We’ve been making copy-paste jokes for years. Remember all the CTRL + C and CTRL + V memes? They have come back to haunt us because we have used copy-paste for the wrong purpose.

For the IT industry, copying and pasting is an old and common form of software reuse. Most people do it to save time and effort; others do it because they don’t want to spend time writing the code themselves. Both end up facing consequences.

The most significant of the many disadvantages is that copying existing code duplicates its errors and security vulnerabilities throughout the system. Whether copying and pasting code is acceptable can be debated, given its controversies and disadvantages, but we can all agree on one fact: errors caused by unmodified copied code can lead to serious situations. The stakes are even higher when it comes to the crypto and DeFi ecosystem.

DeFi is a confusing space. It is open to everyone, not only in terms of access but also in terms of technology implementation. Most DeFi protocols and ideas are open source, so anyone can help, but for the same reason openness has become a double-edged sword. One camp helps DeFi projects improve, while the other copies the projects and their code to develop its own solution.

What made Apple a successful business? Steve Jobs knew that painting the back of a fence is as important as painting the front, even if no one else would see it. In addition to quality, uniqueness also plays an important role in creating a loyal fan base.

But beyond the uniqueness factor, projects in the DeFi space have not realized that the code they copied is not perfect. Every DeFi protocol is evolving rapidly and is still being explored, so new errors can be found in any of them. Even when the code is well audited, new errors can emerge, and a protocol can only be protected from them if its core team implemented the original concept.

Dangers of copying and pasting in DeFi

In the DeFi space in particular, copied code can cause large financial losses. In addition, most copy-paste projects are of poor quality because the people doing the copying have limited knowledge of the code, which leads to wasted time, unwanted changes, and most importantly, hacker attacks.

Some time ago, the DeFi industry was hit by news that the Binance Smart Chain DeFi protocol The pancake had been exploited in a flash loan attack; the community was believed to have suffered a $1 billion loss.

Before choosing a DeFi product, it is very important to check the quality and uniqueness of the code. A professional in this field can tell at a glance whether the code has been copied.

It is very important to understand that by copying code, developers copy not only the logic but also its bugs and vulnerabilities. In addition, when programmers adapt copied code, more subtle semantic errors can arise. It’s no surprise that the DeFi industry has faced so many hacker attacks, most of which were successful. Since 2019, hackers have caused losses of about $285 million.

Source: AtlasVPN

Thus, the first lesson is to “always check the code”. Even if you are the owner of the product, you will need to review the code generated by your team.

Forewarned is forearmed: if you know what you’re looking for, you can reduce the chances of scammers taking advantage of your product. One of the many good things about the DeFi community is that even if you don’t know how to code, the project’s code is open, and if people find the project interesting, the community is sure to research it and share the results with others.

Most developers agree that copying and pasting code is generally a bad practice. It’s common because changing code or writing new code takes time, effort, and money.

This does not necessarily mean that reusing the code is a bad thing. The code can be reused and should be used whenever appropriate as it saves time and effort. However, this code must be professionally audited after changes.

Reasons to avoid copy-paste in DeFi

Here are some other reasons why copying should be avoided in the DeFi space:

Poor reuse

Every piece of code has its own dependencies. Even when they are common ones, the versions of dependencies, libraries, languages, and the code itself are constantly updated. This means that even if you copy the latest code, it reuses poorly no matter how good you are at copying.

Inheriting vulnerabilities

A coin always has two sides. If you want to take on a project’s gains, you also have to take on its losses. The most common problem with copying code is that you copy the problems present in the original code. The worst part is that the copied code is then modified for its specific purpose, which makes errors difficult to trace. Even from an audit standpoint, copied code with small changes is more difficult to audit.

Introducing new bugs

If you’re copying code, you probably want a short time to market, so you don’t have time to understand the code inside and out. Any new change you make will most likely introduce a new vulnerability that cannot be easily identified, because it may interact with existing code functionality.

In other words, edits are made without understanding the original code, which makes it more prone to errors.

Licensing issues

Copying and pasting code from open source projects is easy, but understanding the licensing implications of copied code can be a problem, especially on embedded devices where firmware is considered new and unique.

Real-life examples of copy-paste threat

DeFi has not been left untouched by the horrific practice of copy-paste. Some DeFi projects copy and paste the smart contract code of Uniswap, Compound, and other successful protocols. The worst thing about this practice is that they often copy it incorrectly, which makes the attackers’ work a piece of cake!

One recent example of such an attack was BSC-based Uranium Finance, a Uniswap V2 fork that was exploited on April 28, 2021 for $57 million. Fulcrum developer Kyle Kistner pointed out that the Uranium developers copied the SushiSwap code (which is already a Uniswap clone) and replaced the number 1000 with 10,000 everywhere, except in one case:

source: Tweet

Another example of the copy-paste danger is BurgerSwap, which was hacked on May 28, 2021, with an estimated loss of $7.2 million.

“According to Hayden Adams, founder of Uniswap, it could easily have been avoided.”

It also forked the Uniswap code, but one omission went unnoticed: the x * y = k check, which plays an important role in calculating the value of each token. Without this check, the attacker created a dummy ID and exchanged small amounts for thousands of BNB & BURGER.
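
Both incidents above come down to the same invariant check. As an added example (not code from Uniswap, Uranium Finance or BurgerSwap), the Python model below runs a small property suite against a Uniswap-V2-style x * y = k check in three configurations: consistent constants, one scaling constant left at 1000, and the check omitted. The pool sizes, the 0.3% fee, the function names and which side of the comparison keeps the old constant are assumptions of the model.

```python
# Added example: integer model of a Uniswap-V2-style x * y = k check.
# Pool sizes, fee and function names are constructed for illustration.

def k_check(reserves, balances, amounts_in, balance_scale, reserve_scale, fee_units):
    """True if post-swap balances keep k from decreasing (after the input fee).

    Balances are multiplied by balance_scale so the fee can be taken off the
    inputs in integer math. The old reserves must be scaled by the same factor
    per token, otherwise the two sides are not comparing like with like.
    """
    adj0 = balances[0] * balance_scale - amounts_in[0] * fee_units
    adj1 = balances[1] * balance_scale - amounts_in[1] * fee_units
    return adj0 * adj1 >= reserves[0] * reserves[1] * reserve_scale ** 2


def make_pool(balance_scale, reserve_scale, fee_units=30, enforce_k=True):
    """Return accepts(reserves, in0, out1) for one pool configuration."""
    def accepts(reserves, in0, out1):
        if out1 >= reserves[1]:
            return False                      # cannot pay out more than held
        if not enforce_k:
            return True                       # invariant check left out
        balances = (reserves[0] + in0, reserves[1] - out1)
        return k_check(reserves, balances, (in0, 0),
                       balance_scale, reserve_scale, fee_units)
    return accepts


def failed_properties(accepts):
    """Swap properties a fork should re-test after touching any constant."""
    pool = (1_000_000, 1_000_000)             # constructed reserves
    cases = [
        ("fair swap accepted",             1_000,     990, True),
        ("output above price rejected",    1_000,   1_000, False),
        ("near-total withdrawal rejected", 1_000, 900_000, False),
    ]
    return [name for name, in0, out1, want in cases
            if accepts(pool, in0, out1) != want]


consistent = make_pool(balance_scale=10_000, reserve_scale=10_000)
mismatched = make_pool(balance_scale=10_000, reserve_scale=1_000)  # one constant not updated
unchecked = make_pool(balance_scale=10_000, reserve_scale=10_000, enforce_k=False)

if __name__ == "__main__":
    for label, pool in [("consistent", consistent), ("mismatched", mismatched),
                        ("unchecked", unchecked)]:
        print(label, "->", failed_properties(pool) or "all properties hold")
```

A fork that changes any fee or scaling constant can keep a suite like this in its test run, so that a single missed replacement fails the build instead of reaching deployment.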


Copying and pasting is not all bad. In certain situations, it can be very useful for a project to quickly implement a particular element that has already been built correctly. In other cases, it can also help you keep pace and implement what is already accepted as a solution.

However, DeFi is not the right space for it. Even when there are only a few lines of code that you need to edit, copying and pasting is not recommended. As experts in smart contract auditing, we have seen many companies with good intentions and vision fail because of such practices. The main reason is not only vulnerability, but the inability to gain the trust of users. And the whole DeFi space arises from the need for trust.

Even if you choose to use copy-paste for certain factors and reasons, a thorough audit of the code should be at the top of your priority list. Even if the original code was audited, that does not mean the copy is as secure as the original. For example, an oracle used in the original code may have migrated to a new version, and when you copy the code, that new version may not be compatible with the old version of the code, leaving a vulnerability that gets exploited. To ensure that your ambitious ideas and vision come true with your DeFi code, get an audit before investing millions of dollars.

Contact QuillHash

With years of industry presence, QuillHash has delivered enterprise solutions around the world. With a team of experts, QuillHash is a leading blockchain development company offering a variety of industry solutions, including DeFi. If you need help auditing smart contracts, feel free to contact our experts.
