Me On IT
Published on

Second Thoughts: The Side Entrance Vulnerability

Authors

It would be so simple: You borrow money from a bank and then deposit this money into your own account at the same bank.

However, because the bank does not realize that the loan has not been paid back, but only transferred to one's own bank account, it considers the loan settled.

This can only happen if the bank does not maintain good bookkeeping but instead mixes loan accounting with the accounting for the accounts.

Of course, this cannot happen in today's real financial world, but it can in Smart Contracts in the DeFi environment. At least that's what this example from damnvulnerabledefi suggests.

We learn from this that we must always look at Smart Contracts with two sets of eyes. One eye is the eye of the financial accountant, who needs to know exactly where the money is going, where it is coming from, and why the money flows are happening. The second eye is that of a software developer, who must ensure that the software he develops does exactly what it is supposed to do.

In this sense, the work of a Smart Contract developer is doubly difficul as he must master both the mindset of the financial accountant and that of a programmer.

The example here vividly shows why both perspectives are simultaneously necessary. The financial accountant immediately noticed that something was amiss. The Smart Contract developer, however, is inexperienced in such matters. He views this Smart Contract from an impermissibly simplified perspective. He does not differentiate between the money assigned to the Smart Contract itself and the loan account of a borrower. Therefore, he can make a crucial mistake at this point.

We must assume here that the attacker is smarter in this case: Probably because he knows the source code of the Smart Contract, he not only recognizes the vulnerability but can even devise a strategy to exploit this error.

The security of Smart Contracts is an evolutionary process. To put it bluntly: We learn from mistakes. Over time, however, the cleverness of the attacker is transferred, and the Smart Contracts become better, safer.

That this is accompanied not only by large financial losses but also by much human suffering is something we must live with. Much worse wars are being fought elsewhere...