As we close out 2021 and ponder a world of Meta, web3, blockchain, crypto and DeFi, all coming very fast and furious, I ask myself: are we ready for the future, and how are we going to close the loop on security in this new world?
As a crypto advocate and passionate follower of the space for over seven years, my eyes were opened to a new world called “Decentralized Finance” (commonly referred to as DeFi).
DeFi does not rely on central financial intermediaries such as brokerages, exchanges, or banks to offer traditional financial instruments, and instead utilizes smart contracts on blockchains. The most popular blockchain for this is Ethereum, with a slew of other chains trying to close the gap with lower fees, speed, security and other interesting and compelling features and functionalities.
DeFi market capitalization is over $182 billion… Subject to change very quickly!
This new ecosystem is still in its infancy and growing; DeFi has grown at an impressive pace since the summer of 2020. This new realm of finance is very exciting: the ecosystem represents a community governed by a vast, growing network of integrated protocols, financial instruments, and open-source software worth more than $80B, and it is poised to explode.
Such massive growth and adoption, coupled with billions of digital assets crisscrossing semi-secure pools and protocols, is garnering massive attention in the security research communities. Recent hacks have exposed upwards of $600M USD due to lackluster cyber security controls, governance, and loose secure software development practices. The adversary is reaping the rewards of technological and human errors.
Hackers and cybercriminals are taking notice:
A recent article by Cointelegraph highlighted some eye-popping statistics. A total of 169 blockchain hacking incidents have taken place in 2021, with nearly $7 billion in funds lost. Since 2012, 534 blockchain hacking incidents have taken place, with 169 events coming in 2021. The majority of these hacks have targeted DeFi due to vendors rushing to market to meet the growth demand.
Exploit breakdown by chain:
· Ethereum: 50
· Binance Smart Chain: 20
· Avalanche: 2
· Polygon: 2
· Some exploits occur on multiple chains
Smart contracts can be complex, with many lines of code interacting with different protocols and blockchains. Such complexity opens the door for security issues that aren’t always easy to spot. While well-known security vulnerabilities can usually be identified, business logic issues are very difficult to identify and require great expertise and deep knowledge of the technologies used and their complex interactions.
The wrong incentives are in place: individuals and institutions are eager to put their money into promising new DeFi projects, while the teams behind the projects want to get them ready and out the door ASAP to capture those millions of dollars flowing in. The same problem that affects technology in general, “build and release fast”, is present in the DeFi ecosystem. Greed sometimes overshadows basic security hygiene on some DeFi projects, resulting in investors and the platform losing millions of dollars.
Few DeFi projects implement SDL and do incremental security audits, considering cyber security from the very beginning. Most projects will just run audits at the very end; while this adds security, it’s not the best approach.
So, how do you assess risks in this new economy?
Public information:
Any history of a hack? How did the vendor manage, resolve, and learn from the experience? Is there anything on the dark web, social media, and communities of interest to garner intelligence about the company and its processes?
Vulnerability Disclosures:
Do the protocol, application, interfaces, and service providers have a vulnerability disclosure program? What is the vendor's intake process? Is the vendor participating in bug bounty programs? And is the bounty program internal or through an external vendor?
Technical controls:
How are they doing custody? How do they manage privacy and how and where are they using encryption? Any API risks that need to be addressed?
Independent Audits:
Has the smart contract undergone an audit, usually through independent auditors? An audit could help detect and possibly rectify smart contract vulnerabilities in code and check the reliability of the smart contract's interactions. Are the audits compliance or security driven?
Software development practices:
The underlying foundation of crypto and DeFi is software with millions of lines of code, in some cases open-source software managed by a community of internists. What are the vendor's software development practices? Are they using independent third parties to assess the code? How frequently is the code assessed?
Supply Chain:
When it comes to supply chain risks, you are either a target of choice or a target of chance. How is the vendor managing its partner ecosystems? How are partners connecting the systems? What are the end-to-end security requirements for the vendor or supplier?
Besides these risks, there are a lot of bad practices being implemented in DeFi as well:
Fake security audits: some projects will just release completely fake security audits, or they remove identified vulnerabilities and release a “nice-looking report” indicating there are no problems or just some minor issues.
Different version audited than released: version 1.0 is audited, and while that version is being audited, development continues and features are added. Version 1.1 is then released instead of version 1.0, so the new features are released without any audit.
Multiple audits until a favorable report: some projects will do more than one audit and then publish the nicer one (the one with fewer problems), hiding some security problems from people.
Audits paid with tokens: some projects will pay the security audit firm in tokens from the project. This is not bad in itself, but it could create a wrong incentive to hide things in the hope of big profits from the tokens.
Smart contract only audits: while DeFi smart contracts are usually audited, the whole DeFi tech stack and infrastructure aren’t. For instance, if key management is not audited, this opens the door for possible private key compromise, which could end up in loss of funds too. Third-party libraries and code are also not audited, on the assumption that they are secure or that someone else has already audited them.
The industry continues to evolve day-to-day. If the past is any indicator of the future, then it’ll be hard to stop the DeFi train approaching its destination. In the meantime, understand the evolving risks while minimizing the attack surface.
Matt Rahman is Chief Operating Officer of IOActive and Co-Founder of Coindex Capital
References:
https://decrypt.co/78355/poly-network-hacker-returns-million
https://cryptosec.info/defi-hacks/
https://cointelegraph.com/news/cointelegraph-consulting-recounting-2021-s-biggest-defi-hacking-incidents