Content:
Jim gets Rekt: Story of Jim, a victim of the February Platypus exploit
The status quo: The current status of smart contract risk in DeFi
Partner Deep Dive: The three new security partners, who they are, what they do, and how they keep DeltaPrime safe
Jim gets Safu: Jim’s new story with the included partners
Intro: Jim Gets Rekt
It is February, 2023. We just finished the year of the Black Swan, and Jim discovered DeltaPrime. Given the market, Jim wants to avoid exposure to volatile assets. This is why he is hyped about his new strategy: Borrow AVAX from DeltaPrime at 5%, swap it for sAVAX, and lend it out for 8% to Platypus Finance. At 4x, he earns 15% in trading + staking fees regardless of what the AVAX price does. Ingenious!
And then Platypus gets exploited for 8.5 million dollars.
Jim sees the sAVAX balance in his Prime Account, but when he tries to withdraw it from Platypus, nothing happens. Platypus paused the pools, preventing everybody, including Jim, from withdrawing. Rushing to the DeltaPrime discord, he reads an announcement:
In the following weeks, it becomes clear that, while Prime Account holders are better off than direct Platypus depositors (a DeltaPrime emergency fund is collected and distributed to her borrowers), smart contract risk of underlying protocols is still a very real thing. It’s a risk that especially borrowers like Jim must consider when deciding which protocols to allocate funds to.
Thus, depositors are covered. Borrowers, not so much. The team claims DYOR and borrower responsibility, but don’t they have a responsibility as well? Isn’t DeltaPrime supposed to be a safe space where no integrated protocol can be exploited?
The Status Quo
Jim got rekt, but Jim is not alone. Next to Platypus, 74 other protocols have been exploited in the past ten months, with a total amount lost of 1.02 billion dollars. Over the past three years, this number amounts to over 6 billion dollars.
The many DeFi exploits result from a combination of factors: If code is law, your code has to be perfect. While third-party security audits are a basic necessity, getting your code audited by professional auditing companies is costly. Cointelegraph estimates the cost of a single audit between $5,000-$15,000, yet in our experience, an audit can easily cost upwards of $25,000-$50,000 (we might have a word with our company negotiator). Due to the high cost of audits, many DeFi protocols tend to have either no or a single audit of their code.
While having multiple audits significantly increases the security of your code, it is not 100% bulletproof. Many audited protocols have been exploited post-audit as well, offering new protocols an excuse for not carrying out an audit since “it doesn’t work anyway”.
It's a bit like driving a motorcycle without a helmet because you can seriously injure yourself in a crash anyway.
Every protocol's first concern should be to secure its own design. Instead of cutting down on audits, we propose adding various additional security measures. For DeltaPrime, this means, next to the continuous audits, an active bug bounty or a withdrawal guard, amongst its other security features.
To become that truly safe space Jim is looking for, we also need to consider third-party smart contract risk. Ideally, this would protect depositors and borrowers alike in a decentralized fashion: meaning it goes beyond the due diligence of the team white/blacklisting the available protocols.
With our own contract security covered, we have now partnered with three DeFi security experts to reduce our risk on integrated protocol contracts. These partners are Hexagate, Chainalysis, and Atomica.
When you’re reading this, one of the protection pools on the Atomica insurance marketplace has already been set up. Hexagate and Chainalysis will be set up before January 14th, 2024.
Partner Deep Dive
Hexagate
Hexagate in Web3
Hexagate is at the forefront of Web3 security, protecting the blockchain ecosystem from exploits, phishing, fraud and scams, amongst other threats. It shields a plethora of Web3 entities from financial harm, enhancing the ecosystem’s safety.
The company’s platform uses advanced analysis and AI algorithms to predict and prevent Web3 threats. Founded by cybersecurity experts Yaniv Nissenboim and Niv Yehezkel, Hexagate partners with giants like Consensys, Polygon, and others, securing over $7 billion in TVL. It has alerted to all major protocol hacks in the last year, saving billions of dollars in potential losses.
Hexagate’s research team has exposed critical vulnerabilities in projects like Polygon’s PoS bridge and Ledger’s HW.1 wallet, and their skill in reclaiming stolen funds has solidified their reputation as a trusted Web3 security ally.
Hexagate <> DeltaPrime
DeltaPrime shared the contracts of its integrated protocols with Hexagate. Hexagate monitors these contracts, anticipating nefarious transactions. Every transaction in underlying platforms gets a security rating. If a transaction has a critical risk of becoming an exploit, Prime Accounts will automatically withdraw all deposited funds from that contract back into the Prime Account that deployed it.
If you opt-in for notifications on your phone, Telegram, or email, you will be notified when this happens. To date, we have yet to receive a false alarm, and if this happens, you can redeposit your funds whenever you want. You remain in complete control.
Yet, if a critical threat is detected which does result in an exploit, your funds have been pulled to safety.
Hexagate protects at the door.
Chainalysis
Chainalysis in Web3
Chainalysis, the global leader in blockchain intelligence, has aided in reclaiming over $13 billion in stolen assets ever since the Mt. Gox hack in 2014.
Their novel Proactive Crypto Incident Response program focuses on prevention, readiness, quick action, and recovery of stolen funds. The program combats complex cyber threats with a strategic plan that includes clear internal and external communication, technical responses, and a dedicated response coordinator for swift action.
Utilizing its network of global experts and sophisticated tracking technology, it quickly addresses breaches while assisting the victims and law enforcement for asset freezing and recovery. The critical goal of this program is to help keep DeFi users safe and improve recovery outcomes after incidents.
Chainalysis <> DeltaPrime
Let’s say that despite other security measures, someone managed to exploit the (integrated) protocol. User funds are at risk. Chainalysis supports DeltaPrime in two ways: communication and retrieval of stolen funds.
To start with the former: If you have been with us for a while, you know that we take clear communication seriously. Especially in the case of an emergency, regardless of whether we know everything already, you know what we know through our Discord announcements.
Together with Chainalysis, we’ll set up an Incident Response plan to further streamline our process during an incident like this. This allows us to resolve the incident faster and share our findings with you in less time.
We can also rely on Chainalysis’ vast network in the web3 security space, helping us during fund retrieval. Every asset will be tracked in a four-way collaboration with Hexagate and Hypernative, through mixers if applicable. Potential off-ramps, including major CEXs, will be notified of the stolen funds.
Chainalysis has successfully retrieved stolen funds this way numerous times, building the necessary relationships along the way. Now DeltaPrime will benefit from this experience.
Chainalysis retrieves funds once they leave the door.
Atomica
Atomica in Web3
Atomica is a two-sided insurance permissionless marketplace, incubated inside Protofire. Using a novel DeFi security mechanism, — Safety Module — similar to AAVE’s Safety Module, DeFi protocols can deploy and embed protection and insurance of any kind into their protocols (smart contract hacks/bugs, depeg of stablecoins and LSDs, economic attacks, oracle failure etc.), and even obtain 3rd party capital for Bug Bounties.
Previously, the Atomica team successfully developed the Automatic Liquidator protocol for MakerDAO, the UMA project, and Cream finance. Atomica also worked on the decentralized insurance project Etherisc, specifically focused on flight delay and crop insurance products. Currently, they are integrating insurance widgets and setting up Safety Modules with Quickperps.
Atomica <> DeltaPrime
All else fails. Criminal masterminds found an exploit, circumvented all security measures, and have no intent of ever off-ramping their stolen funds. A criminal case is ongoing, and it seems like it will be a long time before any funds are returned.
Nobody likes waiting.
This is where the Safety Module powered by Atomica kicks in. After reviewing DeltaPrime’s security practices, Protofire, amongst others, considered them secure enough to put down their own money as a first layer of defense within the Atomica marketplace. Should DeltaPrime or one of its integrated partners get exploited, up to $150,000 of the lost funds will be covered by them. The cost of this insurance is 3.5%, or $5,250 yearly. This will be paid from DeltaPrime’s stability pool, which accumulates liquidity through liquidations.
Soon, isolated pools will become available on the Atomica marketplace, which allows anyone to provide cover to any underlying DeltaPrime integration. As an LP to these pools your APR depends on supply & demand. This Safety Module reimburses funds for DeltaPrime users, should the exploit of this integration lead to a loss of funds.
Atomica reimburses funds if they are lost.
Jim Gets Safu
It is February, 2023. We just finished the year of the Black Swan, and Jim discovered DeltaPrime. In this universe, Hexagate, Chainalysis, and Atomica have active partnerships with DeltaPrime, and all contracts are monitored. Jim performs his AVAX — sAVAX carry trade, earning 15% on sAVAX…
And then Platypus gets exploited for 8.5 million dollars.
Or well, 7.45 million dollars.
While the attacker was setting up the contracts for the exploit, Hexagate had sent a critical alert to DeltaPrime. Without the team’s intervention, 95% of user deposits were automatically withdrawn from this pool.
But not Jim’s. Jim, together with another 5% of borrowers and lenders, opted out of this feature.
Chainalysis, Hexagate, and Hypernative are tracking the last 5% wherever it goes. Jim is following everything that is happening. The attackers attempt to offramp 20% of the remaining funds, but the CEX freezes it and returns it to DeltaPrime. While DeltaPrime and frens set up a criminal case against the — on the CEX KYCd — attacker, Atomica pays out the last 4%, making DeltaPrime users whole.
Within days, Jim retrieved 100% of his funds.
Jim gets Safu.
Original article by:
Comments