Security in DeFi: Insights and Highlights from the 1inchHW AMA session with Symbiosis Finance

The Hardware Wallet
Jun 28, 2024


We recently teamed up with Symbiosis Finance for an AMA on a topic that matters to everyone in this space: best practices and innovative approaches to security in DeFi.

Nik Sokolov, the COO of 1inch Hardware Wallet, and Nick Avramov, the Co-Founder of Symbiosis Finance, shared their insights. You can listen to the audio session here.

For those who prefer reading, we’ve got a text recap of the discussion ready for you. Enjoy!

SEGMENT 1: INTRODUCTION QUESTIONS

Question 1: Introduction of 1inchHW and Symbiosis Finance: goals, key features, and advantages of each project.

Nick Avramov: So, my name is Nick. I’m one of the founders of Symbiosis. I’m not a technical founder because I’m not that smart, but I have people on the team who cover the technical side of things.
Practically, we are a cross-chain DEX. We support over 30 networks and enable users to swap any token on chain A into any token on chain B. Plus, we also support other businesses with this functionality, like Refinance, Socket, OpenOcean, Exeggator, and some other players in the market, using our API to facilitate the swaps. So, that’s a brief introduction to what we do.

Nik Sokolov: Hi everyone, it’s one more Nik from 1inch Hardware Wallet. We are building a solution for DeFi people to use a slim, cool, well-designed hardware wallet with a big screen to sign transactions and feel safe in this dangerous DeFi space. That’s what we do.

Question 2: Can you briefly talk about the current threats facing DeFi? What’s out there that we should be aware of?

Nick Avramov: Well, for cross-chain swaps and bridges generally, in the past three years, we’ve seen over three billion in funds being stolen from different bridges. That’s why the problem is really huge and it goes beyond just the liquidity pool concerns and design and so on. Typically, this also aligns with some smart contract issues. The greatest thing any project can do is to have a reliable number of partners among smart contract auditing firms, especially those with experience working with some L1s and even some new, non-EVM chains like TON. It’s super important to have these partnerships and to enact practices within your team to constantly monitor any security threats and issues.

Nik Sokolov: I think I agree. We need more quality in this space. For example, I think about the Atomic Wallet hack where more than 100 million were drained. Even if you rely on self-custody and don’t want to store your funds on FTX, it’s crucial to choose a reliable partner, a partner that has great processes in place and at least had an audit. Most non-custodial wallets have never had penetration tests, and that’s why it’s scary for me. So, that’s a major issue — hacks.

Question 3: What best security practices would you recommend for DeFi projects and users in general?

Nick Avramov: Well, there is no single silver bullet to solve all the potential issues and threats, but definitely, all things related to crypto are about key management. Whether it’s your private key management for a hardware wallet or a non-custodial or self-custody wallet, it’s the same problem when managing the treasury of the project. Typically, projects use multi-sig, splitting the key into several parts. The control over this is key to the security of the protocol. If the key is compromised, the project is doomed. Key management is crucial for both private usage and project deployment.

Nik Sokolov: My favorite advice is to build a security-oriented mindset, almost paranoid, where you expect something wrong always to happen. This applies to both DeFi projects and users. The space is not new anymore, but there are so many threats. You should expect them to happen and have some best security practices in your mind. Choose a project with a reliable team, that is security-oriented rather than just product-oriented in terms of selling and marketing.

Question 4: How do 1inch Hardware Wallet and Symbiosis Finance ensure the security of the users?

Nick Avramov: For Symbiosis, we use two things: threshold signature scheme (TSS) and multi-party computation (MPC). TSS is similar to multi-sig but more complex, splitting the key into several parts so no single party has the whole key. Only a consensus of nodes can validate a transaction. MPC ensures nodes decide on each transaction, validating its legitimacy. We also use verified stablecoins and gas tokens in our pools, avoiding third-party risk, which helps us prevent potential attacks.

Nik Sokolov: For 1inch Hardware Wallet, we engage security auditors as early as possible to review our designs and make necessary changes. We also follow best practices in developing our infrastructure. We protect our users by building a secure device with as many security features as possible. For example, hidden wallets, Shamir backups, multiple pin codes for signing, and air-gapped connection method. Users can choose their settings for optimal security or ease of use.
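Both answers above rest on the same primitive: splitting a secret so that no single share reveals it and only a threshold of shares recovers it (the key split behind Symbiosis’ TSS setup, and the Shamir backups on the 1inch Hardware Wallet). As an added illustration, not code from 1inch Hardware Wallet or Symbiosis Finance, the block below implements Shamir’s secret sharing over GF(2^8): a k-of-n split of a byte string and the Lagrange recovery at x = 0. The 32-byte value used as the secret is a random stand-in for a wallet master secret, and the 3-of-5 threshold is chosen for the demo. A threshold signature scheme goes one step further than this and produces a signature without ever reassembling the key in one place; that part is not shown here.

```python
# Added example (not 1inch HW or Symbiosis code): Shamir's secret sharing over GF(2^8),
# the construction behind "Shamir backups" and the k-of-n idea behind threshold signing.
# A secret is split into n shares so that any k recover it and any k-1 reveal nothing.
import secrets

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the GF(2^8) reduction polynomial


def gf_mul(a, b):
    """Multiply two field elements (0..255) in GF(2^8)."""
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(a):
    """Multiplicative inverse via a^254 = a^-1 (Fermat's little theorem in GF(2^8))."""
    if a == 0:
        raise ZeroDivisionError("zero has no inverse")
    result, power = 1, a
    for _ in range(7):
        power = gf_mul(power, power)   # a^2, a^4, ..., a^128
        result = gf_mul(result, power)
    return result


def _eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret, k, n):
    """Split `secret` (bytes) into n shares of which any k reconstruct it.

    Each byte gets its own random degree-(k-1) polynomial with the secret byte
    as constant term; share i holds the evaluations at x = i (x = 0 is the secret).
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [(x, bytearray()) for x in range(1, n + 1)]
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x, buf in shares:
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in shares]


def recover_secret(shares):
    """Lagrange-interpolate each byte position at x = 0 from the given shares.

    With fewer than k shares this still returns bytes, but they are unrelated to
    the secret: that is the property that makes a k-1 share holder harmless.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray()
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)        # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)   # (x_j - x_m)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


if __name__ == "__main__":
    seed = secrets.token_bytes(32)            # stand-in for a wallet master secret (demo value)
    shares = split_secret(seed, k=3, n=5)
    assert recover_secret(shares[:3]) == seed
    assert recover_secret([shares[0], shares[2], shares[4]]) == seed
    print("3-of-5 recovery ok; 2 shares give:", recover_secret(shares[:2]).hex())
```

Run it and the last line shows why the threshold matters: two of five shares interpolate to bytes that have nothing to do with the seed, so a backup card or a signing node that leaks one share below the threshold does not leak the wallet.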

SEGMENT 2: COMMUNITY QUESTIONS

Question 1: Can you explain the process behind the multi-seed functionality of the 1inch Hardware Wallet? How does it ensure security for users managing multiple wallets with different seed phrases?

Nik Sokolov: The functionality is quite easy. Basically, you can have one device, let’s call it a wallet, and on this device, you can have multiple wallets (seeds on your device), and that’s why it’s called multi-seed. The wallet stores different seeds, and you can use a specific password for each seed to access a specific wallet. This allows users to have multiple wallets without needing multiple devices. It democratizes access to hardware wallets and saves user funds.

Question 2: An exploit happened in the form of a Velocore security breach. In what ways can Symbiosis prevent this scenario?

Nick Avramov: Honestly, I’m not that much into the details of the Velocore breach. But as I mentioned, we rely on TSS and MPC to secure our protocol. We don’t have third-party risk because we use verified stablecoins and gas tokens in our pools. This helps us prevent potential attacks. The only way to attack Symbiosis is through the pools themselves, but our setup minimizes that risk.

Question 3: As an open-source hardware wallet, what are the advantages for users in terms of transparency, security verification, and community-driven improvements?

Nik Sokolov: I think this question already has an answer, right? It’s about community-driven improvements. So, technically, what’s happening in the hardware wallet space right now? Most hardware wallets simply copy and paste Trezor’s code. We also rely on some parts of Trezor’s code, but we do things a bit differently. What I mean is that even when you rely on an open-source project like Trezor, you always review and improve the code. The original project can then see your improvements and incorporate them as well.

It also depends on the type of open-source license. Many licenses allow for innovation and don’t restrict distribution for security purposes.

Open source is great because anyone can look at the code, understand what’s going on, and ensure there are no surprises. It also allows for community-driven improvements and bug bounties. Instead of having audits once or twice a year, you can have white-hat hackers continuously checking your code for vulnerabilities. This helps improve security and build trust.

Question 4: What steps are being taken by 1inch Hardware Wallet to educate and empower users on best security practices in managing and safeguarding their digital assets in the DeFi landscape?

Nik Sokolov: I’ve already spoken about our attitudes and our willingness to provide many different features. Personally, one of the best features is the ability to interpret call data. We want to ensure that when you sign a transaction, you can understand what you’re signing. That’s why we will be working hard to collaborate with as many protocols as possible to make it safe for DeFi users to use these protocols.

For example, we are working with the 1inch protocol. If there is a fake message or a fake 1inch website with a malicious smart contract, using a hardware wallet will help you recognize the fraud. If the 1inch Hardware Wallet shows that it doesn’t recognize a 1inch smart contract or dApp, it means something is wrong. This feature can help you avoid hacks.

Also, having hidden wallets, Shamir backups, and multiple pins empowers users to choose their preferred level of security. It’s all about educating users on using these features and understanding transaction data before signing.
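The calldata interpretation described in the last two answers, as an added example that is not 1inch Hardware Wallet code: the block below decodes the ERC-20 approve, transfer and transferFrom selectors, checks the destination contract and any approval spender against a list of contracts the device recognises, and flags unlimited allowances and selectors it cannot interpret, which is the “doesn’t recognize this contract” signal the answer above describes. The contract addresses, labels and registry are constructed placeholders, the selectors are the standard ERC-20 ones, and the ABI decoding covers only static 32-byte arguments.

```python
# Added example (not 1inch Hardware Wallet code): decoding EVM calldata so a signer
# can see what it is approving, and flagging calls the device cannot interpret.
# Selectors are the first four bytes of keccak256("approve(address,uint256)") etc.
# Addresses and labels below are constructed for illustration, not real contracts.

UINT256_MAX = 2**256 - 1

# selector -> (function name, argument types); only static 32-byte types handled
SELECTORS = {
    bytes.fromhex("095ea7b3"): ("approve", ("address", "uint256")),
    bytes.fromhex("a9059cbb"): ("transfer", ("address", "uint256")),
    bytes.fromhex("23b872dd"): ("transferFrom", ("address", "address", "uint256")),
}
BY_NAME = {name: (sel, types) for sel, (name, types) in SELECTORS.items()}


def _encode_word(kind, value):
    if kind == "address":
        raw = bytes.fromhex(value[2:])
        if len(raw) != 20:
            raise ValueError("address must be 20 bytes")
        return raw.rjust(32, b"\x00")
    if kind == "uint256":
        if not 0 <= value <= UINT256_MAX:
            raise ValueError("uint256 out of range")
        return value.to_bytes(32, "big")
    raise ValueError(f"unsupported type {kind}")


def _decode_word(kind, word):
    if kind == "address":
        if any(word[:12]):
            raise ValueError("non-zero padding in address word")
        return "0x" + word[12:].hex()
    if kind == "uint256":
        return int.from_bytes(word, "big")
    raise ValueError(f"unsupported type {kind}")


def encode_calldata(name, args):
    """ABI-encode a call to one of the functions in SELECTORS (demo/test helper)."""
    sel, types = BY_NAME[name]
    if len(args) != len(types):
        raise ValueError("argument count mismatch")
    return sel + b"".join(_encode_word(t, a) for t, a in zip(types, args))


def decode_calldata(calldata):
    """Return (name, args) for a known selector, or None if the selector is unknown."""
    if len(calldata) < 4:
        raise ValueError("calldata shorter than a selector")
    sel, body = calldata[:4], calldata[4:]
    if sel not in SELECTORS:
        return None
    name, types = SELECTORS[sel]
    if len(body) != 32 * len(types):
        raise ValueError("argument length does not match signature")
    args = tuple(_decode_word(t, body[i * 32:(i + 1) * 32]) for i, t in enumerate(types))
    return name, args


def review_transaction(to, calldata, registry):
    """Produce what a signing screen should show: (verdict, summary, warnings).

    registry maps lowercase contract address -> human label for contracts the
    device recognises; anything else is shown raw and flagged for review.
    """
    to = to.lower()
    warnings = []
    label = registry.get(to)
    if label is None:
        warnings.append(f"destination {to} is not a recognised contract")
    decoded = decode_calldata(calldata)
    if decoded is None:
        warnings.append(f"unknown selector 0x{calldata[:4].hex()}: arguments cannot be interpreted")
        summary = f"raw call 0x{calldata[:4].hex()} to {label or to}"
    else:
        name, args = decoded
        summary = f"{name}{args} on {label or to}"
        if name == "approve":
            spender, amount = args
            if registry.get(spender) is None:
                warnings.append(f"approval spender {spender} is not a recognised contract")
            if amount == UINT256_MAX:
                warnings.append("unlimited allowance requested")
    verdict = "ok" if not warnings else "review"
    return verdict, summary, warnings


# Constructed sample registry and transactions (placeholder addresses, not real contracts).
TOKEN = "0x" + "aa" * 20
ROUTER = "0x" + "bb" * 20
UNKNOWN_CONTRACT = "0x" + "cc" * 20
REGISTRY = {TOKEN: "Example stablecoin", ROUTER: "Example DEX router"}

if __name__ == "__main__":
    ok_call = encode_calldata("approve", (ROUTER, 10**18))
    bad_call = encode_calldata("approve", (UNKNOWN_CONTRACT, UINT256_MAX))
    raw_call = bytes.fromhex("deadbeef") + bytes(32)   # selector the device does not know
    for to, data in ((TOKEN, ok_call), (TOKEN, bad_call), (UNKNOWN_CONTRACT, raw_call)):
        verdict, summary, warnings = review_transaction(to, data, REGISTRY)
        print(verdict, "|", summary, "|", warnings)
```

The second and third cases are the phishing shapes the answer above warns about: a genuine token contract asked to grant an unlimited allowance to an address the device has never seen, and a call to an unrecognised contract with a selector that cannot be decoded at all. A device that blind-signs shows a hash for both; one that interprets calldata shows the spender and the amount, and refuses to pretend it understands the third.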

Join the waitlist and stay connected with us!
Website: https://hw.1inch.io/
Twitter: https://twitter.com/1inchHW
Discord: https://discord.gg/eFudQjaemy
Telegram Announcement Channel: https://t.me/OneInchHW
Medium: https://medium.com/@OneInchHW
LinkedIn: https://www.linkedin.com/company/hwlt
