DApps: Security Issues, Hacks, and Preventive Measures 

Decentralization in every walk of life is the new code of the upcoming era. DApps are here to revolutionize how we operate apps, merging data privacy and ownership qualities. 

Let’s get into the depth of the blog.

What are DApps?

DApps are decentralized applications that use blockchain to process data through a distributed network and execute transactions. Unlike centralized apps, DApps are operated by peer-to-peer networks. 

Once the developer releases the codebase for the DApp, several apps can be built on top of it. There is no single authority, and hence no single point of failure as the P2P network runs them. 

DApps can take many forms, such as web applications, games and entertainment, and social media apps.

Significant Characteristics Of DApp

Here are a few pointers on the key attributes of DApps:

  • They are open source and user-controlled: changes and new additions are voted on before being implemented.
  • Decentralization is the core aspect; all details are held in a publicly distributed ledger.
  • DApps employ tokens native to the platform to reward users for participating or for mining them.

News on DApps’ usage

According to reports by DAppRadar, the number of users engaging with decentralized applications is growing by 396% year over year and now stands at 2.4 million.

Gaming DApps accounted for over 50% of that user activity in Q1 of 2022, and NFTs brought in a huge volume of about $12 billion.

DApp Coding Security Issues

Having known about the overall idea of DApp, let us now explore some of the common technical errors associated with them.

Signature check: A @Verifier function that ends with the catch-all “case _ => true” rejects transfer transactions but accepts every other transaction type without checking a signature.

{-# STDLIB_VERSION 3 #-}
{-# CONTENT_TYPE EXPRESSION #-}
{-# SCRIPT_TYPE ACCOUNT #-}

# Vulnerable verifier: transfers are rejected, but every other
# transaction type is accepted without any signature check.
match (tx) {
	case t:TransferTransaction => false
	case _ => true # NEVER DO THIS!
}

With this code, any user can submit any transaction other than a transfer on the account's behalf: putting the account's public key in the “senderPublicKey” field, without attaching a signature, is enough for the verifier to accept it. The corrected script verifies the signature for every remaining transaction type:

{-# STDLIB_VERSION 3 #-}
{-# CONTENT_TYPE EXPRESSION #-}
{-# SCRIPT_TYPE ACCOUNT #-}

# Corrected verifier: transfers are still rejected, and every other
# transaction must carry a valid signature from the account's own key.
match (tx) {
	case t:TransferTransaction => false
	case _ => sigVerify(tx.bodyBytes, tx.proofs[0], tx.senderPublicKey)
}

Therefore, it is crucial to ensure that the DApp code always contains a signature check, so that it is free of the vulnerability described above.

Writing keys: DApp operations rely on the account's key-value storage. A common mistake is to write a value under one key and then read it back from a different key. So, care should be taken to derive the key the same way on both paths.

{-# STDLIB_VERSION 3 #-}
{-# CONTENT_TYPE DAPP #-}
{-# SCRIPT_TYPE ACCOUNT #-}

let NONE = "NONE"

# One function builds the storage key for both the write and the read.
func keyVoteByAddress(votingId: Int, address: String) = "voting_" + votingId.toString() + "_vote_" + address

@Callable(i)
func vote(id: Int) = {
	let voteKey = keyVoteByAddress(id, i.caller.toBase58String())
	# A missing key yields the default NONE instead of throwing.
	let vote = getString(this, voteKey).valueOrElse(NONE)

	# Alternative option with the same effect:
	# let vote = match getString(this, voteKey) {
	#     case s: String => s
	#     case _ => NONE
	# }

	if (vote == NONE) then ...
	else ...
}

Another mistake is to read a stored value with value() or extract() instead of supplying a default; these fail when the key is absent, so they are not advisable here.

Controlled transactions: DApp operations often involve several interdependent transactions that must run in sequence. In such cases, it is safe to use a function such as “waitForTxWithNConfirmations” to wait until the first transaction has been added to a block and has received the required number of confirmations before sending the next one.

Generic Issues Concerned With DApps

Low liquidity level of DApps: Low liquidity levels on decentralized applications make it difficult to buy or sell tokens at the expected price, causing slippage. Slippage is the difference between the expected and executed prices, which may lead to a loss in funds.

Users can track the liquidity of the assets based on their trading volumes and make smart decisions before buying or selling a token. 

Security breach or failure: DApps function through smart contracts, and contracts with bugs in their code are ideal targets for hackers. Under extreme market conditions or due to code exploits, the devaluation or loss of funds in DApps becomes inevitable.

Auditing the code by third-party firms does greater good in overcoming this issue. 

Phishing DApps: If a DApp's code is compromised, phishing links can be circulated on its official sites. Clicking them unknowingly can drain all funds from the user's wallet.

Therefore, double-check URLs before adding the funds from your wallets or entering the wallet information. 

Status Of DApp Hacks And Scams In 2022

The downside of DApps is the fact that they are vulnerable to hacks. According to data published by DAppRadar, DApp scams alone accounted for a $1.2 billion loss.

Highlights of the major hack events include:

Ronin bridge hack: After gaining access to the validator nodes, the attacker forged transactions on Axie Infinity's Ronin bridge network, leading to a loss of $600 million.

Wormhole protocol: The attacker exploited a security flaw in the Wormhole protocol code, resulting in a $325 million loss.

Here’s How To Stay Secure And Preventive Methods To Adopt For DApp Security

Overcoming security flaws solves the major part of the problem for DApps. There are a few ways to sort it out.

  1. Take up auditing services: A thorough code analysis by an auditing firm like QuillAudits eliminates bugs at the ground level.
  2. Penetration testing: Penetration testing has the upper hand in finding hidden and node-level vulnerabilities, testing APIs and discovering new attack paths.

General Preventive Measures For DApp Security

  1. Maintain the secrecy of the private seed phrase that gives access to the funds in the wallet.
  2. Verify the authenticity and legitimacy of the DApp website.
  3. Be wary of links or texts with grammatical errors.