Crypto's Decentralized Finance Security ProblemAuditing Itself Can't Ensure Security
Cryptocurrency has a decentralized finance problem: It's not very secure.
Few cybersecurity experts dispute that the technology underlying cryptocurrencies - the blockchain - is secure. Wrapped in layers of encryption and verification, the distributed ledger resists attacks.
Yet, record-breaking hacking losses for cryptocurrency holders occurred this past year. Hardly a week passed without news of one pillaging or another, often accompanied by pleas from bereft account holders for the hacker to return their stolen funds, minus a hefty "white hat" reward.
Holding cryptocurrencies in anything but a memory drive inside a box shielded with a Faraday cage seemed to tempt fate during 2022. And for that - apart from the outright (alleged) larceny behind the collapse of FTX - the cryptocurrency world in large measure can finger decentralized finance platforms, which ride atop the blockchain. In 2022, a record-breaking $3 billion was stolen from those applications.
One reason for the increase in DeFi hacking is that deposits rose exponentially from about $13 billion in late 2020 to $50 billion now, despite the ongoing crypto winter.
Web3 hackers are no different from their peers across industries: They go where the money is, says Martin Derka, head of new initiatives at Quantstamp. The amounts can be eye-popping. Digital thieves descended on cross-chain platform Nomad in August after discovering a flaw that allowed transaction messages to be validated immediately instead of going through a verification process. Dozens of attackers extracted $200 million in a mass theft. North Korean hackers last year stole more than $600 million from Axie Infinity's Ronin bridge hack.
But the intensity of hacking and sheer ease with which bad actors were able to find and exploit vulnerabilities on DeFi platforms suggests a problem larger than hackers on the prowl for payouts. Nine out of every 10 cryptocurrency hacking incidents during 2022 involved a decentralized platform, found year-end analysis from TRM Labs.
There's something wrong with the state of DeFi security.
DeFi Is Easy - Maybe Too Easy
For those in the know, starting a DeFi platform isn't a challenge. That's great for founders eager to advance their unique spin on cryptocurrency trading. It's also a source of buried loopholes that can be used to, say, artificially drive up the value of a low-liquidity token in order to drain the platform of nearly all its available funds, including customer deposits (see: Mango Markets Hacker in US Regulator's Crosshairs).
"We have founders who are former traders, founders who did not even graduate high school. Unfortunately, the inexperience can translate into cutting corners by not maintaining good engineering practices and not developing [the software] properly in order to ship rapidly," Derka says.
That inexperience and lack of knowledge result in apps that have multiple features to make them attractive for consumers, but at the cost of maintaining documentation and with security as an afterthought. This, Derka says, results in vulnerabilities in the code.
DeFi's transparency, which makes it so attractive to the community, is also its Achilles' heel. "Hackers can scan DeFi code for vulnerabilities and strike at the perfect time to maximize their theft," Chainalysis says.
The Web3 ecosystem's complex, "Lego-like" quality - in which different infrastructure layers stack on top of each other - also makes for an attractive target, as a vulnerability in one layer can potentially affect all other layers. That enables a wider attack surface, Derka tells Information Security Media Group.
"You can't control the security of contracts you haven't developed, and if they can be upgraded or changed after deployment, then the risk profile is liable to change," Ronghui Gu, CEO and co-founder of CertiK, tells ISMG. The same goes for applications that use layered contracts with different functions: One weak link in the chain can compromise the whole application, Gu says.
Audits Are No Panacea
Downward market pressure on security isn't a secret, which is why the crypto trading world came up with a check against careless expediency. Code auditing performed by third parties has become the default expectation for reputable DeFi platforms. Unfortunately, even allowing for built-in limitations of any code review, auditing is not living up to expectations as a meaningful guarantor of security.
The problem is the same as the haste with which many DeFi projects are rushed into production. Security needs to be an ongoing commitment, not a checkbox.
"Auditors live and breathe Web3 security - they do it on a daily basis. They have seen exploits you may not even be aware of and understand the ecosystem your project will interact with," says Derka. Auditors examine a project's code base, use automated tools to look for known vulnerabilities and design custom attacks to probe platform security in a protected environment. They also interpret the results of these tests to make security recommendations.
Still, "no auditor is ever going to say that any smart contract is absolutely safe," Derka says. And more importantly, auditors don't fix the issues encountered during an audit: It is the project team's job to implement patches.
Auditing is a critical first step, but it's not the only one, Gu said. "Think of it like a safety rating for a car. You can still buy a car with a less-than-ideal rating, but the rating, which is public information, can inform your decision ahead of purchase. The rating doesn’t necessarily fix the problems encountered, but it gives the builder the opportunity to do so," he said.
David Schwed, who has worked with banks such as BNY Mellon in the past, is currently the CEO of Halborn, which according to Chainalysis has a track record of having audited DeFi protocols that have never been subsequently hacked. He says that DeFi's security problems boil down to one thing: lack of investment in security.
With growth as its priority, DeFi developers direct all funds, including those that should be earmarked for security, toward building. “The DeFi community generally isn’t demanding better security - they want to go to protocols with high yields. But those incentives lead to trouble down the road," he told Chainalysis.
DeFi can also borrow security lessons from traditional financial institutions. Schwed recommended testing protocols with simulated attacks, monitoring for suspicious activity on smart contracts to detect potential attacks early and deploying circuit breakers that automatically halt transactions if suspicious activity is detected.
It's also just possible that DeFi could benefit from regulatory mandates as a counter to market pressures - at least, if the end goal for DeFi is widespread consumer trust. Unlike traditional finance, there's no authority to impose penalties on DeFi for not implementing proper security.
Schwed told Chainalysis that regulators can set minimum security standards for developers to adhere to. "The data on DeFi hacks makes one thing clear: Whether achieved through regulation or voluntary adoption, DeFi protocols will greatly benefit from adopting better security in order for the ecosystem to grow, thrive, and eventually penetrate the mainstream," he said.