The State of DeFi and Crypto Cybersecurity
Decentralized Finance, better known as DeFi, aims to reshape the traditional finance model in many ways. In short, DeFi’s aim is to do away with the reliance on trusted intermediaries in traditional finance, such as private banks, and to create “trustless applications” that are “not controlled or hosted by a central party such as a bank or a government”. This raises the question: how safe is DeFi?
In this article, we go through the nooks and crannies of the current state of DeFi, especially when it comes to security. We explain whether blockchain technology, cryptography, and smart contracts live up to the promise of a secure and trustless financial medium, and comment on what should happen next in the world of DeFi to make the space safer.
What is a DeFi project?
The spark that started DeFi came from Rune Christensen of Denmark, who conceived MakerDAO in 2014. In essence, MakerDAO allows users to lock cryptocurrency as collateral to generate $DAI, a stablecoin pegged to the US dollar. In turn, this allowed lending and borrowing to commence in the DeFi space.
Since the creation of MakerDAO, numerous projects have been conceived, and the idea spread like wildfire. DeFi protocols offered much higher yields than traditional banks could provide, partly because a smart contract is far cheaper to operate than a bank’s staff and infrastructure. With interest rates in traditional finance known to be low, DeFi promised an alternative. Here is a list of some of the DeFi projects that have emerged:
DeFi Security: Current Issues
Since DeFi is a relatively new concept, new risks to protocols are bound to keep surfacing. CertiK, a blockchain and smart contract security company, released The State of DeFi Security 2021, summarizing what it learned from the over 1,737 audits it conducted on crypto projects in 2021. What were the findings?
In the report, they highlight that the most common vulnerability they found was centralization risk, something that ironically goes against the spirit of DeFi. They note that “single points of failure” can easily be exploited by “dedicated hackers and malicious insiders alike.” In one case, they point out, a DeFi protocol was exploited for more than $55 million because of private key mismanagement.
In such cases, they point out that “a single, non-multi signature setup is insufficient”. Generally, privileged functions need to be protected by a timelock which would be “delegated to a DAO”, or managed by a multi-signature wallet, so that no single key can change protocol parameters or move funds on its own. Other issues highlighted by the report were missing event emissions (state changes that are never logged, so nobody can monitor them), use of unlocked compiler versions (a floating pragma that lets a newer, unaudited compiler build the contract), lack of proper input validation, and reliance on third-party dependencies. “A byte-sized piece of code can have multi-million dollar ramifications,” they noted.
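To make the report’s list concrete, here is an added illustration (not code from the CertiK report or from any protocol it audited): a minimal treasury contract written first with a single owner key, no events, no input bounds, and the mindset of a floating pragma, then the same two functions hardened behind a timelock whose proposer and executor is a multisig. The contract names, the MAX_FEE_BPS cap and the timelock/multisig wiring (for example OpenZeppelin’s TimelockController fronted by a Safe, both deployed separately) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
// Locked pragma: one audited compiler version. A floating `^0.8.0` (the
// "unlocked compiler version" issue) lets a later, unaudited compiler build
// the production bytecode.
pragma solidity 0.8.20;

// Added illustration only: not code from the CertiK report or from any
// protocol it audited. Contract names, MAX_FEE_BPS and the timelock/multisig
// wiring are assumptions made for this example.

// BEFORE: the report's most common findings in a few lines.
contract TreasuryBefore {
    address public owner;   // one externally owned key; leak it and the treasury is gone
    uint256 public feeBps;

    constructor() {
        owner = msg.sender;
    }

    // No event, no bounds check: 20_000 bps would charge users 200%.
    function setFee(uint256 newFeeBps) external {
        require(msg.sender == owner, "not owner");
        feeBps = newFeeBps;
    }

    // A single compromised key drains everything in one transaction, silently.
    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        to.transfer(amount);
    }

    receive() external payable {}
}

// AFTER: the same functions, gated by a timelock whose proposer/executor is a
// multisig (e.g. OpenZeppelin TimelockController fronted by a Safe, both
// assumed to be deployed separately).
contract TreasuryAfter {
    address public immutable governance;          // the timelock, never a hot wallet
    uint256 public constant MAX_FEE_BPS = 1_000;  // hard 10% cap on any fee change
    uint256 public feeBps;

    event FeeUpdated(uint256 oldFeeBps, uint256 newFeeBps);
    event Withdrawal(address indexed to, uint256 amount);

    error NotGovernance(address caller);
    error FeeTooHigh(uint256 requested, uint256 max);
    error ZeroAddress();

    constructor(address timelock) {
        if (timelock == address(0)) revert ZeroAddress();
        governance = timelock;
    }

    modifier onlyGovernance() {
        if (msg.sender != governance) revert NotGovernance(msg.sender);
        _;
    }

    // Validated input and an event, so off-chain monitors see every change.
    function setFee(uint256 newFeeBps) external onlyGovernance {
        if (newFeeBps > MAX_FEE_BPS) revert FeeTooHigh(newFeeBps, MAX_FEE_BPS);
        emit FeeUpdated(feeBps, newFeeBps);
        feeBps = newFeeBps;
    }

    // A withdrawal must be scheduled on the timelock, wait out its delay, then
    // be executed; a compromised signer cannot move funds instantly or quietly.
    function withdraw(address payable to, uint256 amount) external onlyGovernance {
        if (to == address(0)) revert ZeroAddress();
        emit Withdrawal(to, amount);
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}
```

Deploying TreasuryAfter with the timelock’s address means that even the multisig cannot call setFee or withdraw directly: it has to schedule the call on the timelock, and the enforced delay plus the emitted events give the community a window to notice and react before a compromised signer can do damage.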
Another notable project aiming to identify faults and possible security and safety issues is the independent ratings company DeFi Safety. It gives crypto projects a percentage score for how well they follow best practices for safety and security. One such case is Ronin, the Ethereum sidechain behind Axie Infinity, which received the worst score on their ratings after its bridge was drained of $622 million.
Classic attacks and scams such as social engineering also remain very prevalent. As we pointed out in a previous article, scams and hacks are running riot in the crypto space: more than $1 billion in losses to crypto scams was reported to the FTC between the start of 2021 and the first quarter of 2022, and Chainalysis put worldwide losses to crypto scams in 2021 at $7.7 billion.
The most common form of social engineering scam is phishing. Here at Interlock, we aim to prevent these scams through Bouncer, a security Discord bot, and through a browser extension that detects phishing sites. Both leverage Interlock’s Visual AI and will work with $ILOCK, a DeFi security token.
Rug pulls and honeypots are two other notable ways of scamming people and threatening the safety and security of DeFi users. In a rug pull, a project’s team pumps its token, then walks away with other people’s funds and leaves investors holding assets of no value. 2021 saw a sharp increase in these scams: the Chainalysis report behind the $7.7 billion figure noted that rug pulls accounted for 37% of all crypto scam revenue in 2021, equivalent to $2.8 billion.
Honeypots are also an emerging trend. Here the scammer deploys a smart contract that appears to have a design flaw allowing an arbitrary user to drain Ether from it. When a would-be exploiter sends funds to trigger the apparent flaw, a hidden trapdoor prevents the drain from succeeding. The result is that “the user's cash will be imprisoned, and only the honeypot creator (attacker) will be able to recover them”.
The Future of DeFi Security
If DeFi is to have a future, a number of things need to be kept in mind when it comes to security. If DeFi protocols lack security, there will be breaches, and in the end DeFi would lose the community trust its future depends on. That is why more action needs to be taken on the security front. Interlock’s CEO, Rick Deacon, had his own say on this.
“The greatest threat will always be Social Engineering, phishing, and attacks that focus on accessing an unwitting user's or company's DeFi wallet,” Deacon said.
Moreover, he believes that the world will always be “chasing smart contract security” and scammers will pluck any potential holes which could lead to exploitation. DeFi protocols “will need to continually work to improve bugs that cause manipulation,” he remarked.
Deacon noted that he would like to see more DeFi security standardization across all platforms. This would enable a set of guidelines for DeFi platforms to follow in order to ensure that users are safe. Then there should also be a “minimum requirement” that platforms, coins and users should follow so that any breaches, hacks, or scams are mitigated as much as possible.
As we highlighted in a previous AMA, many key factors will shape the future of DeFi and where it is heading. Here is a list of the most pertinent points discussed with some of the projects aiming to make DeFi more secure:
- Audits need to be taken seriously
- Problems highlighted in audits need to be addressed
- Less focus on audits as a marketing badge, and more on fixing the issues they raise
- More proactivity to prevent hacks
- Awareness that hacks often cost more than taking security measures
If we want a safer space for people to explore the possibilities of DeFi, crypto projects will need to make security one of their top priorities.