Questions raised about DeFi insurance following Cover Protocol exploit
OKEx Insights' DeFi Digest is a weekly examination of the decentralized finance industry.
DeFi market snapshot
Coinciding with BTC's push above $30,000, the total value locked in the DeFi market rose slightly this week, reaching $14.36 billion. At the same time, the total borrowing volume in the DeFi lending sphere rose by 4% as Compound maintained its market dominance in this sector with a 52% share. The weekly average trading volume of decentralized exchanges, meanwhile, dropped by 3% — with Uniswap still remaining dominant.
Cover Protocol exploited for $4.4 million
Following the hack of Nexus Mutual's founder's wallet in early December, the decentralized insurance market suffered another blow this week as Cover Protocol found itself exploited by hackers — losing $4.4 million on Dec. 28.
Cover Protocol is a peer-to-peer insurance coverage market that allows for the trading of insurance coverages on decentralized exchanges, such as Balancer and Uniswap. As revealed by yearn.finance core developer "banteg," the attacker cashed out roughly 1,400 ETH, 1 million DAI and 90 WBTC — a total of approximately $4.4 million. Following the attack, the price of COVER plummeted by over 70% to a low of 254 USDT.
Not a flash-loan attack
While DeFi protocols suffered from flash-loan attacks frequently in 2020, Sorawit Suriyakarn of Band Protocol believed that the attack on Cover Protocol did not involve flash loans. Instead, hackers performed the following steps to exploit the DeFi insurance protocol:
- Hacker deposits liquidity pool tokens to Blacksmith, the shield mining contract for Cover Protocol.
- Hacker withdraws almost all LP tokens to inflate "accRewardsPerToken" — meaning they inflate the accumulated rewards for each COVER token.
- Hacker deposits the LP tokens again.
- Hacker claims COVER rewards and tricks the contract into minting quintillions of tokens.
The attack looked to exploit the vulnerabilities in the reward and minting functions of Cover Protocol's smart contracts. Shortly after the incident, the Cover Protocol team advised users to withdraw liquidity from the COVER/ETH pool on SushiSwap and refrain from buying COVER tokens.
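The four steps above can be reproduced in a small accounting model. This is an added example, not Cover Protocol's code: `Pool`, `run`, `CAL` and the emission rate are hypothetical, and it assumes the flaw is a deposit path that records the miner's reward write-off from an accumulator value read before the pool update, a detail the steps above do not spell out. It runs the same sequence against that variant and a corrected one, and checks the invariant that minted rewards never exceed emitted rewards.

```python
CAL = 10**12  # fixed-point scale for accRewardsPerToken (assumed value)

class Pool:
    """Constructed model of a staking pool; not the Blacksmith source."""
    def __init__(self, rate, stale_writeoff):
        self.rate, self.stale = rate, stale_writeoff
        self.acc = self.total = self.last = 0   # acc = accRewardsPerToken * CAL
        self.emitted = self.minted = 0          # scheduled vs. actually paid out
        self.miners = {}                        # addr -> [amount, rewardWriteoff]

    def _update(self, now):
        if self.total:
            due = (now - self.last) * self.rate
            self.acc += due * CAL // self.total  # tiny total => huge jump
            self.emitted += due
        self.last = now

    def _settle(self, who, delta, now, writeoff_acc=None):
        self._update(now)
        m = self.miners.setdefault(who, [0, 0])
        self.minted += m[0] * self.acc // CAL - m[1]  # pay pending rewards
        m[0] += delta
        self.total += delta
        acc = self.acc if writeoff_acc is None else writeoff_acc
        m[1] = m[0] * acc // CAL                 # rewards already accounted for

    def deposit(self, who, amount, now):
        cached = self.acc            # value read before the pool update
        self._settle(who, amount, now, cached if self.stale else None)

    def withdraw(self, who, amount, now):
        self._settle(who, -amount, now)

    def claim(self, who, now):
        self._settle(who, 0, now)

def run(stale):
    """Replay the four steps; return (minted, emitted, invariant_holds)."""
    p = Pool(rate=100, stale_writeoff=stale)
    p.deposit("a", 10**6, now=0)
    p.withdraw("a", 10**6 - 1, now=10)  # one LP token left in the pool
    p.deposit("a", 10**6, now=20)       # update divides by total == 1
    p.claim("a", now=21)
    return p.minted, p.emitted, p.minted <= p.emitted

if __name__ == "__main__":
    print("stale write-off:", run(True))
    print("fresh write-off:", run(False))
```

With the fresh write-off the miner receives exactly what the schedule emitted; with the stale one the final claim pays out the inflated accumulator against the full new deposit. The `minted <= emitted` comparison is the kind of property test that flags this class of bug before deployment.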
Grap.finance took responsibility for the Cover Protocol exploit on Dec. 28, claiming the obtained funds in the liquidity pool had been returned to Cover Protocol. The Cover Protocol team acknowledged that 4,351 ETH were returned. The team also released a compensation plan that involves distributing a new token. Users' compensation will be based on a snapshot of their balances taken before the hack.
Audited smart contracts are not immune to attacks
With the increasingly sophisticated techniques being utilized by hackers, smart contracts are not immune to hacks — even if they have been "audited." In October, Cover Protocol announced PeckShield Inc. as the auditor of its smart contract. However, PeckShield stated that it had not audited the contract involved in the exploit.
On the other hand, Arcadia Group performed an audit of the Blacksmith contract in Cover Protocol in early December. However, the group did not spot any vulnerabilities regarding the "amplifier" that allows extra rewards to be minted.
Decentralized insurance has not fulfilled its potential yet
With frequent flash-loan attacks occurring in the DeFi space in the second half of 2020, the concept of decentralized insurance emerged and was meant to protect investors from faulty code in DeFi protocols. Recently, Polkadot-based DeFi insurance app Tidal Finance raised $1.95 million from European investors, such as KR1.
Despite the growing interest in decentralized insurance solutions, however, the hack of Cover Protocol led to a number of concerns from the crypto community:
- How are investors compensated for the loss incurred by decentralized insurance platforms?
- How can decentralized insurance platforms, themselves, be insured against losses?
- How are decentralized insurers safe from security loopholes in audited smart contracts?
While decentralized insurance is able to mitigate counterparty risks, it incurs the security risks of smart contracts — which do not exist in centralized insurance solutions. Moreover, it is difficult to take legal action against hackers, as they are usually very difficult to trace.