DeFi Security Audit: How to Prevent Your DeFi Project From Hacking?

Even though DeFi is one of the most fast-paced industries these days, it also remains one of those with the most hacker attacks. In Q1 2022 alone, the industry lost $1.6B due to malicious activity. And this number is going to double if protocol owners don’t start taking security audits for DeFi projects seriously.

At the moment, a proper security audit is one of the few things that can prevent a DeFi project from hacking and a huge money loss. 
As a team of experienced blockchain developers who have deployed over 400 smart contracts, Blaize knows the real value of a thorough security audit. Moreover, our team has conducted DeFi safety audits for many world-known companies, including 1inch, PEAKDEFI,and Aurora. In this article, we want to tell you how to prevent DeFi hacks, secure your DeFi protocol, check DeFi smart contracts for vulnerabilities, and help you to perform DeFi audits.

FAILURES AND RISKS ASSOCIATED WITH DEFI

There are plenty of ways your smart contract can be jeopardized and hacked. Have you missed a tiny bug in the code before deploying a smart contract? Is there a problem with the business logic? An experienced team auditing DeFi security of your project can find all the potential vulnerabilities. Here’s a brief list of the most common ones:

Code vulnerabilities

Even the tiniest error can cause serious data or funds loss if the team has neglected security audits.

Lack of smart contract logic

In case smart contracts were created without a profound knowledge of business processes and traditional financial instruments, there might be significant loopholes in their logic.

Inefficient access control

If smart contract access control is implemented inefficiently or not at all, malefactors can easily exploit the contract.

Inaccurate liquidity pool estimates

Inaccurate calculations of the token value in the liquidity pool can lead to flash loan attacks.

Compromised private keys

There might be several reasons for compromised private keys, but most often, these are poor key generation practices and a simple loss or theft of the seed phrase.

Ponzi schemes and rug pulls

Dishonest protocol owners and project teams can also pose a threat and undermine the overall credibility of the DeFi industry.

Incorrect integrations

Projects might lose funds because of faulty calculations or get their assets blocked due to incorrect integration with other DeFi products.

If you’d like to learn more, make sure to look through our detailed article on How to Boost Smart Contract Security and Mitigate Risks in DeFi.

RECENT DEFI HACKS

The TVL locked in DeFi grows exponentially and has recently exceeded $32B. Such a fast-developing market clearly gathers a lot of attention and attracts hackers who want to make a fortune. 

The higher the stakes, the more players want to take part in the game. So it’s no surprise that some of the biggest DeFi hacks have happened in 2022. 

Let’s take a look at a few honorable mentions and see how DeFi contract audits could have helped prevent them.

RONIN NETWORK ATTACK

The Ronin Network attack is one of the recent exploits and the biggest hack in the DeFi history so far. It happened on March 29, 2022, and led to the loss of $624M.

With the rising popularity of Axie Infinity, Ronin was launched as an Ethereum side-chain in February 2021 to provide the fast, cheap transaction throughput necessary for a P2E game to function.

In order to maximize TPS, decentralization and trustlessness were neglected in favor of a Proof of Authority model in which just nine validators put their reputation at stake rather than processing any power or funds.

Of these nine validators, a consensus of five is necessary to approve deposits and withdrawal transactions. Four of the validators are operated by Sky Mavis, meaning that in the event of a security breach, just one more signature was needed to control the network.

The attacker was able to gain access to the additional validator due to an arrangement made between Sky Mavis and the Axie DAO in November 2021. A gas-free RPC node was established to ease costs for users during a period of heavy network traffic in which the AXS price peaked. This required Axie DAO to approve Sky Mavis validators to sign transactions on their behalf.

As the attacker compromised Sky Mavis validators, they used the additional (Axie DAO) signature to approve transactions. However, a proper smart contract audit would help the protocol detect such a massive vulnerability in the contract logic, which only proves the importance of an audit before product deployment.

WORMHOLE ATTACK

The Wormhole hack happened on February 2, 2022, and cost the team $326M. The bridge was manipulated into crediting 120k ETH as having been deposited on Ethereum, allowing for the hacker to mint the equivalent in wrapped whETH (Wormhole ETH) on Solana.

The attacker called the ‘verify_signatures’ function of the contract and delegated the actual verification of the ‘SignatureSet’ to a separate Secp256k1 program. Due to a discrepancy between ‘solana_program::sysvar::instructions’ (a precompile of sorts) and the ‘solana_program’ Wormhole was using, the contract didn’t correctly verify the address being provided, and the attacker was able to provide an address containing just 0.1 ETH. Then, they were able to fake the ‘SignatureSet’, call ‘complete_wrapped’ and fraudulently mint 120K whETH on Solana using VAA verification that had been created in a previous transaction.

Such loopholes in the smart contract code would have been detected by an experienced auditing team during the manual testing stage. Eventually, this exploit could have been prevented.

NOMAD BRIDGE ATTACK 

The Nomad Bridge accident is a very recent case that happened on August 2, 2022, and resulted in the loss of $190M. This is another cross-chain bridge that has been exploited over the last few months, and it has become another example of why bridges require extra precision when it comes to security and smart contract audits.

This permissionless hack happened due to a simple bug in the smart contract code, which was exploited by multiple users and took only 2,5 hours to drain the protocol.

DEFI ATTACKS CLASSIFICATION 

Due to the impressive amount of “a big win” attacks, we can even classify those. And even though there are no two similar DeFi hacks, we can still notice a certain pattern. Thus, we’d like to dwell in detail on the most commonly exploited vulnerabilities.

Read also: How to Prevent Liquidity Vampire Attacks in Defi.

CODE VULNERABILITY

The first type of DeFi protocol hack is performed simply due to coding mistakes. Those arise out of carelessly performed quality assurance or even unchecked smart contract vulnerabilities that could be easily detected during a DeFi safety audit.

Want to know how to boost your protocol security? Find out more about smart contract audits in this article.

Unfortunately, a lot of DeFi project owners decide to run the protocol with insufficient coverage of unit tests and neglect smart contract security audits. This considerably increases the possibility of an attack and money loss. 

I am and I always will point out the importance of smart contract auditing services. Do not try to reduce the development time trying to reduce time for DeFi audit or full test coverage. Remember, if you don’t check your project, the hacker surely will!

Sergey Onyshchenko, CEO of Blaize

SMART CONTRACT LOGIC 

The next type of DeFi project hacking does not deal with the standard code vulnerabilities but the whole smart contract logic. We can often see the opinion that the proper contract trial in a testnet may surely reduce the possibility of such an attack, yet not for someone who does not see it. 

Broadly, there might be an opportunity for hacking that auditors or protocol developers do not see due to a lack of experience and knowledge of business processes. The understanding of traditional financial instruments and their application is a must while dealing with such a sector as DeFi.

Security audits for DeFi projects are essential if you want to check the smart contract logic of your protocol and make sure that it is built properly.

FIND MORE INSIGHTS IN OUR ARTICLE: TOP THINGS TO KNOW TO DEVELOP A SUCCESSFUL DEFI PROJECT

PRIVATE KEY LOSS 

Private key ownership is a critical aspect of any DeFi project. It is important to clarify right away that the private key of any dApp must be created by the project owner and not by the developers’ team, online generators, or any other third party.

At Blaize, we have a common established practice for ensuring the proper ownership of the private key. As our team delivers the completed project, we also prepare documentation describing the entire deployment and setting up process. This way, the customer becomes the only owner of the private key.

Since private key loss is a very common reason for DeFi hacks, it is essential to keep it safe and never grant access to any third party. The thing is that any owner of the private key can use the kill function or withdraw all funds from the dependent contracts in a second. 

This DeFi attack is similar to traditional social engineering when human behavior and way of thinking get exploited rather than tech vulnerabilities. We have encountered multiple protocol owners creating the position of the protocol administrator and giving them private keys. Unless such authorities have “limited” access to the key and, therefore, smart contract functions, our team does not recommend introducing such a practice into your protocol governance.

As a project owner, you should be very careful when planning administrative roles in your project. Build the system in such a way that even if one of the admins’ accesses is compromised, the whole system remains safe and intact. Under no circumstances should you give all the power to a single operator.

When it comes to storing admin keys and automating operators’ actions, Blaize developers recommend using the OpenZeppelin Defender tool kit.

Source: OpenZeppelin Defender Blaize example

DOUBLE TROUBLE HACKING OPPORTUNITY 

Sometimes, hackers can exploit a couple of vulnerabilities at once to get access to the data and funds stored on the protocol. The infamous case of the Parity Library would be a good example of such. In this case, the malefactors used the lack of smart contract logic and a stolen private key to get access to 587 Ether wallets with a total amount of 513,774.16 Ether loss. 

Even though the security of the DeFi contract was checked a few times, the audits were conducted by different subcontractors with very little experience in the industry. This fact just highlights the idea that the audit itself is not the point, but the team of experienced developers with a deep understanding of the core system architecture and logic is what you should be looking for. 

HOW TO PROTECT YOUR DEFI PROJECT FROM HACKING? 

As you have probably understood by now, there are dozens of potential vulnerabilities to be detected in the existing DeFi projects. Yet, it doesn’t mean that your protocol is doomed. The thing is, you can significantly improve your DeFi protocol security by following several simple steps. Let us tell you more about it.

1. FULL UNIT TESTS COVERAGE 

Unit tests are an integral part of any detailed project testing. They help developers detect functionality problems in different parts of the contract and eliminate them at the very beginning. The important thing is that the contracts require full unit test coverage, not just 60{42b5f59b3ab5133d6097ddc47ebce2180046fc8c7e54102a39597d40d1358fb0} or 70{42b5f59b3ab5133d6097ddc47ebce2180046fc8c7e54102a39597d40d1358fb0} covering “the most important parts of code”. 

2. SMART CONTRACT SECURITY AUDITS 

Yet, no matter how well you perform the tests for all methods, classes and modules, it still does not guarantee the full security of your contract. Unfortunately, the entire unit test coverage cannot define all possible paths and combinations the user will hit. That’s why you should consider a security audit as the next step. 

Conducting a smart contract security audit for DeFi projects helps you detect uneven and unexpected vulnerabilities of smart contracts before project deployment and, thus, prevents potential exploits.

Ideally, you should hire at least two reputable auditors to inspect your smart contracts. This way, you will be sure that they haven’t missed anything and that the project is ready to be deployed. 

3. CODE UNIQUENESS

Very often, if the team does not fork the entire blockchain project, they will try to copy and “fit in” separate parts of the code, which will often be incompatible with what they already have. This frequently becomes the main reason for future exploits. That is why, when starting a new project, you need to make sure that your code is written from scratch and completely unique. 

4. CONTRACTS’ ACCESS PROTECTION

In order to prevent unnecessary private key access or protect your DeFi protocol in case of key loss, we highly recommend using the multisig scheme. There are two ways how Blaize developers implement this – the first is to create a separate multisig contract, and the second is to create the multisig logic within your protocol. 

IF YOU’D LIKE TO INTEGRATE MULTISIG PROTECTION INTO YOUR PROTOCOL, CONTACT BLAIZE FOR MORE DETAILS  

The multisig contract requires (n) amount of signatures out of (m) amount of proxy users (for ex. 3/5) to approve the transaction or protocol operations. So in case of the key loss or unwanted access by a third party, the contract will be safe. Moreover, such a solution enables fast elimination and replacement of the lost keys. 

5. EXPERIENCED DEFI DEVELOPMENT TEAM

As you can see, it is necessary to think of cybersecurity issues even before the project development. Thus, hiring a team of experienced blockchain developers with extensive expertise and profound knowledge of DeFi project vulnerabilities and specifications is essential. 

Blaize engineers have completed over 70 projects, deployed 400+ smart contracts, and audited 120+ more, including 1inch, PEAKDEFI, and Aurora. Our specialists can provide a full smart contract security audit that will help you detect all the potential vulnerabilities and protect your DeFi project from hacking. 

6. COMMUNITY SUPPORT

As the final step of your protocol’s security boost, Blaize developers recommend turning to the community. Conducting all those steps to eliminate existing security risks is a crucial thing to do, but you should also engage a dedicated audience to help you enhance the result. Establishing a bug bounty will encourage users to report any detected problems. Thus, you will improve the user experience within the protocol and successfully prevent DeFi hacks. 

THE FUTURE OF DEFI SECURITY AUDITS

DeFi projects are getting more complex day by day, and hackers come up with new, more elaborate ways to attack protocols. The industry is rapidly developing, and you should watch it closely to stay on top of the news.

Blaize experts keep abreast of all the industry trends and can forecast the future development of DeFi contract audits. Today, we’d like to share our vision with you.

1. Hybrid smart contract audits. As the protocols get more complex on their way to DeFi 2.0, they need additional support from oracles, off-chain workers, bridges and other third parties, turning into hybrid protocols. Thus, smart contract audit will also soon require a hybrid approach:
   1. A full analysis of the business logic of smart contracts as a part of the system.
   2. An inspection of the off-chain part of the protocol that smart contracts interact with.
   3. A deep immersion and analysis of the cryptography that smart contracts’ formal logic is based on.
2. More focus on business logic. Taking care of smart contract security requires profound experience in working with problems related to business logic. These include the analysis of cash flow, organization of the role systems, identifying if there is deadlock or any other blockers. As the industry evolves, there are fewer bugs related to Solidity vulnerabilities and more of the ones connected to smart contract system architecture.
3. Integration testing. Since DeFi protocols are not isolated systems anymore and work with oracles, bridges, and other third-party solutions, they definitely require more in-depth integration testing.
4. New types and vectors of hacker attacks. We can already see more sophisticated attacks taking place from time to time, and we believe that in the near future, there will be even more elaborate hacks connected with flash loans, complex transitions, DAO and oracle hacks, economic attacks, etc.

BLAIZE.TECH EXPERIENCE

Blaize has over 5 years of experience working with different blockchain ecosystems and has successfully delivered more than 145 crypto projects. Our engineers have audited 120+ smart contracts and deployed over 400 more. We are proud to say that we saved protocol owners over $100M from hacking, and every day we accept new challenges to save even more funds.

Our team has conducted DeFi safety audits for such companies as 1inch, PEAKDEFI, Aurora, and much more. 

Besides, we have designed and deployed a few of our own products, including DeHive, and have taken care of their full protocol security.

Currently, we offer the following auditing services:

• Smart contract audits;
• Code analysis and code review;
• Blockchain audits;
• Technical due diligence;
• Smart contract audit consulting.

We are always open to customs orders and solutions, so make sure to drop us a line or book a call if you have something particular in mind.

CONCLUSION

As the DeFi industry is evolving, hackers do, too. That’s why it is essential to stay on top of the news, take all the necessary safety measures, and regularly update your protocol security solutions.

One of the most efficient ways to ensure the security of your smart contracts is by hiring an experienced auditing firm and conducting a few smart contract audits. A proper smart contract security audit for DeFi can detect any possible threats and vulnerabilities of your contracts and prevent many potential hacker attacks. 

Get your smart contracts checked today – hire Blaize and make sure that your protocol is safe!

FAQ

How to check the security of the DeFi contract?

To check if your DeFi protocol is secure enough and doesn’t pose a threat to user data and funds, you should conduct a smart contract security audit. The best option is to hire two or three reputable smart contract auditing companies to conduct independent audits and fix all potential vulnerabilities according to their recommendations.

What is a smart contract security audit?

A smart contract audit is a thorough review of the smart contract code by experienced auditors in order to boost smart contract security. The main aim of such an audit is to detect and eliminate smart contract vulnerabilities as well as check the reliability of the contracts’ interactions with each other.

How do security audits work in decentralized finance?

A smart contract audit is a complex process that includes many steps, such as code consistency check, automatic and manual review, detailed business logic review, gas usage analysis, etc. You can find more details on how to conduct a smart contract audit in this article.

What does a security audit include?

These are the main steps of a smart contract audit conducted by Blaize:

• code consistency check;
• undocumented features check;
• test against the standard list of vulnerabilities;
• detailed business logic review, search for deadlocks and backdoors or potential exploits;
• preparation of the detailed schemes of user flows, access control map and funds flow chart;
• static analysis by automated tools;
• unit tests coverage check and running a custom set of manual and exploratory tests;
• gas usage analysis;
• manual code review by at least two experienced auditors;
• code quality and best practices review;
• providing a detailed report of detected issues;
• verification of fixes after providing consultations for the team;
• final audit report preparation and publishing.

How to find an experienced company conducting security audits for DeFi projects?

You can hire Blaize – an experienced team of blockchain developers, analytics and auditors who have conducted over 120 smart contract security audits in 5 years. We have reviewed 500K+ lines of code and saved more than $100M from hacking attacks.

Post author

Aleksei Korobeinikov

CTO of Blaize & Blockchain Solutions Architect

Expert on blockchain systems research & development