DeFi Cybersecurity | How Does it Work?

TIDEX

How can a finance platform that’s available 24/7 to users stay secure at all times? Eric Ma, CEO of TIDEX, comments…

Smart contracts are the foundation of most blockchain projects, and when one of them fails the consequences are severe. A contract can ship with vulnerabilities that give attackers a path to exploit it, and in an industry where the contract itself holds the funds, that is a dangerous combination.

Because attackers exploit bugs, unhandled exceptions, and other flaws to steal digital assets from users, DeFi firms have to implement appropriate cybersecurity measures to keep themselves, their platform, and their customers safe.

However, DeFi faces a problem that most traditional financial institutions never have to consider: how to stay secure while remaining available 24/7 to users all over the world.

Commenting, Eric Ma says: “In a private corporation there are platform business hours. Things are controlled centrally and there’s a window when users are able to carry out their transactions during the day. Outside of that window, things are closed. However, in the decentralised world, nothing closes. Users are able to carry out transactions anytime they want. There are no business hours, time zones or people to deal with.”

Security audits

Security experts can be hired to audit a platform, performing manual review and automated checks for vulnerabilities in its smart contracts. Many auditing firms also deliver detailed reports outlining what must be done to fix the issues they find.

In a DeFi audit, the auditor scores the severity of each detected issue, leaving the client to fix the bugs, either by enlisting a security engineer or by opening a bug bounty programme.

Audits should be repeated, alongside regular security testing, so that new releases and patches do not introduce fresh vulnerabilities. An audit covers a specific version of the code at a specific point in time; any later change, including an upgrade pushed through a proxy contract, falls outside it. So before you get into a DeFi project, check who is auditing it, how often, and whether the audited code is the code actually deployed. The rekt.news leaderboard of exploited protocols marks which of them were unaudited, making it a good place to start when looking for projects to avoid.

Bug bounty programmes

Independent security researchers, also known as white hat hackers, dig through the code of Web3 projects looking for exploitable bugs in exchange for cash rewards, aiming to catch those bugs before a malicious actor turns them into a hack.

Bug bounties have gained popularity because they are an effective way to compensate white hats for responsibly disclosing vulnerabilities.

The bug bounty ecosystem is also more complicated than it looks. A white hat can report a vulnerability, but having someone ready to triage the report and fix the bug is a different matter entirely. Because DeFi demands a system that operates 24/7, an in-house security team able to respond around the clock is expensive to staff.

What’s next for DeFi cybersecurity?

As tools like ChatGPT and Midjourney become ever more ingrained in the zeitgeist, their potential for both good and bad uses within cybersecurity is becoming an ever more salient issue.

Compared to traditional finance, DeFi is still nascent. New protocols for infrastructure and user-centered solutions pop up every week. However, the race for rapid innovation can overshadow security concerns as founding teams strive to keep up with the fast-paced industry.

In DeFi, balancing the need for swift product development with comprehensive testing before deployment is crucial. But how can developers ensure both aspects are addressed effectively? The answer is community engagement, open-source libraries, and trusted security auditors.

Decentralised Finance’s Need for Enhanced Security

Decentralised finance has transformed the financial landscape by offering individuals and institutions an alternative to centralised entities. By 2023 the DeFi space had amassed some $50 billion in value.

Market research forecasts gross revenue of $231 billion by 2030. However, like any financial market, DeFi carries significant risks, including regulatory and security challenges, and how these challenges are managed today will determine the future of the crypto industry.

Increasing Value Hacked In DeFi

The increasing flow of money into DeFi has inevitably attracted both good and bad actors. In the 2016 DAO hack the attacker drained roughly 3.6 million ether, worth around $50 million at the time. The sums lost only got higher: in 2022 the BNB Chain cross-chain bridge (commonly called the Binance Bridge) was exploited for about $570 million. The total amount stolen from DeFi has grown year on year.

In 2022, $3.1 billion of stolen cryptocurrency, 82.1% of the total, was taken from DeFi protocols, up from 73.3% the year before, according to Chainalysis. Notably, 64% of the stolen funds came from cross-chain bridge protocols.

This trend highlights the urgency for robust security measures in DeFi platforms to safeguard users’ digital assets.

The Complexity Of DeFi Applications

DeFi applications are built from several tech stacks and frameworks, and most depend on other projects for infrastructure.

Most DeFi apps also pull in external libraries, i.e. dependencies. A single outdated or vulnerable dependency exposes every app that uses it to the same security loophole.

A good example is TimelockController.sol in the OpenZeppelin Contracts library. In August 2021 OpenZeppelin disclosed a critical vulnerability in that contract, fixed in a patch release, which put every DeFi project that had inherited an affected version at risk. Unlike a web application, an already-deployed, non-upgradeable contract cannot simply pull the patched library; remediation means a migration or an upgrade path, which is why knowing exactly which library versions a deployment inherits matters so much.

Evaluating DeFi security therefore goes beyond assessing a project’s own contracts. The underlying infrastructure and every inherited component must be audited as well, with the exact pinned version of each dependency recorded, for the analysis to be comprehensive. Again, time-constrained founders rarely have the scope for that.
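Building that inventory of inherited components is mechanical enough to script. The Python below is an added illustration, not TIDEX’s or OpenZeppelin’s code: it resolves a project’s Solidity import graph from a constructed in-memory set of files, groups everything reached under node_modules by package, and reads each package’s pinned version from a constructed package-lock.json excerpt. The file contents are stubs that keep only their import lines (the paths mirror the real @openzeppelin/contracts layout, but the bodies and the version number are illustrative), and the result is the list you would check against a package’s published advisories, such as the TimelockController one.

```python
import json
import posixpath
import re
from collections import deque

# Constructed sample project (NOT real OpenZeppelin sources): each file is a stub
# that keeps only its import statements, which is all the resolver needs. The
# node_modules paths mirror the real @openzeppelin/contracts layout.
SAMPLE_FILES = {
    "contracts/Vault.sol": """
        // SPDX-License-Identifier: MIT
        pragma solidity ^0.8.0;
        import "@openzeppelin/contracts/access/Ownable.sol";
        import {Token} from "./Token.sol";
        contract Vault is Ownable {}
    """,
    "contracts/Token.sol": """
        pragma solidity ^0.8.0;
        // import "./Legacy.sol";   commented-out import, must be ignored
        import "@openzeppelin/contracts/token/ERC20/ERC20.sol";
        contract Token is ERC20 {}
    """,
    "node_modules/@openzeppelin/contracts/access/Ownable.sol":
        'import "../utils/Context.sol";\nabstract contract Ownable is Context {}',
    "node_modules/@openzeppelin/contracts/token/ERC20/ERC20.sol":
        'import "./IERC20.sol";\nimport "./extensions/IERC20Metadata.sol";\n'
        'import "../../utils/Context.sol";\ncontract ERC20 is Context, IERC20, IERC20Metadata {}',
    "node_modules/@openzeppelin/contracts/token/ERC20/IERC20.sol":
        "interface IERC20 {}",
    "node_modules/@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol":
        'import "../IERC20.sol";\ninterface IERC20Metadata is IERC20 {}',
    "node_modules/@openzeppelin/contracts/utils/Context.sol":
        "abstract contract Context {}",
}

# Constructed package-lock.json excerpt (lockfile v2/v3 "packages" layout);
# the version string is illustrative, not a statement about any real release.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 2,
    "packages": {"node_modules/@openzeppelin/contracts": {"version": "4.3.0"}},
})

# Matches `import "x";`, `import {A, B} from "x";` and `import * as X from "x";`.
IMPORT_RE = re.compile(r'^\s*import\s+(?:[^;"\']*?\s+from\s+)?["\']([^"\']+)["\']\s*;', re.M)
# Line and block comments are stripped first so a commented-out import is not counted.
COMMENT_RE = re.compile(r'//[^\n]*|/\*.*?\*/', re.S)
# Splits "node_modules/<package>/<file>" for plain and @scoped package names.
PACKAGE_RE = re.compile(r'^node_modules/((?:@[^/]+/)?[^/]+)/(.+)$')


def parse_imports(source):
    """Return the raw import paths of one Solidity file, ignoring commented-out imports."""
    return IMPORT_RE.findall(COMMENT_RE.sub("", source))


def resolve_import(importer, target):
    """Relative imports resolve against the importing file's directory; bare package
    paths resolve under node_modules, as a node_modules remapping does for solc."""
    if target.startswith("."):
        return posixpath.normpath(posixpath.join(posixpath.dirname(importer), target))
    return posixpath.join("node_modules", target)


def build_import_graph(files, roots):
    """Breadth-first walk from the project's own contracts to every file they
    transitively import. An import that cannot be found is an error rather than a
    silent gap: a file the auditor cannot see cannot be reviewed."""
    graph = {}
    queue = deque(roots)
    while queue:
        path = queue.popleft()
        if path in graph:
            continue
        if path not in files:
            raise FileNotFoundError(f"unresolved import: {path}")
        deps = [resolve_import(path, t) for t in parse_imports(files[path])]
        graph[path] = deps
        queue.extend(deps)
    return graph


def inherited_inventory(graph):
    """Group every reached file under node_modules by package name."""
    inventory = {}
    for path in graph:
        m = PACKAGE_RE.match(path)
        if m:
            inventory.setdefault(m.group(1), set()).add(m.group(2))
    return {pkg: sorted(paths) for pkg, paths in sorted(inventory.items())}


def pinned_version(lock_json, package):
    """Read the exact installed version from a package-lock.json (v2/v3) string."""
    entry = json.loads(lock_json).get("packages", {}).get(f"node_modules/{package}")
    return entry.get("version") if entry else None


def audit_scope(files=SAMPLE_FILES, lock_json=SAMPLE_LOCK, roots=("contracts/Vault.sol",)):
    """Inherited third-party files per package, with the pinned version of each
    package: the list to check against that package's security advisories."""
    inventory = inherited_inventory(build_import_graph(files, list(roots)))
    return {pkg: {"version": pinned_version(lock_json, pkg), "files": paths}
            for pkg, paths in inventory.items()}


if __name__ == "__main__":
    for pkg, info in audit_scope().items():
        print(f"{pkg}@{info['version']}")
        for f in info["files"]:
            print(f"  {f}")
```

Run stand-alone it prints one package with its pinned version and the five inherited files reached from Vault.sol, including Context.sol, which the project never imports directly. In a real project the files would be read from disk (Hardhat keeps dependencies under node_modules, Foundry under lib) and the result compared with each package’s advisories; the point is that the scope of an audit is the whole reached set, not only the files the team wrote.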

With millions of dollars at stake, leveraged against decentralised, open-source architecture, DeFi protocols are an attractive target for hackers and scammers. People wanting to build a secure and sustainable DeFi ecosystem should pay attention to these risks.

Concluding, Eric says: “Investing in new technologies comes with inherent risks. However, the high rewards in taking these risks are often worthwhile for investors. Hackers follow the money and take advantage of immature platforms to collect their rewards. Be proactive and do research to learn and understand the history and background of each project before you invest in it.”

TIDEX

Your gateway to digital assets, blockchain ecosystems, NFTs and the metaverse. 24/7 Support: https://tidex.com/support Community: https://t.me/tidex_official