The radical need for updating blockchain security protocols

Published at: June 25, 2021

Decentralized finance (DeFi) is here to stay with over $100 billion in total value locked (TVL), highlighting the evidence of faith in these new financial tools. This investment will continue to increase, but it appears that with each new record in TVL, there is another network attack being reported with astronomical losses.

Crypto crime dropped 57% in 2020, but DeFi hacks surged, costing companies and investors billions of U.S. dollars. In March alone, there were several attacks within just a five-day period, with Paid Network losing $180 million. Later in May, PancakeBunny lost more than $200 million in a flash loan exploit.

It is clear that there are far too many loopholes and hacks in current blockchain security protocols. From rug pulls to phishing scams, the security and technology of this space are not as mature as the numbers make them out to be. But there are critical practices that both developers and users can implement to close this gap.

Decentralized technology is still centralized

No matter how decentralized a protocol claims to be, the underlying structure is still centralized. Looking at one of our core features of the internet, DNS records, every domain name is still centralized — owned by either a government, state or company that has the ultimate authority over the domain, and could shut it off if they choose.

An example of centralization within decentralization is smart contracts. Those who write Ethereum or Binance smart contracts have the final say in what's in the code, and there are ways to code nefarious programs, like rug pulls, into smart contracts.

During the yield farming boom of summer 2020, we saw many protocols pop up to profit off of the money pouring into DeFi, and this continued into this year. In March, TurtleDex executed a rug pull, which was effectively a backdoor in the smart contract that resulted in $2.5 million stolen from investors. This intentional feature allows developers to program scams that are then executed depending on other events in the code, and TurtleDex is one of many projects this year that programmed a rug pull.

Related: Yield farming is a fad, but DeFi promises to change the way we interact with money

Smart contract audits are a good way to prevent rug pulls, but even then we see cases where the developers will switch the audited smart contract for an unaudited one. The case of Compounder demonstrates how easy it is for a scam project to gain clout off of known, reputable names in the space. They were able to quickly capitalize on Harvest Finance and Yearn.finance before pulling the rug on their users and walking away with millions of dollars in crypto.

Related: Default auditing for DeFi projects is a must for growing the industry

Recent trends in hacks

Apart from rug pulls, there are many popular attacks that can cause an entire company to crumble if they are not prepared. A 51% attack — which is when a group of miners controls more than 50% of the network’s mining hash rate, allowing them to exclude or manipulate transaction records to execute double-spends or disrupt a blockchain — is still frequent. Firo and Grin both recently suffered from 51% attacks.

Even some cryptocurrency projects with leading market cap sizes are still not secure. In February, it was reported that 200 days of XVG transactions on the Verge network were erased, effectively being the “deepest reorg that has ever taken place in a top 100 crypto.”

We accept these errors as a part of the blockchain experience, but what would be the reaction if the same thing happened to a major bank, for example? There would likely be a lot more media headlines and uproar from users and clients. These events go largely unnoticed in crypto because there are fewer users, but with the recent bull market, this is changing. Inevitably, more scrutiny will be placed on the security of public blockchains.

Practices to prevent hacks like rug pulls

Unfortunately for developers, hacks are always a possibility while working in crypto. The question is not how to prevent hacks, but how to prevent your chances of getting hacked. Some advancements in hardware wallets — like Gnosis Safe’s multisignature wallet, for example — are key elements to improving overall security.

Using a multisig wallet allows multiple users to hold keys for the same wallet and requires mutual participation to execute actions on the account. Because a wallet like this requires input from multiple users in order to make trades, it is almost impossible to execute rug pulls with this type of vault.

Another security practice to prevent rug pulls is timelocks. Many decentralized apps use timelocks so that if a developer tries to rug pull its users, you have a warning of about 12 to 24 hours to remove the funds.

These types of security practices will encourage wider trust in DeFi, and create a culture around security that will advance our industry.

Improving wallet security in crypto

Wallet security ultimately comes down to developers and users implementing smarter practices. Regular security audits and internal security practices can all contribute to safer wallets.

While security audits are a good solution, Uniswap and other automated market maker-based decentralized exchanges (DEXs) are permissionless, therefore it is impossible to perform regular audits. The best practice is to understand the specifics around “fair launch” coins — projects that are launched from a DEX. Although many of these projects are high quality, many have been known to have major exploits. Open-source code makes it easier for anyone to audit by themselves and verify whether the smart contract is safe, giving the users more tools to practice good security.

It may seem like a big feat to ask a user to practice good security, but it is required in order to access the many benefits of cryptocurrencies and, especially, DeFi. With traditional banks, the bank is responsible for security, but in crypto, security comes down to the practices of the developers and users.

If you forget your bank password or send funds to the wrong person, you can contact your bank to mitigate the transaction until it is resolved. But in crypto, if you lose your keys or send money to the wrong address, there is no backup option. One of many upsides, of course, is that you don't have to worry about whether your funds are available in crypto, while banks can close their doors and impose capital controls, like what happened in the 2015 Greece banking crisis.

Conclusion

As developers, we need to implement cross-validation and security audits, along with holding each other accountable for developing increasingly improved security practices.

Users should consider carrying out their own security protocols and understand the nuances in storage and potential hacking scenarios. A good practice for passive crypto holders is to have a hardware wallet disconnected from the internet or a paper wallet that is 100% offline and doesn’t require syncing online for any firmware updates.

Phishing attacks, one of the original types of internet hacks, are still common and frequent. The way to combat phishing attempts is to verify if the sender is genuine.

Do not enter your private keys or seed phrases on any website or send them to anyone in public channels or DMs. Generally, you should only enter your seed phrase when you initially set up your wallet. Moreover, you should only enter your seed phrase if you need to recover your wallet after forgetting your password, need to import an existing wallet to a new device or use the compatible wallet software. It is generally recommended to use hardware wallet devices that will never leak your seed to any kind of software — not even a trusted wallet application or software could be recommended in many cases.

As we continue to build our new global (mostly) DeFi economy, it is crucial that security is improved so that mainstream adoption and capital can continue to flow into the space, so that the next generation can access new frontiers of financial independence.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Kadan Stadelmann is a blockchain developer, operations security expert and Komodo Platform’s chief technology officer. His experience ranges from working in operations security in the government sector and launching technology startups to application development and cryptography. Kadan started his journey into blockchain technology in 2011 and joined the Komodo team in 2016.
Tags
Related Posts
The perfect storm: DeFi hacks will advance the crypto sector moving forward
The rise of decentralized finance, or DeFi, could be paving the way toward a fully decentralized financial ecosystem. Yet, given the innovative nature of DeFi, the sector remains in constant development and is therefore prone to a number of vulnerabilities. Unsurprisingly, one of the biggest challenges currently facing the DeFi sector is security threats. This has become apparent as more DeFi hacks continue to wreak havoc across the crypto community. Most recently, the largest DeFi hack within the crypto industry took place. The Poly Network hack resulted in over $600 million dollars removed, and then returned, from Binance Chain, Ethereum …
Decentralization / Aug. 17, 2021
Poly Network hacker appears ready to return stolen funds
Following a massive $600-million exploit of cross-chain protocol Poly Network, the Poly Network hacker has claimed his willingness to return the stolen cryptocurrency funds. At about 4:00 am UTC on Wednesday, the hacker sent an Ethereum transaction to themselves, stating that they were “ready to return the fund” in an embedded transaction message. In a subsequent message, the hacker asked for a multisig wallet address to return the funds to Poly Network. “Failed to contact the poly. I need a secured multisig wallet from you,” the hacker noted. Poly Network’s Twitter account posted an update on Wednesday, providing three separate …
Decentralization / Aug. 11, 2021
‘DeFi done right’: Layer-one protocol launches mainnet
A decentralized finance protocol has launched its mainnet — describing it as a crucial step on the journey to a frictionless financial future. Radix, which describes itself as a platform for smart money, is also launching Instapass with its Olympia mainnet — an optional user and developer service that delivers the world’s first single sign-on solution for building compliant DeFi. The Radix mainnet is being positioned as a generational improvement in the history of decentralized ledger computing — and one that delivers 100 times more executional efficiency than the Ethereum Virtual Machine. This comes hot on the heels of the …
Decentralization / July 29, 2021
The importance of decentralized oracles: Interview with Sergey Nazarov
Chainlink co-founder Sergey Nazarov believes that increasing the decentralization and scalability of oracle technologies are key to ensure trust in the DeFi ecosystem. Oracles play a key role in the correct functioning of DeFI protocols by connecting them to real-world data. However, the trustworthiness of oracles becomes compromised in instances where they rely on a single data source to retrieve information. For instance, according to Nazarov, excessively centralized oracles enabled five recent flash loan attacks, which resulted in DeFi protocols losing around $40 million. Flash loans, a form of loan that does not require any collateral, can be used to …
Decentralization / Dec. 19, 2020
Jump Crypto replenishes funds from $320M Wormhole hack in largest-ever DeFi 'bailout'
On Thursday, Jump Crypto, a crypto venture capital firm that owns Certus One, the developer of the Wormhole token bridge, announced it had deposited 120 thousand Ether (ETH) into a Solana-Ethereum bridge that suffered a devastating exploit. The day prior, hackers fraudulently minted 120 thousand wrapped Ether (wETH) worth $321 million on the Solana (SOL) platform, then redeemed 93,750 wETH for ETH on the Ethereum network while swapping the rest for other altcoins on the Solana network. The cross-chain ETH-wETH is supposed to have an exchange ratio of 1:1 against one another. Therefore, unauthorized minting of wETH leads to significant …
Technology / Feb. 3, 2022