addition and withdrawal: it adds DAI and USDC into the skewed pool at a premium to receive a larger number of 3CRV LP tokens, then withdraws USDT.
In this way the attacker sandwiches the burner's deposit between its own two operations, buying USDT liquidity cheaply and selling it back at a high price.
Restricting the transaction sequence
Preventing sandwich attacks in code can involve fairly complex contract and trading logic. The following is a simplified description of how restricting the order of transactions and introducing a transaction delay can be used against sandwich attacks.
Assume a smart contract SandwichAttackPrevent manages users' balances and trade operations. To resist sandwich attacks it introduces two defensive mechanisms.
First, in the allowTransaction function only the contract owner can set isTransactionAllowed to true to permit users to execute a trade. This keeps trades executing in the intended order and denies an attacker the chance to slot a malicious transaction between two others.
Second, the executeTransaction function introduces a transaction delay: a user can execute a trade only once the current block time exceeds the configured delay. This gives other users time to trade and lets the price update, reducing the attacker's opportunity to exploit a price difference.
An owner-gated switch and a delay are coarse tools, and they do nothing for an ordinary DEX swap that any user may submit. In practice the standard mitigations are a caller-supplied minimum output amount (amountOutMin) and a short deadline on every swap, submitting sensitive transactions through a private relay rather than the public mempool, and, for permissionless keeper functions such as Curve's burner, bounding the pool state (for example the balance ratio) before executing or rate-limiting how much can be moved per call.
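As an added example, not code from the original article or from Curve, the following wrapper around a Uniswap-V2-style router shows the swap pattern a sandwich relies on next to a bounded one. IUniswapV2Router02.swapExactTokensForTokens carries the real router signature; IPriceReference is a hypothetical interface for an independent price source, and MAX_DEVIATION_BPS is an assumed threshold.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the article's own code. IPriceReference and the 1% bound are assumptions.
interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IUniswapV2Router02 {
    function swapExactTokensForTokens(
        uint amountIn, uint amountOutMin, address[] calldata path, address to, uint deadline
    ) external returns (uint[] memory amounts);
}

// Hypothetical: price of one unit of `base` in `quote`, scaled by 1e18.
interface IPriceReference {
    function price(address base, address quote) external view returns (uint256);
}

contract BoundedSwapper {
    IUniswapV2Router02 public immutable router;
    IPriceReference public immutable reference;
    uint256 public constant MAX_DEVIATION_BPS = 100; // accept at most 1% worse than the reference

    error Expired(uint256 deadline);
    error OutputBelowReference(uint256 got, uint256 floor);

    constructor(IUniswapV2Router02 _router, IPriceReference _reference) {
        router = _router;
        reference = _reference;
    }

    // VULNERABLE pattern: amountOutMin = 0 and a far-future deadline. A front-runner
    // can push the pool price as far as it likes before this executes and unwind
    // behind it; the swap still succeeds at whatever price it finds.
    function swapUnprotected(uint256 amountIn, address[] calldata path) external returns (uint256) {
        _pull(path[0], amountIn);
        uint[] memory amounts = router.swapExactTokensForTokens(
            amountIn, 0, path, msg.sender, type(uint256).max
        );
        return amounts[amounts.length - 1];
    }

    // HARDENED pattern: a minimum output computed off-chain before submission, a
    // short deadline, and an on-chain bound against an independent reference price.
    // The call is atomic, so a revert here also undoes the swap itself.
    function swapBounded(
        uint256 amountIn, uint256 amountOutMin, address[] calldata path, uint256 deadline
    ) external returns (uint256 amountOut) {
        if (block.timestamp > deadline) revert Expired(deadline);
        _pull(path[0], amountIn);
        uint[] memory amounts = router.swapExactTokensForTokens(
            amountIn, amountOutMin, path, msg.sender, deadline
        );
        amountOut = amounts[amounts.length - 1];

        // Both tokens are assumed to use 18 decimals to keep the arithmetic short.
        uint256 refOut = amountIn * reference.price(path[0], path[path.length - 1]) / 1e18;
        uint256 floor = refOut * (10_000 - MAX_DEVIATION_BPS) / 10_000;
        if (amountOut < floor) revert OutputBelowReference(amountOut, floor);
    }

    function _pull(address tokenIn, uint256 amountIn) internal {
        require(IERC20(tokenIn).transferFrom(msg.sender, address(this), amountIn), "pull failed");
        require(IERC20(tokenIn).approve(address(router), amountIn), "approve failed");
    }
}
```

Two details decide whether this works. amountOutMin has to be computed from a quote taken when the user signs, not from an on-chain quote at execution time, because by then the quote already reflects the front-run. And the reference price must come from somewhere the sandwicher cannot move in the same transaction (a multi-source oracle of the kind discussed in 1.3), never from the spot price of the pool being traded.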
1.3 Oracle attack
A price oracle is a data source that supplies real-time price information for cryptocurrencies. This information is essential to the normal operation of many DeFi protocols. An oracle attack is one in which the attacker artificially alters the data the oracle provides, in order to profit from trades executed at the manipulated price.
Rodeo Finance oracle attack incident
Rodeo Finance is a DeFi platform on Arbitrum that relied on its own TWAP price oracle. On July 11, 2023, manipulation of that price oracle allowed a hacker to steal about 472 ETH (about 888,000 US dollars) from the Rodeo protocol.
Attack tx:
https://explorer.phlcon.xyz/tx/arbitrum/0xb1be5dee3852C818AF7428DEF285B497FFC2eda0d893a09FB25A
How was the price oracle manipulated?
The key to the Rodeo Finance attack is the Rodeo TWAP Oracle, which tracks the price ratio between ETH and unshETH.
- Analysis of the attack transaction: the attack began with a carefully planned transaction. The attacker drew on a detailed understanding of weaknesses in the platform's architecture and in its time-weighted average price (TWAP) calculation.
- Manipulating the TWAP oracle: the attacker could call the earn function through an unconfigured strategy address and force a swap of USDC into unshETH. This effectively bypassed the slippage control, which relied on the flawed unshETH price oracle. In essence, the earn function force-swapped USDC to WETH and then WETH to unshETH.
- Calculating the TWAP price: the TWAP was the average of the last four price updates, taken at 45-minute intervals. The flawed oracle nevertheless returned a manipulated price, leading the contract to believe the position was healthy.
- Opening a leveraged position: after manipulating the TWAP oracle by sandwiching it, the attacker used the earn function of an investor contract to open a leveraged position, borrowing USDC worth $400,000.
- Swapping assets: the attacker swapped the borrowed assets in the underlying Camelot DEX pool and sold the pre-acquired unshETH back into the pool.
- Bypassing verification: contracts normally verify that an operation is valid, but because the attacker controlled the strategy this check was easily bypassed. The attacker could thus use the pre-acquired unshETH and the manipulated position to drain liquidity from the platform.
- Moving the funds: the attacker bridged the stolen funds from Arbitrum to Ethereum, converted 285 ETH into unshETH and bridged it back to Arbitrum to continue the attack. 150 ETH of the stolen funds were later sent to Tornado Cash, a privacy-focused Ethereum mixing service. The remaining 371.2 ETH (about $701,679) is still held by the attacker.
One of the main weaknesses behind this attack is the design of the Rodeo TWAP Oracle: it depends on the reserves of the WETH/unshETH pair, and because that pair has low liquidity its price can be moved a long way with relatively little capital. A TWAP only smooths the price over its window; when the window is short, the number of samples is small and the pool is thin, an attacker who can afford to hold the pool price away from market for a few updates moves the average along with it.
Calculate the price from multiple oracles
To make price queries reliable, a robust oracle should compute the price from multiple oracles or aggregated price feeds rather than relying solely on a single token pair's exchange rate. Particularly where the liquidity pool is thin, this diversity of price sources improves the accuracy of the price data and makes it much harder for an attacker to manipulate.
One way to achieve this is to use a decentralized oracle such as Chainlink. Chainlink oracles collect data from many sources and verify and confirm its accuracy on-chain. Drawing on multiple data sources reduces the chance of a single point of failure and makes the data harder for an attacker to manipulate.
The example code in this section reads price data through Chainlink aggregator contracts. It uses an array of AggregatorV3Interface instances to hold several oracles; the constructor accepts an array of oracle addresses and wraps each one as an AggregatorV3Interface object.
The getLatestPrice function fetches the latest price from each data source: it iterates over the priceFeeds array, calls each oracle's latestRoundData function, collects every answer into an int array and returns that array to the caller.
In this way price data from multiple sources is obtained and the price query reflects the asset's real price more accurately. Returning the raw array leaves the most important step to the caller, though: a practitioner should also discard answers that are stale (compare updatedAt with the current block time) or non-positive, normalize each feed's decimals, and combine the remainder with a median rather than a mean, so that one bad feed cannot drag the result.
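As an added example that goes a step beyond the approach described above (it is not the article's own code), the contract below reads several Chainlink feeds for the same asset through the real AggregatorV3Interface, drops stale, incomplete or non-positive answers, normalizes decimals, and returns the median only when a majority of feeds are fresh and they agree within a bound. The staleness window, the spread threshold and the contract name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the article's own code. maxAge and maxSpreadBps are assumed thresholds.
// AggregatorV3Interface matches the Chainlink interface actually deployed on-chain.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract MedianPriceOracle {
    AggregatorV3Interface[] public feeds;
    uint256 public immutable maxAge;        // seconds; older answers are ignored
    uint256 public immutable maxSpreadBps;  // reject if (highest - lowest) / median exceeds this
    uint256 public constant TARGET_DECIMALS = 18;

    error NotEnoughFreshFeeds(uint256 fresh);
    error FeedsDisagree(uint256 low, uint256 high);

    constructor(AggregatorV3Interface[] memory _feeds, uint256 _maxAge, uint256 _maxSpreadBps) {
        require(_feeds.length >= 3, "need at least three feeds");
        feeds = _feeds;
        maxAge = _maxAge;
        maxSpreadBps = _maxSpreadBps;
    }

    function getPrice() external view returns (uint256 median) {
        uint256 n = feeds.length;
        uint256[] memory prices = new uint256[](n);
        uint256 fresh = 0;

        for (uint256 i = 0; i < n; i++) {
            (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
                feeds[i].latestRoundData();
            if (answer <= 0) continue;                                   // invalid answer
            if (updatedAt == 0 || block.timestamp - updatedAt > maxAge) continue; // stale
            if (answeredInRound < roundId) continue;                     // round not complete
            prices[fresh++] = _scale(uint256(answer), feeds[i].decimals());
        }

        // A majority of feeds, and never fewer than three, must be usable.
        if (fresh < 3 || fresh * 2 <= n) revert NotEnoughFreshFeeds(fresh);

        _insertionSort(prices, fresh);
        median = fresh % 2 == 1
            ? prices[fresh / 2]
            : (prices[fresh / 2 - 1] + prices[fresh / 2]) / 2;

        // Even a median is suspect if the sources disagree wildly.
        uint256 spread = (prices[fresh - 1] - prices[0]) * 10_000 / median;
        if (spread > maxSpreadBps) revert FeedsDisagree(prices[0], prices[fresh - 1]);
    }

    // Bring every feed to TARGET_DECIMALS so answers are comparable.
    function _scale(uint256 answer, uint8 dec) internal pure returns (uint256) {
        if (dec == TARGET_DECIMALS) return answer;
        if (dec < TARGET_DECIMALS) return answer * 10 ** (TARGET_DECIMALS - dec);
        return answer / 10 ** (dec - TARGET_DECIMALS);
    }

    // The feed count is small, so a simple in-memory insertion sort is fine.
    function _insertionSort(uint256[] memory a, uint256 len) internal pure {
        for (uint256 i = 1; i < len; i++) {
            uint256 key = a[i];
            uint256 j = i;
            while (j > 0 && a[j - 1] > key) {
                a[j] = a[j - 1];
                j--;
            }
            a[j] = key;
        }
    }
}
```

The median only helps when the sources are genuinely independent; three "feeds" that all read the same thin WETH/unshETH pair would have been manipulated together in the Rodeo case. Reverting on disagreement is deliberate: a protocol that cannot price an asset should refuse to open or liquidate positions rather than guess.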
2. Smart contract vulnerability risk
Smart contract vulnerabilities are security flaws or errors in code deployed on Ethereum or other smart contract platforms. The core of DeFi is a set of financial protocols built on smart contracts, so a vulnerability in a contract can lead to loss of user funds, market manipulation or other malicious behaviour.
Identifying these vulnerabilities is essential. Our audits cover a wide range of potential issues, including but not limited to reentrancy vulnerabilities, access control vulnerabilities, integer overflow vulnerabilities and business logic vulnerabilities. Our comprehensive audit service aims to strengthen the security of your smart contracts and protect against the impact of these risks.
Below we use an access control vulnerability as an example of the impact a smart contract vulnerability has on DeFi.
LeetSwap access control vulnerability
LeetSwap suffered an attack with losses exceeding 340 ETH. The root cause was an access control vulnerability in the LeetSwap V2 Pair contract.
Attack tx:
https://dashboard.tenderly.co/tx/base/0xbb837d417b76dd237B441695a50941C4dee561ea57D982B9F10EC
Vulnerable Contract:
https://baseScan.org/address/0x94dac4a3ce998143AA119C05460731DA80AD90CFF
The attacker calls the _transferFeesSupportingTaxTokens function to manipulate the pool. The attack proceeds as follows:
- Swap WETH for another token, A.
- Call _transferFeesSupportingTaxTokens to transfer token A out of the pair, then call sync so that the pair's reserves are recomputed from its now reduced token A balance, which raises the price of token A.
- Swap token A back for a much larger amount of WETH, draining the pool.
Solution
To fix the access control vulnerability in _transferFeesSupportingTaxTokens, the function's visibility should be changed to private or internal. A function declared private can only be called by other functions inside the same contract. A function declared internal can additionally be called by contracts that inherit from it: a contract inheriting LeetSwap V2 Pair can still reach _transferFeesSupportingTaxTokens through the super keyword. External callers can no longer invoke the function directly, which closes the hole.
Which visibility to use must be decided from the contract's actual logic and requirements, so that the fix improves security without breaking the contract's normal operation. A quick check worth running on any pair contract: list every public or external function and confirm that each one that moves tokens out of the pair, or changes reserves, is meant to be callable by arbitrary addresses; helpers whose names begin with an underscore almost never are.
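As an added example, not the LeetSwap code, the following stripped-down constant-product pair shows the vulnerable fee helper next to the fixed one, so the transfer-then-sync sequence described above can be read against concrete code. The contract names, the pull-based swap and the 0.3% fee rate are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the LeetSwap code. Names and fee rate are assumptions.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

abstract contract PairBase {
    IERC20 public immutable token0;
    IERC20 public immutable token1;
    address public immutable feeTo;
    uint256 public reserve0;
    uint256 public reserve1;

    constructor(IERC20 _token0, IERC20 _token1, address _feeTo) {
        token0 = _token0;
        token1 = _token1;
        feeTo = _feeTo;
    }

    // Reserves are rebuilt from live balances. Anything that moves tokens out of
    // the pair before a sync therefore shifts the quoted price.
    function sync() public {
        reserve0 = token0.balanceOf(address(this));
        reserve1 = token1.balanceOf(address(this));
    }

    // Plain x*y=k output; the protocol fee is handled separately in swap().
    function getAmountOut(uint256 amountIn, uint256 rIn, uint256 rOut) public pure returns (uint256) {
        return amountIn * rOut / (rIn + amountIn);
    }
}

contract VulnerablePair is PairBase {
    constructor(IERC20 a, IERC20 b, address f) PairBase(a, b, f) {}

    // BUG: public. Any caller can push token0 out of the pair as "fees", then
    // call sync(): reserve0 shrinks, token0 looks scarce, and a swap of token0
    // for token1 is paid out at the inflated price.
    function _transferFeesSupportingTaxTokens(IERC20 token, uint256 amount) public {
        require(token.transfer(feeTo, amount), "fee transfer failed");
    }
}

contract FixedPair is PairBase {
    constructor(IERC20 a, IERC20 b, address f) PairBase(a, b, f) {}

    // FIX: internal. Only this contract and contracts inheriting from it (via
    // super) can move fees, and the only caller is the swap path below, which
    // re-syncs reserves in the same call so no shifted price is left behind.
    function _transferFeesSupportingTaxTokens(IERC20 token, uint256 amount) internal {
        require(token.transfer(feeTo, amount), "fee transfer failed");
    }

    // Pull-based accounting as in Uniswap V2: the caller transfers amount0In to
    // the pair first, then calls swap().
    function swap(uint256 amount0In, uint256 minAmount1Out, address to) external {
        uint256 received = token0.balanceOf(address(this)) - reserve0;
        require(received >= amount0In, "input not received");
        uint256 fee = amount0In * 3 / 1000; // 0.3% protocol fee in token0, assumed rate
        uint256 amountOut = getAmountOut(amount0In - fee, reserve0, reserve1);
        require(amountOut >= minAmount1Out, "slippage");
        _transferFeesSupportingTaxTokens(token0, fee);
        require(token1.transfer(to, amountOut), "output transfer failed");
        sync();
    }
}
```

The visibility change is necessary but the second half of the fix matters as much: the fee transfer and the reserve update happen in one call, so there is no intermediate state in which balances and reserves disagree and a caller can act on the difference.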
Smart contract auditing is an important step in identifying and preventing vulnerabilities. At SALUS, our team of experienced smart contract developers and audit experts can help you strengthen the security of your contracts. Our expertise lets us pinpoint potential weaknesses and ensure the safety and reliability of your project.
3. User operation risk
In DeFi, user operation risk refers to the risk of losing funds through the user's own mistakes, lack of security awareness or careless behaviour when using a DeFi platform. Some common user operation risks:
- Clicking malicious links: a user may click a malicious link by mistake and infect their device with malware. The attacker can use that malware to obtain the user's sensitive information or take control of their wallet.
- Using insecure wallets: if a user chooses an insecure wallet application or hardware wallet, an attacker may exploit its weaknesses to steal the user's private key or operating authority.
- Leaking the private key: if a user exposes the private key in an untrusted environment or stores it somewhere insecure, an attacker can easily obtain it and take control of the funds.
- Careless transaction operations: if a user does not carefully check the transaction details (the destination address, the amount and so on) when making a transaction, funds may be sent to the wrong address or in the wrong amount.
To reduce user operation risk, we suggest the following:
- Raise security awareness: understand common phishing, malware and fraud techniques and learn to recognize and avoid them. Stay alert and check every link and application related to DeFi.
- Use a secure wallet: choose wallet applications or hardware wallets that have been security audited and have a good reputation. Keep the wallet application and firmware up to date and follow security best practices.
- Back up and protect the private key: keep the private key in a safe place and encrypt it with a strong password. Back it up regularly and store the backup offline in a secure location to guard against accidental data loss.
- Check transaction details carefully: before any transaction, verify that the destination address and amount are correct. A second check avoids losses caused by a momentary lapse. Where the transaction is a contract interaction, also check the token approval being requested: an unlimited approval granted to an unknown contract can drain the whole balance later, not just the amount being spent now.
4. Summary
Please note that the mitigation given for each attack and vulnerability above is only a simple example; none of them completely prevents the corresponding attack or fully repairs the corresponding vulnerability. If you are interested in a smart contract audit, please contact us. We will work with you to provide professional audit services that ensure your contracts are safe and reliable. We are committed to providing high-quality services and comprehensive technical support so that your smart contracts run in a secure and reliable environment.