Self-hack highlights DeFi’s slow response problem
Decentralized finance has a control problem it needs to solve if it is to become the economic powerhouse supporters believe—and opponents fear—it can become.
And fear that they do.
In March, Deloitte wrote that in DeFi, “traditional financial services face a potentially existential moment that could challenge traditional business models,” adding that it “represents the most significant disruptive force on the global financial system.”
Not to be outdone, the International Monetary Fund added in April that “the absence of governance entities means that DeFi is a challenge for effective regulation and oversight.”
That said, DeFi seems to have developed something of an Achilles heel in the form of slow reaction times, and solving that weakness can be something of a Catch-22.
While many, if not most, DeFi projects are still not truly and fully decentralized, with developers holding what amounts to backdoor master keys, the apparent goal is for them all to be fully powered by self-executing smart contracts. Which would make it virtually impossible to react quickly to problems, as it requires centralized control.
Which is a problem in any business, but especially finance. And especially in a segment with vulnerability to hackers, DeFi has shown, with more than $3 billion stolen in 2022 alone, according to Chainalysis.
Security gaps aside, consider court orders, money-laundering responses, a sudden crash in exchange rates—any number of issues that require a quick response.
Not a game
This issue was on full display again on Thursday night (November 3), when pay-to-earn blockchain game developer Gala Games revealed that it had effectively hacked its own project, “stealing” more than $2 billion to prevent actual thieves from using a potential exploit found in the code.
It began at 16:54 when the blockchain security firm PeckShield noticed a huge outflow of funds that happens on a liquidity pool that supports the firm’s cross-chain bridge, which allows users to trade crypto quickly and cheaply for GALA tokens.
A few minutes later, pNetwork, a blockchain infrastructure provider for Gala, tweeted out: “We noticed that pGALA was no longer considered safe and coordinated the white hat attack to prevent pGALA from being exploited maliciously. The money is safe.”
Yes, we noticed that pGALA was no longer considered safe and coordinated the white hat attack to prevent pGALA from being exploited maliciously. Funds are safe, but users should NOT transfer or buy/sell pGALA on pancake exchange
— pNetwork 🦜 (@pNetworkDeFi) 3 November 2022
Unwrap it for a minute. They found a “misconfiguration of the @pNetworkDeFi bridge” and instead of turning off the service, the only way to fix it—or at least the fastest way—was to steal it yourself.
And that’s disregarding the fact that the thought of a $2 billion hack wasn’t shocking. Of course, $718 million was stolen last month in what Chainalysis called the “hacktober.”
Way too slow
Aside from the specifics of Gala Games’ issue, the issue is how DeFi is governed by the decentralized autonomous organizations, or DAOs, that are at the heart of decentralized finance.
DAOs are at the core of smart contracts that operate independently of human control. But to allow users to update them in any way, from code upgrades to interest rate changes, there is a voting procedure that uses governance tokens, a type of cryptocurrency that generally does little more than give owners a say in DAO updates.
The problem is that these changes are usually handled in a slow two-step procedure. First, a change is proposed by someone who writes up the details and then tries to raise support for it, usually on social media such as project-specific Discord channels.
After a certain number of days, a preliminary vote is held – often over several days – which is essentially a primary election. If the proposal receives enough support, a new election is held to approve or reject it. The discussion periods last between days and weeks, as do the voting periods.
Until then, nothing can be done. Something that makes robbing oneself sound like a reasonable action.
Whether it is a reasonable way to do business is a completely different question.
For all PYMNTS crypto coverage, subscribe to the daily Crypto newsletter.
We are always looking for opportunities to collaborate with innovators and disruptors.