In last week’s inaugural edition of ‘The Cortex Connection’, we discussed liquidity risk exposure and covered some clear steps you can take to manage these risks. Today, we want to take a quick look at a risk that grabs the biggest news headlines: smart contract risk.
What is a Smart Contract?
At the core level, smart contracts are self-executing programs stored on a blockchain that automatically execute when certain conditions are met. Smart contracts have a wide range of applications that can help reduce costs, streamline processes, and increase security and trust. While they offer many benefits, they also come with their fair share of risks, as they are not immune to code or process vulnerabilities that can lead to unexpected outcomes.
Smart Contract Exploits in the News
There have been several high-profile incidents in recent years where smart contracts were exploited, resulting in significant financial losses. Notable examples include:
The ‘DAO’ exploit in 2016 was one of the earliest smart contract exploits to make the news. The vulnerability allowed an attacker to drain funds from The DAO, resulting in a loss of over $50 million worth of Ethereum.
The KuCoin hack in 2020 initially exposed the exchange to $285 million in lost crypto after the attacker exploited smart contract code controlling the exchange’s hot wallet, showing that even centralized exchanges are exposed to these risks.
The ‘Poly Network’ hack in 2021 was one of the largest smart contract exploits where over $600 million worth of crypto was stolen. The vulnerability allowed the attacker to take complete control of the platform’s funds.
In the Badger DAO attack in 2021, a vulnerability in the web interface enabled attackers to trick users into approving wallet access to a malicious smart contract that allowed funds to be drained from their wallets about a month later.
In the SushiSwap vulnerability just last week, attackers exploited an ‘Approval’ bug in their contract stack that allowed them to drain over 1800 ETH from a single wallet.
These incidents highlight the importance of being cautious when routing funds through smart contracts, making sure you understand what is being approved, as well as being aware of which contracts you’ve granted approvals to make transactions on your behalf. Also, monitor your accounts for any signs of unauthorized activity, just like you would for your traditional bank account.
Revoke Unused or Unnecessary Approvals
When you approve a smart contract, you are giving it permission to interact with your assets, which is required for things like executing trades on a decentralized exchange or staking your assets onto a platform to earn yield. While it is normal to give this type of permission, and convenient to keep the approval active if you regularly interact with a specific platform, leaving the approval in place does pose a risk to your wallet should the smart contract be compromised. To mitigate this risk, it’s important to know how to revoke approvals that no longer serve your immediate purposes. To review and revoke approvals, you can follow these simple steps:
Identify the smart contracts you have approved by connecting your wallet to the ‘Approval Checker’ section of the block explorer for the network you’re using. For example, Ethereum uses the Etherscan Token Approval tool (be sure to select ‘Show all approvals’ for a complete list) and Polygon uses the Polygon Token Approval tool.
Make note of all contracts that you no longer use, especially contracts approved for ‘unlimited’ access to a particular token, or contracts you have no need to access in the immediate future.
Revoke access to the noted contracts.
If you don’t mind assuming the risks of using a 3rd party solution that works across a wide variety of networks, you may opt to use a popular tool called Unrekt - but still, make sure to double-check using official block explorers like the ones noted above.
There are a few things to keep in mind when going through this process:
There will be a gas cost involved for each individual ‘Revoke’ action performed, so make sure to have the funds in your wallet to cover these costs.
You should not lose access to contracts whose access you revoke, but if you ever need to interact with them again, you will likely need to re-approve access at the time of the new transaction, which will incur a gas cost.
If the funds in your wallet are not significant enough to pay the gas costs to revoke, you can, as many users do, simply create a fresh wallet for future use. Note: If you have assets deposited into a smart contract, you will only be able to withdraw from that smart contract using the wallet used for the deposit, so make sure to save your old wallet information just in case.
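To show what an approval checker is doing behind the scenes in the steps above, here is an added example (ours for illustration, not code from any of the tools mentioned): it replays ERC-20 `Approval` event logs for one wallet, keeps the latest allowance per token and spender, flags ‘unlimited’ ones, and builds the `approve(spender, 0)` calldata that a ‘Revoke’ sends. The function names, addresses and sample logs are constructed placeholders.

```python
# Added example (not the tools' own code). Well-known ERC-20 constants:
# the Approval event topic and the approve() function selector.
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
APPROVE_SELECTOR = "095ea7b3"  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1       # conventional amount for an 'unlimited' approval

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the last 20."""
    return "0x" + topic[-40:].lower()

def outstanding_approvals(logs, owner):
    """Replay logs in chain order; the latest Approval per (token, spender) wins."""
    current = {}
    for log in logs:
        topics = log["topics"]
        # ERC-721 Approval shares this topic but has 4 topics; skip it here.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        key = (log["address"].lower(), topic_to_address(topics[2]))
        current[key] = int(log["data"], 16)
    return {k: v for k, v in current.items() if v > 0}  # 0 means revoked

def revoke_calldata(spender):
    """Calldata for approve(spender, 0), to be sent to the token contract."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + "0" * 64

def review(logs, owner):
    """One row per live approval: token, spender, unlimited flag, revoke calldata."""
    return [(token, spender, amount == MAX_UINT256, revoke_calldata(spender))
            for (token, spender), amount in outstanding_approvals(logs, owner).items()]

# --- constructed sample data (placeholder addresses, not real contracts) ---
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "dd" * 20
TOKEN_A, TOKEN_B = "0x" + "11" * 20, "0x" + "22" * 20
DEX, OLD_FARM = "0x" + "bb" * 20, "0x" + "cc" * 20

def make_log(token, owner, spender, amount):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [APPROVAL_TOPIC, pad(owner), pad(spender)],
            "data": "0x%064x" % amount}

SAMPLE_LOGS = [
    make_log(TOKEN_A, OWNER, DEX, MAX_UINT256),   # unlimited, still live
    make_log(TOKEN_B, OWNER, OLD_FARM, 500),
    make_log(TOKEN_B, OWNER, OLD_FARM, 0),        # later revoked
    make_log(TOKEN_A, OTHER, DEX, MAX_UINT256),   # someone else's approval
    make_log(TOKEN_B, OWNER, DEX, 1000),
]
```

Event logs only show what was approved; spending can reduce an allowance without necessarily emitting a new event, so the token’s on-chain `allowance(owner, spender)` value is the authoritative figure.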
In Other News…
The latest US CPI data comes in slightly better than expected. Do you think inflation will continue on the path downward? How does this news affect our magic internet money?
The Ethereum Shanghai upgrade has gone live and staked ETH withdrawal requests are processing. What will happen to all the newly liquid ETH tokens?
The price of Bitcoin has risen nearly 80% since January 2023 with Bitcoin Dominance rising in tandem. Will it continue or are we due for a pullback or maybe even another alt season as seen in previous years?
FTX legal team announced today that the exchange has recovered roughly $7.3 billion in liquid assets and is also considering reopening the exchange in April 2024. Would you trust the rebooted exchange with your funds?
Keep Calm and Revoke On
In doing the research for this edition of ‘The Cortex Connection’ we were blown away by the number of approvals found for some wallets, with one wallet exceeding 70 approvals across Ethereum and Polygon alone. Talk about needing a spring cleaning. How many approvals do you have? How many do you plan to revoke? Which approvals did you decide to keep? Let us know and maybe your story will make it into a future publication.
Feedback!
As always, we hope you find the information in these issues valuable and welcome any feedback and suggestions you may have. If there are any topics related to DeFi that you would like us to cover in future issues, please feel free to visit our Discord channel to let us know! We want to make sure we’re providing content that you care about.
Thank you for reading!