Achieving Security & Confidence in DeFi

Conflux Network

Filling security gaps in decentralized projects and gaining credence amongst DeFi skeptics with Conflux Network

With the recent dForce headlines, the recurring issue of re-entrancy attacks, and other security worries regarding DeFi and blockchain protocols, we have to ask the important question of how to achieve security and user confidence in decentralized projects.

At Conflux Network, we are constantly asking ourselves what we can do to secure our upcoming decentralized applications, like our recently launched MoonDEX. We are taking extensive precautions to prevent these kinds of attacks on DeFi projects launching on the Conflux Network. These include re-entrancy security measures and full audits currently being carried out by Quantstamp, a Canadian smart contract security-auditing protocol.

Re-entrancy Problem

Although re-entrancy is well known across the DeFi ecosystem, the recent 25 million USD Lendf.Me drain still happened due to similar vulnerabilities in the ERC-777 standard, a more flexible version of ERC-20. One of its features, a “hook”, streamlines transactions but also makes re-entrancy attacks easier. Consensys has an audit report on how the “hook” makes re-entrancy attacks possible for projects that implement the ERC-777 standard.

At an overview level, re-entrancy attacks are not conceptually complicated: a contract interacts with another contract, but the second contract chooses to call (or re-enter) the first contract and is able to achieve a goal that is different from the developer’s original intent. In a real application, however, they can be much harder to detect and can be hidden behind multiple layers of code. This makes re-entrancy an enticing attack vector in the world of blockchains, and specifically Ethereum. Examples include the infamous DAO exploit, which relied on re-entrancy into a single function, and most recently the dForce exploit, which involved cross-function re-entrancy (re-entering the contract by calling a different function).

Example & Implications on Blockchain

The reactions from the DeFi and dForce community after the $25 million drain have varied across the Asian and North American markets. Based on WeChat discussions and traction since the drain, China has seemed rather optimistic and volume is slowly picking back up in the market. One user said, “After the team retrieved the hacked assets yesterday, a friend asked me, would I still use Lendf.me? I said, it depends on how Lendf.me will resume and correct itself afterward. I will still use it with a high probability, but will redistribute my positions. This crisis has made me see a more clear reality.”

On the other side of the globe, in western markets, this attack may further hinder the outlook on Chinese DeFi protocols. Given the scale of this recent drain and previous accusations about the company’s code, paired with headlines of Chinese projects running out of money, freezing trading, and fleeing with users’ money, DeFi projects in the Chinese market may feel the effects in North America in the short term. However, in the long term, North America should not discredit the DeFi innovations coming out of Asian markets. When DeFi was first getting started in America, the issues were endless, with roots tracing back to some infamous ICOs. It is only fair that we let new markets test and develop their innovations with an open mind, knowing that they will soon have a key role in the DeFi ecosystem.

DeFi has picked up in Asia, but it is still nowhere near the level American projects have reached. Of the approximately one billion USD currently locked in DeFi, Asian projects have managed to capture less than ten percent, mostly by taking influence from leaders in the space and applying similar concepts to the Asian market, as with Lendf.me and Compound. In order for Asia to develop its DeFi ecosystem and capitalize on a larger share of the market, projects should learn not only from dForce’s mistakes, but also from the mistakes of DeFi and other fintech startups when they were first trying to pave their way, some of which have gone on to be multi-billion dollar innovations. They should aim not only to create and curate new ideas, but also to provide more transparency regarding audits and other security measures.

The majority of China is currently still holding its crypto assets with centralized exchanges, and it is easy to put the pieces together as to why that is so.
The Chinese market clearly values security as much as the North American market. If the general population is comfortable with a third party holding their assets so that they don’t have to worry about DEXs and other DeFi protocols losing their funds, it leads to the conclusion that the next big push for DeFi is to lure liquidity away from CEXes by improving its security and working towards a future where attacks like this cannot happen.

Gaining Trust From Potential Users Problem

While blockchain projects have always promised security, successfully deploying DeFi solutions has proved to be quite the task and has resulted in a generally discouraged community. However, the outlook on implementing blockchain in companies remains positive. According to the results of the 2019 Deloitte Global Blockchain Survey, more than 50% of companies surveyed rank blockchain technology as a critical priority. Of the organizations that see blockchain as a priority, the majority expressed privacy and security as the main matter of concern.

Importance

We in the industry recognize the security blockchain offers when compared to the risks associated with a centralized database, like SQL injection attacks and stack buffer overflow attacks. Although blockchain has its issues with 51% attacks and re-entrancy, we must respond accordingly and move to prevent these attacks by promoting security measures such as decentralized insurance, oracles, zk-SNARKs, and more specifically, audits. Without utilizing more security tools, we are limiting ourselves to a one-billion-dollar market cap and will most likely fail to attract more users from today’s centralized systems.

How Conflux is Filling the Security Gap in DeFi

The issues of re-entrancy in the blockchain ecosystem have influenced developers at Conflux Network to eliminate re-entrancy at the virtual machine (VM) level. That means there is no need for specific code patterns, mutex states, or any other temporary fixes. If re-entrancy occurs, the network simply aborts the transaction, closing off the attack vector completely. We also audit all of our work so that we can assure users and developers that interacting with our protocols is safe for all parties involved, and we use trusted third parties to test our contracts and make sure that we are not prone to 51% attacks and re-entrancy.
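The re-entrancy pattern described earlier and the VM-level abort described above, as an added Python model (not Conflux's or any project's own code). The `VM`, `Vault` and `CallbackRecipient` classes, the `abort_on_reentry` flag and the deposit amounts are all constructed for illustration, and the rule "abort when a contract already on the call stack is entered again" is this example's assumption about what the abort means.

```python
class Reentrancy(Exception):
    """A contract that already has a frame on the call stack was entered again."""

class VM:
    """Toy call-stack model; abort_on_reentry is this example's assumed VM rule."""
    def __init__(self, abort_on_reentry):
        self.abort_on_reentry, self.stack = abort_on_reentry, []

    def call(self, contract, method, *args):
        if self.abort_on_reentry and any(c is contract for c in self.stack):
            raise Reentrancy(type(contract).__name__)
        self.stack.append(contract)
        try:
            return getattr(contract, method)(self, *args)
        finally:
            self.stack.pop()

class Vault:
    """Deliberately flawed: makes the external call before updating its ledger."""
    def __init__(self, deposits):
        self.balances = dict(deposits)
        self.funds = sum(deposits.values())

    def withdraw(self, vm, who):
        amount = self.balances[who.name]
        if amount and self.funds >= amount:
            self.funds -= amount
            vm.call(who, "on_receive", self, amount)  # hook runs recipient code
            self.balances[who.name] = 0               # ledger updated too late

class CallbackRecipient:
    """Recipient whose receive hook calls straight back into the vault."""
    name = "mallory"
    received = 0

    def on_receive(self, vm, vault, amount):
        self.received += amount
        if vault.funds >= amount:
            vm.call(vault, "withdraw", self)

def run_transaction(abort_on_reentry):
    vault = Vault({"alice": 90, "mallory": 10})  # constructed sample deposits
    user, vm = CallbackRecipient(), VM(abort_on_reentry)
    snapshot = (dict(vault.balances), vault.funds)
    try:
        vm.call(vault, "withdraw", user)
        status = "committed"
    except Reentrancy:
        vault.balances, vault.funds = snapshot  # the whole transaction reverts
        user.received = 0
        status = "aborted"
    return status, vault.funds, user.received
```

In this model every call back into a contract that is already executing aborts the transaction, benign callbacks included, so contracts that rely on such callbacks would need restructuring.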

Conflux provides network security against 51% attacks (double-spend) through the integration of a DAG-based Nakamoto consensus, pivot chains, and PoW. In a network such as Bitcoin or Ethereum, consensus is handled by PoW and by accepting the longest chain as the valid chain; consequently, all other chains are discarded. In the simplest form, and assuming the attacker has 51% of the hashing power, the attack will succeed once the attacker forms the longest chain. On Conflux, the pivot chain is chosen by the GHAST rule (the heaviest subtree), and the pivot blocks are connected to a network of other blocks and chains along with the previous pivot block. In order to revert the chain, the attacker must generate a block subtree that is heavier than the subtree of the target block. Compared to generating the longest chain, creating a heavier subtree involves connections of multiple chains and is thus a much more difficult attack to accomplish.
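The two selection rules compared above, as an added Python illustration over a constructed block tree (not Conflux's code). It assumes every block has weight 1 and follows parent edges only, so Conflux's GHAST weighting and DAG reference edges are not modelled; the block names and helper functions are hypothetical.

```python
from collections import defaultdict

# Constructed block tree, child -> parent. The "h*" blocks are produced
# concurrently by many miners and therefore fork; "a*" is one private chain.
PARENT = {
    "h1": "G", "h2": "G", "h3": "G",
    "h4": "h1", "h5": "h1", "h6": "h4", "h7": "h4",
    "a1": "G", "a2": "a1", "a3": "a2", "a4": "a3",
}

def children_of(parent):
    kids = defaultdict(list)
    for child, par in parent.items():
        kids[par].append(child)
    return kids

def depth(block, kids):
    """Longest-chain score: length of the longest path below this block."""
    return 1 + max((depth(c, kids) for c in kids[block]), default=0)

def subtree_weight(block, kids):
    """Heaviest-subtree score: every block in the subtree counts, forks included."""
    return 1 + sum(subtree_weight(c, kids) for c in kids[block])

def select_chain(parent, score, root="G"):
    """Walk from the root, always stepping to the best-scoring child."""
    kids = children_of(parent)
    chain = [root]
    while kids[chain[-1]]:
        # Ties are broken by block id so the result is deterministic.
        chain.append(max(kids[chain[-1]], key=lambda b: (score(b, kids), b)))
    return chain

def extra_blocks_to_revert(parent, target, rival):
    """Blocks the rival subtree still needs to become heavier than the target's."""
    kids = children_of(parent)
    return max(0, subtree_weight(target, kids) - subtree_weight(rival, kids) + 1)

if __name__ == "__main__":
    print("longest chain :", select_chain(PARENT, depth))
    print("heaviest tree :", select_chain(PARENT, subtree_weight))
    print("extra blocks  :", extra_blocks_to_revert(PARENT, "h1", "a1"))
```

Here the four-block private chain wins under the longest-chain rule even though seven blocks were mined on the other side, while the heaviest-subtree rule keeps `h1` on the pivot chain because forked blocks still add weight.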

The ultimate goal at Conflux is to provide a safe, stable platform for virtual currencies and digital assets — and one of the steps is to eliminate the root cause of many large scale exploits in blockchain history. This provides built-in protection for developers and smart contracts on the Conflux network. As Ethereum was built on the lessons learned from Bitcoin, Conflux is built on the lessons of Ethereum to help all users safely advance the decentralized commerce ecosystem.

Written by Conflux Network team members, Sami Tannir and Aaron Lu

Conflux is a PoW + PoS hybrid first layer consensus blockchain for dApps that require speed at scale, without sacrificing decentralization.