Uneasy Money: How the Resolv Hack Shows an Audit Doesn't Mean 'Secure'
Unchained Podcast Recap
Duration: 1 hr 23 min
Guests: Omer Goldberg
Summary
The episode dissects the Resolv hack, in which an attacker used a compromised AWS account to mint $80 million of unbacked USR, resulting in a significant financial loss. The discussion underscores the importance of multi-signature security and the potential pitfalls of relying solely on audits in...
What Happened
An attacker who had gained control of Resolv's AWS account used it to mint $80 million worth of USR with nothing backing it, putting up only about $300,000 to do so. The attacker then dumped the tokens on Curve and walked away with roughly $24 million in ETH, and USR collapsed from $1 to about 2.5 cents.
Resolv had been through 14 audits, yet no single component had been reviewed more than twice, and the audits were scoped to individual components rather than the system as a whole. The root cause was a single key with unlimited mint permission: whoever held it could issue USR with no cap and no second approval, which is why the episode stresses multi-signature requirements and stronger operational controls. AWS's key management service (KMS) was not broken; the attacker simply gained unauthorized access to the AWS account and, with it, the ability to use the key.
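One concrete control on the AWS side of the "single key with unlimited permissions" problem is to stop the KMS key policy from handing the whole account use of the signing key. The following is an added example, not Resolv's, AWS's or the podcast's code: a small linter that flags key-policy statements granting kms:Sign to the account root or to any principal, statements with no Condition, and statements that mix signing with key administration. It assumes the minter's signing key is a KMS asymmetric key used through kms:Sign; the account ID, role names and VPC endpoint ID are placeholders, and both policies are constructed for the example.

```python
"""Lint an AWS KMS key policy for the 'one key, unlimited use' pattern.

Added example, not Resolv's, AWS's or the podcast's code. It assumes the
minter's signing key is a KMS asymmetric key used through kms:Sign. The
account ID, role names and VPC endpoint ID below are placeholders.
"""
import fnmatch

# Constructed: the shape of the default key policy AWS generates. Granting
# kms:* to the account root means any principal with IAM admin rights in the
# account can use the key, which is what an account takeover exploits.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Constructed: key administration and key use are separated, signing is limited
# to one role, and only when the request arrives through a specific VPC endpoint.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KeyAdminsManageButCannotSign",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/kms-key-admin"},
            "Action": ["kms:Describe*", "kms:Get*", "kms:List*", "kms:Put*",
                       "kms:Enable*", "kms:Disable*", "kms:ScheduleKeyDeletion",
                       "kms:CancelKeyDeletion"],
            "Resource": "*",
        },
        {
            "Sid": "OnlyMinterSignerCanSign",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/usr-minter-signer"},
            "Action": ["kms:Sign", "kms:GetPublicKey"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
}

# Concrete key-administration actions; a statement that grants these together
# with kms:Sign lets one principal both use the key and rewrite who may use it.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:CreateGrant", "kms:ScheduleKeyDeletion")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def lint_key_policy(policy):
    """Return (sid, reason) pairs for Allow statements that hand out kms:Sign too freely."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        actions = _as_list(stmt.get("Action", []))
        if not any(action_matches(a, "kms:Sign") for a in actions):
            continue  # the statement cannot sign, so it is not the risk we are after
        for principal in _aws_principals(stmt):
            if principal == "*" or principal.endswith(":root"):
                findings.append((sid, f"kms:Sign granted to broad principal {principal}"))
        if "Condition" not in stmt:
            findings.append((sid, "kms:Sign granted without any Condition"))
        if any(action_matches(a, adm) for a in actions for adm in ADMIN_ACTIONS):
            findings.append((sid, "same statement grants both signing and key administration"))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, lint_key_policy(policy) or "no findings")
```

The root statement is what lets IAM identity policies anywhere in the account grant use of the key, so replacing it with a named admin role (which keeps kms:Put* so nobody is locked out) closes the "any admin can sign" path. It does not remove the single point of failure: a principal that legitimately holds kms:Sign can still sign if its credentials are stolen. Bounding what one signature is allowed to do, with a mint cap and a second approver on the contract side, is the control the episode actually argues for; the key policy only narrows who can reach the key.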
The episode discusses the limits of current DeFi security audits, which become 'security theater' when they do not address the fundamental risks. Luca, a non-technical founder, stressed maintaining best-in-class operational security and not skimping on security spend. Pudgy Penguins, for example, employs a former CIA employee as head of security, an indication of how far some organizations go to protect their assets.
The attacker used DeFi's composability to push the damage across multiple platforms, including Curve, Fluid, Venus, and Morpho. Fluid and Venus were each drained of more than $20 million and Morpho of more than $10 million. Morpho's Public Allocator, which automatically routes liquidity toward markets whose interest rates are rising, made things worse: rising rates in the affected markets pulled in additional liquidity, spreading the losses further.
The podcast also touched on 'normal accidents' (Charles Perrow's term for incidents that emerge from the interaction of small failures in tightly coupled systems), noting that a chain of small failures can produce a major incident. Synthetix hit a similar problem in 2019 when an oracle error let it print $11 billion worth of synthetic ETH. Both cases argue for thorough threat modeling and risk management in DeFi.
DeFi also often lacks the standardized on-call alerting that traditional finance and operations teams take for granted, such as PagerDuty or Opsgenie, so responses to hacks and vulnerabilities are delayed. The episode also pointed out that unusually high yields, such as 25% interest, are themselves a risk signal, citing the Terra collapse as a cautionary tale.
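To make the alerting gap concrete, here is an added example (not the podcast's, Resolv's or any vendor's code) of the kind of on-call monitor the episode says DeFi usually lacks: a detector that replays issuer mint events against three rules (a per-transaction cap, a rolling one-hour issuance cap, and total supply exceeding attested backing) and turns each hit into a PagerDuty Events API v2 trigger payload that is built but never sent. The event schema, thresholds, addresses and amounts are constructed for the example; the final event models an 80 million mint against about 300 thousand of new backing.

```python
"""Mint-anomaly detector with paging, replayed over constructed events.

Added example, not the podcast's, Resolv's or any vendor's code. The event
schema, caps, addresses and collateral figures are assumptions for the
example; amounts are in USR (assumed 1:1 with USD for the backing check).
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class MintEvent:
    ts: int            # unix seconds
    tx: str            # transaction hash (constructed placeholder)
    minter: str        # address that authorized the mint
    amount: float      # USR minted in this transaction
    collateral: float  # issuer-attested backing after this mint, in USD


@dataclass(frozen=True)
class Alert:
    severity: str      # "critical" or "warning"
    rule: str
    tx: str
    detail: str


# Assumed policy thresholds; an issuer would tune these to its real flows.
PER_TX_CAP = 2_000_000       # no single mint above this without a human in the loop
HOURLY_CAP = 5_000_000       # rolling one-hour issuance cap
BACKING_TOLERANCE = 0.01     # supply may exceed attested collateral by at most 1%


def detect(events, supply_before=0.0):
    """Replay mint events in order and return the alerts each rule would raise."""
    alerts = []
    supply = supply_before
    window = deque()  # (ts, amount) pairs inside the trailing one-hour window
    for e in events:
        supply += e.amount
        window.append((e.ts, e.amount))
        while window and window[0][0] < e.ts - 3600:
            window.popleft()
        hourly = sum(amount for _, amount in window)
        if e.amount > PER_TX_CAP:
            alerts.append(Alert("critical", "per_tx_cap", e.tx,
                                f"mint {e.amount:,.0f} exceeds per-tx cap {PER_TX_CAP:,}"))
        if hourly > HOURLY_CAP:
            alerts.append(Alert("critical", "hourly_cap", e.tx,
                                f"1h issuance {hourly:,.0f} exceeds cap {HOURLY_CAP:,}"))
        if supply > e.collateral * (1 + BACKING_TOLERANCE):
            alerts.append(Alert("critical", "unbacked_supply", e.tx,
                                f"supply {supply:,.0f} vs attested collateral {e.collateral:,.0f}"))
    return alerts


def to_pagerduty_event(alert, routing_key="<integration-routing-key>"):
    """Shape of a PagerDuty Events API v2 'trigger'; constructed here, never sent."""
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": f"{alert.rule}:{alert.tx}",
        "payload": {
            "summary": f"[{alert.rule}] {alert.detail}",
            "severity": alert.severity,
            "source": "usr-mint-monitor",
        },
    }


# Constructed sample: steady backed issuance, then one 80M mint against 300k of new backing.
SAMPLE = [
    MintEvent(1_700_000_000, "0xa1", "0xminter", 400_000, 10_400_000),
    MintEvent(1_700_000_600, "0xa2", "0xminter", 250_000, 10_650_000),
    MintEvent(1_700_001_200, "0xa3", "0xminter", 80_000_000, 10_950_000),
]


if __name__ == "__main__":
    for alert in detect(SAMPLE, supply_before=10_000_000):
        print(to_pagerduty_event(alert)["payload"]["summary"])
```

The backing rule is the one that matters most here: a per-transaction cap can be tuned away by an attacker who splits the mint, but supply outrunning attested collateral is the invariant the whole product rests on, and it should page a human regardless of how the issuance was chunked.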
AAVE V4 is a new architecture rather than a governance change: it replaces the monolithic pool with a hub-and-spoke design intended to contain contagion. It adds features for finer risk pricing and better lending products, and targets institutional investors through stronger compliance and risk management. Chaos Labs performs the risk assessments for AAVE assets, so there is a documented process for listing assets and keeping them within safe parameters.
The episode closes with the evolving state of the DeFi industry and the need for better risk management and accountability. Protocols and asset issuers have to hold each other accountable for the ecosystem to be robust, as shown by the problems exchanges such as Binance have run into with thin liquidity and oracle pricing errors.
Key Insights
- The Resolv hack demonstrated the danger of a single key with unlimited permissions: one compromised key was enough to mint $80 million of unbacked USR. The incident underscores the need for multi-signature requirements and tighter operational controls.
- Despite 14 audits, Resolv remained vulnerable because the audits were scoped to separate components and no component was audited more than twice. Audits become 'security theater' when they do not address basic risks.
- The attacker used DeFi's composability to spread the damage across platforms, draining more than $50 million in total from Fluid, Venus, and Morpho, a reminder of how interconnected DeFi protocols are and how a breach in one cascades into others.
- AAVE V4 introduces a hub-and-spoke architecture to segregate risk and offer more configurable lending. Chaos Labs conducts risk assessments for AAVE, and the platform is designed to attract institutional capital through improved compliance and risk management.