The Current State of DeFi Security
Odds are, if you’ve been involved in the cryptocurrency scene for any significant length of time, then you’ve noticed that hacks are relatively commonplace. Indeed, it is rare that several months go by without a major protocol suffering some form of exploit.
DeFi is a rapidly growing industry whose players consistently push the envelope of what blockchain technology is capable of. It also offers large incentives to blackhats and criminals, who see vulnerable platforms as opportunities to cash in with little to no legal recourse. As a result, DeFi has emerged as risky territory for the uninitiated.
But progress is being made toward building a more secure, more intuitive ecosystem of products that don’t require technical expertise to successfully and safely navigate.
The Importance of Security
For all its innovation and potential benefits, DeFi also presents an array of potential security concerns that can put user funds at risk when not properly considered.
Unfortunately, few users and developers pay adequate attention to security when interacting with and building DeFi protocols, and a small fraction inevitably fall victim to attacks — the vast majority of which could have been avoided by simply implementing basic security practices.
Because DeFi protocols allow counterparties to interact with one another without a centralized intermediary, and to conduct peer-to-peer transactions through decentralized smart contracts, they let users benefit from traditional banking-like and investment services while still retaining self-sovereignty of their assets.
However, DeFi protocols also pose an array of security challenges that users need to get to grips with to stay safe while interacting with these new technologies — and several major DeFi protocols have already been hacked, leading to significant losses for their users.
These include the recent Wormhole exploit, which saw $326 million worth of assets stolen from the cross-chain bridge; the Qubit hack, which saw $80 million drained by minting an unlimited amount of xETH to borrow; and the Lympo hack, whereby $18.7 million was stolen from the hot wallet of the Animoca Brands subsidiary. These three hacks occurred in the last two months alone.
For a visual representation of recent hacks, see CryptoSecs ordered hacks timeline.
Unfortunately, given the nascence of the DeFi industry, new attack vectors are frequently discovered. Nonetheless, some of the most common weak targets are outlined below:
- Ice phishing: Also known as signature phishing, this is an attack that is used to trick a target into delegating control of their tokens to a hacker, allowing them to use, transfer, or spend their tokens at will. More often than not, attackers will use this technique to gain a large number of approvals over time, before executing the withdrawals all at once to maximize their returns.
- Compromised admin keys: One of the more potentially devastating attacks, in which an attacker uses one of various methods to gain access to an admin’s private keys, which may give them control over token emission, staking functions, liquidity pools, and various other sources of funds. The attacker then uses this key to call admin functions on affected smart contracts and drain user/project funds.
- Re-entrancy attacks: Re-entrancy attacks are one of the more common types of exploit, and occur when a smart contract calls a function in a separate untrusted smart contract before the original contract finishes its execution. When the hacker has control over the untrusted smart contract, this can potentially be used to drain assets controlled by the original contract.
- Smart contract bugs: Many smart contracts are incredibly complex. Some are unique and are used to establish novel functionality, while others are simple yet powerful. Whatever the case, errors in the smart contract code can lead to bugs that can be exploited, potentially putting assets worth millions at risk.
- Overflow attacks: When a value in a smart contract exceeds the maximum allowed value due to a bug in the code, it might then circle back to zero. This can cause a huge array of potential problems when other smart contract functions rely on this integer to perform their operations — such as repricing an asset to the provided integer (i.e. zero) and allowing the attacker to purchase it for free.
- Underflow attacks: Underflow exploits are the exact opposite of overflow attacks, in that a smart contract function is forced to return a value below a minimum threshold, again resulting in an array of potentially deleterious situations that can be exploited by an attacker.
- Rug pulls: One of the more common attacks/scams in recent years, rug pulls occur when a project makes off with investor money after accumulating as much as possible. Rug pulls can take a variety of different forms, ranging from straight-up theft to more nuanced approaches like transaction tax manipulation, liquidity pulls, pump and dumps, and more.
The Current State of Affairs
As decentralized finance becomes increasingly popular and the number of DeFi tools, platforms, and protocols increases, so too does the number of potential targets. With the barrier to entry to the DeFi landscape gradually lowering, a huge number of clones, copycats, and half-baked DeFi protocols have emerged — a small fraction of which suffer from vulnerabilities.
In the last year alone, the total value locked in DeFi protocols has grown by a staggering 330%, climbing from $58 billion to almost $200 billion as of writing. Much of this is attributed to just a handful of hyper-successful DeFi protocols, which have seen their TVL skyrocket in line with growing popularity. This has the unfortunate effect of dramatically increasing the size of the target painted on the back of these protocols, making them extremely attractive to would-be hackers, who can expect to secure potentially tens-to-hundreds of millions of dollars worth of assets if they can exploit the protocol.
According to a recent report by ImmuneFi, a total of $10 billion was lost as part of DeFi hacks in 2021 alone — up from $3.8 billion the year before. The single highest attack saw $613 million exfiltrated from Poly Network, and there were several other attacks in which more than $100 million was lost.
The spread of DeFi protocols to non-Ethereum chains has compounded the attack surface, while cross-chain protocols and bridges can weaken otherwise secure assets and platforms. Meanwhile, a lack of talented developers and a fast-paced development environment have led to an increase in the number of bugs and loopholes, many of which are known problems that have been exploited before and persist because of unpatched forked code.
Smart contract audits are rapidly gaining popularity as a simple way to minimize attacks, but they are not a silver bullet. There have been dozens of examples where smart contracts have been audited, and no major vulnerabilities were found, only for the protocol to later be exploited. One prominent example of this is the recent MonoX hack, which saw $31 million stolen from the protocol despite two recent smart contract audits.
The vast majority of DeFi hacks and exploits rely on bugs and vulnerabilities in smart contract code or duping an important member of the project team in order to gain access to their admin capabilities.
Fortunately, it’s usually a relatively simple task to harden smart contracts against potential exploits and ensure that even in the event of a breach, measures to contain and minimize it are implemented swiftly.
Some best practices that developers and projects should consider implementing include:
- Multi-signature verification: Where possible, use multi-signature authentication for any actions that involve spending, moving, issuing, burning, or interacting with funds; upgrading and modifying smart contracts; or any other tasks that could be exploited.
- Cold storage: Admin keys, passwords, credentials, and other sensitive materials should be kept in cold storage, leveraging battle-tested hardware wallets and anti-malware solutions to minimize the possible attack surface.
- Phishing education: For any team members with access to critical smart contract functions and/or funds, consider implementing a simple training routine that educates team members on potential phishing vectors and methodologies.
- Security audits: Before deploying on mainnet, ensure your code has been thoroughly audited for potential bugs, glitches, inefficiencies, and threat vectors, and ensure these are corrected and re-reviewed before the smart contract is launched. Multiple audits are preferable.
- Bug Bounties: Bug bounties can be a cost-effective means to identify bugs before they’re exploited by a black hat. Consider offering graded rewards based on the threat level of exploits discovered, and ensure that the reward for critical issues is sufficient to incentivize white hats.
- Disaster recovery plans: In the unfortunate event that your protocol is exploited, it is best to have a plan of action ready to execute swiftly, helping to limit the damage, reduce panic, and resume operations faster. At the very minimum, this should include a complete shutdown procedure, smart contract review, fork option, damage control plan, and community/investor messaging guidelines.
- Use a tamper-resistant oracle: Many smart contracts leverage intrinsic blockchain data (e.g. block hashes) or the outputs of other DApps (e.g. pricing data) as a data source. These can often be manipulated, such as through a flash loan attack or through a priority gas auction, which can open up attack vectors. These can generally be avoided by using a decentralized, tamper-resistant oracle, such as Chainlink or Band Protocol.
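For the oracle item above, a sketch of reading a Chainlink price feed defensively, so that a missing, non-positive, or outdated answer stops the transaction instead of being used as a price. This is an added example, not code from the original article or from Chainlink; the `PriceConsumer` contract, `safePrice` function, and `maxAge` parameter are hypothetical, and only the two `AggregatorV3Interface` functions used are declared.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of Chainlink's AggregatorV3Interface needed by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId,
        int256 answer,
        uint256 startedAt,
        uint256 updatedAt,
        uint80 answeredInRound
    );
}

// Hypothetical consumer contract (added illustration).
contract PriceConsumer {
    AggregatorV3Interface public immutable feed;
    uint256 public immutable maxAge; // assumed: maximum accepted answer age, in seconds

    constructor(address feedAddress, uint256 maxAgeSeconds) {
        require(feedAddress != address(0), "feed not set");
        feed = AggregatorV3Interface(feedAddress);
        maxAge = maxAgeSeconds;
    }

    /// Returns the latest answer scaled to 18 decimals, or reverts.
    function safePrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "invalid price");          // zero or negative answer
        require(updatedAt != 0, "round incomplete");   // round not yet finalised
        // Checked subtraction also reverts if updatedAt lies in the future.
        require(block.timestamp - updatedAt <= maxAge, "stale price");
        uint8 d = feed.decimals();
        require(d <= 18, "unexpected decimals");
        return uint256(answer) * 10 ** uint256(18 - d);
    }
}
```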
The Way Forward
Right now, DeFi can still be considered a lucrative target for hackers, who can make potentially considerable sums by exploiting protocols with lax security.
Unfortunately, users continue to trust platforms that are not hardened against even basic exploits, and developers often lack the technical expertise to both identify and fix potential loopholes. This, combined with a general lack of accountability in the DeFi industry, has made it a breeding ground for black hats.
Nonetheless, progress is beginning to be made in shielding both projects and users against potential attacks by making it easier to spot insecure platforms in advance or outsource security to a reliable and reputable third-party provider.
Certik is one of the platforms leading the charge in this regard since it offers an array of tools and services designed to help projects and users stay safe. These include its automatic vulnerability checker, known as Certik Skynet, as well as its asset tracing solution known as SkyTrace — which helps projects avoid fraudulent funds.
Other platforms, like Poocoin, make it easy to see if a project has been rug pulled through its simple rug checker tool, whereas Lossless Protocol provides hack mitigation services to projects, allowing them to detect, freeze and reverse stolen funds automatically.
Likewise, people are starting to demand more accountability from DeFi protocols, and class action lawsuits are being increasingly leveled against the founders and developers of exploited platforms — though most still have limited success.
In time, as security standards become better established, and security best practices become better known among users, the industry should become better hardened against attacks, and pursuing potential exploits should become less attractive for hackers.
About Master Ventures
Master Ventures is a blockchain-focused venture studio helping to build the next generation of blockchain-based Web 3.0 system innovations within the crypto industry. Launched in 2018 by Founder and CEO Kyle Chassé, the company’s ethos can best be summarized in the acronym #BeBOLD: Benevolent, Open, Love, Decentralized.
Master Ventures co-creates with entrepreneurs and businesses worldwide to turn the best ideas into innovative and disruptive products. They do this by investing as strategic partners through offering advisory services to the projects they believe in. To date, Master Ventures has invested in over 40 crypto projects, including the likes of Kraken, Coinbase, Bitfinex, Reef, DAO Maker, Mantra DAO, Thorchain, and Elrond.