In 2021, over $10 billion worth of user funds has been stolen as a result of fraud and theft on DeFi products. This translates into a 7x increase from last year.
In 2022, the UK tax authority opened 20 criminal investigations involving digital assets. This action has been prompted by a spike in money laundering and fraud.
According to another
It seems like the serene existence of decentralized finance has been an illusion, hasn’t it? But while these numbers run counter to the utopia of the crypto world, they still don’t reflect the whole picture of DeFi security and lawfulness.
With that said, let’s get a deep dive into the security issues of decentralized finance and popular scams known to us so far.
In case it’s your first time reading about decentralized finance, I’ll take you on a brief tour of the DeFi universe, based on our blog post.
Decentralized finance or DeFi is a set of specialized applications and financial services based on blockchain. It is also often heralded as a movement that aims to make finance decentralized and open to everyone.
That is, DeFi transactions do not require intermediaries like banks or any other kind of centralized processing. On this note, DeFi relies on the use of smart contracts, cryptography, and blockchain to automate processes and protocols, making it more efficient and secure than traditional banking structures. Formally, you become your own bank since you can perform financial services in lending, borrowing funds, insurance, and others, but with no document hassle.
DeFi products include but not limited to:
Most of DeFi products are built on Ethereum since this blockchain platform empowers the Solidity programming language which helps create advanced smart contracts.
At the moment of writing, the amount of cryptocurrency held in decentralized finance has climbed to over
Thus, in the best case scenario, smart contracts enable unmatched noncustodial financial services. However, they are as safe as their code. As a result, smart contracts can often be plagued with bugs or gaping security vulnerabilities that allow hackers to drain the wallets. And let’s not forget the power of open-source and composability, which can be both a blessing and a curse.
Over the last two years, the cryptocurrency community has been spooked by an assault of phishing schemes, which has many questioning the very foundations on which it was based. As a result, DeFi applications are becoming increasingly associated with the “Wild West” of cryptocurrencies due to the
With that said, let’s have a look at some widespread attack types.
Flash Loans are a feature in a number of popular DeFi protocols that allow you to borrow cryptocurrency assets without collateral, provided that the loan will be reimbursed in the same block of transactions.
In this case, a cyberthief manipulates the market by taking out a flash loan from a DeFi protocol and then arbitraging it by driving the value of the borrowed token underwater thanks to excess slippage. After that, the hacker quickly returns the loan and keeps the profit to themselves by selling the tokens on other markets for real price.
Let’s revisit Cream Finance and its fatal attraction for hackers. In 2021, the flash loan exploit whipped the company for $130 million worth of liquidity provider tokens. Earlier that year, the hackers pocketed $37.5 million in February and $18.8 million in August in other flash loan exploits.
Rug Pull is a type of DeFi scam when blockchain developers first pump their project’s token and then abandon a project, walking away with investor funds and leaving a valueless token. Main types of rug pulls include liquidity stealing, limiting sell orders and dumping.
This particular type of malicious maneuver resulted in almost $3 billion in lost money for victims in 2021,
This cyberattack is one of the most destructive ones in Solidity smart contracts since it can completely drain your smart contract of funds. In this case, an attack contract calls a victim’s contract in such a way that it gets more control over code execution, thus disrupting the victim’s contract and gaining unauthorized access. When the victim’s contract fails to update its state, the attacker calls the withdrawal function to make easy money.
The difficulty however is that the re-entrancy vulnerability is tricky to spot since the implementation of smart contract differs and so do possible scenarios. Moreover, since there is no specific pattern in the context of Smart-Contracts, this vulnerability cannot be recognized accurately. And analyzing with a simple and straightforward pattern may produce
The most famous example of this was the DAO Hack, where $70million worth of Ether was siphoned off.
A 51% attack is a scenario that could play out if a malicious actor gained control of more than half of the processing power of a cryptocurrency network. By having the majority control over the network, the actor could then begin double-spending coins, censor transactions, or even take over the network entirely.
The risk of a 51% attack is real and has already played out against smaller cryptocurrency networks in the past. Additionally, this also allows the attacking node to prevent new transactions from being confirmed, acting as if it was the legitimate network.
It means that the legitimate blockchain grows slower than the malicious one, which allows the attacker to rewrite the contents of the distributed ledger. 51% attacks aren’t widely used since they are expensive to pull off.
In 2020, DeFi platform PegNet suffered a 51% attack where top miners fraudulently created $6.7 million in stablecoins.
And these are just a sliver of security issues that haunt DeFi platforms and applications.
Short answer: No.
Now let’s get into more details. Cryptography is the old news in the world of secure monetary transactions. The truly disruptive concept of DeFi is full and complete decentralization, where compromised nodes reappear like the Hydra of Lerma.
And a lion’s share of DeFi vulnerability stems from its decentralized and open foundation as well. Along with limitless potential, we get completely transparent smart contracts where loopholes and vulnerabilities become public knowledge. Also, considering the far-reaching DeFi structure where apps involve multiple smart contracts connecting across multiple protocols, one vulnerability can drag down a myriad of protocols.
But it’s not all doom and gloom. Just like any other new kid on the block, DeFi just needs to grow up and spread its wings. Any new technology is prone to imperfection, and it’s up to you to decide whether the trade-off is worth it. In the case of decentralized finance, security relies on the technology you are using.
2P2 financial services is a path of security choices.
And while experts and governments are debating over the DeFi regulation, we should all follow the buyer beware approach - pay due diligence before getting into the field. With that being said, let’s go over some accepted security practices to reduce the vulnerability rate of your DeFi application.
Although there is a specific protection measure against each hacking style, I’ve curated the most popular security practices to keep your DeFi assets safe and sound.
Unit tests are a salient testing technique necessary for any high-quality project, including decentralized finance. This type of testing functionality problems in separate parts of smart contracts. Why bother with boring testing? Once deployed, smart contracts are immutable, which means that your code must be bug-free BEFORE it gets on the DeFi platform. Most importantly, contracts require full test coverage, meaning that there shouldn’t be any gray zones.
Full unit test coverage is great, yet it cannot predict unexpected vulnerabilities or all possible interaction paths. Security audit, on the contrary, allows developers to analyze areas that could be manipulated by threat actors. Beside obvious security benefits, audits can also help the team to enhance the efficiency of your DeFi application as a whole. However, audits can guzzle up a lot of financial and time resources, which may scare some companies. Yet, it is a must to thwart reentrancy, oracle, and other types of attacks.
Deploying smart contracts shouldn't be manual copy/pasting. Since the byte code for every contract on the network is public, it’s fairly easy to use it for another contract. However, unless you fork the whole project (which is also not the best scenario), you will end up with separate pieces of code that may not be compatible with the rest. Also, it will be hard to change or add anything even mildly significant in the code. Therefore, copy and paste is extremely detrimental to the security and opens your DeFi app to potential attacks.
DeFi protocols are relatively young and complex systems, and so does the blockchain. The duo of immaturity and advancement make both susceptible to exploits. Therefore, before securing a DeFi project, you need to have a holistic and accurate image of possible threats and security policies. Obtaining this accurate image, in turn, requires a comprehensive security audit. When done right, DeFi projects turn from vulnerable systems into unique, transparent and direct transaction applications with no dependency on third-party institutions for oversight.