CertiK DeFi Security Roundtable
Security is a conversation that’s frequently only had after attacks happen. Here at CertiK we want to change that. That’s why we recently hosted a security roundtable with some of the other top teams in the security industry to share their thoughts on the current state of DeFi and where they see it heading.
Our own Aaron Leibowitz, Daryl Hok, and Mario Calicchia were joined by:
Rob Behnke — CEO at Halborn
Steve Walbroehl — CISO & Co-Founder Halborn
Ivan Martinez — Prysmatic Labs, COVER Protocol
Will Shahda — Founder APY.Finance
If you weren’t able to make it to the Clubhouse roundtable, you haven’t missed out. Here’s a review of what was discussed.
The State of Attacks
The main takeaway from the discussion of recent DeFi exploits is that the rapidly-evolving space requires (and attracts) a whole new breed of attacker. Previously, black hat hackers didn’t necessarily need to be particularly financially sophisticated.
But in DeFi, a deep technical knowledge of the smart contract code is not enough. Attackers also need to possess a comprehensive financial understanding of many different platforms and how they interact. Flash loan attacks that borrow from one protocol, manipulate the price on another, then drain liquidity on a third platform that relies on the second as a price oracle are a great example of this combination of technical and financial knowledge.
Whereas in legacy tech systems it can be difficult to monetize an exploit, in DeFi the exploit is the monetary incentive. If a hacker comes across a vulnerability in a browser or other piece of legacy software they could report it to the creator in the hope of earning a bug bounty, or maybe sell it to an interested third party. But when dealing with platforms that hold millions of dollars worth of cryptocurrency, a successful exploit provides immediate returns.
This complicates the offering of bug bounties, which have often been used as a way for white hat hackers to demonstrate their skills and earn rewards in the process. If a project offers $500,000 in bug bounties but has $10MM locked in their protocol, the incentive to report a vulnerability is dwarfed by the reward for taking advantage of it.
One thing that the speakers all agreed on is that it’s important to recognize DeFi has come a long way. The high standard of developers in the space means that now it’s less about bugs in the code and more about flaws in the complicated financial characteristics of platforms. Due to the composability and rapid rate of change in DeFi, it’s often impossible to predict how one platform will interact with others which may not even yet be in existence.
Yet there is a solid set of tools at developers’ disposal. The OpenZeppelin Contract libraries which protect against injection and reentrancy attacks got a notable mention, as did the robust Solidity compiler and the fact that any bugs in the Ethereum Virtual Machine (EVM) bytecode are quickly patched.
The rate of change in DeFi, where time seems to pass faster than anywhere else seems to be a feeling that all of the speakers felt. This was demonstrated when someone said ‘in the old days before yield farming’ and then laughed about how that was months not even years ago. This can lead to very different perceptions of risk compared to legacy finance and other slower playing fields. A platform that has been around for two months — or even two weeks — without getting hacked may be considered to have a sufficiently established Lindy effect to be considered “safe”. This isn’t necessarily an incorrect assumption, it’s just an indicator of the unprecedented speed at which the DeFi space moves.
One speaker brings up the Great Averaging of Innovation. Truly revolutionary innovation quickly gains adoption throughout its field, leading to a dilution of the initial effect. What was once groundbreaking and new soon becomes the industry standard, meaning further innovation is required to keep things moving. The nature of DeFi promotes this effect: there’s nothing stopping you from simply forking another project’s code and adding your own tweaks and improvements.
While this averaging of innovation can result in a rapid rate of progress, it also has a flip-side. Any inherent flaws in the original idea are not contained to just the first iteration, they are spread across and magnified by all the copycats that come after.
And near enough is not good enough when it comes to security. The slightest risk is a vulnerability: cracks quickly become canyons, as Will puts it, and a single line of code can take a contract from secure to completely exposed.
This brings us to auditing. Auditing has gone from an afterthought a few years ago to now an essential part of the process.
Comprehensive security takes time and cutting corners is too great a risk. That’s why CertiK likes to work with projects from as early on in the development process as possible.
Despite broad agreement on the necessity of auditing, everyone has a story to tell about projects falling short of the mark. There is an astounding number of projects that fork another’s code and make their changes, then claim that since they’re based on the original — audited — project they don’t really need to go through an audit of their own.
And there has been a proliferation of bottom-of-the-barrel auditing houses which exist just to sell stamps of approval that have very little to do with the actual quality of the code under review. While it goes to show that auditing is now considered a requirement, there are definitely varying levels of quality. CertiK and Halborn auditing are approved by all major exchanges as satisfactory proof of a potential listing’s security.
Yet there’s consensus on the fact that auditing is not the be all and end all of smart contract security. Marco tells the story of one client who was working with a third-party developer team. Their code passed CertiK’s audit, but when examining the hashed code after deployment it differed from the original, audited code. The external developer had taken advantage of their trusted role to slide in malicious code after auditing but before deployment.
People are always the weakest link in any security approach. Whether it’s a phishing attack, developers injecting malicious code as mentioned above, or a rugpull, misplaced trust can circumvent even the strictest code review.
This highlights the need for a layered approach to security. On-chain coverage and decentralized mutuals are an increasingly popular form of protection for project owners and users alike.
Cover Protocol supports guarded launches, where a project launches with coverage already available. And there are platforms that are protected by Cover, CertiKShield, and Nexus Mutual, or some combination of the three. This kind of healthy competition helps bring about more security for everyone. A rising tide lifts all boats, to quote JFK.
Just as auditing has become a fundamental requirement, on-chain insurance alternatives are quickly moving from fringe use-cases to the mainstream. It’s really a no-brainer. DeFi offers high yields but comes with certain security risks. These risks can be offset with the purchase of on-chain coverage, with plenty of APY left over after paying the premium.
Keeping the De in DeFi
The roundtable finishes with a discussion of the interplay between decentralized finance and centralized systems. The panel agrees that the gray area will likely persist for some time, and potentially even grow more indistinct.
Yet there is a distinction between permissionless and decentralized. There is of course the attitude that sees both as indispensable and works to build fully decentralized and permissionless platforms. But there is also a lot of potential in permissioned but still decentralized systems, such as on-chain credit scores or decentralized identity.
The challenge will be to build systems that open up new possibilities while still keeping the De in DeFi.
All in all, it was a fascinating discussion.
If you want to listen in on future CertiK roundtables, keep an eye on our Twitter or follow us on Clubhouse.
If you’re looking for a weekly forum where you can have any and all DeFi-related questions answered, Rob runs a DeFi AMA on Clubhouse every Thursday. Check out the DeFi Clubhouse Telegram for more details.