DeFi hacks on Binance Smart Chain rise as TVL and volumes increase

While Binance Smart Chain expands its footprint, hacks on DeFi protocols housed on the network increase hand in hand.

Binance Smart Chain, or BSC, was launched in September 2020 as a parallel blockchain to Binance Chain. It enabled the creation of smart contracts and a staking mechanism for the native token of both blockchains, Binance Coin (BNB). 

In its brief nine-month existence, there have been a lot of decentralized finance, or DeFi, projects built on it, but there have been numerous instances of hacks on the blockchain’s protocols as well.

The latest victim in the series of exploits is Spartan Protocol. The liquidity platform for synthetic assets was the subject of an attack that led to a loss of $30 million for the protocol on May 2. According to blockchain security firm PeckShield, the hack allowed the malicious actor(s) to inflate the balance of a particular liquidity pool and burn liquidity provider tokens for a significant amount of crypto in the pool. This is also referred to as a flash loan attack.

Cointelegraph discussed the root cause of this hack with Michael Perklin, chief information security officer of crypto trading platform ShapeShift, who said, “The root cause for the Spartan hack appears to have been a bug in the ordering of operations in the smart contract,” adding:

“The way Spartan’s contracts were programmed, some operations were performed after updating the pool’s liquidity instead of before, which allowed attackers to control the price of tokens in the pool based on their deposits.”

According to Rekt, the Spartan Protocol hack is the sixth-largest DeFi hack in the history of the domain. Three of the top six hacks by value exploited have taken place on protocols on BSC, the other two being the hacks on Uranium Finance and Meerkat Finance. In addition to these hacks, even the top DeFi protocol on BSC, PancakeSwap and Cream Finance, were used for phishing attacks to steal money.

In the hack on Uranium Finance, $50 million was stolen off the automated market maker platform on April 28. The hacker exploited bugs in Uranium’s balance modifier logic to inflate the balance of the project by a factor of 100. This was the second hack on the platform in quick succession. The first one was on April 10, where the hacker stole $1.3 million from the protocol. Due to this hack, the protocol migrated to the v2 iteration of its code.

In the Meerkat Finance exploit, users lost $31 million on the platform due to an alleged rug pull by the developers. A rug pull is a type of exit scam where in the decentralized market, the support from the liquidity pools is taken away from the market.

Lack of due diligence and decentralization

BSC is an Ethereum Virtual Machine-compatible chain, which means that the network essentially uses similar logic to the Ethereum blockchain. However, the main difference is decentralization. BSC is quite centralized and employs a proof-of-stake authority consensus algorithm.

Instead of having validators across the network — as is the case with Ethereum — BSC has 21 validators that are chosen from the network and are responsible for the health of the network and the validation responsibilities. Having only 21 validators on the network makes it highly centralized in comparison to other blockchains.

The blockchain trilemma, a term coined by Ethereum co-founder Vitalik Buterin, describes the improbability of a blockchain getting all three of the following properties: decentralization, security and scalability. This essentially means that improving one of these three aspects would mean that the other two are compromised to some degree.

Therefore, since BSC seems to be compromising on the decentralization aspect, this also potentially means that there should be several points of failure that hackers look to exploit. Marie Tatibouet, chief marketing officer of Gate.io — a cryptocurrency trading exchange — told Cointelegraph, “Centralized exchanges and avenues are a lot riskier than their decentralized counterparts, due to their inherent structure. A decentralized system spreads out its risks among its entire network and decreases structural weaknesses.”

Since BSC is a public, permissionless infrastructure, it allows developers to build and deploy DeFi protocols with zero censorship. Thus, the onus of understanding the risks involved with DeFi protocols on the network lies even more on the users. Martin Gasper, a research analyst at CrossTower — a digital assets exchange — told Cointelegraph:

“A key consideration for BSC protocols is that they are relatively new compared to many of the well-known Ethereum DeFi protocols, which have withstood the test of time and many audits of their code. Newer projects on BSC may also have their code written by less experienced developers, creating additional risks for users depositing crypto into them.”

Even though in the aforementioned hacks the smart contracts of the DeFi protocols were tampered with and exploited, it doesn’t really reflect on the inherent security vulnerabilities of the BSC network. Cointelegraph reached out to Binance to understand its take on these hacks. While refusing to comment on specific hacks, the exchange representative did compare it to Ethereum in DeFi’s early stages, which placed the responsibility on the users. The Binance spokesperson said:

“In the 2017 ICO boom, multiple ICOs and projects building on top Ethereum were scams and many were vulnerable to attacks; that doesn’t mean that the Ethereum blockchain had security vulnerabilities, it simply indicated the lack of awareness amongst investors who fell prey to projects’ security breaches. New retail users did not evaluate their risks properly.”

That being said, ConsenSys Labs, a blockchain technology company that backs Ethereum’s infrastructure, does maintain an “Ethereum Smart Contract Best Practices” page that lists various known attacks and other important aspects of smart contracts deployed on the network. However, there is no such page maintained for BSC.

Tatibouet further opined that “the lack of due diligence” caused these hacks in relation to BSC’s centralized nature. “They are greenlighting hundreds of projects every single week. Due to their centralized approach, they simply don’t have the manpower required to do the necessary check.” She also pointed out that Uranium Finance did not even reveal which firm audited its code, which should have been a major red flag by itself.

Growth of BSC owed to gas fees on Ethereum

Ethereum has been facing the issue of high gas fees in recent months. Because of this, several users have been priced out of using DeFi applications on the network. In comparison, BSC, due to its centralized nature, has significantly lower gas fees and faster block times than Ethereum. Ethereum’s gas fees have surpassed 300 Gwei so far in May after the Berlin hard fork, which supposedly reduced the gas prices. In comparison, BSC’s gas fees are extremely small, with the average gas price currently standing at 6.6 Gwei.

It’s this difference in gas prices that led multiple DeFi protocols and retail investors to this network. The Binance spokesperson further commented on this: “Developers can worry less about costs and focus more on innovating. The faster transaction speed and low transaction costs have accelerated its utility since its launch last year.”

On May 9, BSC’s daily transactions hit their all-time high of 9.7 million as Ethereum’s daily transactions also hit their all-time high of 1.7 million on the same day. That’s nearly six times the transactions on Ethereum. It’s a sign of the rising adoption of the BSC network as more DeFi protocols continue to utilize it. However, on the comparison between the two networks, Gasper opined:

“There seems to be relatively little innovation on BSC, as many of the projects on the network are modeled after the top DeFi protocols on Ethereum. Moreover, Ethereum has a broader product suite and more developers working on it and products for it, relative to BSC.”

The total value locked, or TVL, in the BSC network is currently nearly at $46 billion, which is a 60% rise over the TVL of $28.6 billion just a month ago. As the adoption of BSC increases, it’s highly critical that users are cautious and do thorough research before investing in protocols housed on the network, due to its centralized approach and the lack of proper due diligence.