In 2021, over $10 billion worth of user funds has been stolen as a result of fraud and theft on DeFi products. This translates into a 7x increase from last year. In 2022, the UK tax authority opened 20 criminal investigations involving digital assets. This action has been prompted by a spike in money laundering and fraud. According to another , cryptocurrency-based crime hit a new all-time high in 2021, accounting for $14 billion of value received by illegal addresses. report It seems like the , hasn’t it? But while these numbers run counter to the utopia of the crypto world, they still don’t reflect the whole picture of DeFi security and lawfulness. serene existence of decentralized finance has been an illusion With that said, let’s get a deep dive into the security issues of decentralized finance and popular scams known to us so far. Journey into the DeFi past In case it’s your first time reading about decentralized finance, I’ll take you on a brief tour of the DeFi universe, based on our . blog post Decentralized finance or DeFi is a set of specialized applications and financial services based on blockchain. It is also often heralded as a movement that aims to make finance decentralized and open to everyone. That is, DeFi transactions do not require intermediaries like banks or any other kind of centralized processing. On this note, DeFi relies on the use of smart contracts, cryptography, and blockchain to automate processes and protocols, making it more efficient and secure than traditional banking structures. Formally, you become your own bank since you can perform financial services in lending, borrowing funds, insurance, and others, but with no document hassle. DeFi products include but not limited to: decentralized exchanges (DEXs), peer-to-peer lending platforms, stablecoins, prediction markets, etc. Most of DeFi products are built on Ethereum since this blockchain platform empowers the Solidity programming language which helps create advanced smart contracts. At the moment of writing, the amount of cryptocurrency held in decentralized finance has climbed to over , which undoubtedly makes it a viable financial phenomenon with a solid user base. However, the DeFi infrastructure and its regulation is still under development which makes it vulnerable to attacks, ponzi schemes, and other security threats. $80 million Thus, in the best case scenario, smart contracts enable unmatched noncustodial financial services. However, they are as safe as their code. As a result, smart contracts can often be plagued with bugs or gaping security vulnerabilities that allow hackers to drain the wallets. And let’s not forget the power of open-source and composability, which can be both a blessing and a curse. Top DeFi Hacking Styles Over the last two years, the cryptocurrency community has been spooked by an assault of phishing schemes, which has many questioning the very foundations on which it was based. As a result, of cryptocurrencies due to the . DeFi applications are becoming increasingly associated with the “Wild West” growth of cryptocurrency criminality With that said, let’s have a look at some widespread attack types. Flash loan attack Flash Loans are a feature in a number of popular DeFi protocols that allow you to borrow cryptocurrency assets without collateral, provided that the loan will be reimbursed in the same block of transactions. In this case, a cyberthief manipulates the market by taking out a flash loan from a DeFi protocol and then arbitraging it by driving the value of the borrowed token underwater thanks to excess slippage. After that, the hacker quickly returns the loan and keeps the profit to themselves by selling the tokens on other markets for real price. Let’s revisit Cream Finance and its fatal attraction for hackers. In 2021, the flash loan exploit whipped the company for $130 million worth of liquidity provider tokens. Earlier that year, the hackers pocketed $37.5 million in February and $18.8 million in August in other flash loan exploits. Rug pulls or ponzi schemes Rug Pull is a type of DeFi scam when blockchain developers first pump their project’s token and then abandon a project, walking away with investor funds and leaving a valueless token. Main types of rug pulls include liquidity stealing, limiting sell orders and dumping. This particular type of malicious maneuver resulted in almost $3 billion in lost money for victims in 2021, , a blockchain analysis company. is one of the biggest rug pulls ever in the crypto market. Thus, the developers got away with more than . Squid game token is another ponzi scheme. The token was a play-to-earn token inspired by the Netflix TV series and brought up over 43,000 investors short. according to Chainalysis OneCoin $4 billion from unsuspecting investors Re-entrancy attack This cyberattack is one of the most destructive ones in Solidity smart contracts since it can completely drain your smart contract of funds. In this case, an attack contract calls a victim’s contract in such a way that it gets more control over code execution, thus disrupting the victim’s contract and gaining unauthorized access. When the victim’s contract fails to update its state, the attacker calls the withdrawal function to make easy money. The difficulty however is that the re-entrancy vulnerability is tricky to spot since the implementation of smart contract differs and so do possible scenarios. Moreover, since there is no specific pattern in the context of Smart-Contracts, this vulnerability cannot be recognized accurately. And analyzing with a simple and straightforward pattern may produce , whereas rigorous patterns may fail to detect the presence of a re-entrancy vulnerability. false positives The most famous example of this was the , where $70million worth of Ether was siphoned off. DAO Hack 51% attacks A 51% attack is a scenario that could play out if a malicious actor gained control of more than half of the processing power of a cryptocurrency network. By having the majority control over the network, the actor could then begin double-spending coins, censor transactions, or even take over the network entirely. The risk of a 51% attack is real and has already played out against smaller cryptocurrency networks in the past. Additionally, this also allows the attacking node to prevent new transactions from being confirmed, acting as if it was the legitimate network. It means that the legitimate blockchain grows slower than the malicious one, which allows the attacker to rewrite the contents of the distributed ledger. 51% attacks aren’t widely used since they are expensive to pull off. In 2020, DeFi platform PegNet suffered a 51% attack where top miners fraudulently created $6.7 million in stablecoins. And these are just a sliver of security issues that haunt DeFi platforms and applications. Is DeFi THAT vulnerable? Short answer: No. Now let’s get into more details. Cryptography is the old news in the world of secure monetary transactions. The truly disruptive concept of DeFi is full and complete decentralization, where compromised nodes reappear like the Hydra of Lerma. And a lion’s share of DeFi vulnerability stems from its decentralized and open foundation as well. Along with limitless potential, we get completely transparent smart contracts where loopholes and vulnerabilities become public knowledge. Also, considering the far-reaching DeFi structure where apps involve multiple smart contracts connecting across multiple protocols, one vulnerability can drag down a myriad of protocols. But it’s not all doom and gloom. Just like any other new kid on the block, DeFi just needs to grow up and spread its wings. Any new technology is prone to imperfection, and it’s up to you to decide whether the trade-off is worth it. In the case of decentralized finance, security relies on the technology you are using. 2P2 financial services is a path of security choices. And while experts and governments are debating over the DeFi regulation, we should all follow the buyer beware approach - pay due diligence before getting into the field. With that being said, let’s go over some accepted security practices to reduce the vulnerability rate of your DeFi application. How can you protect your DeFi assets? Although there is a specific protection measure against each hacking style, I’ve curated the most popular security practices to keep your DeFi assets safe and sound. Full unit test coverage Unit tests are a salient testing technique necessary for any high-quality project, including decentralized finance. This type of testing functionality problems in separate parts of smart contracts. Why bother with boring testing? Once deployed, smart contracts are immutable, which means that your code must be bug-free BEFORE it gets on the DeFi platform. Most importantly, contracts require full test coverage, meaning that there shouldn’t be any gray zones. Smart contract security audit Full unit test coverage is great, yet it cannot predict unexpected vulnerabilities or all possible interaction paths. Security audit, on the contrary, allows developers to analyze areas that could be manipulated by threat actors. Beside obvious security benefits, audits can also help the team to enhance the efficiency of your DeFi application as a whole. However, audits can guzzle up a lot of financial and time resources, which may scare some companies. Yet, it is a must to thwart reentrancy, oracle, and other types of attacks. No copycats Deploying smart contracts shouldn't be manual copy/pasting. Since the byte code for every contract on the network is public, it’s fairly easy to use it for another contract. However, unless you fork the whole project (which is also not the best scenario), you will end up with separate pieces of code that may not be compatible with the rest. Also, it will be hard to change or add anything even mildly significant in the code. Therefore, copy and paste is extremely detrimental to the security and opens your DeFi app to potential attacks. The Bottom Line DeFi protocols are relatively young and complex systems, and so does the blockchain. The duo of immaturity and advancement make both susceptible to exploits. Therefore, before securing a DeFi project, you need to have a holistic and accurate image of possible threats and security policies. Obtaining this accurate image, in turn, requires a comprehensive security audit. When done right, DeFi projects turn from vulnerable systems into unique, transparent and direct transaction applications with no dependency on third-party institutions for oversight.

Ethereum

MakerDAO

Netflix

Oracle

Twitter

Zones

2022 - HackerNoon Contributor of the Year - Healthcare

2022 - HackerNoon Contributor of the Year - Healthtech

Make Healthcare more accessible together!

Nominated for 2022 - HackerNoon Contributor of the Year - Healthcare

Nominated for 2022 - HackerNoon Contributor of the Year - Healthtech

Too Long; Didn't Read

Discover Saakuru: Web3 Mass-Adoption with 0-FEES

The Dark Side of DeFi: The Wild West of Decentralization 

The Dark Side of DeFi: The Wild West of Decentralization

Too Long; Didn't Read

Companies Mentioned

Coin Mentioned

Pavel Tantsiura

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

The Dark Side of DeFi: The Wild West of Decentralization

Too Long; Didn't Read

Companies Mentioned

Coin Mentioned

Pavel Tantsiura

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES