A Guide to Vulnerabilities in Decentralized Finance
Take the time to manage the various risks
Decentralized finance offers some genuinely revolutionary potential. However, given the relative immaturity of the DeFi sector, vulnerabilities are commonplace. The recent incidents with bZx provide a stark illustration of how attackers are finding these weaknesses and exploiting them for personal gain.
It’s thus a worthwhile exercise for users to take the time to understand these vulnerabilities to make an informed decision about the relative risks.
When users invest in a DeFi dApp, they’re essentially depositing funds into another user’s wallet. Smart contracts may govern how the funds in those wallets are used, but someone, somewhere, has the private keys to that wallet.
Earlier this month, Chris Blec released a video on his YouTube channel in which he introduced an overview of the operational security in place around the wallets used for various DeFi dApps. As Blec points out in the video:
“There is no way to prove that a seed phrase isn’t sitting in a screenshot saved on an iPhone. We have to trust [the dApp operators] when they say that it isn’t.”
In an attempt to bring some transparency to the matter, Blec investigated the methods deployed by DeFi projects to keep funds safe from hackers. These include measures such as time locks and multi-signature security.
However, because DeFi teams are understandably secretive about their OpSec practices, it can be impossible for any users to know for sure if the best measures applied are really in place. For example, Blec explains that multi-signature may be in place, but there’s no way of verifying that one individual doesn’t have access to all of the signatures required for a transaction.
Wallet security is a general vulnerability that exists across all of DeFi, and crypto in general. The same risk applies to centralized exchanges.
As the DeFi space matures, it’s possible that dApp developers may begin deploying similar security measures used by large exchanges and institutional custodians. These include hardware security modules like Ledger’s Vault or multiparty computation like Fireblocks.
However, judging by Blec’s research, these measures aren’t yet in place.
The issue of wallet security is related to a broader topic in the DeFi sector, which is the risks of centralization. Despite the name, many DeFi dApps are operated by centrally controlled entities.
Developer Ameen Soleimani highlighted this in a blog post last year, using Compound as a case study to illustrate how DeFi users are, in more ways than one, dependent on the centralized entities in control.
Part of Soleimani’s post explained what many in the crypto community already know — anyone with access to the Compound admin key would have the power to drain all the platform’s lending pools.
However, with lending protocols, there’s another concern.
Compound uses a metric called “utilization rate,” which describes the percentage of staked funds that have been lent out at any given moment. The higher the percentage, the greater the risk if something happens that triggers a liquidity crisis. Soleimani calls this the “bank run risk.”
If the utilization rate is at 99%, and more than 1% of lenders want to withdraw their DAI, then Compound wouldn’t have enough available DAI to meet the withdrawal demand.
Compound addresses this risk through its interest rate model, which adjusts according to the utilization rate. However, this method isn’t infallible. In 2019, Compound was forced to upgrade its interest rate model precisely because the utilization rate had reached 99%.
As Soleimani points out, Compound users are dependent on the dApp operators taking these measures each time the utilization rate approaches 100%. Otherwise, users risk being unable to withdraw their funds.
Last year, trading platform dYdX also faced accusations of centralized control when it forced all users to upgrade from DAI to SAI. Whether or not one agrees or disagrees, these issues illustrate that DeFi dApps are under some degree of control from their centralized entities.
Because DeFi is currently unregulated, the markets are still vulnerable to manipulation tactics. In the traditional financial sector, many of these tactics are known but heavily regulated.
Frontrunning is a tactic used by traders to make profitable trades based on information that wasn’t yet available in the public domain. In blockchains, it takes a slightly different form. When there’s a backlog of transactions waiting to enter a block and become confirmed, they’re queued in the mempool.
Once in the mempool, any trader can see the queued transaction, and jump in with their own trade by ensuring that theirs has a higher gas fee. In doing so, it’s more likely to be selected by a miner for inclusion in the next block than the first transaction.
There have been several instances of frontrunning found in DeFi. A 2019 study by academics at Cornell University found that arbitrage bots are engaging in “priority gas auctions” with Ethereum miners, essentially bidding for the highest gas price to ensure their transactions were given priority.
The study highlighted that Bancor and Uniswap as two example DEXes vulnerable to these kinds of tactics. Both projects have put measures in place to eliminate this risk, including setting a limit on gas fees and enabling users to specify the maximum allowable slippage in the transaction. Bancor had also reportedly hired a frontrunner as an employee to help them solve the problem.
Decentralized derivatives platform Synthetix has also fallen prey to frontrunning bots. Late last year, a Reddit user named Onyx accused Synthetix of having deleted their balance. The user had deployed an arbitrage bot that had successfully managed to exploit frontrunning vulnerabilities to the tune of $11.5 billion.
In this case, the attacker returned the funds to Synthetix after the project offered a bug bounty but had continued to use his bots to attack the system. Relations subsequently turned sour when Synthetix used the trader’s own tactics against them to purge one of the platform’s “synth” tokens, defeating the bot and reducing their account balance to zero.
Blockchains rely on oracles to bring in information from outside sources. In DeFi, the biggest dependency on oracles is price information. The Ethereum blockchain itself doesn’t determine the price of ETH – the markets do. Therefore, price data is fed in using oracles. The oracle may be a DEX such as Uniswap, or the average of multiple DEXes or exchanges, or an oracle service such as Chainlink.
Oracle manipulation becomes a risk when a DeFi dApp uses only a single exchange, or perhaps even two exchanges, as an oracle. Traders can manipulate the price information provided by an oracle by trading a large enough transaction to sway the price.
The less liquidity on the exchange, the easier it is to manipulate the price. The trader can then make a second, leveraged trade on the manipulated price to ensure they reap maximum profit.
The recent attacks on bZx used varied complex and layered tactics to drain funds from the Fulcrum exchange, and oracle manipulation was among them. As part of an orchestrated series of trades, the attacker manipulated the price of Synthetix’s sUSD to borrow 6,800 ETH on bZx.
Although the non-Ethereum DeFi infrastructure is now starting to emerge, the fact is that DeFi is still heavily dependent on Ethereum.
Scalability has proven to be Ethereum’s biggest weakness, with transaction speeds of around 15 TPS the norm even now, over five years into its lifespan. Furthermore, with stablecoin transactions dominating network traffic, Ethereum is struggling to keep up.
The long-promised ETH 2.0 upgrade may or may not alleviate the issue, but in any case, the full implementation still appears to be a few years away. So for now, DeFi’s dependence on Ethereum remains on the list of vulnerabilities.
The fact that these issues exist aren’t necessarily reasons to run scared from DeFi. After all, many of these same risks exist in the broader crypto and traditional financial markets.
However, in the spirit of “do your own research,” it’s crucial that users understand the risks involved when investing their funds in crypto and related apps, and take a measured approach to manage those risks.