The DeFi space has an “Achilles heel” hackers and bad actors have exploited: security. The ever evolving nature of the space itself has given little room for the issues that enable exploits to occur rather often.
This has led to a loss of confidence in the space and has slowed down adoption significantly.
Yet, there is still hope.
With new solutions, DeFi users can change the paradigm, enjoy the opportunities of decentralization and improve adoption.
Dr. Shira Brezis, CEO and Co-founder of Redefine,a boutique DeFi solutions ecosystem explains.
Dr. Shira Brezis, CEO & Co-founder of Redefine
What are the most common security issues that plague the DeFi space?
Prior to DeFi, in what I like to call “traditional crypto” (which basically means mostly holding Bitcoins in your wallet), the only risk existing was to the custody. Money could have been lost then either by stealing the private keys directly from the user or through compromising the centralized custody provider. There are many ways to go about it, for example social engineering attacks that trick individuals into revealing their sensitive information or tricking an employee of the exchange in a similar way, thus losing access to the digital assets. In DeFi however, in addition to all the existing custody risks, there are many more.
Some of the most common security issues that plague the space include smart contract vulnerabilities, risks associated with centralized governance, active token approval threats and phishing scams. Smart contracts form the backbone of DeFi and vulnerabilities within them can cause significant losses. Centralized governance poses risks of manipulation, active token approvals could be exploited by malicious or compromised spenders. Lastly, price oracle manipulation and front-running attacks can manipulate market data for illicit gain.
How has a lack of awareness caused harm for DeFi users?
Many participants in DeFi are not fully aware of the technological intricacies and potential risks around this emerging space. This knowledge gap has led to many instances of individuals falling for phishing scams. The complex interplay between different smart contracts often goes unnoticed, leading people to invest in projects without fully understanding all these potential vulnerabilities. This lack of understanding and awareness allows malicious actors to exploit these investors and spread panic throughout the ecosystem. Education around all these different risk factors are important to good key management and safe on-chain DeFi interactions. I like to say that awareness of risks is the first necessary step towards self-protection.
What best practices can developers deploy to secure their projects?
Developers must embed a security-first approach when creating DeFi projects. This involves conducting regular security audits, using well-vetted code libraries, and adhering to a modular design pattern for safer and more comfortable code updates. It’s crucial to safeguard administrative keys using multi-sig wallets and ensure data reliability by employing oracles that pull data from multiple trusted sources. Developers should also create a transparent environment that encourages peer reviews, allows users to understand the risks better, and contributes to the overall security of the project.
What are some of the most common types of DeFi attacks?
There are several attack types plaguing the DeFi space. Re-entrancy attacks, where a function within a single transaction is repeatedly called to drain funds, are common. Flash loan attacks, though not attacks per se, provide an avenue for attackers to exploit vulnerabilities in oracles or governance voting mechanisms by borrowing a large amount of tokens, manipulating the market, and paying back the loan within one transaction, often causing substantial losses for other users. Price oracle manipulations and front-running attacks have also become rampant in DeFi. Additionally, front-end attacks where attackers take control over the domain of a decentralized application, giving the attackers the technical ability to inject any data payload they want into any wallet connecting to the compromised site.
How can users protect themselves?
I always stress that users should perform their own due diligence on the assets they own and the protocols they want to interact with. During the execution phase of transacting – there needs to be a watchful eye to ensure that the user fully understands the implication of signing that specific transaction. Then post-transaction, there is the responsibility to manage your on-chain positions by keeping track of transactions that are interacting with the protocol that you are exposed to.
How can smart contracts be secured?
Securing smart contracts requires rigorous testing and audits where every line of code is scrutinized for loopholes or vulnerabilities. Formal verification can help establish the correctness of the code for critical properties and bolster security. By designing smart contracts with upgradability, developers can then patch vulnerabilities and adapt to emerging threats faster. Clear, user-friendly interfaces can help reduce the risk of user errors leading to security breaches.
What are the main issues related with copying code verbatim and forking?
While copying code or forking existing projects accelerates the development process, it also bears the risk of replicating any vulnerabilities within the original code. Developers, without a comprehensive understanding may overlook or underestimate these vulnerabilities. Moreover, maintenance and security enhancements become challenging due to lack of original code expertise. Furthermore, code copying fosters complacency and discourages innovation as developers reuse, instead of improving existing projects or invent new ones. This approach can lead to a domino effect of systemic vulnerabilities across multiple projects derived from the same base code.
Please can you tell us about Redefine and your products?
Redefine provides a comprehensive security solution for institutions such as banks, hedge funds, family offices and wealth managers to responsibly interact with Web3. Redefine’s suite of tools combines cybersecurity and blockchain analytics expertise to provide critical risk insights for informed decision-making to prevent fund loss, save time, and streamline transaction execution processes.
What is Redefine doing to address the risks that exist in the Web 3 community?
Redefine is working to provide institutions with tools that allow them to deploy and manage their on-chain capital in a secure and responsible manner. Through other distribution partners, like custody providers for institutions. We are increasing the amount of users and entities that will be able to leverage our security tools to improve their overall operational experience and security in DeFi and Web3.
What concerns do financial institutions have about the safety and security of the Web3 space? How do these concerns affect investment decisions?
Financial institutions, used to highly regulated environments, view the Web3 space with apprehension due to an emerging regulatory landscape and high-profile hacks and frauds. This lack of regulatory clarity, especially in the US, encourages companies to explore more favorable jurisdictions, resulting in a fragmented, inconsistent global market. This insecurity impacts investment decisions, since institutions often adopt a ‘wait and see’ approach to avoid potential risks and miss out on early investment opportunities. To alleviate these concerns, we’re focused on providing robust security solutions and transparent guidance to help ease these institutions’ journey in the Web3 space.
Why does the Department of Justice need to step up to investigate and prosecute DeFi hack cases?
The DOJ needs to focus heavily on this emerging threat. The government’s involvement not only ensures justice, but also helps shape robust legal and regulatory frameworks for other countries to follow. What we’re seeing is that many significant crypto and DeFi hacks are orchestrated by nation-state actors such as North Korea, meaning the proceeds of these hacks directly fund sanctioned entities. Prosecution and investigation of these cases should be treated seriously if we want to see increased Web3 adoption.
What can the Web3 community do to promote safety standards?
The Web3 community can start a collective effort right now to help establish safety standards across the industry. Education about potential risks and mitigation strategies is fundamental. Audits and peer reviews should be routine, enhancing code quality and security standards should also be top of mind. Best practices sharing and incident learnings can foster a security-focused culture. An open dialogue and collaboration promote a proactive approach towards safety. The Web3 community should integrate transaction screening services into wallet interfaces and better reporting mechanisms for scams and bad actors, strengthening the overall security posture.
How can regulatory standards help improve DeFi security?
Regulatory standards can significantly enhance security throughout DeFi. They provide a structured framework for projects and ensure mandatory baseline security measures. This not only curbs negligence but also instills user trust, which is important for the wider adoption of digital assets. Regulators can function as external auditors, identify overlooked security risks, and establish regulatory guidelines which allow companies to operate in a compliant manner. All of this will drive more institutional capital into markets and foster a more robust and secure DeFi ecosystem.
What are the risks associated with crypto transactions? What strategies are projects deploying to address them?
Crypto transactions pose risks such as transactional errors, market volatility exposure, and hacks. Existing wallets often force users to blindly sign transactions without fully explaining the implications, presenting non-human-readable hexadecimal ‘blobs’. Users inadvertently authorize compromised transactions and create security pitfalls. To mitigate this, projects are beginning to integrate automated transaction screening solutions, making transaction implications clearer to the user. This is the primary purpose of Redefine’s DeFirewall product.
What are the most common types of issues faced by cross-chain projects? How can they be addressed?
Cross-chain projects struggle with issues like interoperability challenges, liquidity shortages, and increased risks from intricate inter-chain interactions. A careful design of bridges and the use of wrapped tokens can add an extra layer of security in inter-chain transfers and liquidity sharing mechanisms can counteract shortages. With careful planning and innovative solutions, I believe the vast potential of cross-chain projects can be unlocked without compromising security.
How does decentralized governance help secure projects?
Decentralized governance enhances security by distributing decision-making power across numerous stakeholders and eliminating single points of failure. This democratic process ensures diverse perspectives are considered and leads to more comprehensive and robust decisions. It fosters transparency as each decision is open to scrutiny and encourages accountability. However, the level of decentralization should be verified. For example, by examining whether a large portion of voting tokens are held by a few entities and ensuring the multi-sig wallets used are truly decentralized.
What are the risks associated with Oracle usage?
Oracles, a vital component of many DeFi projects, bring off-chain data to on-chain smart contracts. Yet, they introduce potential security risks as they can be manipulated. If an Oracle is compromised, it can feed distorted data to smart contracts and cause severe damage. Single points of failure and reliance on third parties can accelerate this threat. Oracles are often used as price feeds for setting mark prices on AMMs. If the price setting mechanism, TWAP (time-weighted average price) mechanism, or other flash-loan exploit prevention measures are not appropriately implemented, they could lead to major security breaches.
Why are off-chain security solutions seen as high risk?
On-chain transactions offer more security and transparency because they’re verified and recorded on a public distributed ledger. Off-chain transactions, operate outside of the blockchain, making those networks more vulnerable to fraudulent activity. The trading within markets created by centralized entities, which are “off-chain” transactions, in almost all cases require users to be KYC’ed. They often have many measures in place to look out for wash-trading, money laundering, and other fraudulent activities. But the centralized entity itself is the major risk. So while DeFi on-chain transactions do not have all the regulatory and counter-party risk assessment tooling built in by default yet, it is what companies like Redefine are building today to secure the space and bring peace of mind to the wider ecosystem.
What are your predictions per crypto security in the next 12 months?
I predict the crypto security space will go through stages we’ve seen in the past in the traditional Fiat cyber security space. Meaning attackers will get better and more sophisticated. Attacks will intensify as more liquidity is deployed in the space encouraging new malicious actors to join. At the same time, efforts to secure the space will advance significantly as well – we’ll see more players building security solutions, better adoption of security measures across the board, more standardization in building protocols that helps enhance security, and a more educated market with customers awareness to the problems expressly demanding more transparency and clarity from wallet providers and other participants. I expect to see early stages of regulation specifically requiring the installment of security measures from financial institutions participating in the space, as well as centralized entities such as exchanges. Both as a measure of protecting consumers and also as an effort to deal with national security concerns.