Decentralized finance (DeFi) is here to stay, with over $100 billion in total value locked (TVL) as evidence of the faith placed in these new financial tools. This investment will continue to rise, but it appears that with each new record in TVL, another network attack is reported with astronomical losses.
Crypto crime dropped 57% in 2020, but DeFi hacks surged, costing companies and investors billions of U.S. dollars. In March alone, there were several attacks within just a five-day period, with Paid Network losing $180 million. Later in May, PancakeBunny lost more than $200 million in a flash loan exploit.
It is clear that there are far too many loopholes and hacks in current blockchain security protocols. From rug pulls to phishing scams, the security and technology of this space are not as mature as the numbers make them out to be. But there are critical practices that both developers and users can implement to close this gap.
Decentralized technology is still centralized
No matter how decentralized a protocol claims to be, the underlying structure is still centralized. Looking at one of the core features of the internet, DNS records, every domain name is still centralized — owned by a government, state or company that has the ultimate authority over the domain and could shut it off if it chooses.
An example of centralization within decentralization is smart contracts. Those who write Ethereum or Binance smart contracts have the final say in what’s in the code, and there are ways to code nefarious programs, like rug pulls, into smart contracts.
During the yield farming boom of summer 2020, we saw many protocols pop up to profit off of the money pouring into DeFi, and this continued into this year. In March, TurtleDex executed a rug pull, which was effectively a backdoor in the smart contract that resulted in $2.5 million stolen from investors. This intentional feature allows developers to program scams that are then executed depending on other events in the code, and TurtleDex is one of many projects this year that programmed a rug pull.
Smart contract audits are a good way to prevent rug pulls, but even then we see cases where the developers will switch the audited smart contract for an unaudited one. The case of Compounder demonstrates how easy it is for a scam project to gain clout off of known, reputable names in the space. They were able to quickly capitalize on Harvest Finance and Yearn.finance before pulling the rug on their users and walking away with millions of dollars in crypto.
Recent trends in hacks
Apart from rug pulls, there are many popular attacks that can cause an entire company to crumble if they are not prepared. A 51% attack — which is when a group of miners controls more than 50% of the network’s mining hash rate, allowing them to exclude or manipulate transaction records to execute double-spends or disrupt a blockchain — is still frequent. Firo and Grin both recently suffered from 51% attacks.
Even some cryptocurrency projects with leading market cap sizes are still not secure. In February, it was reported that 200 days of XVG transactions on the Verge network were erased, effectively being the “deepest reorg that has ever taken place in a top 100 crypto.”
We accept these errors as a part of the blockchain experience, but what would be the reaction if the same thing happened to a major bank, for example? There would likely be a lot more media headlines and uproar from users and clients. These events go largely unnoticed in crypto because there are fewer users, but with the recent bull market, this is changing. Inevitably, more scrutiny will be placed on the security of public blockchains.
Practices to prevent hacks like rug pulls
Unfortunately for developers, hacks are always a possibility while working in crypto. The question is not how to prevent hacks, but how to reduce your chances of getting hacked. Some advancements in hardware wallets — like Gnosis Safe’s multisignature wallet, for example — are key elements to improving overall security.
Using a multisig wallet allows multiple users to hold keys for the same wallet and requires mutual participation to execute actions on the account. Because a wallet like this requires input from multiple users in order to make trades, it is almost impossible to execute rug pulls with this type of vault.
Another security practice to prevent rug pulls is timelocks. Many decentralized apps use timelocks so that if a developer tries to rug pull their users, those users have a warning of about 12 to 24 hours to remove their funds.
These types of security practices will encourage wider trust in DeFi, and create a culture around security that will advance our industry.
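The two controls described above, multisig approval and a timelock, modelled together as an added example; it is not code from Gnosis Safe or any project named in this article. The class and method names, the 2-of-3 threshold used in testing and the delay value are assumptions for illustration.

```python
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class Proposal:
    action: str
    eta: int                      # earliest execution time (unix seconds)
    approvals: set = field(default_factory=set)
    executed: bool = False


class TimelockedMultisig:
    """Toy vault: needs `threshold` distinct owner approvals AND an elapsed delay."""

    def __init__(self, owners, threshold, delay):
        if not 0 < threshold <= len(set(owners)):
            raise ValueError("threshold must be between 1 and the number of owners")
        self.owners, self.threshold, self.delay = set(owners), threshold, delay
        self.proposals = []

    def propose(self, owner, action, now):
        self._require_owner(owner)
        self.proposals.append(Proposal(action, eta=now + self.delay, approvals={owner}))
        return len(self.proposals) - 1      # proposal id

    def approve(self, owner, pid):
        self._require_owner(owner)
        self.proposals[pid].approvals.add(owner)   # a set: repeat approvals do not count twice

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.executed:
            raise PermissionError("already executed")
        if len(p.approvals) < self.threshold:
            raise PermissionError("not enough approvals")
        if now < p.eta:
            raise PermissionError("timelock has not expired")
        p.executed = True
        return p.action

    def pending(self, now):
        """What a depositor's monitor would poll: queued actions and seconds of warning left."""
        return [(p.action, max(0, p.eta - now)) for p in self.proposals if not p.executed]

    def _require_owner(self, owner):
        if owner not in self.owners:
            raise PermissionError(f"{owner} is not an owner")
```

The `pending` view is what gives the timelock its value: a queued withdrawal is visible for the whole delay, so depositors can react before it can execute.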
Improving wallet security in crypto
Wallet security ultimately comes down to developers and users implementing smarter practices. Regular security audits and internal security practices can all contribute to safer wallets.
While security audits are a good solution, Uniswap and other automated market maker-based decentralized exchanges (DEXs) are permissionless, so it is impossible to perform regular audits. The best practice is to understand the specifics around “fair launch” coins — projects that are launched from a DEX. Although many of these projects are high quality, many have been known to have major exploits. Open-source code makes it easier for anyone to audit a smart contract themselves and verify whether it is safe, giving users more tools to practice good security.
It may seem like a big feat to ask a user to practice good security, but it is required in order to access the many benefits of cryptocurrencies and, especially, DeFi. With traditional banks, the bank is responsible for security, but in crypto, security comes down to the practices of the developers and users.
If you forget your bank password or send funds to the wrong person, you can contact your bank to mitigate the transaction until it is resolved. But in crypto, if you lose your keys or send money to the wrong address, there is no backup option. One of many upsides, of course, is that you don’t have to worry about whether your funds are available in crypto, while banks can close their doors and impose capital controls, like what happened in the 2015 Greece banking crisis.
As developers, we need to implement cross-validation and security audits, along with holding each other accountable for developing increasingly improved security practices.
Users should consider carrying out their own security protocols and understand the nuances in storage and potential hacking scenarios. A good practice for passive crypto holders is to have a hardware wallet disconnected from the internet or a paper wallet that is 100% offline and doesn’t require syncing online for any firmware updates.
Phishing attacks, one of the original types of internet hacks, are still common and frequent. The way to combat phishing attempts is to verify if the sender is genuine.
Do not enter your private keys or seed phrases on any website or send them to anyone in public channels or DMs. Generally, you should only enter your seed phrase when you initially set up your wallet. Beyond that, you should only enter your seed phrase if you need to recover your wallet after forgetting your password, need to import an existing wallet to a new device or use the compatible wallet software. It is generally recommended to use hardware wallet devices that will never leak your seed to any kind of software; in many cases, not even a trusted wallet application or software can be recommended.
As we continue to build our new global (mostly) DeFi economy, it is essential that security is improved so that mainstream adoption and capital can continue to flow into the space and the next generation can access new frontiers of financial independence.