Taking A Closer Look at Roe Finance Exploit
A price manipulation attack at Roe Finance allowed a hacker to be profited by $80,000.
Playing the video that you've selected below in an iframe
Successful attacks on blockchain platforms and protocols have become increasingly common…
Successful attacks on blockchain platforms and protocols have become increasingly common in recent times, raising questions about how stakeholders can better improve the security and integrity of their communities.
People and capital are flooding into the blockchain space like never before. So much so that governments all over the world are having to draw up regulatory frameworks as the growing presence of digital assets, such as NFTs, DeFi projects, and cryptocurrencies is no longer impossible to ignore.
However, all this public interest and money coming in means the risks of cyber-attacks and malicious activities are on the rise too. For many would-be investors and stakeholders, this risk remains a bottleneck preventing them from embracing blockchain-based platforms and applications.
Blockchain has been hailed as an inherently secure technology, and for the most part, it really is. But the reality is that there are several vulnerabilities unaccounted for, and hackers are getting more sophisticated by the day.
As reported by Atlas VPN , hackers are having a field day exploiting vulnerabilities in blockchain projects, carting away over $1 Billion in Q1 2022 alone.
The Ethereum and Solana ecosystems appear the worst hit, which is unsurprising seeing as these networks host the majority of dApps, smart contracts, and related protocols today. What is surprising, however, is the amount. Losing over $1 billion in the space of three months is worrisome, to say the least.
NFT projects only became popular less than two years ago, but are now the most targeted. The recent massive hacks that saw projects like the Ronin and Wormhole bridges lose over $900 million combined are proof of just how savvy hackers have become.
Unfortunately, much of these lost funds are unrecoverable except through the benevolence of the hacker. For instance, shortly after the attack on the Wormhole bridge, the development team issued a message appealing to the hacker to return the stolen funds in exchange for a $10 million reward.
Current Blockchain Security Measures Are No Longer Enough
Hackers are an ever-present threat to blockchain ecosystems. In turn, this has led to the rise of various security measures aimed at safeguarding digital assets and more importantly, cementing stakeholders’ confidence in the project. These include:
A smart contract audit is exactly what it sounds like — a comprehensive, methodical examination and analysis of a smart contract’s code to discover errors and security vulnerabilities. This process is intended to give the code a clean bill of health by carefully combing through the lines, finding issues, and suggesting ways to fix them.
Smart contract audits are a necessity when it comes to protecting blockchain communities. According to a 2021 study published by the International Journal of Digital Accounting Research (IJDAR), even prominent accounting firms, including Deloitte, PwC, and Ernst & Young (EY), have rolled out various smart contract auditing solutions.
However, these audits are not without their limitations. For one, new risks arise all the time, meaning it won’t be until the next audit or after the damage has occurred that any new security vulnerabilities are detected.
There are a growing number of instances where smart contracts were fully audited by reputable firms, only for the protocol to be exploited down the line. For example, the case of the MonoX hack back in December 2021, which saw over $31 million lost, despite the fact that the protocol was audited three times that year .
Another issue is the scope of the audit. There isn’t an industry standard yet for how smart contract audits should be conducted or what framework to use for storing/accessing audit evidence. Some companies might offer more in-depth processes compared to others. These constitute gaps in the literature that must be addressed sooner rather than later.
This involves using a testnet to conduct more rigorous trial runs before taking the project live. This way, creators and investors can quickly identify issues and refine the smart contract code accordingly until everything is running as it should.
While incredibly important for improving security, extensive pre-launch testing can be quite expensive and time-consuming. Test runs and resulting fixes can last weeks or even months, which can be problematic for development teams working on tight deadlines. Some may be tempted to rush the process or gloss over certain aspects, which might prove vital only after the project has been released to the public.
Project development teams can leverage a critical resource at their disposal — their community members — to improve security within the ecosystem. It’s important to note that the power of a blockchain community is not dependent on how large it is, but on the level of interaction and harmony within the community.
Incentivising users to identify weak links in the smart contract code is a great way to get the community more involved and ultimately increase trust in the project. What’s more, it offers a practical alternative to hiring costly security firms.
The main concern here is the cost of the incentive. Projects must be able to offer enticing bounty rewards if they want to attract the best developers who are able to dig deep into the framework to find vulnerabilities. So far, bug bounty rewards range from a few thousand dollars to millions. DeFi project, MakerDAO, offers one of the largest bug bounty rewards in the industry amounting to $10 million .
Some blockchain communities turn to specialised security companies to safeguard one or more aspects of their project. This can be highly advantageous since it means the security is left in the hands of the experts.
One reason this measure might not be enough is that it can lead to increased risk. Blockchain projects are decentralised, whereas security companies typically operate using a centralised system. This makes these companies a highly-valuable target to hackers. Once they break in, they can gain unfettered access to whatever the company was protecting.
Also, outsourcing protection means communities need to establish trust in the security firm. This is counterintuitive to an ecosystem that was built and deployed using a decentralised, trustless network.
The news of a blockchain project being hacked will no doubt reverberate across the community. For the members, loss of funds represents the biggest impact, followed closely by decreased confidence in the project.
The community will expect immediate action. First, the developers will need to walk members through the technical weakness that led to the attack. This can provide some reassurance that the development team is on top of the situation. Next, the community needs to be briefed on how the creators intend to handle the recovery of the stolen funds.
For projects that are insured under traditional discretionary models, they tend to undergo a lengthy claims process. However, this stage is often full of uncertainty, frustration, and impatience. This is because traditional claim assessments can take weeks or even months to conclude.
What’s more, some claims may be denied due to policy exclusions or discretionary rejection. Imagine losing your funds only to be told that there will be no reimbursement because the nature of the loss wasn’t covered in your policy or the claims adjuster did not find enough evidence to include you in the payout. This would lead to anger, resentment, and a sense of double loss.
The reputation of the community and its developers will be tarnished too. No one will want to advocate for, let alone join, a community that has been hacked and has no system in place to reimburse affected members in a timely way.
In an ecosystem rife with evolving risks, creators can better protect their communities through parametric cover models. Already a popular option to protect against weather-related risks in the real world, parametric covers provide a progressive way to mitigate risks and address evident coverage gaps in the blockchain space.
For the uninitiated, parametric models cover the probability of a predefined event happening and payout according to a predefined scheme. Payout amounts, the scope of coverage, parameters, third parties, and other important details are clearly defined in the agreement. If the predefined events do occur, the payout mechanism is automatically triggered.
Basically, it replaces the claims assessment process with a simple yes/no equation. Did the triggering event occur? If yes, then the payment is immediately released to all policyholders. If no, then payment is not made. No discretionary measures or processes are needed.
This removes ambiguity, which is a big deal in today’s blockchain communities. With parametric covers, there’s no confusion as to what events are covered by the policy. Payouts are also released within a matter of days, as opposed to discretionary models where victims often wait weeks or even months to get their payments.
The Neptune Mutual ecosystem is a decentralised protocol where blockchain project creators and developers can generate parametric cover models to protect their communities.
There are four stakeholders in this ecosystem:
As a project creator, building a parametric cover dedicated to your project builds trust across the community and protects your reputation. Creating a cover pool requires you to stake at least 4000 NPM tokens. Providing initial liquidity to the pool demonstrates your commitment to protecting your ecosystem.
Creating parametric cover models tells your community members that you have an actionable recovery plan in place if things go wrong. They can see the scope of the pool themselves and can even decide to become stakeholders, thereby contributing to the security of the community and earning rewards.
With Neptune Mutual’s SDK, you can embed your cover pool into your platform. Community members who wish to become stakeholders in the pool can access it directly. This improves engagement within the ecosystem and helps the community remain focused on the project.
Increasingly, the success of any blockchain project is reliant on the security of the ecosystem. Take action to properly protect your blockchain community.
Visit neptunemutual.com to learn more about parametric cover pools for digital assets and projects.
Users can also sign up on the Neptune Mutual Testnet to connect their wallets and become stakeholders of the available covers.
Neptune Mutual project safeguards the Ethereum community from cyber threats. The protocol uses parametric cover as opposed to discretionary insurance. It has an easy and reliable on-chain claim process. This means that when incidents are confirmed by our community, resolution is fast.
Join us in our mission to cover, protect, and secure on-chain digital assets.
Official Website: https://neptunemutual.com