A Security Survey of DeFi

DeFi Risks

  • Smart-contract Risks
    • Code Security
    • Code Openness
    • Centralized Points of Failure
    • Protocol Administration and Governance
    • Oracles
  • Financial Risk
    • Collateral — Exchange Rate and Liquidation
    • Liquidity — Bank Runs
  • Jun 2019:
    • Synthetix — sETH $37m
  • Feb 2020:
    • bZx — $900k
  • Mar 2020:
    • iEarn — $280k
    • MakerDAO Black Thursday — $9M
  • Apr 2020:
    • LendfMe — $25m USD stolen through a reentrancy attack vector; funds were re-issued after the team’s negotiation with the hacker.
    • imBTC — Uniswap pool, $300k USD stolen through a reentrancy attack vector.
    • Curve — a stablecoin exchange platform, revealed that it had found and fixed a bug in the sUSD reserve contract.
    • PegNet — a cross-chain DeFi platform, suffered a 51% attack when four miners in its network controlled 70% of the hashrate.
    • Hegic — $28k USD of liquidity locked in expired options contracts by a bug in the contract; the team promised to compensate affected users with its own funds.
  • Jun 2020:
    • Balancer — $500k ETH
    • Liquid network — $16m BTC (avoided)

Smart contract risks

Code Security

Uniswap

Lendf.me

Code Openness

Centralized Points of Failure

Protocol Administration and Governance

Compound

Liquid Network

Oracle risk

Synthetix Hack

bZx second hack

Financial Risk

Collateral — Exchange Rate and Liquidation Risk

Liquidity — Bank Runs Risk

Black Thursday

DeFi Risk Mitigation

  1. Smart Contract Risk
    • Time on Mainnet: normalized time since the protocol first launched on mainnet
    • No Critical Vulnerabilities: no vulnerabilities have been exploited
    • Four Engineer Weeks: four or more engineer-weeks have been dedicated to auditing the protocol
    • Public Audit: has the audit report been made public?
    • Recent Audit: has there been an audit in the last 12 months, or have no code changes been made?
    • Bounty Program: does the development team offer a public bug bounty program?
  2. Financial Risk
    • Collateral Makeup CVaR
    • Utilization Ratio
    • Absolute Liquidity
  3. Centralization Risk
    • Protocol Administration
    • Oracles

Mitigating Smart Contract Risks

Code Audits

Bug Bounties

Best Practices

Mitigating Illiquidity & Bank Run Risk

Live security monitoring

Increased transparency

Insurance

Mitigating Centralization Risks

Conclusion

Extropy.IO, Oxford-based blockchain and zero knowledge consultancy and auditing firm
