Article author:
QuillAudits
QuillAudits
Security State Of DeFi And Risk Mitigation Ideas
“DeFi” sounds like no alien term now. We are in a time where decentralized finance has engraved its significance as a blockchain-based alternative for financial systems and scaling its adoption rate at an incredible pace.
While the USD 1B locked in DeFi implies the spellbound validation of the new-formed technology by the users, there have been minor and major security break-outs quantifying whooping losses.
It’s shocking that 97% of the cryptos lost in the first quarter were from DeFi protocols. And that says a lot about how far the DeFi has to grow from a security perspective.
Let’s touch upon the recurring hacks practised in DeFi and how to smartly tackle the security of DeFi in this article.
It’s shocking that 97% of the cryptos lost in the first quarter were from DeFi protocols. And that says a lot about how far the DeFi has to grow from a security perspective.
Let’s touch upon the recurring hacks practised in DeFi and how to smartly tackle the security of DeFi in this article.
Some Common Brooding Grounds For Hackers
DeFi At The Danger Of Price Manipulation
The information passed from the external source to the smart contracts is effective during execution. This offers a lot of scope for performing activities however one wishes.
Flash loans are one such possibility where hackers confide in to make profits. Flash loans are borrowed from DeFi platforms without collateral but are obliged to return the funds within the same transaction. Please do so to avoid the transaction being cancelled or reverted.
Hackers utilize such loans to manipulate the prices by selling the tokens in bulk and lowering the costs in the trading exchange. With the price data fed into the smart contract from the external sources, which the hacker has manipulated, they manage to make huge gains while repaying the loan.
Flash loans are one such possibility where hackers confide in to make profits. Flash loans are borrowed from DeFi platforms without collateral but are obliged to return the funds within the same transaction. Please do so to avoid the transaction being cancelled or reverted.
Hackers utilize such loans to manipulate the prices by selling the tokens in bulk and lowering the costs in the trading exchange. With the price data fed into the smart contract from the external sources, which the hacker has manipulated, they manage to make huge gains while repaying the loan.
Dwell On Third-Party Protocols And Mishaps In Code’s Logic
The automatic tuning and simulation of the smart contract logic inevitably rely on advanced coding and third-party services for real-time data gathering.
Here again, diversified coding for exceptional performance may have severe bugs, which, if hackers spot, would be a jackpot for them to loot away the riches from the DeFi platform. For example, mathematical logic errors, inappropriate use of functions, etc., opens the gateway for hacks.
External services like Oracles supply timely data relevant to executing the function by smart contracts. Hackers can easily modify these data, which are externally fed, by understanding the nuances of it. With this, they can make the logic crash and win millions.
Here again, diversified coding for exceptional performance may have severe bugs, which, if hackers spot, would be a jackpot for them to loot away the riches from the DeFi platform. For example, mathematical logic errors, inappropriate use of functions, etc., opens the gateway for hacks.
External services like Oracles supply timely data relevant to executing the function by smart contracts. Hackers can easily modify these data, which are externally fed, by understanding the nuances of it. With this, they can make the logic crash and win millions.
Rug Pulls To Phishing Scams
It is very common in the crypto sphere where the hype for the token spikes in the beginning. This makes the investors believe that the tokens hold a solid value and dive into making a bulk purchase of them.
Mostly– not always- these over-hyped tokens are not an ideal option for investing as they are nothing but valueless tokens circulated to be rug-pulled later. Rug-pull scams are the new trend in DeFi that is performed by exploiting the user’s unfamiliarity with the immature space.
Phishing scams are always persistent, wherein users’ lack of knowledge and attention to detail makes it easier for hackers to grab hold of sensitive information and mess up the holdings.
Mostly– not always- these over-hyped tokens are not an ideal option for investing as they are nothing but valueless tokens circulated to be rug-pulled later. Rug-pull scams are the new trend in DeFi that is performed by exploiting the user’s unfamiliarity with the immature space.
Phishing scams are always persistent, wherein users’ lack of knowledge and attention to detail makes it easier for hackers to grab hold of sensitive information and mess up the holdings.
Front-End Attacks and Social Account Hijacks
Frontend Attacks on DeFi websites and social account takeovers have recently increased. Hackers are targeting the domain names or websites of projects to redirect users to attacker-controlled websites to gain financial profits.
Recently, hackers compromised a Curve website or domain name to redirect unwitting users or their transactions to a malicious destination. Hackers made around $570,000 in ETH from the attack.
Hackers also compromise projects' social accounts, especially Discord and Twitter accounts. The attack starts with the attacker compromising the Protocols discord servers. The attacker commonly uses phishing, social engineering, bots, etc., to compromise Discord servers. After compromising the servers, scammers succeed when they can trick users into connecting wallets to their malicious websites.
Recently, hackers compromised a Curve website or domain name to redirect unwitting users or their transactions to a malicious destination. Hackers made around $570,000 in ETH from the attack.
Hackers also compromise projects' social accounts, especially Discord and Twitter accounts. The attack starts with the attacker compromising the Protocols discord servers. The attacker commonly uses phishing, social engineering, bots, etc., to compromise Discord servers. After compromising the servers, scammers succeed when they can trick users into connecting wallets to their malicious websites.
Fake news and Influencer Pump and Dump
DeFi has attracted many scammers to scam users by circulating fake news for profit. Attackers create fake news about a project or token, and then once it gains popularity, they dump tokens and make profits.
DeFi projects pay a huge amount to influencers or celebrities for endorsements, helping to increase their price due to a surge in demand. Once investors start buying tokens, the price will go up. When the price reaches a certain point, the projects sell all of their shares. It causes a huge price drop, leaving all investors with nothing.
DeFi projects pay a huge amount to influencers or celebrities for endorsements, helping to increase their price due to a surge in demand. Once investors start buying tokens, the price will go up. When the price reaches a certain point, the projects sell all of their shares. It causes a huge price drop, leaving all investors with nothing.
Getting Straight Into Security Best Practices
The DeFi space is less mature than its numbers appear to be. Yet, security loopholes prevail in any technology field, and the intensity of the effect may differ.
However, the security gaps can be bridged through the enforcement of critical measures.Errors are part of the blockchain experience, but it is tremendously dangerous if these events go unnoticed, as it would disrupt the project altogether. To eliminate the risk of facing such an unimaginable scenario, security audits spot the threats coming beforehand, saving smart contracts. Smart contract audits focus on code efficiency before deployment and verify that all interactions are safe. It ensures meaningful security that is uncompromisable. Projects can host their bug bounty program or integrate with Bug Bounty Platforms like Immunefi or Hackerone. It adds an extra layer of security for the projects. Even if everything seems to be fine and the contract is running smoothly, it is very much required that it is protected. Decentralized insurance protects user funds locked in DeFi protocols, and they can be assured of the security of the capital.51% of projects hacked are unaudited. Therefore, paying attention to security as a part of the development can significantly bring down DeFi’s share of fund loss and strengthen web3 security.
The Importance of Auditing Smart Contracts
What is a smart contract audit?
Smart contracts are conditions programmed and encrypted in a blockchain to execute and run transactions automatically. They will refuse transactions upon any breaches of the conditions.
Read more: How do smart contracts work?
Smart contracts are conditions programmed and encrypted in a blockchain to execute and run transactions automatically. They will refuse transactions upon any breaches of the conditions.
Read more: How do smart contracts work?
Yet, smart contracts are immutable once deployed to a blockchain network. They can run improperly and be exposed to attacks, though, if the developers make mistakes in coding or fail to cover security improvements.
Auditing is critical, then. During the process, experienced auditors use a methodical inspection to uncover vulnerabilities and suggest solutions to improve the operation and security of the blockchain, following a checklist.
The Smart Contract Audit Checklist
A step-by-step smart contract audit checklist
Like every auditing, good preparation will save significant time and effort in implementing the whole process.
The auditors start with defining all agreements between the business and other participants: scope, parameters, acceptance criteria, and exceptions (if any.) Moreover, they also need to deeply study project documentation which describes how the blockchain is built and tested.
Also check: Top practices of smart contracts
The auditors start with defining all agreements between the business and other participants: scope, parameters, acceptance criteria, and exceptions (if any.) Moreover, they also need to deeply study project documentation which describes how the blockchain is built and tested.
Also check: Top practices of smart contracts
Then, carry out analysis and create a plan for auditing, focusing on the core checks as follows:
· Preventions against underflow and overflow
· Function visibility
· Fix nuance warnings to avoid problematic features
· Checking for all external calls such as reentrancy or short circuits
· Using trustworthy and audited dependencies
· Time manipulation within several minutes only
· Being aware of rounding errors and unexpected behaviors
· Cut down on pseudo-randomness
· Validation of public or external functions
· Preventions against unbounded loops
· Correct usage of push payments
· Frequent updates of old solidity constructs
· Change verification using the latest solidity versions
Above are high-risk areas that attackers often target.
· Preventions against underflow and overflow
· Function visibility
· Fix nuance warnings to avoid problematic features
· Checking for all external calls such as reentrancy or short circuits
· Using trustworthy and audited dependencies
· Time manipulation within several minutes only
· Being aware of rounding errors and unexpected behaviors
· Cut down on pseudo-randomness
· Validation of public or external functions
· Preventions against unbounded loops
· Correct usage of push payments
· Frequent updates of old solidity constructs
· Change verification using the latest solidity versions
Above are high-risk areas that attackers often target.
With all core checks in mind, build test cases accordingly. It is possible to use testing tools to save human efforts automatically.
What to check:
· Test coverage for 100% branches
· Run unit tests to cover critical edge cases
· Also, have additional tests for integrations
· Freeze recent code written under a tight deadline
What to check:
· Test coverage for 100% branches
· Run unit tests to cover critical edge cases
· Also, have additional tests for integrations
· Freeze recent code written under a tight deadline
Resilience means the capacity of a blockchain to adapt perfectly to real-life or chaotic conditions.
Blockchain also requires resilience because of the large number of data amount and participants worldwide. The technology is also at increased risk of attacks.
Resilience testing includes endurance, compliance, load, and recovery tests to ensure that smart contracts can bounce back after interruption or disturbance of some sort.
Blockchain also requires resilience because of the large number of data amount and participants worldwide. The technology is also at increased risk of attacks.
Resilience testing includes endurance, compliance, load, and recovery tests to ensure that smart contracts can bounce back after interruption or disturbance of some sort.
Depending on the project’s complexity and the development team’s experience, smart contract auditing involves several steps and stages with one or multiple auditors at a time.
Importantly, auditing is not all about the verification of code. During the process, auditors must also create reports including bugs, suggestions for fixing, potential changes to upgrade the smart contracts and the blockchain systems, coding practices, and documentation quality.
Smart contract auditing must also be done on a frequent basis, both manually and automatically, using tools.
Importantly, auditing is not all about the verification of code. During the process, auditors must also create reports including bugs, suggestions for fixing, potential changes to upgrade the smart contracts and the blockchain systems, coding practices, and documentation quality.
Smart contract auditing must also be done on a frequent basis, both manually and automatically, using tools.
How to Apply Smart Contract Audit Checklist?
What does your business do next?
Having a smart contract audit checklist is critical and good to start. However, following the checklist is not an easy task.
Having a smart contract audit checklist is critical and good to start. However, following the checklist is not an easy task.
We wonder whether you have an in-house development team. If not, your business needs to invest significantly in a team of experienced developers, testers, and auditors collaborating well. It also takes extra cost and time to train the team on the technology, implement frequent auditing, fix bugs, and make improvements.
Rather than that, we would suggest hiring an outsourced auditing firm that knows the smart contract audit checklist clearly and has experience in different projects.
You can directly hire experts from CyStack. The company is the leading company for security products and solutions to combat cybersecurity risks. Since it is based in Vietnam, you can expect an affordable cost than teams in other countries. The auditing quality is exceptionally good, though.
Wrapping Up
Never put your DeFi security down!
Besides the golden rules above, you should remember that there is hardly a comprehensive list to cover all potential vulnerabilities. The more blockchain and DeFi grow, the more sophisticated attempts hackers create to exploit the systems and steal your money.
Never put your DeFi security down!
Besides the golden rules above, you should remember that there is hardly a comprehensive list to cover all potential vulnerabilities. The more blockchain and DeFi grow, the more sophisticated attempts hackers create to exploit the systems and steal your money.
0XGUARD
Top Solana Vulnerabilities
Solana is a widely popular blockchain and attractively low transaction fees are certainly among the reasons developers choose it. Among Solana-based dApps are some of the most popular and valued projects. This is why knowing Solana and its weaker points is now more necessary than ever.
HASHEX
A Developer’s Guide: A Framework setup
Developers often ask how to correctly, efficiently, and securely set up a framework for developing smart contracts. This guide aims to help new developers do it quickly and conveniently.