DeFi Bug Freezes $30,000 of Ether Forever
- $30,000 worth of Ether is now frozen in a smart contract forever because of a typo in Hegic’s smart contract.
- Tempers flared between Hegic and its auditor, Trail of Bits, as the security firm told Hegic to delay deploying its smart contract.
- The situation highlights the need for smart contract evaluations that investors – not just coders – can comprehend.
Share this article
Hegic, a DeFi options trading protocol, has been forced to redeploy its smart contract after a bug in the codebase rendered the options contracts unlockable. A war of words ensued between Hegic’s anonymous creator and smart contract auditor Trail of Bits.
What’s the Point of an Audit?
DeFi has seen its fair share of exploits, but nothing quite as simple as the incident with Hegic.
There was no exploit or hacker that lanced an attack on Hegic. Instead, a simple typo was the real culprit.
Instead of “OptionsIDs,” the line of code that unlocks liquidity, the developer wrote and published “OptionIDs.” A single omitted “s” in a line of code caused the liquidity unlocking function to go awry.
Users could withdraw their funds, but the funds couldn’t be unlocked once the options expired.
Molly Wintermute, the creator and sole developer for Hegic, immediately issued warnings on Discord, Twitter, and Telegram when she discovered the error.
‼️ ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.
— Hegic (@HegicOptions) April 25, 2020
Hegic promised to make liquidity providers whole again by reimbursing premiums paid and any losses on existing positions. Three calls and 16 puts, a total of 19 options, went unexercised, freezing nearly $30,000 in ETH forever.
The story is, however, far from over.
Dan Guido, CEO of Trail of Bits, took to Twitter to clear the air after his company came under fire for reviewing Hegic’s code.
Guido stated that a code review is not a certification of safety, but rather a framework for developers to understand the flaws in their code and rectify them.
Second, he indicated that Trail of Bits didn’t have enough time to sufficiently audit Hegic’s code.
Yet, Wintermute said that she requested a one-week review, and asked if the security audit would be full or partial, as per a series of emails made public.
The firm said that a three-day code review would be sufficient to provide “good coverage of the smart contracts.”
Hegic’s developer also stated that she implemented the suggestions which are evidenced in the summary of the code review.
User Faith in DeFi Protocols
Smart contract audits are widely considered to be a stamp of approval from security experts.
This debacle confirms, however, that these experts consider audits to be a summary for developers to improve their code, rather than a document that says “this code is ready for mass consumption.”
Love you Lasse but strongly disagree with this take.
1. Auditors complement/improve teams practices, not ensure perfection. An audit report is not a blessing.
2. Time spent is not binary it's a scale. Hegic had a "small" audit.
3. So many follow up recommendations not followed
— Robert Leshner (@rleshner) April 25, 2020
For sophisticated users that can audit code themselves, this is a non-issue as they can find bugs and potential attack vectors. But for those who aren’t technically inclined, a viable alternative doesn’t yet exist.
Smart contract auditing firms understand that regular users do not have a trustworthy source of protocol security ratings. In response to this, several auditors, including ConsenSys and MythX, launched the Ethereum Trust Alliance to begin providing smart contract security ratings for the average user.
This is a step in the right direction, offering users simple information to evaluate protocol risks.