Cao Yin: The Lendf Incident Resembles Apollo 13, Paying Tribute to DeFi Explorers

The DeFi protocol is the spacecraft component that propels us into the realm of freedom. The developers of DeFi protocols play the role of spacecraft engineers, and the complexity of DeFi has already exceeded its maturity.

Original Title: "DeFi Review: Houston, We Have a Problem"
By: Cao Yin, Managing Director of the Digital Renaissance Foundation

In the future, if humanity has the opportunity to use various open and free DeFi services, we should thank the DeFi users who have suffered in past hacking incidents, as well as the dedicated and visionary DeFi developers. This exciting journey always begins with the first steps taken by these explorers and builders, and we salute them. This article is dedicated to all DeFi users.

Houston, We Have a Problem

On April 13, 1970, at 21:07, 55 hours and 52 minutes into the Apollo 13 mission to the moon, the ground control center in Houston transmitted a command to the spacecraft, already in space, to turn on the fan and stir the low-temperature oxygen tank.

Subsequently, the astronauts on Apollo 13 turned on the fan of the low-temperature oxygen tank 55 hours, 53 minutes, and 20 seconds after the launch of the spacecraft.

However, just 2.7 seconds later, the spacecraft exploded violently.

The three astronauts on Apollo 13 were dumbfounded. Astronaut Swigert immediately reported to the ground control center and uttered the famous phrase that has been borrowed by countless people:

"Houston, we have a problem."

DeFi's Houston Moment

Fifty years after the explosion of Apollo 13, humanity's exploration into the digital space has reached its own Houston moment. Lendf.Me, one of the most significant DeFi lending protocols in the Eastern Hemisphere, suffered a severe attack today.

The attack exploited a vulnerability that arises when the Lendf.Me protocol is combined with imBTC, a token issued under the ERC777 standard.

imBTC is a BTC token on the Ethereum blockchain introduced by imToken. ERC777 is a token standard built on ERC20: it remains compatible with ERC20 and adds some new features on top of it.

imBTC itself does not have security issues. However, when an ERC777 token is combined with the Lendf.Me contract, a re-entry (reentrancy) attack vulnerability is created.
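The failure mode described above, as a simplified Python model added here for illustration (not Lendf.Me's or imBTC's code; `HookToken`, `Pool` and `scenario` are hypothetical names). It assumes a pool that reads a user's recorded balance, calls the token, then writes the balance back, and shows a reentrancy lock keeping recorded credit within the tokens the pool actually holds.

```python
from contextlib import suppress
# Constructed model: a pool written for plain ERC20 transfers meets a token with a sender hook.
class HookToken:
    def __init__(self):
        self.bal, self.hooks = {}, {}    # hooks: holder -> callback (ERC777-style)
    def transfer_from(self, src, dst, amt):
        if src in self.hooks:
            self.hooks[src]()            # control passes to holder-supplied code
        if self.bal.get(src, 0) < amt:
            raise ValueError("insufficient balance")
        self.bal[src] -= amt
        self.bal[dst] = self.bal.get(dst, 0) + amt

class Pool:
    def __init__(self, token, guarded):
        self.token, self.guarded = token, guarded
        self.credit, self.locked = {}, False
    def _guard(self, fn):
        if self.guarded and self.locked:
            raise RuntimeError("reentrant call rejected")
        self.locked = True
        try:
            return fn()
        finally:
            self.locked = False
    def supply(self, user, amt):
        def body():
            before = self.credit.get(user, 0)            # read state
            self.token.transfer_from(user, "pool", amt)  # external call
            self.credit[user] = before + amt             # write from a stale read
        self._guard(body)
    def withdraw(self, user, amt):
        def body():
            if self.credit.get(user, 0) < amt:
                raise ValueError("insufficient credit")
            self.credit[user] -= amt
            self.token.transfer_from("pool", user, amt)
        self._guard(body)

def scenario(guarded):
    token = HookToken()
    pool = Pool(token, guarded)
    token.bal = {"user": 101, "pool": 0}                  # constructed sample balances
    pool.supply("user", 100)                              # ordinary deposit
    token.hooks["user"] = lambda: pool.withdraw("user", 100)
    with suppress(RuntimeError):                          # guarded pool reverts the call
        pool.supply("user", 1)                            # hook re-enters the pool
    credit, held = pool.credit["user"], token.bal["pool"]
    return credit, held, credit <= held                   # solvency invariant
```

In this model, reading `credit` only after the token call returns also preserves the invariant; the lock is shown because it covers every entry point at once.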

The hacker exploited the vulnerability to repeatedly mint over 6,700 fake imBTC tokens on Lendf, using them as collateral to loot assets on Lendf.Me, and immediately converted the stolen coins into ETH and other tokens through DEX platforms like 1inch.exchange, ParaSwap, Tokenlon, and transferred the remaining stolen funds to lending platforms Compound and Aave.

Lendf's lending balance showed 6,732.91 fake imBTC tokens.

According to the preliminary analysis by the security audit firm PeckShield, the cumulative loss from the attack on Lendf.Me is approximately $24,696,616, with the specific stolen tokens and amounts as follows:

  • WETH: 55,159.02134
  • WBTC: 9.01152
  • CHAI: 77,930.93433
  • HBTC: 320.27714
  • HUSD: 432,162.90569
  • BUSD: 480,787.88767
  • PAX: 587,014.60367
  • TUSD: 459,794.38763
  • USDC: 698,916.40348
  • USDT: 7,180,525.08156
  • USDx: 510,868.16067
  • imBTC: 291.3471

After the attack, the locked assets on Lendf plummeted in value instantly to $6 from over $24.9 million. This attack not only resulted in significant user losses (including myself) but also severely undermined the confidence of DeFi developers and users in DeFi applications.

Following the attack, the global crypto community was filled with panic and anger. Some individuals, particularly those with preconceived biases against DeFi for various reasons, took advantage of the situation to criticize. This includes individuals who have a narrow understanding of DeFi.

Lendf bears its own share of responsibility for the incident, and I do not intend to delve into that here until the investigation results are released. However, the developmental issues within DeFi itself are the more critical causes of such incidents. We must realize that the complexity of DeFi has surpassed its maturity.

Since the DeFi boom in the first half of last year, new assets and protocols in the DeFi world have emerged like mushrooms. I monitor the latest DeFi applications daily via Twitter and media. Over the past three months, I have seen new DeFi applications and assets appearing at a rate of at least two to three per day. The composability between DeFi protocols has exponentially increased the complexity of DeFi, and the interactions between protocols have surpassed simple Lego block combinations.

Further reading: Cao Yin: DeFi will surpass the Lego era and enter the "Emergence" era

However, at the same time, the understanding that DeFi teams and users around the world have of protocol and operational security is still growing linearly, like Lego blocks. Therefore, we have seen more and more security incidents recently, including but not limited to bZx's flash loan attack and MakerDAO's Zero DAI auction.

The re-entry attacks on Uniswap and Lendf's imBTC are just another inevitable result of the mismatch between the growth curve of complexity and maturity. It is similar to the incident of Apollo 13 back then.

NASA's investigation found that many improvements had been made to the command module before the launch of Apollo 13. One of them was to increase the voltage of the heater in the oxygen tank from 28 volts to 65 volts, but the thermal stability switch on the heater was not modified accordingly, and its voltage remained at 28 volts. When it was operational, the thermal stability switch melted, and the tragedy occurred.

How similar this is to the imBTC re-entry attack at Lendf! It is all due to the catastrophic results caused by the incompatibility between new system components and old systems. Lendf was developed based on the open-source Compound protocol, and the developers did not anticipate the emergence of ERC777. The integration of imBTC in ERC777 format with Lendf resulted in an explosion similar to that of Apollo 13's oxygen tank and heater switch, but independently, imBTC and Lendf's code are not problematic.

The time of Apollo 13's launch was a period of great advancement in human space technology. In an era that relied heavily on primitive computer equipment or even manual calculations, the United States exhausted its national strength and spent billions of dollars to develop tens of thousands of space equipment and systems, combining them into the Apollo series spacecraft and the Saturn V rocket that carried the spacecraft. With the technology available at the time, the Apollo program was truly a miracle.

However, even a powerful country like the United States could not avoid catastrophic results caused by the mismatch between the complexity exponential curve and the maturity linear curve, just like the DeFi community, driven mainly by community development forces, cannot avoid the inevitable developmental challenges. How could DeFi exploration, predominantly driven by community forces, avoid the stage of challenges?

Further reading: Cao Yin: The hidden dangers behind the prosperity of DeFi ecology and 2020 outlook

Salute to the Explorers

We should not lose faith in DeFi due to the accidents at Lendf or Maker. After the failure of Apollo 13, NASA did not cancel the Apollo program, and Americans did not stop their pace of space exploration. After deep reflection, NASA launched several successful Apollo missions and later built and launched the even greater International Space Station.

The significance of blockchain and DeFi to humanity is no less than that of space exploration. Space exploration is a revolution of productivity that allows us to leave Earth and fly into space, while blockchain and DeFi are revolutions of production relations that allow us to break free from centralization and take control of our data and financial sovereignty.

DeFi protocols are the components of our spaceship to the free space. DeFi protocol developers play the role of spaceship engineers, and the most important astronauts are the DeFi users. All participants, whether developers or users, play significant roles and deserve respect, regardless of the outcome.

In addition to respect, we must now immediately realize that the development of DeFi has entered a dangerous zone. Developers should set aside various prejudices and self-interests, cooperate, and design and build safer DeFi spaceships, taking responsibility for the users on board.

After the Lendf attack incident, many DeFi developers and exchanges actively stepped in to help Lendf. However, some competitors of Lendf not only refused to provide assistance but also took the opportunity to mock Lendf.

After the Apollo 13 incident, the entire United States was trying to help the three astronauts, and even the United States' enemy, the Soviet Union, actively offered assistance. Compared to the Soviet Union, the behavior of Lendf's competitors is not only unkind but also unwise. In the current DeFi exploration, all global projects, whether they have competitive relationships or not, are essentially on the same spaceship. Even if they do not provide assistance, they should not mock. Ultimately, it harms the confidence of all users in DeFi.

Onlookers who have not used DeFi do not need to mock DeFi developers and users because of the frequent hacker attacks. Without the efforts and sacrifices of DeFi developers and users, where would secure and efficient open financial applications come from? Moreover, many current DeFi users are themselves DeFi developers, and the engineers themselves are on the spaceship.

If in the future our descendants reach places much farther than the moon, they will remember the three astronauts of Apollo 13: James A. Lovell, Jack Swigert, and Fred Haise, as well as the astronauts who sacrificed on the Challenger and Columbia space shuttles.

If in the future, all of humanity, including South America, India, Africa, have the opportunity to use various free and open DeFi services, they should also thank the damaged DeFi users in the past hacking incidents and the tireless DeFi developers who have not forgotten their original intentions. This exciting journey always begins with the first steps taken by these explorers and builders. Salute to them, "Houston, we solved the problem."

This article is reprinted with the authorization of ChainNews. Source: ChainNews (ID: chainnewscom)