The documentation advises developers on which code patterns to use to protect their protocols from the vulnerabilities identified in recent exploits.
Increasing Need For Transparency
The crypto space is increasingly littered with exploits and hacks. From rug pulls to flash loan attacks, the activities of criminals are threatening the credibility of the crypto industry. Recently, three different projects, PancakeBunny, AutoShark, and Merlin Finance, were hacked using a similar method.
On its Twitter account, cybersecurity firm Inspex gave a detailed analysis of how Merlin’s code was exploited. The impact on Merlin Finance appears to have been severe enough to force it to shut down operations, as can be seen from its website, Twitter, and Medium links. The attacks across the ecosystem show the need for platforms to be transparent about how seriously they take security.
That Merlin had been audited by three top-tier audit companies shows how audacious attackers can be, and that an audit alone is no guarantee.
The Merlin exploit went through the Alpaca Finance vault integrated into Merlin’s platform. Once it became clear how the exploit occurred, Alpaca Finance announced the release of documentation intended to improve the security of integrations with its Binance Smart Chain contracts. The documentation guides developers on how to integrate with Alpaca securely, in a way that protects them from a Merlin-style attack.
Strategies Outlined By Alpaca
The documentation advises developers on the specific code patterns to use when integrating their smart contracts with Alpaca Finance. The recommended patterns are as follows:
Alpaca discourages approving MaxUint256 (an unlimited token-spending allowance) to the vault for a deposit. According to the platform, an unlimited allowance may introduce a security vulnerability, since it stays in force long after the single deposit it was meant for. Alpaca instead advises that deposits be made by:
Calling the ‘deposit’ method,
Specifying the exact deposit amount in the ‘amountToken’ parameter, whose data type is ‘uint256’,
Expressing that ‘uint256’ value in the exact decimals of the token being deposited.
To withdraw base tokens from the ‘vault’ contract, pass the exact amount to be withdrawn as the argument to ‘withdraw’.
For interest-bearing tokens, the ratio between the interest-bearing token (ibToken) and the underlying base token needs to be determined accurately at all times. In addition, the price of an ibToken should not depend only on the smart contract’s own calculation, because that on-chain number is what a flash loan attacker can distort within a single transaction. These two points are vital in preventing an attacker from manipulating ibToken prices.
Alpaca recommends the following steps to determine the price of an ibToken securely:
Derive the ibToken price from the smart contract’s own state (the on-chain calculation),
Fetch the ibToken price from either an external price oracle or directly from Alpaca’s application programming interface (API),
Compare the two prices. If the percentage difference is more than a single digit, revert the transaction.
For developers who want to implement a staking function, Alpaca advocates the following calls:
Call the ‘deposit’ method with the parameters _for, _pid, and _amount (a uint256 expressed in the deposited token’s decimals).
To harvest rewards from a staking pool, call the ‘harvest’ method and supply the pool ID.
To withdraw tokens staked in a pool, the amount passed to ‘withdraw’ must equal the user’s share in the pool.
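The following contract is an added illustration of the integration pattern described above, written for this page; it is not Alpaca Finance’s code or documentation. The interfaces are assumed shapes: only the method names and parameters named in the article (a vault ‘deposit’ and ‘withdraw’ taking an exact uint256, a staking ‘deposit(_for, _pid, _amount)’ and ‘harvest(_pid)’) come from the page. ‘totalToken()’, ‘token()’, the staking ‘withdraw’ parameter list, the ‘IIbTokenOracle’ price source and the 5% deviation threshold (one possible "single digit" percentage) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not Alpaca Finance's code. Interfaces below are ASSUMED shapes;
// only the method names/parameters cited in the article come from it.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function totalSupply() external view returns (uint256);
}

// Assumed vault shape: base tokens in, ibTokens (the vault's own ERC-20 shares) out.
// totalToken() is assumed to report the base tokens backing all outstanding ibTokens.
interface IVault is IERC20 {
    function token() external view returns (address);
    function totalToken() external view returns (uint256);
    function deposit(uint256 amountToken) external;
    function withdraw(uint256 share) external;
}

// Assumed staking contract shape; the withdraw parameter list is an assumption.
interface IStaking {
    function deposit(address _for, uint256 _pid, uint256 _amount) external;
    function harvest(uint256 _pid) external;
    function withdraw(address _for, uint256 _pid, uint256 _amount) external;
}

// Hypothetical external price source: ibToken value in base tokens, scaled by 1e18.
interface IIbTokenOracle {
    function ibTokenPrice(address vault) external view returns (uint256);
}

contract AlpacaIntegrationExample {
    uint256 private constant ONE = 1e18;
    uint256 private constant MAX_DEVIATION_BPS = 500; // 5%, an example single-digit threshold

    address public immutable owner;
    IVault public immutable vault;
    IStaking public immutable staking;
    IIbTokenOracle public immutable oracle;
    uint256 public immutable pid; // staking pool ID for this vault's ibToken

    constructor(IVault _vault, IStaking _staking, IIbTokenOracle _oracle, uint256 _pid) {
        owner = msg.sender;
        vault = _vault;
        staking = _staking;
        oracle = _oracle;
        pid = _pid;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // ibToken price derived purely from vault state: the figure a flash loan can distort.
    function ibTokenPriceOnChain() public view returns (uint256) {
        uint256 supply = vault.totalSupply();
        if (supply == 0) return ONE;
        return vault.totalToken() * ONE / supply;
    }

    // Cross-check the on-chain ratio against the external price; revert on a large gap.
    function checkedIbTokenPrice() public view returns (uint256 onChain) {
        onChain = ibTokenPriceOnChain();
        uint256 reference = oracle.ibTokenPrice(address(vault));
        require(reference > 0, "oracle returned zero");
        uint256 diff = onChain > reference ? onChain - reference : reference - onChain;
        require(diff * 10_000 <= reference * MAX_DEVIATION_BPS, "ibToken price deviates from oracle");
    }

    // Deposit: approve exactly amountToken (never type(uint256).max) for this one call.
    // amountToken is in the base token's own decimals (e.g. 1 BUSD == 1e18).
    function depositToVault(uint256 amountToken) external onlyOwner {
        IERC20 base = IERC20(vault.token());
        require(base.approve(address(vault), amountToken), "approve failed");
        vault.deposit(amountToken);
        require(base.approve(address(vault), 0), "approve reset failed"); // leave nothing approved
    }

    // Withdraw an exact number of ibToken shares, only while the price check passes.
    function withdrawFromVault(uint256 share) external onlyOwner {
        checkedIbTokenPrice();
        vault.withdraw(share);
    }

    // Staking: exact-amount approval of the ibToken, then deposit(_for, _pid, _amount).
    function stake(uint256 amount) external onlyOwner {
        require(vault.approve(address(staking), amount), "approve failed");
        staking.deposit(address(this), pid, amount);
        require(vault.approve(address(staking), 0), "approve reset failed");
    }

    function harvestRewards() external onlyOwner {
        staking.harvest(pid);
    }

    // Unstake with the exact staked share, never an open-ended value.
    function unstake(uint256 amount) external onlyOwner {
        staking.withdraw(address(this), pid, amount);
    }
}
```

The two things to take from the example are the approval discipline (an allowance equal to the amount of this call, reset to zero afterwards, so no standing unlimited allowance survives the transaction) and the price cross-check, which makes a withdrawal revert when the vault’s own ibToken ratio has drifted from an independent reference by more than the configured percentage.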
Exploits and hacks have been a recurring issue in decentralised finance and blockchain. As is often the case, when the route used in an exploit is established, platforms take measures to fix their systems.
Alpaca Finance released this guide to developers to close the loopholes exploited in the Merlin Finance, ValueDefi, and bEarn.Fi attacks and to strengthen the security of the Binance Smart Chain ecosystem.
About Alpaca Finance
Alpaca Finance touts itself as the biggest lending protocol offering leveraged yield farming on BSC. It is a community-owned project that gives lenders a safe and stable yield and lets borrowers take undercollateralized loans for leveraged yield farming positions. The leverage allows borrowers to multiply their farming principal and the resulting profits. The project has partnered with other promising BSC projects, such as Wault Finance, to expand the platform’s reach.
Source : bsc.news
Founded in 2020, BSCNews is the leading media platform covering decentralized finance (DeFi) on the Binance Smart Chain (BSC). We cover a wide range of blockchain news revolving mainly around the DeFi sector of the crypto markets. BSCNews aims to inform, educate and share information with the global investment community through our website, social media, newsletters, podcasts, research, and live ask me anything (AMA). Our content reaches hundreds of thousands of global investors who are active in the BSC DeFi space.