Ethereum and its DeFi/dApp Ecosystem’s Embrace of the “Move Fast and Break Things” Philosophy
The reckless philosophy of “move fast and break things” was, unfortunately, at the forefront of the development of Ethereum L1 and its DeFi/dApp ecosystem. Ethereum was initially created as an experimental project to showcase the potential of smart contracts as a foundation for a new kind of decentralized platform.
Here is an interview with Gavin Wood, the co-founder of Ethereum and creator of Polkadot, in which he talks about how Ethereum started as a “Tech Demo.”
Prioritization of speed over long-term planning
The team behind Ethereum prioritized speed and innovation over long-term planning and stability, resulting in a platform that was not built methodically and lacks sustainability and reliability. Sustainability and reliability is exactly what is required for widespread adoption. In their haste to get something out to the public, the team neglected to consider the long-term consequences of their design choices fully.
This approach led to the creation of a platform that is prone to errors, instability, and security breaches, putting users at risk and undermining the trustworthiness of the entire system.
Uncovering Ethereum’s Achilles’ Heel: A Review of Ethereum’s Vulnerabilities and High-Profile Attacks
So let’s take a look at a few examples that reflect the consequences of the poor design and developmental choices of Ethereum.
The DAO hack (2016) – Reentrancy Attack – loss of 3.6 million ETH ($60 million at the time)
Reentry attacks have been a major vulnerability for Ethereum-based DeFi dapps, resulting in significant financial losses. The most significant reentry attack in Ethereum was the DAO attack in 2016, which caused a hard fork of Ethereum. This resulted in creating of two separate versions of Ethereum: Ethereum Classic and Ethereum.
Reentry attacks have continued to be a problem in the DeFi ecosystem, with notable hacking incidents occurring on the dForce (2020) and Grim Finance (Dec 2021) platforms, resulting in a combined loss of $54 million.
The dForce incident was caused by the fact that the ERC-777 standard, which is used for token contracts, allows transaction notifications to be sent in the form of callbacks, giving the recipient control of execution.
Beanstalk Farms Exploit (2022) – Flash Loan Exploit – $182 million lost
Flash loans, a type of unsecured lending that relies on the atomicity of blockchain transactions, have been a major vulnerability for Ethereum-based DeFi dapps, resulting in significant financial losses. While they can bring dynamism to DeFi and reduce the risk and cost of launching various attacks, they have also been exploited by attackers to fund attacks such as reentry vulnerabilities and double solicitation attacks, such as the attacks on Grim Finance and Popsicle Finance. In addition, attackers have borrowed money from lending platforms using flash loans and used the borrowed funds to manipulate token prices and make arbitrage, causing significant damage to the DeFi ecosystem.
Ronin Bridge Hack (March 2022) – Private Key Leakage – $624 million lost
Private Key Leakage is a devastating vulnerability that has affected numerous Ethereum-based DeFi dapps, resulting in the loss of millions of dollars.
This vulnerability occurs when the private key of a dapp’s wallet is exposed or leaked, allowing attackers to gain control of the contract and mint or transfer tokens to other addresses under their control. Ethereum-based DeFi dapps need to interact with the wallet, such as Metamask, and Ethereum provides APIs that enable this interaction.
However, the reliance on these wallets and APIs also creates an opportunity for attackers to obtain the private key of the original contract deployer or manager and exploit the vulnerability.
Parity MultiSig Wallet hack (2017) – Default Visibility – $31 million lost
Default Visibility is a vulnerability that occurs when developers fail to properly specify the visibility of functions in their Solidity code. If a function does not specify its visibility, it is set to [public] by default and can be called by external users. This can be a problem if the function should be private or only callable within the contract itself.
One well-known example of this issue was the Parity MultiSig Wallet hack, in which an attacker was able to exploit a [public] function to change the ownership of the wallet contract and drain it of $31 million worth of Ether.
https://www.ccn.com/hackers-seize-32-million-in-parity-wallet-breach/
Nomad bridge Hack (2021) – smart contract vulnerability – $190 million lost
On January 6th, 2021, the Nomad bridge, a protocol allowing users to move digital assets between different blockchains, experienced a security exploit that resulted in the loss of approximately $190 million.
The vulnerability, which was present in the Ethereum-based smart contracts that power the Nomad bridge, allowed hackers to bypass the message verification process and systematically drain the bridge’s funds over a series of transactions.
The exploit occurred during a routine upgrade, enabling attackers to copy and paste transactions and drain the bridge contract of nearly all of its funds before it could be stopped.
https://www.certik.com/resources/blog/28fMavD63CpZJOKOjb9DX3-nomad-bridge-exploit-incident-analysis
Compound Hack (2021) – reverse rug pull – $40 million lost
The Compound lending protocol suffered a bug in October 2021 that resulted in the accidental disbursement of $80 million in COMP governance tokens to the wrong addresses.
The incident is known as a “reverse rug pull,” where a bug in a smart contract leads to accidental fund disbursements rather than a fraudulent act by the contract creator.
Synthetix Incident (2019) – Oracle mechanism vulnerabilities
Oracle mechanism vulnerabilities can be a major concern for smart contracts that rely on external data as input. These vulnerabilities can occur when an oracle, a service that provides external data to a smart contract, is compromised or experiences a single point of failure.
One example of this was the Synthetix incident, in which over 3 million sETH were arbitrated due to oracle errors.
This is a long list and this shows the fragility of dApps in the Ethereum ecosystem. Many billions of dollars have already been lost. But this trend does not end with vulnerabilities in the dApp layer.
Ethereum’s rambling transition from PoW to PoS and its consequences
Ethereum’s transition to a proof-of-stake (PoS)-based consensus algorithm has been met with criticism and delays. When it happened, it was executed without following a systematic or methodical approach.
The implementation of the “Slasher” algorithm and the 32 ETH minimum requirement for staking were quintessential examples of this approach. Let’s take slashing as an example. The slashing mechanism punishes validators who act maliciously by reducing their stake. While this may seem like a reasonable approach to ensuring the security of the network, it has proven to be flawed in practice.
The punishment for misbehaving validators is often too harsh. This, combined with a minimum 32 ETH staking requirement, is leading to the centralization of the Ethereum network. A situation where only a small number of validators are being operated by small players or individuals. This, in turn, compromises the decentralization of the network.
This is driving the control of the Ethereum network to the centralized staking providers, such as Coinbase and Kraken. These companies offer to stake services to their users, allowing them to earn rewards for participating in the network without the need to run their own validator node or needing 32 ETH to stake.
While this may be convenient for users, it also means that the responsibility of validating transactions is consolidated in the hands of a few large companies rather than being distributed among a larger number of independent validators.
These features, like slashing, were never tested out using an “Incentivised Testnet,” where you can actually learn the behavior of participants and the consequences before implementing it on the mainnet.
A prototype that ended up being too big to fail
Ethereum is that it was originally designed as a prototype, with the intention of eventually being replaced by a more fully-fledged and better-engineered version known as Ethereum 2.0. However, due to the rapid growth of the Ethereum ecosystem, the decisions were made to continue building on top of the original prototype rather than disrupting the existing dApp ecosystem.
The implementation of “slashing” on Ethereum has been seen by some as a confession of the platform’s flawed and weak design. This security measure is viewed by some as a drastic measure taken to compensate for the underlying weaknesses of the system.
Ethereum’s reckless “move fast and break things” mentality has resulted in major problems and undermines its potential as a platform for building safety-critical financial infrastructure. This approach leads to shortcuts and unintended consequences, which are detrimental to the platform’s stability and reliability.
The situation is even worse in one of the newer chains that were built to elevate the blockchain space to mass adoption.
“Move fast and break things” have compromised the economic security of Solana
Solana is a blockchain platform that has gained significant attention and traction in recent years, particularly in the DeFi and NFT space. It has been praised for its fast transaction speeds and low fees, which have made it a popular choice for developers looking to build and launch dApps.
However, Solana’s approach to building and growing its ecosystem has come under criticism, with some arguing that it has led to the socio-economic compromise of the entire Solana ecosystem.
One of the key criticisms of Solana’s approach is its focus on fast bootstrapping of dApp ecosystems and protocol economic security through the use of growth hacks. This approach, which has been encouraged by entities such as FTX and Alameda, has been seen by some as a short-term solution that prioritizes rapid growth and liquidity over long-term stability and security.
FTX, Alameda and Solana
Solana’s approach to building and growing its ecosystem has come under criticism in recent months following the bankruptcy of key investors FTX and Alameda Research.
Following the collapse of FTX, Solana saw a significant drop in the number of validator nodes on its network. This suggests that many of the validators on the network were either affiliated with FTX and Alameda Research or lost confidence in the Solana platform as a result of the bankruptcy of these key players.
The close connection between these companies, the Solana ecosystem, and major DeFi projects on the platform, such as Serum and Raydium, has led to a loss of confidence and significant drops in value for these projects.
The substantial amount of SOL held by FTX and Alameda is another source of concern for the Solana ecosystem. With both companies having filed for bankruptcy, this SOL will eventually have to be sold, creating significant sell pressure on the market. This could potentially have a negative impact on the price of SOL and further undermine confidence in the Solana platform.
Alternatives to Flawed Blockchain Development?
We have now seen that the most prevalent developmental approaches in the current blockchain landscape is flawed. It is not fit to provide an open global financial platform that can serve billions of people without compromising financial security.
Then what’s the solution for this?
Is there an alternative platform that can offer safety, sustainability, and stability to build the future of open global finance?
Blockchain technology is different from traditional internet infrastructure in that it relies on both technical, social, and economic factors to ensure security. The answer lies in the blockchain that approaches development in a fundamentally different way.