Security in DeFi
With a surge in DeFi usage, security has become of even greater concern than before. In this article we will address some typical risks associated with DeFi for users and explain how Neuron Fund solves these issues.
Before we dive into the discussion of risks, let’s talk about the core benefits of DeFi to create broader context. The code of DeFi apps specifies resolution of every possible dispute, which means that a user can keep control over the funds at all times. The very same architecture that makes interruption impossible also makes it difficult to apply updates for good. Threats have to be foreseen since every successful hack of a DeFi app is more serious than that of a traditional financial one.
Let us discuss typical attack vectors in DeFi space. They include:
Admin key compromise
First attack that we’ll discuss is performed through private key compromise on admin’s computer.
With smart contracts, modifiers restrict who is allowed to invoke certain functions. Such functions are typically privileged functions to modify contract’s configurations or manage funds. If the admin’s key is compromised, an attacker can gain full control over the project’s token and steal funds.
An attacker can use a trojan to steal private keys for admin’s wallet from a computer. An attacker can also perform phishing attack and trick the admin into sending the private key. Some examples of such attacks are PAID Network exploit and EasyFi hack.
Neuron Fund solves this potential security issue by using Multisig account for emergency management of the protocol. Such a wallet involves 5 addresses and for every transaction at least three addresses are required to sign a transaction. So even if a hacker is able to gain access to one of the admin keys, he is unable to call any privileged function.
Sometimes attacks are merely due to inattentive or inexperienced Solidity usage.
Some common mistakes include:
- Function permission(modifier)
- Incorrect number of digits
- Missing/incorrect variable value assignment
Prominent examples include Value DeFi and Uranium Finance hacks.
Neuron Fund manages these kinds of threats through several audits (in rare cases, auditors also lack sufficient attention to notice the mistake, so diversified audits from different blockchain security companies should be taken) and bug bounty program.
Under bug bounty program, the protocol is continuously tested by a large army of ethical hackers. After a vulnerability is found and identified, the ethical hacker is awarded with protocol treasury funds, the threat is closed and, in serious cases, new audit for smart contracts is taken to ensure that the vulnerability is closed and novel vulnerabilities were not introduced.
Flash loans and price manipulation
Flash loan is a way to borrow a large amount of money for a relatively small fee for one transaction only. Flash loans are unique to decentralised finance and can only be performed on blockchain.
The basis requirement for flash loans is that the loans need to be returned until the end the same transaction. If not, the transaction will be reverted. The general exploit involving flash loan manipulates price for certain tokens and is performed as follows:
- Borrow a large amount of token A using flash loans
- Swap token A for token B on a decentralised exchange (lowering price of token A and increasing price of token B drastically)
- Exploit a DeFi project that relies on the price of A/B
- Repay the flash loan
Many big projects suffered from flashloan attacks: PancakeBunny ($40M), Harvest Finance ($25M), Yearn ($11M), Value DeFi ($7M) and so on.
Neuron does not depend on price oracles in its code, so there is no point in manipulating the price of the NEUR token. Therefore, users are safe regarding flash loan attacks on the protocol.
Security is a primary focus of Neuron Fund. We developed the protocol to let a user focus on choosing investment pools based on their financial reasoning, while staying confident in project’s code integrity and security.