June 7, 2022 Ali Ashar

DeFi Security – Introduction to Decentralized Finance

Understand the Vulnerability of DeFi Ecosystem


DeFi stands for Decentralized Finance. Decentralized finance eliminates intermediaries by allowing people, merchants, and businesses to conduct financial transactions through emerging technology.

Decentralized Finance operates without a central service exercising control over the entire system which is where it differentiates from traditional financial systems. DeFi applications aim to recreate traditional financial systems, such as banks and exchanges, with cryptocurrency. The recognition of DeFi has been growing profoundly in recent times, as a result of which it has been drawing in substantial volumes of capital.

DeFi Benefits

So now that we understand what DeFi is, what are the benefits of it? DeFi promises to bring a lot of benefits to customers and investors, including eliminating intermediaries and central oversight, making financial markets more accessible to retail investors and creating new investment opportunities. Some other benefits DeFi provides are:

  • Permissionless
  • Immutability
  • Transparency
  • Lending and Borrowing Applications
  • Tokenization

Common Vulnerabilities

Admin Key Compromise

With smart contracts, modifiers restrict who is allowed to invoke certain functions. Such functions are typically privileged functions used to modify the contract configuration or manage funds held in the smart contract. If an attacker compromises an admin key, they can have complete control over the smart contract and steal user funds.

How can a Key be compromised?

The first possibility is through a computer trojan. An attacker can use a trojan to steal private keys stored on a computer. An attacker can also conduct a phishing attack to trick the users into sending their private keys to the attacker. For DeFi projects, sometimes several project stakeholders will share one private key. This allows a malicious insider to use the key to call admin functions and transfer the project’s tokens to their own wallet address. Projects should store their private keys securely.

We recommend creating a Multisig (account) using hardware wallets. This prevents an attacker from being able to call any privileged functions should they gain access to one of the keys. For a token contract, avoid allowing the minting of new tokens, if possible. If that is not a possibility, try to use a DAO contract or timelock contract as the owner instead of an EOA account.

Coding Mistakes

Some vulnerabilities in DeFi are complex, but that is not always the case. Sometimes a small coding mistake in smart contracts can turn into a major disaster that causes assets worth millions to be compromised. A smart contract audit can alleviate this, but not every project gets one.

Some common coding mistakes include:

  • Function permission(modifier)
  • Typos
  • Incorrect number of digits
  • Missing/incorrect variable value assignment

These types of mistakes can be easily eliminated with proper peer reviews, unit testing, and smart contract audits.

Wrong Liquidity Pool Estimates

The most general issue leading to security risks in DeFi is the incorrect calculation of the value of tokens in the liquidity pool. DeFi users invest their tokens in a liquidity pool and receive a stake which helps them in obtaining value in the future. Generally, the liquidity pools evaluate the value of tokens in the pool according to the existing composition of the pool rather than depending on external oracles.

Attackers could capitalize on this discrepancy in one of the common DeFi attacks, such as flash loan attacks. Attackers could introduce radical imbalances in the pool for the duration of a specific transaction. The unbalanced pool could result in incorrect calculation of token value while enabling attackers to compromise value in the pool.

Flash Loans and Price Manipulation

Flash loans are a way to borrow large amounts of money from a protocol. To prevent this from happening, we recommend using Time-Weighted Average Price (TWAP). The TWAP represents the average price of a token over a specified time frame. If an attacker manipulates the price in one block, it will not affect the average price.

The other suggestion is to use a reliable on-chain price oracle, such as Chainlink.

Misuse of Third-Party Protocols and Business Logic Errors

These kinds of issues are harder to detect and you should proceed cautiously when using a project that communicates with any third-party protocol. Team Frontal does not recommend blindly copying and deploying code that a developer doesn’t understand.

We advise developers to fully understand third-party protocols and how a forked project works before integrating them and deploying them into production. We also recommend developers deploy their projects on a testnet first and do test runs to check for abnormalities in transaction records.

How can Frontal combat DeFi attacks

With the number of funds lost in 2021 and the number of scams being conducted daily, it is clear that DeFi still has to mature a lot in order to gain widespread adoption. There is no guaranteed method to avoid software risk in a DeFi investment, but there are ways to reduce it. Frontal services include smart contract audits, PenTesting, on-chain monitoring, vulnerability assessment, and more.

Smart contract audits are one of the best ways to combat the security risks inherent in Defi. Smart contract audits can help identify errors & risks, remediate vulnerabilities, and verify contracts.

In addition to smart contract audits and other services, Frontal also offers regulatory compliance for projects to provide users and community members with an extra sense of security. Frontal’s compliance service is designed to deanonymize project teams and create greater accountability through a rigorous vetting process & align them along the authorities.

, , , , , , , ,

Stay in touch

Join the community