This article is more than one year old

Wormhole hack recovery ‘sets a very dangerous precedent’ for DeFi

Wormhole hack recovery ‘sets a very dangerous precedent’ for DeFi
DeFi
Jump Crypto president Kanav Kariya (left) and MakerDAO co-founder Rune Christensen (right)

Developers behind Oasis, the main gateway for the top DeFi lending protocol Maker, reclaimed $140 million of stolen cryptocurrency from a hacker last week.

But Oasis, and by extension MakerDAO, have come under fire for its methods because they raise questions about the security of other DeFi protocols and even undermine one of the sector’s central tenets – immutability, the idea that the code behind DeFi protocols cannot be altered after it’s deployed.

NOW READ: Crypto fugitive Do Kwon plots comeback after $60bn Terra collapse

“It sets a very dangerous precedent,” Igor Igamberdiev, head of research at crypto market-making firm Wintermute, told DL News. “Now the likelihood of backdoors through updates is much higher.”

‘While it’s good to stop hackers, these tools can be quickly turned against the industry, and it’s not worth the price’

While Oasis and Maker are two separate ventures, the episode could trigger blowback for the latter. “It could have bad repercussions for Maker if the narrative that Oasis and Maker are the same is maintained and seen as true,” Raphael Spannocchi, a DAO governance researcher at blockchain data platform Flipside, told DL News.

The dustup stems from what appears to be an unprecedented legal proceeding involving digital assets in the British court system and one of the biggest hacks ever in DeFi.

NOW READ: Russia’s crypto criminals are rebounding as US lawmakers urge to ‘ratchet it up’ on sanctions

On February 21, a UK court ordered Oasis to retrieve funds stolen during a $322 million attack on another protocol called Wormhole last year, according to a statement Oasis released that day and first reported by Blockworks. The hacker had deposited a portion of the heisted proceeds in Oasis to increase their Ethereum holdings.

Join the community to get our latest stories and updates

Crypto trading firm Jump Crypto, an investor in Wormhole, is alleged to have worked with Oasis to take back the funds. Jump Crypto did not immediately respond to a request for comment.

Taking funds back from a cybercriminal is normally a cause for celebration

“This was carried out in accordance with the requirements of the court order, as required by law, using the Oasis Multisig and a court authorised third party,” Oasis said in its statement. “We can also confirm the assets were immediately passed onto a wallet controlled by the authorised third party, as required by the court order. We retain no control or access to these assets.”

Taking funds back from a cybercriminal is normally a cause for celebration. But the incident throws into question some of the founding assumptions of decentralised finance, namely that all transactions are final and no crypto can ever leave a user’s wallet – or a DeFi protocol – without their permission.

Adam Cochran, a partner at venture capital firm Cinneamhain Ventures, said the incident highlights the “importance of immutable contracts that don’t have upgradable proxies or management keys.”

“While it’s good to stop hackers, these tools can be quickly turned against the industry, and it’s not worth the price,” he said.

DeFi has long run on the assumption that protocols, unlike traditional finance alternatives, are immutable and nobody can make changes to them after users make deposits. In reality, while some protocols like decentralised exchanges Curve and Uniswap are immutable by design, others, such as Oasis have “upgradable contracts” that allow their creators to make changes at will.

NOW READ: The obscure SEC rule that critics worry is a backdoor attempt to regulate DeFi

The counter-exploit sparked fears that governments could force other DeFi protocols with upgradable contracts to make changes.

“It creates a worrying precedent where doxxed devs could find themselves under pressure from regulators to misuse upgradeable contracts,” Cochran said. “To the extent that we may even see regulators push for [decentralised applications] to require upgradable contracts to do this.”

While the Oasis incident highlights the vulnerabilities of upgradable contracts, sticking to immutable contracts also has its shortfalls.

“It is better to have all contracts immutable,” Igamberdiev said, “but this can only work well if there is no dependency on external contracts.”

Igamberdiev said the decentralised exchange Uniswap is one example of an immutable DeFi protocol that does not rely on external contracts.

In other cases, Igamberdiev said, immutable contracts can “significantly worsen the user experience” because users would need to migrate to new versions every time the developers updated them.

Oasis and Maker

The ramifications of the legal case and Oasis’ actions for Maker are only now beginning to emerge. The Maker protocol is a set of smart contracts on the Ethereum blockchain governed by MakerDAO, a loose collective of people who hold the protocol’s governance token, MKR.

Maker lets users deposit volatile cryptocurrencies like Ethereum and borrow its dollar-pegged DAI stablecoin. With $7.2 billion in deposits, or “total value locked,” Maker is the second-biggest DeFi protocol after liquid staking giant Lido, according to data from DefiLlama.

Total value locked in the Maker protocol

Oasis is one of several gateways – or so-called front-ends – for using the Maker protocol. Although it’s possible to directly use Maker, many users go through front-end gateways like Oasis because they smooth out technical complexities and improve the experience. Oasis also acts as a gateway to another DeFi lending giant, Aave.

Unlike many DeFi protocols, Oasis is not run by a DAO. It’s run by a private UK company called Oaza Apps Limited.

Although Oasis is not part of Maker, the MakerDAO website links (the “Use DAI” button) only to Oasis, which has a “historical connection to the foundation” in the words of MakerDAO co-founder Rune Christensen.

“Use Dai” on Maker’s home page only directs to Oasis, run by a UK company, but following the incident, the DAO also wants to list other front-ends, including those run by decentralised entities

“Oasis came from the Maker Foundation, but is a different product maintained by different personnel,” Spannocchi, the DAO governance researcher, said.

Part of the concern is that Oasis “is seen as ‘an official’ frontend for [MakerDAO],” MakerDAO delegate Mhonkasalo said. “Communication should have been clearer in Maker’s own materials.”

NOW READ: Global regulators fire warning shot that they’re about to kneecap DeFi

“We consider Oasis the de facto front-end for MakerDAO,” said Cochran. “It wasn’t clear to anyone that this backdoor existed – it’s not something that was entirely obvious even to experienced devs.”

Since the Oasis incident, Christensen said on Discord he was “completely for” having a combination of different frontends listed on the MakerDAO website.

Definikola, a researcher at DeFi Saver, another protocol that provides a frontend for Maker’s contracts, said that doing so would decrease chances of “negative publicity caused by the lack of knowledge of the average user.”

But it’s unclear whether the Wormhole hacker also lacked that knowledge, and the person wasn’t aware they were using a non-immutable protocol. “It seems really off. Why would he do that?,” Spannocchi said.