Castore DeRose


Security Risks in DeFi | How to Mitigate Risks in DeFi

In this post, you'll learn what the security risks in DeFi are, how to mitigate them, and how to stay safe in DeFi.

Decentralized finance, or DeFi, describes an emerging ecosystem of blockchain-based alternative financial systems. DeFi platforms let users engage in traditional financial transactions such as lending and borrowing through direct P2P exchanges. As a result, they remove the need for traditional financial intermediaries and settle transfers of value directly.

However, the growing popularity of DeFi has also drawn attention to DeFi security risks, for obvious reasons. The following discussion gives you a comprehensive outline of the most prominent security risks in DeFi, with an explanation of each. A detailed overview of the security risks associated with DeFi can help you discover the best practices for using DeFi.

Understanding the Vulnerability of the DeFi Ecosystem

DeFi, or decentralized finance, as the name implies, provides decentralized access to financial services. DeFi leverages open protocols and decentralized applications powered by smart contracts. You can get a better understanding of DeFi risks by identifying the core elements of how they function.

Smart contracts are a crucial aspect of DeFi, as they replace the role of conventional centralized financial institutions. However, smart contracts are just code, and any flaw in the code could lead to loss of funds. Meanwhile, hackers are always seeking opportunities to breach the DeFi ecosystem through any of the dApps or users in it.


The DeFi industry has never been secure. Sad but true. Over the last ten years, the market has experienced 226 different security incidents that have led to $12.1B stolen from various protocols and platforms. What is more, one-third of these hacks and breaches were reported in 2021.

Map of Security Breaches and Fraud Involving Crypto 2011-2021, source:

Overall, from January 2011 till December 2021, there have been 120 security attacks, 73 DeFi protocol exploits, and 33 fraudulent schemes. You might have heard of some of them, including the recent Badger DAO hack that resulted in a $120M loss or the biggest Ponzi scheme in history that led to a $2.9B loss.

Of course, some of these 226 incidents might have been prevented or the losses could have been minimized if protocol owners were more concerned about their project security. Yet, sometimes, the breaches occur due to mere neglect or carelessness.

That’s why we invite you to look through the various DeFi security risks, hoping that this will come in handy when protecting other protocols.

What are the Security Risks in DeFi?

As of mid-2020, DeFi has been experiencing profound levels of growth. The total value locked in DeFi protocols in August 2021 was almost $75 billion. With such massive amounts of money placed at stake throughout different DeFi protocols, it is important to identify decentralized finance security risks. The identification of security risks in the domain of DeFi could help in anticipating productive safeguards for the massive investments in DeFi protocols. Here are some of the notable entries among DeFi security risks you should be careful of. 

Wrong Liquidity Pool Estimates

The most common issue leading to security risks in DeFi is the incorrect calculation of the value of tokens in a liquidity pool. DeFi users deposit their tokens in a liquidity pool and receive a stake that entitles them to a share of the pool's value in the future. Generally, liquidity pools value the tokens in the pool according to the current composition of the pool rather than relying on external oracles.

Attackers can capitalize on this discrepancy in one of the common DeFi attacks, the flash loan attack. Attackers introduce radical imbalances in the pool for the duration of a single transaction. The unbalanced pool then yields an incorrect token valuation, which lets the attacker extract value from the pool.
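To make the valuation problem above concrete, here is an added Python model (not code from the original article) of a constant-product pool. It contrasts a lending protocol that values collateral from the live reserve ratio with one that uses a time-weighted average price (TWAP) recorded at block boundaries; the pool, the reserves, the swap sizes and the collateral figure are all constructed for illustration.

```python
"""Added example, not part of the original article: a toy constant-product
liquidity pool used to show why valuing tokens from the pool's current
composition alone is fragile, and why a time-weighted average price (TWAP)
taken at block boundaries resists a large swap that is unwound within the
same transaction. All reserves, amounts and the collateral figure are
constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """x * y = k pool trading TOKEN (x) against a stablecoin (y), no fee."""
    reserve_token: float
    reserve_stable: float
    # spot prices recorded once per block; this is what a TWAP oracle reads
    history: list = field(default_factory=list)

    def spot_price(self) -> float:
        """Price of 1 TOKEN in stablecoin, from the live reserve ratio only."""
        return self.reserve_stable / self.reserve_token

    def swap_stable_for_token(self, stable_in: float) -> float:
        """Sell stablecoin into the pool; returns the TOKEN received."""
        k = self.reserve_token * self.reserve_stable
        new_stable = self.reserve_stable + stable_in
        token_out = self.reserve_token - k / new_stable
        self.reserve_stable = new_stable
        self.reserve_token -= token_out
        return token_out

    def swap_token_for_stable(self, token_in: float) -> float:
        """Sell TOKEN into the pool; returns the stablecoin received."""
        k = self.reserve_token * self.reserve_stable
        new_token = self.reserve_token + token_in
        stable_out = self.reserve_stable - k / new_token
        self.reserve_token = new_token
        self.reserve_stable -= stable_out
        return stable_out

    def end_block(self) -> None:
        """Record the spot price at a block boundary for the TWAP."""
        self.history.append(self.spot_price())

    def twap(self, window: int) -> float:
        """Average of the last `window` recorded block prices."""
        recent = self.history[-window:]
        return sum(recent) / len(recent)


def naive_collateral_value(pool: ConstantProductPool, amount: float) -> float:
    """Weak valuation: trust the live pool ratio (manipulable within a block)."""
    return amount * pool.spot_price()


def twap_collateral_value(pool, amount: float, window: int = 10) -> float:
    """Hardened valuation: trust only prices recorded at block boundaries."""
    return amount * pool.twap(window)


def run_pool_scenario() -> dict:
    """Run the scenario and return the collateral valuations at each step."""
    pool = ConstantProductPool(1_000_000.0, 1_000_000.0)  # 1 TOKEN = 1 stable
    for _ in range(10):
        pool.end_block()  # ten quiet blocks of price history
    collateral = 10_000.0  # TOKEN a borrower has deposited
    out = {
        "before_naive": naive_collateral_value(pool, collateral),
        "before_twap": twap_collateral_value(pool, collateral),
    }
    # One transaction pushes 3M borrowed stablecoin into the pool, skewing
    # the reserve ratio for the duration of that transaction only.
    token_bought = pool.swap_stable_for_token(3_000_000.0)
    out["during_naive"] = naive_collateral_value(pool, collateral)
    out["during_twap"] = twap_collateral_value(pool, collateral)
    # The same transaction sells the TOKEN back, restoring the reserves.
    pool.swap_token_for_stable(token_bought)
    pool.end_block()
    out["after_naive"] = naive_collateral_value(pool, collateral)
    out["after_twap"] = twap_collateral_value(pool, collateral)
    return out


if __name__ == "__main__":
    for step, value in run_pool_scenario().items():
        print(f"{step:>13}: {value:,.2f}")
```

The naive valuation jumps from 10,000 to 160,000 stablecoin for the same collateral while the pool is skewed, whereas the TWAP stays at 10,000 throughout.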

Compromised Private Keys

Another formidable issue among security risks in DeFi is stolen or leaked private keys. Blockchain protocols rely on cryptography to manage access to and control of blockchain accounts. A private key is, in effect, the PIN you need to spend the funds sent to your public key address. Therefore, many of the prominent DeFi risks stem from the possibility of compromised private keys, and there are several ways for private keys to be leaked or stolen.

The first type of attack on private keys is a compromised MetaMask interface. MetaMask is a popular application for interacting with the Ethereum blockchain and performing transactions on it. Various DeFi projects, as well as users, have lost crypto by using malicious versions of MetaMask.

DeFi security risks from stolen and leaked private keys also arise from poor key generation practices. It is important to use a cryptographically secure random number generator for generating private keys. Generating keys from a poor source of randomness makes them vulnerable to hackers: weak private keys are easy to guess, and a hacker who guesses one gains full control over the user's blockchain account.

Another way to lose private keys, leading to common DeFi attacks, is the loss or theft of the seed phrase. A seed phrase, or mnemonic phrase, offers an easier way of remembering private keys. However, many notable DeFi hacks in recent times have involved the accidental exposure or theft of the seed phrase.

Frontrunning Attacks

The next important addition among DeFi security risks is front-running attacks. You should note that blockchains do not add transactions to the distributed ledger immediately. Instead, transactions are broadcast throughout the blockchain network upon creation and are then held in the mempool of each blockchain node before being added to the ledger in blocks.

The time between creating a transaction and including it in the ledger is a prime opportunity for front-running attacks. Attackers generally seek out transactions they can exploit for Miner Extractable Value (MEV). Once they spot such an opportunity, they create their own variant of the transaction with a higher transaction fee and transmit it to the network. Blockchain miners generally order transactions by their transaction fees, so the attacker's transaction lands ahead of the original one and captures the profit. Front-running security risks in DeFi can have varying levels of impact.

First of all, many attackers or bots would leverage frontrunning for making profits according to their prior knowledge of transactions of a user. However, in some cases, the attackers would stage an attempted exploit followed by returning the compromised tokens to the exploited protocol. 

Rug Pulls and Ponzi Schemes

Another top entry among decentralized finance security risks is rug pulls and Ponzi schemes. Many DeFi protocol attacks come from external threats, but not all of them. Alarmingly, DeFi users can also fall victim to attacks by the owners and developers of the protocol.

Rug pulls are one of the most common examples of insider attacks in DeFi. In this attack, an individual in the company with access to the company's contracts misuses their privileges to drain value from the protocol. In all cases, the project and the team disappear into oblivion with little left to remedy the issue.

Inefficient Access Control

The majority of DeFi smart contracts rely on privileged functions, and these are the source of another common DeFi security risk. Privileged functions are designed so that only the owner of the smart contract can call them, so the contract must enforce access controls on them. The most common approach to managing access is to specify that calls to the function may only be made by one or more addresses from a defined set.

Alarmingly, these access controls are often implemented wrongly or not at all, opening the door to attackers. Hackers who gain privileged access to a smart contract can use it to extract value to their advantage.

51% Attacks

The final entry among the different types of decentralized finance security risks is 51% attacks. You should note that the 51% attack is one of the most common threats in blockchain security. It is more common on Proof-of-Work protocols and arises primarily from the design of blockchain consensus algorithms. Blockchain consensus algorithms rely on some type of majority vote, and in Proof-of-Work, miners vote with their computational power.

In a 51% attack, attackers gain control over a majority of the computational power of a blockchain. As a result, they can grow their own version of the chain faster than the legitimate one. Attackers could then exploit security risks in DeFi through the 51% attack and rewrite the contents of the distributed ledger. Most importantly, 51% attacks also open up the possibility of double-spend attacks. Therefore, 51% attacks can threaten the security of DeFi protocols running on smart contracts.

Read more: What are 51% Attacks in Cryptocurrencies | How does it work


There are dozens of ways the protocol security can be jeopardized – from tiny bugs in the smart contract code to more severe problems. Let’s talk about the most common risks and types of attacks in DeFi.

  • Code vulnerability. Simple coding mistakes can lead to pretty serious losses if a team hasn’t checked smart contracts before deployment or neglected security audits.
  • Smart contract logic. Occasionally, inexperienced developers or auditors might miss flaws in the logic of the smart contract as a whole and its underlying processes. For this reason, we believe that knowledge of business processes and traditional financial instruments is a must when dealing with DeFi.
  • Access control. If smart contract access control is implemented inefficiently or not at all, hackers could gain privileged access to a smart contract and exploit value to their advantage.
  • Liquidity pool estimates. If a project team hasn’t calculated the value of tokens in the liquidity pool correctly, bad actors might perform flash loan attacks leveraging smart contract vulnerabilities for their benefit.
  • Compromised private keys. The DeFi security risks connected with stolen or leaked private keys emerge due to poor key generation practices with an insufficient source of randomness. Besides, they might occur due to a loss or theft of the seed phrase used to remember a private key.
  • Frontrunning attacks. Hackers might look for a transaction they can exploit by leveraging the Miner Extractable Value (MEV), getting their own version included in the ledger prior to the original one and thus capturing the profit.
  • Ponzi schemes and rug pulls. Unfortunately, some DeFi security risks emerge not from some external threats but from protocol owners and project teams. It’s a shame that such cases still take place since they decrease DeFi credibility and impede global adoption.
  • Flash loan attacks. One of the most common security risks in DeFi in the last couple of years is flash loan attacks. Flash loans are a form of uncollateralized loans that can let bad actors borrow governance tokens and manipulate the protocol to their advantage. Such attacks are pretty popular these days since they are comparatively low-risk and low-cost, while bringing high rewards.

As you can see, the DeFi industry is far from being a bank vault. Yet, there are several things protocol owners can do to protect their products and users.


  1. Perform full unit testing to detect functional problems in the separate parts of the contract and eliminate them at the very beginning.
  2. Contact several auditors to conduct a smart contract security audit. This will help you detect unexpected vulnerabilities in the smart contracts before project deployment and, therefore, prevent DeFi hacking.
  3. Ensure code uniqueness. Copy-pasting code from other protocols might speed up development but lead to future exploits due to incompatible pieces of code that don’t go together.
  4. Take care of contracts’ access protection. To prevent unnecessary private key access or protect your DeFi protocol in case of key loss, consider using a separate multisig contract or the multisig logic within your protocol.
  5. Hire an experienced team of DeFi developers with accurate knowledge of DeFi project vulnerabilities and specifications.
  6. Turn to your protocol community to help with bugs and mistakes. Launching a bug bounty campaign will allow you to improve the user experience within the protocol and successfully defend it from potential hacks.
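The access-control weakness described earlier and the multisig recommendation in step 4 can be shown side by side. The following is an added Python model (not code from the original article or any real protocol) of a privileged treasury withdrawal: first with no caller check, then restricted to a single owner address, then gated behind a 2-of-3 approval rule; all addresses, balances and class names are constructed placeholders.

```python
"""Added example, not part of the original article: a Python model of the
privileged-function access control the text describes. It contrasts a
privileged withdraw with no caller check, the same function restricted to
a single owner address, and a k-of-n multisig rule of the kind the
mitigation list recommends. Addresses and balances are placeholders."""


class Unauthorized(Exception):
    """Raised when a caller may not invoke a privileged function."""


class TreasuryNoAccessControl:
    """Privileged function with the check missing: any caller can drain it."""

    def __init__(self, balance: int) -> None:
        self.balance = balance

    def withdraw(self, caller: str, amount: int) -> int:
        self.balance -= amount  # no check on `caller` at all
        return amount


class TreasuryOwnerOnly:
    """onlyOwner-style check: exactly one address may call withdraw."""

    def __init__(self, owner: str, balance: int) -> None:
        self.owner = owner
        self.balance = balance

    def withdraw(self, caller: str, amount: int) -> int:
        if caller != self.owner:
            raise Unauthorized(caller)
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.balance -= amount
        return amount


class TreasuryMultisig:
    """k-of-n approvals must be collected before a withdraw executes, so a
    single leaked signer key is not enough to move funds."""

    def __init__(self, signers, threshold: int, balance: int) -> None:
        self.signers = frozenset(signers)
        self.threshold = threshold
        self.balance = balance
        self.approvals = {}   # action -> set of signers who approved it
        self.executed = set()

    def approve_withdraw(self, caller: str, to: str, amount: int, nonce: int) -> int:
        """Record one approval. Executes and returns `amount` once the
        threshold is met; returns 0 while the action is still pending.
        The nonce makes each action unique so approvals cannot be replayed."""
        if caller not in self.signers:
            raise Unauthorized(caller)
        action = (to, amount, nonce)
        if action in self.executed:
            raise ValueError("action already executed")
        self.approvals.setdefault(action, set()).add(caller)
        if len(self.approvals[action]) < self.threshold:
            return 0
        if amount > self.balance:
            raise ValueError("insufficient balance")
        self.executed.add(action)
        self.balance -= amount
        return amount


def run_access_control_scenario() -> dict:
    """Run the same privileged call against the three variants."""
    out = {}
    attacker, owner = "0xATTACKER", "0xOWNER"
    s1, s2, s3 = "0xSIGNER1", "0xSIGNER2", "0xSIGNER3"

    t0 = TreasuryNoAccessControl(1_000)
    t0.withdraw(attacker, 1_000)
    out["unprotected_balance"] = t0.balance  # drained by an arbitrary caller

    t1 = TreasuryOwnerOnly(owner, 1_000)
    try:
        t1.withdraw(attacker, 1_000)
        out["owner_only_blocked"] = False
    except Unauthorized:
        out["owner_only_blocked"] = True
    t1.withdraw(owner, 100)
    out["owner_only_balance"] = t1.balance

    # Suppose signer s1's key has leaked: one approval alone moves nothing.
    t2 = TreasuryMultisig([s1, s2, s3], threshold=2, balance=1_000)
    out["multisig_one_key"] = t2.approve_withdraw(s1, attacker, 1_000, nonce=1)
    out["multisig_balance_one_key"] = t2.balance
    # A legitimate 2-of-3 payout still goes through.
    t2.approve_withdraw(s1, "0xVENDOR", 300, nonce=2)
    out["multisig_two_keys"] = t2.approve_withdraw(s3, "0xVENDOR", 300, nonce=2)
    out["multisig_balance_final"] = t2.balance
    return out
```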

Best Practices for DeFi Security

While there are so many notable DeFi risks, you can turn towards some best practices to ensure safety from them. One of the common recommendations in best practices for DeFi security refers to smart contract audits. In addition, the use of DeFi-related monitoring and ranking tools can help in reviewing security information regarding DeFi protocols. Furthermore, risk management solutions and monitoring network health could also serve as vital practices in resolving DeFi security risks.

Read more: What is Smart Contract Audits in Crypto?

The most important point about DeFi is the complexity of how it works. Everything is out in the open with smart contracts, and DeFi aims to open up financial services to the general public. So, it is reasonable to expect security risks in DeFi that could affect users. The wide variety of decentralized applications emerging in the DeFi ecosystem presents new opportunities for attackers to exploit DeFi vulnerabilities.

Some of the notable security risks include frontrunning attacks, 51% attacks, rug pulls, and discrepancies in access control. With a clear impression of different security risks associated with DeFi, users could identify productive ways for using DeFi solutions. Learn more about DeFi and explore the best practices for addressing security risks in the domain.

Thank you for reading!

Wilford Pagac

Best Custom Web & Mobile App Development Company

Everything around us has become smart: smart infrastructure, smart cities, autonomous vehicles, to name a few. The innovation of smart devices makes it possible to achieve these heights in science and technology. But data is vulnerable, and there is a risk of attack by cybercriminals. To get started, let’s look at what IoT devices are.

What are IoT devices?

The Internet of Things (IoT) is a system that interconnects computing devices such as sensors, software, actuators and digital machines. They are embedded in everyday objects, work through the internet, and transfer data between devices without human intervention.

Famous examples are Amazon Alexa, Apple SIRI, Interconnected baby monitors, video doorbells, and smart thermostats.

How could your IoT devices be vulnerable?

As technologies grow and evolve, the risks grow with them. Ransomware attacks are continuously increasing, and securing data has become the top priority.

If you think your smart home is safe from cybercriminals, you should know that it is also vulnerable. When cybercriminals gain access to smart voice speakers like Amazon Alexa or Apple Siri, it becomes easy for them to steal your data.

A 2020 cybersecurity report says that popular hacking forums exposed 770 million email addresses and 21 million unique passwords, and that 620 million accounts were compromised from 16 hacked websites.

The attacks are likely to increase every year. To help you secure your data of IoT devices, here are some best tips you can implement.

Tips to secure your IoT devices

1. Change Default Router Name

Your router ships with a default name that reveals its make and model. If we stick with the manufacturer’s name, attackers can quickly identify our make and model. So give the router a different name, one that does not give away your address or other personal information.

2. Know your connected network and connected devices

If your devices are connected to the internet, those connections are vulnerable to cyber attacks when the devices lack proper security. Almost every home network has multiple devices on it, so it’s hard to keep track of each one. But it’s crucial to stay aware of them.

3. Change default usernames and passwords

Using the default usernames and passwords leaves devices open to attack, because cybercriminals likely know the default passwords that ship with IoT devices. So use strong passwords to access your IoT devices.

4. Manage strong, Unique passwords for your IoT devices and accounts

Avoid weak or easily guessed passwords such as ‘123456’ or ‘password1234’. Use strong, unique, complex passwords formed from combinations of letters, numbers and symbols that are not easily guessed.

Also, use different passwords for different accounts and change them regularly to avoid attacks. You can also lock the account after several wrong password attempts to safeguard it from hackers.

5. Do not use Public WI-FI Networks

Do you try to keep an eye on your IoT devices from your mobile device in different locations? I recommend that you do not use public Wi-Fi networks to access them, because they are easily accessible to everyone. If you still need to access them in a hurry, use a VPN, which gives you protection against cyber-attacks along with privacy and security features, for example Express VPN.

6. Establish firewalls to discover the vulnerabilities

There are software firewalls and intrusion detection/intrusion prevention systems (IDS/IPS) on the market. These are useful to screen and analyze the traffic on a network. You can identify security weaknesses within the network with a firewall’s scanners. Use these firewalls to get rid of unwanted security issues and vulnerabilities.

7. Reconfigure your device settings

Every smart device comes with insecure default settings, and sometimes we do not change these default configurations. They need to be assessed, and the default settings need to be reconfigured.

8. Authenticate the IoT applications

Nowadays, every smart app offers authentication to secure accounts. There are many types of authentication methods, such as single-factor authentication, two-step authentication, and multi-factor authentication. Use one of these to send a one-time password (OTP) that verifies the user logging in to the smart device, to keep our accounts from falling into the wrong hands.

9. Update the device software up to date

Every smart device manufacturer releases updates to fix bugs in their software. These security patches help improve the protection of the device. Also, update the software on the smartphone we use to monitor the IoT devices, to avoid vulnerabilities.

10. Track the smartphones and keep them safe

When we connect the smart home to a smartphone and control it from there, you need to keep the phone safe. If you lose the phone, almost all of your personal information is at risk from cybercriminals. Since this can happen by accident, make sure that you can wipe all the data remotely.

Securing smart devices is essential in a world built on data, yet cybercriminals still bypass security measures. So make sure to take these safety measures to keep our accounts from falling into the wrong hands. I hope these steps will help you all to secure your IoT devices.

If you have any, feel free to share them in the comments! I’d love to know them.

Are you looking for more? Subscribe to weekly newsletters that can help you stay updated on IoT application developments.

Wilford Pagac

OWASP Top 10 API Security - DZone Security

I am sure that almost all of you are aware of OWASP, but just for context, let me briefly describe it.

OWASP is an international non-profit organization dedicated to web application security. It is a completely open-source, community-driven effort to share articles, methodologies, documentation, tools, and technologies in the field of web application security.

When we talk about APIs, we are almost always talking about REST, and OWASP has a dedicated project for API security. As this series of articles is focused on API security, we shall not go into the details of web application security. You can use the provided links to find out more. Let us spend some time on the background before we dive deep into the API security project.


OWASP’s most widely acknowledged project is the OWASP Top 10. This is a list of security risks compiled by security experts from across the world. The report is continuously updated, outlining the concerns of web application security, and focuses especially on the ten most critical risks. In OWASP’s own words, “The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.” They recommend that all companies incorporate the report into their processes in order to minimize and/or mitigate security risks. The latest version was published in 2017, and the list is below.

  1. Injection
  2. Broken Authentication
  3. Sensitive Data Exposure
  4. XML External Entities (or XXE)
  5. Broken Access Control
  6. Security Misconfiguration
  7. Cross-Site Scripting (or XSS)
  8. Insecure Deserialization
  9. Using Components With Known Vulnerabilities
  10. Insufficient Logging And Monitoring

How API Security Is Different from Web Application Security

Although APIs have many similarities with web applications, the two are fundamentally different in nature.

In web applications, all the processing is done on the servers, and the resulting web page is sent back to the web browser for rendering. Because of this, they have a limited entry point and attack surface, namely the resulting web pages. This can easily be protected by putting a web application firewall (WAF) in front of the application server.

In most modern applications, the UI itself uses APIs to send and receive data from backend servers and provide the functionality of the application. It is the responsibility of the clients to do the rendering and convert the responses into a web page.

Also, with the rise of microservices architecture, individual components become APIs, and it becomes a different world altogether, where UI clients could interact with hundreds of services via API calls. This significantly increases the attack surface. Now all those APIs become entry points and attack surface.

These entry points can’t be guarded using the WAF solutions as they cannot differentiate between the legitimate and malicious API calls.

Why A Separate Project on API security?

Since its first release in 2003, the OWASP Top 10 project has been the most useful resource on web application security risks and the ways to mitigate them.

These days almost all application development, in banking, retail, transportation, smart devices and elsewhere, is done with APIs.

APIs are critical to modern mobile and SaaS applications. By nature, APIs expose business logic and data, and often this data is sensitive, for example Personally Identifiable Information (PII). Because of this, APIs are increasingly targeted by attackers.

As APIs change how we design and develop our applications, they are also changing the way we think about security. A new approach is needed in terms of security risks. To cater to this need, OWASP decided to come up with another version of the Top 10 dedicated to API security, named the “OWASP API Security Project”. The first report was released on 26 December 2019.

Below are the OWASP Top 10 API security risks and their brief descriptions as provided by the official report.

API1:2019 Broken Object Level Authorization

APIs tend to expose endpoints that handle object identifiers, creating a wide attack surface Level Access Control issue. Object level authorization checks should be considered in every function that accesses a data source using an input from the user.

API2:2019 Broken User Authentication

Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or to exploit implementation flaws to assume other users’ identities temporarily or permanently. Compromising the system’s ability to identify the client/user compromises API security overall.

Mikel Okuneva

Oracles in DeFi Systems: Off-Chain Aggregation vs Centralized Solutions

DeFi projects are changing the way we interact with digital funds. We take real money and transform it into digital assets that can be used in blockchain-powered applications. Yet, as much as we want to think that the cryptocurrency world is separate from the real world, it is not. Otherwise, why are you checking the USD price of your tokens?

We are changing the way we interact with each other financially, but we are not changing the way we interact with the world. Real-world events influence our lives and our digital funds. Blockchain, however, seems to have its own peace. Yes, the price of a token goes up or down, but one ETH will always be one ETH on its blockchain. A block on the blockchain doesn’t know the time; it’s just a block with a number. Yet blockchain blocks are generated faster or slower depending on the external world’s miner activity.

Security IT

10 Cyber Security Tools to Watch Out for in 2021 - DZone Security

With an immense number of companies and entities climbing onto the digital bandwagon, cybersecurity considerations have come into the limelight. Besides, as new technologies such as Big Data, IoT, and Artificial Intelligence/Machine Learning increasingly make inroads into our everyday lives, the threats related to cybercrime are mounting as well. Additionally, the use of mobile and web apps for transacting financial information has left the whole digital estate exposed to cybersecurity breaches. The inherent risks and vulnerabilities found in such apps can be exploited by attackers or cybercriminals to siphon off crucial information, data and money. Internationally, cyber-security breaches caused a yearly loss of USD 20.38 million in 2019 (Source: Statista). Plus, cybercrime has led to a 0.80 percent loss of the entire world’s Gross Domestic Product, which sums up to approx. USD 2.1 trillion in the year 2019 alone (Source:

In this article, take a look at ten cyber security tools to watch out for in 2021, including NMap, Wireshark, Metasploit, and more!


Avail Defi wallet development services to ensure efficient fund management

DeFi wallet development services are used for storing the crypto coins and tokens of the users safely. There is no third party involved in the platform. The users need not disclose their personal identity or submit any personal information to register themselves on the wallet. It is non-custodial, easily compatible, utilizes fully encrypted private keys, easy to access, and is completely decentralized. Top-notch security measures are taken to safeguard the users’ funds and data. The different types of DeFi wallets are single-currency, multi-currency, business wallets, web, mobile, hardware, and desktop wallets.

The typical features of a DeFi wallet are:

  • Safety measures such as two-factor authentication, biometric authentication, DDoS mitigation, anti-phishing software, SSL implementation, HSM implementation, browser detection security, and multi-signature wallets.
  • An inbuilt QR code scanner for quick execution of payments.
  • Whitelisting and blacklisting of wallet addresses.
  • Merchant integration services.
  • Seamless integration with numerous payment gateways.
  • Can be used for the transfer of funds, peer-to-peer payments, preparing invoices, and bill payments.
  • Is compatible across web, mobile, and desktop.
  • Protection from inflation, economic downturn, and a market crash.
  • Auto-denial of duplicate payments helps to prevent chargeback fraud.

Make full use of professional DeFi wallet development services and improve your financial position in no time.
