Brian Passfield Is the CTO of Fringe finance, A platform that seeks to unlock billions of dollars of dominant capital tied to cryptocurrencies by offering loans guaranteed by them. The platform aims to accept the widest variety of altcoins on the market as collateral.
With over 20 years of experience in the industry, Pathfield is an expert on the current security issues facing DeFi. He picked his brains on the most common attack vectors exploited this year, identifying specific vulnerabilities related to centralization, how to prevent them, and the steps to take to carry out a thorough audit.
As far as DeFi security is concerned, which are the major challenges you are facing today?
DeFi is a very new industry. Ethereum introduced the Turing-complete smart contract within eight years. For this reason, the security of smart contracts requires orders of magnitude more attention and effort than building a traditional financial system. In addition, transactions are irreversible and stolen funds can be hidden by mixers and tumblers. If hackers can identify and exploit rigorous oversight by a team of developers, billions of people can get it.
Developers, on the other hand, often succumb to external pressure to rush new features without proper auditing and extensive testing. This is an important issue for DeFi security today. We guarantee that this is a top priority for new and long-term DeFi projects.
What are the most common attack vectors exploited this year?
To name a few, after changing important variables, the function does not issue an event, it is the issuance of a missing event. You can generate different bytecodes for the same code without locking the compiler version. There is also improper input validation, which causes unintended behavior when the contract receives invalid input.
Although experienced in creating non-blockchain applications, some developers may not consider the nuances of smart contract development when creating dApps. One such nuance does not consider reentrant attacks. In those cases, Contract A calls Contract B before updating the state. When this happens, B can repeat the previous operation as if the situation (for example, A’s ETH balance) has not changed.
Another class of exploits involves relying on data that can be manipulated for internal logic. Miners and mining pools have a great deal of power in tinkering with block hashes, timestamps, and transaction order, which causes their unreliable randomness. Using the AMM liquidity pool as a price oracle is also very problematic. The AMM liquidity pool is easy to operate with a cheap flash loan that can destroy the entire protocol. For this reason, solutions such as distributed oracles and sources of randomness are important to the development of the industry.
Relying on third-party dependencies is also quite common. They are subject to change, which changes the behavior of the contract without notice. The most common vulnerability is centralization. This makes it possible to steal funds as easily as accessing some mismanaged private keys, with the exception of rug pull.
Can you tell me the details? For example, would you name a specific vulnerability related to centralization? How can these be fixed or prevented?
Centralization introduces a single point of failure and opens multiple attack vectors. The most obvious one is rug pull. Mismanaged keys can be used by hackers to steal funds. Keychains can lose or die of their keys and permanently lose access to their funds.
The issue of centralization is not always immediately apparent. Appropriate auditing is required to identify the widest possible range of vulnerabilities, and unfortunately most DeFi platforms do not have such a comprehensive audit.
Of course, the answer to centralization is decentralization. DAO is essential to that goal, but protocol design can completely eliminate the intervention of centralized entities.
What are the steps to perform a thorough audit?
The party that outsources the audit sets the scope of the process. In other words, what contracts and how much do audit companies scrutinize? Ideally, you should audit the entire protocol, not just some contracts, but there is always the potential to be strategic about this.
From this point on, audit firm experts will investigate the code base and use automated testing tools to identify malfunctioning components and identify various known exploits that defective code may enable. Apply and manually check for vulnerabilities line by line at a time. This process aims to generate reports for the team to address, prioritize the most important ones, and fix the vulnerabilities.
After resubmitting the code, the auditing firm rechecks and retests all previously identified issues and also looks for newly introduced vulnerabilities. Ideally, the project would have to go through this process before and after until the audit company couldn’t find the vulnerability.
Please note that this is how auditing should be Ideally Run. Each round of auditing is costly and it’s not uncommon to see people trying to cut corners to save costs. Therefore, in many cases, “audited” should be interpreted with nuance, not as a binary statement.
Decentralization has placed additional responsibility on users, so let’s talk a bit about client-side security. What can you do to protect your investment in DeFi?
First of all, your private key is your greatest treasure. Don’t share them with anyone. If possible, keep it in your hardware wallet. Of course, the same applies to recovery phrases. This is simply because it is a different form of private key. Please read the transaction carefully before signing off. It is possible that the scammer is allowing the token to be stolen.
From tokenomics to team reputation, you need to understand what you’re investing in. Pay attention to meme coins. Dozens are created each day, and the indisputable majority are rug pulls. Last but not least, use only platforms that have recently been audited by a reputable company.
And finally, what are the tips for choosing a reliable DeFi product?
Look for a DeFi platform with a solid reputation, a history of security, and an experienced team to show off your recent successful audits. Double audit is a gold standard.