Fast-food franchises are one of the best real-world examples of decentralization. Each restaurant in the chain is responsible for its operation.
In the similar way, is it possible to disrupt the traditional centralized financial instruments? YES, it is.
Decentralized Finance (or) DeFi is the term coined to denote Blockchain based finance that is independent of any central financial authority. But what do WE get from this??
Well, what if we remove the trusted third parties/intermediaries like banks & agents? It will slash off all the interest rates and significantly reduce the cost & complexity of the transactions across the globe. This peer-to-peer transaction would be enabled by a Distributed Ledger Technology (DLT) and would ease the cross-border payments remarkably.
Is DeFi VULNERABLE ?
The present digital ecosystem & advent of Ethereum & smart contracts gave a meteoric rise to the DeFi.
According to Forbes, DeFi has touched a market cap of $148 billion, & these protocols have held more than $90 billion in locked up assets this year in smart contracts. Up from $18 billion at the beginning of this year. This is the real traction & valuation carried by these platforms.
But then what about the clouds of uncertainty & security hovering over the DeFi buzz?
DeFi and smart contracts scams on the RISE
According to global blockchain analytics firm, CipherTrace fraudsters have globally shelved out $432 million between January-April this year. Comparing this period with the same last year, the graph of scam reports increased to 12%. The amount that churned out is estimated to be 1000% more as compared to last year. It is true that 55% of all major cryptocurrency scams were DeFi hacks. That implies, out of $432 million, $240 million are specifically attributed to DeFi.
Well, the root cause behind these exploits is any loophole left unnoticed during the development phase. Thus, the need for security of these DeFi solutions gave birth to “Smart Contract Security”. And thus, providing robust & comprehensive smart contract audits started pacing up. Though audits are a very crucial part to ensure the security, and privacy of your smart contract, it is also important to look for a trustworthy firm such as QuillAudits.
Although many vulnerabilities may exist in your smart contract, here are a few most common ones you can look for:
VULNERABILITIES to look for:
Blockchain and all the related technologies are still maturing which means proper standards and new bugs are being discovered every day. In such a volatile environment project owners have to be a step ahead and be faster than exploiters. Many exploits have surfaced through the DeFi lifecycle some of the most notorious are listed below :
- Flash Loans Exploitation :
Maybe the most notorious of the bunch. Flash Loans are a new type of loans only possible via the power of DeFi and blockchain.
Flash Loans require the payment of both the borrowed amount and interest within a single transaction. As this ensures that the lender receives his principal and interest without risk. Huge amounts of loan can be given without any collateral. Originally developed as a tool for developers, Flash loans have now become a thing of dread.
Many DeFi projects have come up saying they are flash loan resistant only to be exploited for millions by the same technique. Value DeFi tweeted about their flash loan resistant architecture just a day before they lost about $10 million in a flash loan exploit.
Exploiters take advantage of higher loans to destabilize a decentralized exchange pool and then attack the project that uses that pool for price. Causing prices to either skyrocket or become dirt cheap. Some victims of these attacks are : PancakeBunny, Value DeFi.
- Reentrancy Attacks:
Simply stated; a reentrancy attack is a malicious contract that makes a contract execute multiple times before it is done updating its state.
These are specially dangerous attacks as they have the potential to drain any smart contract of all the cryptocurrency that is stored in it. The execution of the contract will continue till the smart contract is empty of ether.
Image Source: https://quantstamp.com/blog/what-is-a-re-entrancy-attack
- Coding Mistakes / Bugs:
Smart Contracts are publicly visible through the blockchain and hence the code is under the scrutiny of malicious actors all the time. This means that every line of code must be studied over many times. As a simple typo, or a wrong identifier may result in an exploit. Such an example can be seen in Value DeFi who lost 10 million dollars just because they didn’t initialize a single variable.
Vulnerable Code :
The Fix :
- Oracle Exploitation:
Smart Contracts are on chain entities and have no information that is off chain. Yet most often things happening off chain influence the chain more than anything else.
To get this information, contracts use something that is known as oracles. Oracle sources important data off chain which helps the smart contract functioning. They provide price data and influence events like liquidation of loans and current interest rates.
For many smart contracts these are the only off chain information that they have. Hence oracles provide a single point of failure which may result in the entire smart contract malfunctioning.
Oracles are an important piece of the puzzle but it requires trusting other people’s code for projects that deal with millions of dollars. Oracles are most commonly manipulated in conjecture with flash loans using them to influence prices.
An example of an exploit that happened through oracle manipulation was Warp Finance where about $7 million dollars were stolen through the use of flash loans to influence the Uniswap oracle that was employed by Warp Finance giving the hacker an influenced amount of tokens.
Possible solutions to SMART CONTRACT SECURITY:
With the advent of more exploits Smart Contract Security has picked up pace. DeFi projects with their need to get secure have given birth to smart contract auditing, newer standards and coding practices. Many new techniques and methods have come up to deal with these attacks:
- Pausable Contracts:
Pausable Contracts are something that would completely stop any hacker in its tracks by stopping all the contract activity till the exploit is fixed. This is a fail-safe mechanism that is being implemented in many newer DeFi projects to ensure that in case of exploits the developers can do something to stop the hacker.
- Bug Bounties:
DeFi projects keeping in line with decentralized principles have taken to asking the community for help and are rewarding people with cryptocurrencies for finding exploits in their code. This has induced an influx of WhiteHat hackers into the community who find exploits for DeFi projects.
- Community Transparency:
DeFi differs from traditional finance and hence most DeFi projects make a conscious project to be more vocal with their communities and build trust.
Active social media presence and clear and concise communication has helped the community build trust in DeFi projects stuck with them through thick and thin. This is the true power of Decentralized Finance and how it differs from traditional finance where others have control over your money and you don’t have any say in it.
- Smart Contract Audits:
Smart Contract Audits have Solidified themselves as the go to for building trust between the community and upcoming projects. Audited contracts are better optimized and more trusted by the community. Many new companies have come up in the space guaranteeing to provide the best audits.
DeFi is a relatively new space with innovations, use cases and bugs being discovered daily. DeFi holds a lot of promise but it has an uphill road to climb in becoming trustworthy and come at par with traditional finance in terms of security, but with such a dedicated community and more mainstream attention it’s just a matter of time before we talk of decentralized finance in the same breath as traditional finance.
Reach out to QuillAudits
QuillAudits is accomplished in delivering efficient smart contract audits. If you need any assistance in the smart contracts audit, feel free to reach out to our experts here!
Follow QuillAudits for more updates