Decentralized Funding (DeFi) is here to stay with a total value of over $ 100 billion (TVL), which underscores the evidence of confidence in these new financial instruments. These investments will continue to grow, but it seems that with each new record at TVL, another network attack is reported with astronomical losses.
Cryptocurrency decreased 57% in 2020, but DeFi hacks increased, costing businesses and investors billions of dollars. In March alone, there were multiple attacks in just five days, in which Paid Network lost $ 180 million. Later in May, PancakeBunny lost more than $ 200 million in a flash credit exploit.
It is clear that there are far too many loopholes and hacks in current blockchain security protocols. From rug-pulls to phishing scams, the security and technology of this area are not as sophisticated as the numbers suggest. However, there are critical practices that both developers and users can implement to fill this void.
Decentralized technology is still centralized
No matter how decentralized a protocol claims to be, the underlying structure is still centralized. Looking at one of our core functions of the Internet, DNS records, every domain name is still centralized – either owned by a government, state, or company that has ultimate authority over the domain and can shut it down if desired.
Smart contracts are an example of centralization within decentralization. Those who write Ethereum or Binance smart contracts have the final say on the code, and there are ways to code nefarious programs like rug pulls into smart contracts.
During the summer 2020 yield farming boom, we saw many logs emerge to capitalize on the money that was flowing into DeFi and this continued this year. In March, TurtleDex conducted a rug pull that was practically a back door in the smart contract that resulted in $ 2.5 million being stolen from investors. This deliberate feature allows developers to program scams that are then run based on other events in the code, and TurtleDex is one of many projects this year that programmed a rug pull.
Connected: Yield farming is a fad, but DeFi promises to change the way we handle money
Smart contract audits are a great way to prevent rug pulls, but even then we see cases where developers swap the audited smart contract for an unchecked one. The Compounder case shows how easy it is for a fraud project to evade well-known, reputable names in the room. They were able to quickly capitalize on Harvest Finance and Yearn.finance before pulling the carpet on their users and walking away with millions of dollars in crypto.
Connected: Standard auditing for DeFi projects is a must for the industry to grow
Current hacks trends
Aside from rug pulls, there are many popular attacks that can collapse an entire business if not prepared. A 51 percent attack – in which a group of miners controls more than 50% of the network’s mining hash rate, allowing them to foreclose or manipulate transaction records to double-spend or disrupt a blockchain – is still common . Firo and Grin both suffered from 51% attacks recently.
Even some cryptocurrency projects with leading market cap sizes are still unsafe. In February it was reported that 200 days of XVG transactions were deleted on the Verge network, which is effectively the “deepest reorg that has ever occurred in a top 100 crypto”.
We accept these mistakes as part of the blockchain experience, but what would the reaction be if the same thing happened to a major bank, for example? There would likely be a lot more media headlines and riot from both users and customers. These events go largely unnoticed in crypto as there are fewer users, but with the recent bull market this is changing. The security of public blockchains will inevitably be scrutinized more closely.
Practices to prevent hacks like rug pulls
Unfortunately, hacks are always an option for developers while working in crypto. The question is not how to prevent hacks, but how to prevent your chances of being hacked. Some advances in hardware wallets – such as Gnosis Safe’s multi-signature wallet – are key elements in improving overall security.
Using a multisig wallet allows multiple users to hold keys for the same wallet and requires mutual participation to perform actions on the account. Since a wallet like this one requires multiple user input in order to place trades, it is almost impossible to do rug pulls with this type of vault.
Another security practice to prevent carpets from being pulled is time locks. Lots of decentralized apps use time-outs so you have around 12 to 24 hours of warning to remove the funds if a developer tries to outsmart their users.
These types of safety practices will foster greater trust in DeFi and create a safety culture that will advance our industry.
Improving wallet security in crypto
Wallet security ultimately depends on developers and users who implement smarter practices. Regular security audits and internal security practices can all contribute to safer wallets.
While security audits are a good solution, Uniswap and other automated market maker-based decentralized exchanges (DEXs) do not require permission, so it is impossible to conduct regular audits. The best practice is to understand the specifics of “fair launch” coins – projects launched by a DEX. While many of these projects are high quality, many are known to have large exploits. Open source code makes it easier for anyone to self-audit and verify that the smart contract is secure, and gives users more tools to practice good security.
It may seem like a great accomplishment to ask a user to practice good security, but it is required in order to access the many benefits of cryptocurrencies and DeFi in particular. With traditional banks, the bank is responsible for security, but with crypto, security depends on the practices of the developers and users.
If you forget your bank password or send money to the wrong person, you can contact your bank to mitigate the transaction until it is resolved. But in crypto there is no backup option if you lose your keys or send money to the wrong address. One of the many benefits, of course, is that you don’t have to worry about your funds being available in crypto while banks can close their doors and put capital controls in place, as happened with the 2015 banking crisis in Greece.
As developers, we need to implement cross-validation and security audits and hold each other accountable for developing better and better security practices.
Users should consider running their own security protocols and understanding the nuances of storage and potential hacking scenarios. Good practice for passive crypto holders is to have an internet-disconnected hardware wallet or a paper wallet that is 100% offline and does not require online syncing for firmware updates.
Phishing attacks, one of the original types of Internet hacks, are still widespread and common. One way to combat phishing attempts is to verify that the sender is genuine.
Do not enter your private keys or seed phrases on any website or send them to anyone on public channels or DMs. In general, you should only enter your seed phrase the first time you set up your wallet. In addition, you should only enter your seed phrase if you want to restore your wallet after forgetting your password, import an existing wallet to a new device, or use the compatible wallet software. It is generally recommended to use hardware wallet devices that will never give your seed to any type of software – not even a trusted wallet application or software can be recommended in many cases.
As we continue to build our new global (mostly) DeFi economy, it is vital that security be improved so that general acceptance and capital can continue to pour into space so that the next generation can explore new frontiers of financial independence .
This article does not provide investment advice or recommendations. Every step of investing and trading involves risk, and readers should do their own research when making a decision.
The views, thoughts, and opinions expressed herein are those of the author alone and do not necessarily reflect the views and opinions of Cointelegraph.
Kadan Stadelmann is a blockchain developer, operational security expert and chief technology officer of the Komodo platform. His experience ranges from working in operational security in the government sector to setting up technology startups to application development and cryptography. Kadan began his journey into blockchain technology in 2011 and joined the Komodo team in 2016.