DeFi Platforms Are ‘Only as Safe as the Code They Have’: Analysis

Friday, 24/04/2020 | 08:10 GMT by Rachel McIntosh
  • DeFi platforms are supposed to be much more secure than their centralized counterparts, but the real story isn't so simple.

The discussion around DeFi platforms came to the center of the cryptocurrency world throughout 2019 and into 2020. A wave of new applications was built on top of the Ethereum network; other networks were also created specifically for the purpose of hosting DeFi applications.

For many, DeFi represented (and represents) a natural evolution of the promises of Bitcoin: decentralized financial platforms offering all kinds of financial services that had previously been limited to the traditional banking sector, such as giving and receiving loans, currency exchange, and payments--the list goes on.

The concept of DeFi was and is especially appealing to the cryptocurrency world because of the lack of KYC checks on DeFi platforms: the dream of DeFi represents the opportunity to provide financial services to the unbanked, and to allow anyone who wants to operate outside of the purview of financial regulators the freedom to do so.

However, as idealistic as dreams of a DeFi-enabled future may have been, there have been some pretty big bumps along the road.

The dForce exploitation is the latest example in an ongoing pattern of vulnerabilities

One of DeFi’s biggest selling points is the idea that DeFi platforms are extremely secure because they are not centralized and don’t rely on any single third party to operate; in reality, however, this hasn’t always been the case.

Indeed, several instances in recent history have revealed that while DeFi platforms may not be at risk of security breaches in the same ways that centralized platforms are, they certainly aren’t completely safe from harm.

The most recent case of a security breach on a DeFi platform took place earlier this week, when Lendf.me, a subsect of the dForce DeFi platform, was exploited to the tune of $25 million.

In this particular case--as in most (if not all) of the other DeFi hacks that have taken place over the last year--the funds could be removed from the platform because of a vulnerability in the platform’s software.

Specifically, “the main cause [was] an exploit in the ERC-777 standard and the dForce protocol,” explained Jose Llisterri, chief product officer and co-founder of cryptocurrency derivatives exchange Interdax.

Interdax co-founder and Chief Product Officer Jose Llisterri.

“Known as a re-entrancy attack, it allowed the hacker to supply and withdraw a balance repeatedly in an ERC-777 token called ‘imBTC’ using its callback mechanism before the balance was updated;” in other words, “the hacker manipulated the accounting books of the Lendf.Me contracts, which enabled them to register imBTC tokens without depositing them.”

Using this particular strategy, the hacker was able to make off with $25 million worth of various cryptocurrencies. In a bizarre turn of events, the hacker eventually returned the stolen funds, but the incident still caused quite a shake-up.

Llisterri explained that “Lendf.me contracts did not have any re-entrancy guards, which is what is usually used to protect contracts from these attacks.”
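
The ordering problem Llisterri describes can be seen in a simplified Python model. This is an illustration added here, not code from Lendf.me, dForce or anyone quoted in this article; the class names, the hook interface and the account names are assumptions made for the example. It compares a pool that makes a token call before updating its own ledger with the same pool behind a re-entrancy guard, and reports what the ledger records against what the pool actually holds.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while one is still running."""


class HookToken:
    """Toy token with an ERC-777-style sender hook (interface is an assumption)."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.hooks = {}  # holder -> callback run before that holder's tokens move

    def transfer_from(self, src, dst, amount):
        if src in self.hooks:
            self.hooks[src]()  # holder-controlled code runs mid-transfer
        if self.balances.get(src, 0) < amount:
            raise ValueError("insufficient tokens")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


class UnguardedPool:
    """Reads the ledger, makes the external call, then writes from the stale read."""

    def __init__(self, token):
        self.token = token
        self.ledger = {}

    def supply(self, user, amount):
        before = self.ledger.get(user, 0)               # 1. read
        self.token.transfer_from(user, "pool", amount)  # 2. external call
        self.ledger[user] = before + amount             # 3. write (stale value)

    def withdraw(self, user, amount):
        if self.ledger.get(user, 0) < amount:
            raise ValueError("insufficient ledger balance")
        self.ledger[user] -= amount
        self.token.transfer_from("pool", user, amount)


class GuardedPool(UnguardedPool):
    """Same logic behind a re-entrancy guard: a nested entry is rejected."""

    _entered = False

    def _guarded(self, fn, user, amount):
        if self._entered:
            raise ReentrancyError("nested call rejected")
        self._entered = True
        try:
            fn(user, amount)
        finally:
            self._entered = False

    def supply(self, user, amount):
        self._guarded(super().supply, user, amount)

    def withdraw(self, user, amount):
        self._guarded(super().withdraw, user, amount)


def run_scenario(pool_cls):
    """Constructed scenario: an ordinary depositor plus an account whose hook re-enters."""
    token = HookToken({"depositor": 100, "hooked": 100})
    pool = pool_cls(token)
    pool.supply("depositor", 100)
    pool.supply("hooked", 100)
    token.hooks["hooked"] = lambda: pool.withdraw("hooked", 100)
    try:
        pool.supply("hooked", 1)
        rejected = False
    except ReentrancyError:
        rejected = True
    recorded, held = sum(pool.ledger.values()), token.balances.get("pool", 0)
    return {"rejected": rejected, "recorded": recorded, "held": held}
```

Calling run_scenario(UnguardedPool) leaves the ledger recording 201 units against 101 actually held, while run_scenario(GuardedPool) rejects the nested call and both totals stay at 200. Comparing recorded balances with real holdings is also a useful invariant to monitor on a live contract.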

A lack of protection around re-entrancy attacks allowed the exploitation to happen

This isn’t the first time that an unguarded platform fell victim to a re-entrancy attack: “the execution of the Lendf.me hack was also similar to the DAO exploit in June 2016, where both were based on re-entrancy attacks,” Llisterri said.

Why weren’t these protections in place in dForce’s protocol? Llisterri explained that “dForce apparently took their code from a Uniswap smart contract which had a known vulnerability and is detailed in a ConsenSys audit in 2019.”

Anton Mozgovoy, chief technical officer of fintech firm Humaniq, explained to Finance Magnates that there are other issues with dForce’s protocol: specifically, “Lendf.me has been accused of copying the code from Compound,” another DeFi platform, “which can be an indicator to the quality of the development processes”--in other words, the developers who built the protocol may not have been doing their due diligence.

Anton Mozgovoy, chief technical officer of fintech firm Humaniq.

“DeFi platforms are only as safe as the code they have.”

However, stolen code or not, re-entrancy attacks and other kinds of exploitations of DeFi platforms are becoming an increasingly regular occurrence: “we’ve seen how vulnerabilities on the protocol level can impact the security risks on decentralised platforms, with examples such as the bZx exploit in January 2020, as well as Bisq and Lendf.me more recently,” Jose Llisterri explained.

This highlights a greater issue regarding DeFi platforms more generally: “there is no quality assurance process, like non-Blockchain software applications,” Anton Mozgovoy explained. “Your code has to be 100% correct before you deploy it, otherwise it becomes vulnerable.”

In other words, “DeFi platforms are only as safe as the code they have.”

Therefore, according to Kadan Stadelmann, chief technical officer at Komodo, it is critical that DeFi platforms take as many steps as possible toward assuring that their platforms do not have any exploitable vulnerabilities. “DeFi platforms should not offer any sort of central attack surface,” he said.

Kadan Stadelmann, chief technical officer at Komodo.

“By not offering any point of central attack, hackers can only target specific nodes and network participants,” Stadelmann explained. In other words, “their attack would be against a single individual instead of directly against the entire DeFi platform.”

“For example, in a truly decentralized network, if one user has a security vulnerability on his smartphone, and a hacker manages to attack that one smartphone, the other smartphones in the network would not be compromised.”

DeFi is “a huge tech bet that needs polishing.”

However, this may be easier said than done--after all, DeFi is still in its early stages; the entire cryptocurrency industry is still in its early stages.

Therefore, while many open-source and decentralization fanatics may sing the praises of DeFi platforms, it may well be that the ecosystem needs time to catch up to its centralized counterparts in terms of security and usability: indeed, “some ecosystems as a whole (such as DeFi) are a huge tech bet that needs polishing, while centralized platforms are generally built with battle-tested solutions,” Jose Llisterri said to Finance Magnates.

Indeed, “centralized platforms vary in their security measures but are mainly based on proven systems utilized by large financial companies,” Llisterri said.

“Most of the hacks of centralized exchanges have been because of lax security around hot wallets (shielded multi-signature tackles this problem) or internal issues such as embezzlement.”

DeFi platforms aren’t completely ‘trustless’

Of course, “there’s an element of trust involved with a centralized platform, since they take custody of your assets and which is why cryptocurrency users should always do their research on the platforms they are using,” Llisterri continued.

However, “there’s also an element of trust with decentralized platforms (unless you are competent in reading the code of smart contracts).”

“While users do not have to trust the platform regarding the custody of their assets, there is an element of trust in that there are no vulnerabilities which could open the platform up to an attack,” he said. “You have to be sure their codebase doesn’t have any vulnerabilities or whether the third-party libraries that are used open up any attack vectors.”

“Given that centralized exchanges and centralized platforms have been around for a longer time, there’s been more scope for improving security whereas DeFi is still in its early stages, and will go through the same process. These exploits provide opportunities to learn from mistakes and make DeFi more secure to prevent more attacks in the future.”

How can users know if a DeFi platform is safe?

How can users be safe in the meantime, though?

It all comes down to understanding: “how users interact with DeFi platforms and centralized platforms is very different,” Llisterri said.

“Users interact with Decentralised Applications (or DApps) to access DeFi services, which are connected to their crypto wallets. When a user connects their wallet to a DApp, the user is asked to approve access to their tokens, allowing the DApp to interact with the wallet.”

“The security issue here is that most DApps users grant access to all of their holdings in that token. So if a DApp is vulnerable or malicious to begin with, attackers can abuse these privileges to steal all the user's holdings without their consent,” he explained.

Therefore, users could take precautions such as holding separate wallets that interact with separate platforms: ideally, then, a compromised DeFi platform wouldn’t have access to all of a user’s funds.

Similar precautions can be taken when interacting with centralized platforms, although centralized platforms don’t generally have access to users’ funds in the same way: “on centralized platforms, the provider controls your assets for you and takes actions on your behalf, i.e. you tell the exchange to buy or sell bitcoin,” Llisterri said. “In this case, the security of the platform and the credibility of the team are the major risks.”

The simple fact of the matter is, though, that “some DeFi platforms are built on top of poorly audited, insufficiently tested codebases or make blind use of third-party libraries that introduce attack vectors.”

“As more value is stored in DeFi protocols, there will be a greater incentive for hackers to find these attack vectors and exploit poorly audited codebases.”

DeFi platforms are uninsured

This is a serious problem--the average user of a DeFi platform probably doesn’t have a reliable method of checking the security of the DeFi platforms and dApps that they’re interacting with.

This is especially important to consider because of the fact that “DeFi platforms are non-custodial and unregulated,” Anton Mozgovoy explained.

“This means that if a regulated bank faces a loss of funds due to the attack, owners will be reimbursed by the government and insurance companies.” Additionally, “DeFi platforms at most times do not have insurance pools, and can expose a bigger risk to the stakeholders.”

So, how can users be sure that the DeFi platform they’re interacting with is safe? For one thing, reliable third-party audits of the platform’s software are a must: after all, DeFi projects “are public and therefore their code is auditable,” said Itay Malinger, chief executive of Curv, to Finance Magnates.

Itay Malinger, chief executive of custody firm Curv.

Indeed, Kadan Stadelmann added that “conducting research on whether the DeFi platform you are using is truly decentralized is key.”

Users can also take individual precautions to make their own end of things more secure: “it’s also important to ensure that whichever device you are using (smartphone, computer) is connected to a secure network in order to prevent the possibility of any sort of hack,” Stadelmann said.

While the DeFi ecosystem is still developing, centralization may be a safer bet

However, if you’re unsure about the safety of a DeFi platform, it may be a better bet to make use of a trusted centralized platform instead.

“Decentralized platforms have advantages and disadvantages, but in some cases, centralized platforms like exchanges are better as they provide what users really want: a simple-to-use platform that is scalable and has significant volume and liquidity,” Jose Llisterri explained.

On the other hand, though, DeFi can provide a level of self-sovereignty and accessibility that is impossible on its centralized counterparts.

“Decentralized platforms, while mostly providing a clunky user experience and being relatively illiquid, put power into the hands of individuals,” Llisterri said. “By providing an alternative to traditional finance, decentralized platforms are helping people to resist financial censorship and reclaim their monetary sovereignty.”

What are your thoughts on the security of DeFi platforms? Let us know in the comments below.

About the Author: Rachel McIntosh
Rachel is a self-taught crypto geek and a passionate writer. She believes in the power that the written word has to educate, connect and empower individuals to make positive and powerful financial choices. She is the Podcast Host and a Cryptocurrency Editor at Finance Magnates.
