DeFi Bug Freezes $30,000 of Ether Forever

Hegic, a DeFi options trading protocol, has been forced to redeploy its smart contract after a bug in the codebase rendered the options contracts unlockable. A war of words ensued between Hegic’s anonymous creator and smart contract auditor Trail of Bits.

What’s the Point of an Audit?

DeFi has seen its fair share of exploits, but nothing quite as simple as the incident with Hegic. 

There was no exploit or hacker that lanced an attack on Hegic. Instead, a simple typo was the real culprit. 

Instead of “OptionsIDs,” the line of code that unlocks liquidity, the developer wrote and published “OptionIDs.” A single omitted “s” in a line of code caused the liquidity unlocking function to go awry. 

Users could withdraw their funds, but the funds couldn’t be unlocked once the options expired.

Molly Wintermute, the creator and sole developer for Hegic, immediately issued warnings on Discord, Twitter, and Telegram when she discovered the error. 

‼️ ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.

— Hegic (@HegicOptions) April 25, 2020

Hegic promised to make liquidity providers whole again by reimbursing premiums paid and any losses on existing positions. Three calls and 16 puts, a total of 19 options, went unexercised, freezing nearly $30,000 in ETH forever. 

The story is, however, far from over. 

Dan Guido, CEO of Trail of Bits, took to Twitter to clear the air after his company came under fire for reviewing Hegic’s code. 

Guido stated that a code review is not a certification of safety, but rather a framework for developers to understand the flaws in their code and rectify them. 

An excerpt from the code review that highlights the risk of funds being trapped in the contract, via GitHub.

Second, he indicated that Trail of Bits didn’t have enough time to sufficiently audit Hegic’s code. 

Yet, Wintermute said that she requested a one-week review, and asked if the security audit would be full or partial, as per a series of emails made public.

The firm said that a three-day code review would be sufficient to provide “good coverage of the smart contracts.”

Hegic’s developer also stated that she implemented the suggestions which are evidenced in the summary of the code review.

User Faith in DeFi Protocols

Smart contract audits are widely considered to be a stamp of approval from security experts. 

This debacle confirms, however, that these experts consider audits to be a summary for developers to improve their code, rather than a document that says “this code is ready for mass consumption.”

Love you Lasse but strongly disagree with this take.

1. Auditors complement/improve teams practices, not ensure perfection. An audit report is not a blessing.

2. Time spent is not binary it's a scale. Hegic had a "small" audit.

3. So many follow up recommendations not followed

—