In our State of Defi Security 2021 report, we shared that over $1.3B in user funds were lost across just 44 hacks in DeFi which more than doubled the amount lost in 2020. The total TVL (Total Value Locked) in DeFi protocols reached over $75B in 2021. With these kinds of numbers, the importance of DeFi security is clear. There are numerous measures in place to help combat these hacks and exploits, such as CertiK smart contract audits, Skynet, and more.
To really understand the importance of DeFi security, we must first understand what DeFi is. DeFi stands for Decentralized Finance. Decentralized finance eliminates intermediaries by allowing people, merchants, and businesses to conduct financial transactions through emerging technology. This is accomplished through peer-to-peer financial networks that use security protocols, connectivity, software, and hardware advancements. So DeFi operates without a central service exercising control over the entire system which is where it differentiates from traditional financial systems. DeFi applications aim to recreate traditional financial systems, such as banks and exchanges, with cryptocurrency. The recognition of DeFi has been growing profoundly in recent times, as a result of which it has been drawing in substantial volumes of capital.
The DeFi movement promises to bring a lot of benefits to customers and investors, including eliminating intermediaries and central oversight, making financial markets more accessible to retail investors and creating new investment opportunities. To achieve their lofty ambitions, DeFi developers are making use of some fundamental properties of blockchain technology.
So now that we understand what DeFi is, what are the benefits of it? DeFi promises to bring a lot of benefits to customers and investors, including eliminating intermediaries and central oversight, making financial markets more accessible to retail investors and creating new investment opportunities. Some other benefits DeFi provides are:
While DeFi has many benefits and growth potential, there are still some things hindering its full potential. Co-head of foreign exchange strategy for Goldman Sachs Research says “DeFi is easier to access for underbanked populations and provides faster settlements for users, but it’s still a work in progress with flaws like hacks, bugs and “outright scams”. The SEC has begun to crack down on DeFi saying that there is a need for regulation after a worry about users' investments in the space and the dangers of it. DeFi’s greatest strengths can also be used as arguments against it. CNBC reported that “It is important to understand that investing in DeFi is highly risky”.
So, what are some of the biggest security risks in DeFi and what can be done to prevent them?
With smart contracts, modifiers restrict who is allowed to invoke certain functions. Such functions are typically privileged functions used to modify the contract configuration or manage funds held in the smart contract. If an attacker compromises an admin key, they can have complete control over the smart contract and steal user funds.
How Can A Key be Compromised?
The first possibility is through a computer trojan. An attacker can use a trojan to steal private keys stored on a computer. An attacker can also conduct a phishing attack to trick the users into sending their private keys to the attacker. For DeFi projects, sometimes several project stakeholders will share one private key. This allows a malicious insider to use the key to call admin functions and transfer the project’s tokens to their own wallet address. Projects should store their private keys securely. We recommend creating a Multisig(account) using hardware wallets. For example, for a five-person team, each team member should have their own hardware wallet. When they attempt to send privileged transactions, it should require at least three out of the five team members to sign the transaction. This prevents an attacker from being able to call any privileged functions should they gain access to one of the keys. For a token contract, avoid allowing the minting of new tokens, if possible. If that is not a possibility, try to use a DAO contract or timelock contract as the owner instead of an EOA account.
Some vulnerabilities in DeFi are complex, but that is not always the case. Sometimes a small coding mistake in smart contracts can turn into a major disaster that causes assets worth millions to be compromised. A smart contract audit can alleviate this, but not every project gets one.
Some common coding mistakes include:
These types of mistakes can be easily eliminated with proper peer reviews, unit testing, and smart contract audits.
Flash loans are a way to borrow large amounts of money from a protocol. To prevent this from happening, we recommend using Time-Weighted Average Price (TWAP). The TWAP represents the average price of a token over a specified time frame. If an attacker manipulates the price in one block, it will not affect the average price. The other suggestion is to use a reliable on-chain price oracle, such as Chainlink.
These kinds of issues are harder to detect and you should proceed cautiously when using a project that communicates with any third-party protocol. We do not recommend blindly copying and deploying code that a developer doesn’t understand. We advise developers to fully understand third-party protocols and how a forked project works before integrating them and deploying them into production. We also recommend developers deploy their projects on a testnet first and do test runs to check for abnormalities in transaction records.
As end users, it is sometimes difficult to find out detailed information on projects before interacting with them using your personal assets. To democratize access to security, we at CertiK built the world’s first Security Leaderboard for blockchain and smart contract projects where you can find extensive and real-time security-centric insights that can help fulfill your due diligence requirements.
Overall, DeFi protocols are software applications that run on the internet, generally with very little human oversight, and often with millions or billions of dollars flowing through them. Like all software, DeFi protocols have two main software risks – coding errors, "bugs," that may cause the software to malfunction, and security vulnerabilities that allow thieves, "hackers," to break in and steal funds from the protocol.
With the amount of funds lost in 2021 and the number of scams being conducted daily, it is clear that DeFi still has to mature a lot in order to gain widespread adoption. There is no guaranteed method to avoid software risk in a DeFi investment, but there are ways to reduce it. Companies such as CertiK are working to combat these scams and hacks and help secure the crypto world. CertiK is the leading blockchain security company and has secured billions of dollars through our security services. These services include smart contract audits, Skynet, KYC Services, SkyTrace, PenTesting, and more.
Smart contract audits are one of the best ways to combat the security risks inherent in Defi. Smart contract audits can help identify errors & risks, remediate vulnerabilities, and verify contracts. A smart contract audit evaluates smart contracts for vulnerabilities and certifies their behavior with respect to a custom function specification. The recommendations made by the auditors are conveyed in advance to the project team and their actions in response are noted in the final report.
A smart contract audit also gives the users and community an extra sense of protection and gives the project more credibility. With the fast pace of DeFi and how fast project launch, as well as the money going through it, smart contract audits are very important and can save the project and community a ton of money. Through CertiK, with every successful audit we’ll provide you with a listing on the CertiK Security Leaderboard that is shared publicly with the entire crypto community. The Leaderboard contains the details of projects alongside their audit reports, as well as the community’s security sentiment of the project.
CertiK’s Skynet powers on-chain security monitoring and data insights for smart contracts. Skynet actively monitors and displays on-chain insights for smart contracts using industry-leading technologies built by CertiK’s team of security researchers. Skynet provides easy to read security scores based on six security primitives including social sentiment, on-chain monitoring, governance, market analysis, safety analysis, and security oracle. CertiK Skynet provides peace of mind when it comes to security. With its security intelligence engine running 24/7, it provides accurate results that anyone can see on the Security Leaderboard. While a smart contract audit is a big step to having a secure project, a smart contract audit paired with Skynet is next level security.
In addition to smart contract audits and Skynet, CertiK now offers a KYC service for projects to provide users and community members with an extra sense of security. CertiK’s KYC is designed to deanonymize project teams and create greater accountability through a rigorous vetting process.