Growing pains? DeFi exploits plunder BSC, which calls for reinforcements
Several decentralized finance (DeFi) protocols running on Binance Smart Chain (BSC) have fallen victim to major exploits in recent months as the sector continues to see substantial growth in 2021.
Binance’s very own smart contract blockchain platform has seen a surge in demand since its launch in September 2021, due to its low fees and high throughput. This has allowed the Binance Smart Chain to appropriate a percentage of the DeFi market as platforms looked for an alternative to Ethereum’s high gas fees.
While Ethereum still commands the lion’s share of the DeFi network’s transaction volume due to the number of major platforms running on its blockchain, BSC is an attractive alternative that has enjoyed real success, spurred on by its interoperability with the larger Binance ecosystem.
Given that Binance is the largest cryptocurrency exchange by volume in the world, its ecosystem drives a significant amount of cryptocurrency transactions and trading. Nascent DeFi platforms running on BSC have attracted large user bases, but an unfortunate consequence has been the prevalence of nefarious individuals exploiting smart contract flaws.
The result has seen millions of dollars fleeced through these exploits. BurgerSwap saw a combined $7.2 million worth of various cryptocurrency tokens drained from its liquidity pools in May. Attackers also managed to net around $6 million in profit through a flash loan attack on Belt Finance in May as well. PancakeBunny saw $200 million worth of various tokens stolen through another flash loan exploit in the same month.
Cream Finance, bEarn, Bogged Finance, Uranium Finance, Meerkat Finance, SafeMoon and Spartan Protocol have also suffered exploits on BSC in recent months, highlighting the scale of attacks across the ecosystem.
The recent spate of exploits of some significant BSC-based DeFi platforms has prompted Binance to directly address questions regarding the security of BSC in recent times. Moreover, Binance moved to secure help from blockchain intelligence firm CipherTrace with hopes to rectify the situation.
Cointelegraph also reached out to Binance for additional comment regarding the hacks but did not receive a reply at the time of publishing.
External and internal threats
The reality of the situation is that judging by the rising amount of total value locked in the platforms, it seems that people enjoy using Binance Smart Chain. Since it’s a public blockchain, however, the decentralized, permissionless nature leaves the door open for exploits.
BSC differs slightly from other public blockchains like Ethereum in that it employs a proof-of-stake consensus algorithm and relies on 21 main elected validators to maintain the network. This also allows BSC to prevent individual validators from gaining significant control and potentially making changes to transactions or the blockchain.
In this sense, the blockchain itself is secure, and there is no risk of a 51% attack or exploits of that nature, where most of the network gets taken over and exploited. However, platforms and smart contracts deployed on BSC can fall prey to what Binance describes as external threats.
An external threat could include any type of exploit of technical or operational vulnerabilities of platforms and projects built or deployed on BSC. Meanwhile, internal threats would include rug pulls, exit scams and insider theft or hacks.
As Binance highlighted in its recent blog post addressing exploits of BSC-based DeFi platforms, auditing every DeFi project and decentralized application that is launched on BSC is a serious undertaking and realistically cannot be carried for every single project running on the chain:
“Not every project on BSC is open-source, and even then, being open-source doesn’t automatically mean secure. Then there’s the security of smart contracts and no zero-defect codes, and as each project is developed by an independent team, there’s always a chance of defects.”
Binance also noted that it does not enforce any “reviewal process or centralized governance” to prevent malicious projects from launching on BSC. This is described as “not technically or logistically possible,” while the exchange notes that it would also constitute a form of censorship that would essentially threaten the decentralization of its ecosystem.
Nevertheless, BSC does work with a couple of third-party firms that carry out verification and audits of various projects and tokens running on its blockchain. This does have its limitations as well, as Binance highlighted: “These audits are not mandatory and they rarely cover new or emerging DApps. When looking for a genuine project, it’s recommended to avoid uncertified projects and always prefer projects with multiple audits from different companies.”
CipherTrace to the rescue
In an effort to address the uptick of exploits of DeFi platforms running on BSC, Binance has also tapped into the services of CipherTrace. The support will aim to identify higher-risk financial transactions on BSC and more than 600 decentralized applications running on the platform.
Cointelegraph reached out to CipherTrace to unpack the extent of its analytics services to BSC and what this will entail. CipherTrace CEO Dave Jevans stated that the company’s monitoring services would offer BSC similar insights to those provided to other clients, projects and platforms:
“Our compliance monitoring tools provide functionality to identify proceeds of crypto crimes and rug pulls for financial institutions, cryptocurrency companies and law enforcement. Monitoring for all chains, including BSC, provides similar outcomes — identifying illicit sources of funds to prevent bad actors from offramping their ill-gotten gains.”
CipherTrace has been extensively involved in cryptocurrency and blockchain analytics, having traced cryptocurrency that has been stolen from exchanges, as well as transactions from dark web marketplaces. Jevans expressed some insights as to why BSC has been the biggest target of DeFi exploits in 2021. He believes that due to the high fees on Ethereum, “BSC makes for an attractive alternative.” However, he added: “The more DApps that are built on BSC, the more exploits we will see take place.”
Jevans also added that the prevalence of exploits targeting BSC-based DeFi platforms is a direct result of the novelty of BSC and the number of unaudited smart contracts deployed by the projects:
“Bad actors flock to new projects that haven’t performed adequate smart contract audits. Especially in the current climate, hackers are examining every single DeFi protocol to see what exploits they can find.”
Interestingly, Jevans also noted a difference in carrying out blockchain analytics on Binance Smart Chain in comparison to other blockchains, like Ethereum and Bitcoin: “Ethereum and BSC are account-based blockchains, making it more difficult to track the flow of Ether or BSC-based tokens. In contrast, Bitcoin and Zcash are UTXO-based, enabling the tracking of actual Bitcoins or Zcash like is possible with dollars that have serial numbers.”
Step by step?
While the Binance Smart Chain continues on its growth path — all while fending off claims of severe network centralization — as things stand, it may not have the necessary resources or tools to completely safeguard DeFi platforms from suffering exploits while running on BSC. However, the platform is at least taking meaningful steps in helping address the issue.
CipherTrace could become an important cog in the Binance ecosystem thanks to its tracing and analytics tools, and this may well give users some peace of mind when using BSC-based DeFi platforms. Should more exploits occur, at the very least, the analytics firm will supposedly be on-hand to trace stolen funds and identify illicit transfers to and from platforms running on BSC.
From here on out, BSC can move on to finding a possible cure for the route of the illness instead of addressing the aftermath.