Security in DeFi: How Are Dapps and Projects Trying To Improve?
Trust and security are two of the most important things in DeFi, for both users and developers in the space. At the core of crypto and DeFi is blockchain technology which maintains an immutable digital ledger that stores all transaction data. Smart contracts are then built on top of this to process the data stored within it. Errors in data management here can have big impacts on the smart contracts of dapps, so how can this be minimised? Dapps and projects operating in DeFi are always trying to improve in their security.
What is DeFi security?
Like all software, Dapps and protocols have two main vulnerabilities:
- ‘bugs’ or coding errors that may cause the software to malfunction
- weaknesses in security that make protocols compromised and more liable to ‘hacks’
Smart contracts are the bridge between the blockchain and the front-end products and need to have rigorous security foundations in place. DeFi security broadly covers numerous measures and audits that are put in place and used to help combat the potential for errors, hacks and exploits that can compromise security.
Security is so important because there is a huge amount of money locked in DeFi. Many large transactions happen through DeFi protocols and there are millions of dollars on the line. There are many benefits to using DeFi rather than traditional financial systems. It is attractive because of the permissionless nature and the basis of self-custody financing. But with all of these upsides, there are also always several potential risks to be considered.
There are different types of errors and exploits that can happen through internal and external problems, such as coding mistakes, flash loan attacks and price oracle manipulation. We will look at some examples further below.
What can happen in a security breach? Example cases
There are cases where companies have been compromised due to hacks and errors, so limiting these risks are vital. Perhaps developers have been under pressure to release new features without extensive testing and proper audits, or users have been misinformed about a product, these will all increase the risk of an error.
- Flash loans are one example of an economic exploit or ‘arbitrage’ attack. Flash loans alone are non-malicious as they are a type of uncollateralized loan, however, they have been used to leverage loopholes in code and manipulate pricing to make profit. This, for example, happened to Harvest Finance in 2020 where an attacker targeted the protocol’s liquidity pools and performed an arbitrage attack using a flash loan. In an attack the large loans are used to manipulate one pool’s prices and then drain another pool's funds. In this case the attacker drained $24m from Harvest which quickly led to users retrieving their own funds causing further domino effects and price drops.
- The ‘rug pull’ is another method of attack where the price is internally increased before suddenly removing the majority of funds from a liquidity pool. This happened to Meerkat Finance in 2021 where a hack caused $31m to be drained from the project on Binance Smart Chain.
There are now companies and programs available that help developers and users protect their funds and run thorough checks on their products.
What can companies do to build trust around security?
Although security events have happened in the past and will continue into the future, DeFi projects can take a proactive approach to smart contract security and continue their best practices to evolve with the growth of crypto.
Trust is a very important thing in DeFi and the wider crypto community, and it is also vital for brand perception for both companies and users. Below are some points you can look out for in companies. These are also some of the things we identify as being important for Oasis.app.
- Check smart contracts before the release with audits made by specialised third party companies
- Check smart contract on an on-going basis with Bug Bounties Programs
- Informing users about the potential risks and security measures in place
- Having a user-centred approach and building a product the team want to use
- Offering intelligent info and guidance about using products
- Introducing the team so users know who you are
- Being reliable for user queries through customer care
What is important for the future of DeFi security?
Vigilance and awareness. In an open-source environment it is up to both developers and users to ensure the best possible experience in DeFi. For dapps and projects doing thorough back-end testing all the way through to execution of features and products, running smart contract audits and having bug bounty programs to find vulnerabilities all contribute to maximising the best practices to ensure the safest products are on the market.
For users, learning and understanding the software and products you are choosing to use is fundamental to using self-custody solutions. Reading news from a range of sources, checking out the team behind the projects you use, and being vigilant about your wallet and key management are all useful practices to reduce risks. And if you are ever unsure about something, reach out to a customer care team to get your questions answered.
About Oasis.app security
*At Oasis.app, we now have a Security Page on our website dedicated to sharing why our users trust us, and how we approach security.
We collaborate with best in class third companies, such as:
- Immunefi, with whom we started a bounty program giving rewards of up to $100k to identify any bugs to a community of code reviewers, ethical and white hat hackers.
- Chain Security, in charge of the independent audit of all of our major smart contracts
Read more about Oasis.app security here.
October 21, 2022