7 months ago
A recent incident involving the Fulcrum DeFi platform shows how fast trust can become shaky. Because DeFi adoption depends on trust in the community, the incident could be an opportunity to learn by (bad) example.
Decentralized finance (DeFi) providers like the Fulcrum DeFi platform have great potential to enable financial inclusion and provide access to financial services like cheap and fast remittances to sections of the global population. At the same time, it should be remembered that the concept is in its infancy and, inevitably, vulnerable to errors and malicious attacks. The DEX aggregator 1inch.exchange recently shared its experiences with the Achilles Heel of DeFi, in a case involving the DeFi platform Fulcrum. In its report, 1inch.exchange stressed that it doesn’t want to see faith in DeFi shattered because of the mistakes of individual actors. Still, the following account offers some insights into how cautiously we need to tread on new terrain.
The firm 1inch.exchange says the problem started on January 11, 2020, when the Fulcrum team released its Flash Loans feature on the Ethereum Mainnet. “We discovered that US$ 2.5m of user funds from three pools could be stolen within a single transaction,” 1inch.exchange writes. “We prepared our own smart contract to perform a white-hat hack to protect user funds. Since the vulnerable smart contract was published less than 48 hours before we discovered the issue, there was a very high chance malicious attackers could exploit it, and we wanted to assure that this wouldn’t happen.”
As a proof of concept, 1inch.exchange transferred a tiny amount (1 weiDAI, or 0.000000000000000001 DAI) in two separate transactions. This would give the Fulcrum team a chance to shut down the system to avoid further damage. “We decided to spend up to half of an hour trying to reach the team by every accessible communication channel, and if we failed to reach them we were standing by to white-hack the funds and immediately disclose it to the DeFi community,” says 1inch.exchange.
The Fulcrum team responded after about 20 minutes, even though it was 2:00 am local time.
The team at 1inch.exchange says it offered to white-hack Fulcrum’s pools to protect user funds, but Fulcrum declined. Fulcrum eventually managed the issue – almost four hours later.
But the deployment of the fix took yet another 12 hours, because of a special system upgrade timelock in the smart contract.
That adds up to a 16-hour window of opportunity for someone to steal up to US$ 2.5m.
The exchange team points out three critical aspects of the situation: buggy source code was publicly available on GitHub and Etherscan; anyone could discover and investigate the proof-of-hack transactions; and the team had a 1-click solution to rescue funds and its finger on the red button. But since Fulcrum had rejected the white-hack offer, 1inch.exchange was legally prohibited from taking any further action.
A fix that didn’t fix everything
Even after Fulcrum had deployed the fix on mainnet, the story wasn’t over. The exchange says that instead of disclosing the incident to the community, Fulcrum tried to cover it up. According to 1inch.exchange, two separate exploits have taken place since the incident, draining around US$ 1m from the Fulcrum system.
The 1inch.exchange team is clearly unhappy with Fulcrum’s management of the issue. “We strongly feel that we need to come forward with this information, and honestly wish we had done so earlier,” it said. “Making mistakes is ok, but denying the truth to users and the community and therefore depriving them of their ability to make informed decisions, especially when it comes to money, is unacceptable.” In addition, 1inch.exchange accuses Fulcrum of trying to evade bounty payment. In the industry, bounties comprising a percentage of the funds protected are customary when third parties detect a breach and help mitigate losses.
In its account, 1inch.exchange says it heard from several people at the recent ETHDenver hackathon that Fulcrum suspected the exchange team itself was behind the attacks, an accusation that adds insult to injury.
Clearly, such an incident and its surrounding controversy are potentially damaging to DeFi adoption and trust in the community. Understanding how it all unfolded might be the first step in avoiding future train wrecks of this kind.