Author: BlockSec
Introduction
As DeFi continues to reshape the financial landscape, security remains a major challenge for the ecosystem: security issues cause billions of dollars in asset losses every year.
According to Chainalysis, DeFi hacking attacks in 2023 resulted in more than $1.1 billion in asset losses. Although this figure is lower than in 2022, new DeFi attack trends have emerged in 2023. For example, some well-known protocols that have been operating securely for a long time, such as Curve and KyberSwap, have also been attacked. In addition, there have been sophisticated attacks targeting infrastructure vulnerabilities such as Flashbots Relay.
Security Incident Dashboard data shows that in the first half of 2024, there were more than 50 hacker attacks that caused losses of more than $100,000.
Figure: Recent hacker attacks (Source: Security Incident Dashboard, https://app.blocksec.com/explorer/security-incidents)
Security is crucial to the development of DeFi protocols. Some protocols manage billions of dollars of user assets, and security incidents can cause significant losses to users. Although stolen funds can in some cases be (partially) recovered (as in the Euler attack), we cannot pin our hopes entirely on this. Every attack undermines users' confidence in DeFi.
Although the industry has proposed many measures to enhance security, there is still a lot of room for improvement in DeFi security. On the positive side, code audits have become a community consensus, and most protocols will be audited before going online, which helps reduce the risk of attacks caused by smart contract vulnerabilities. However, code audits alone are far from enough to solve all security issues. Code audits cannot prevent attacks caused by vulnerabilities introduced by contract upgrades, configuration changes, and external dependencies. Given these limitations, some protocols have begun to adopt more proactive solutions, such as operational monitoring and attack detection systems.
In this article, we review the security measures a protocol can take across the pre-launch, post-launch, and attack response stages, to give a picture of the DeFi security landscape. We introduce each type of security measure and its main vendors/products in detail, along with their pros and cons. We hope that this article helps the community better understand the current state of DeFi security and inspires innovative security solutions.
DeFi Security Overview
Security measures for a DeFi protocol should span its entire life cycle, from before launch to after launch, securing both the protocol's code and its operation. It is also crucial to deploy preventive measures and response plans for potential attacks in advance. To help readers understand which DeFi security solutions are currently available, we have divided the relevant vendors (products) into the following categories.
Pre-Launch Security
Security measures that can be taken before the protocol goes online include code auditing, formal verification, and security testing.
Code Audit Services & Competitions
Code auditing is a community-recognized practice for ensuring protocol security. During an audit, a security company conducts a semi-automatic review of frozen code: common vulnerabilities are scanned for automatically, and complex vulnerabilities are then reviewed manually. Representative auditing companies include OpenZeppelin, ChainSecurity, BlockSec, etc.
In addition, there are audit competition platforms. Unlike audit companies that directly provide audit services, these platforms publicly publish audit requirements, attract security researchers in the community to participate in audit competitions, and distribute rewards to contestants who discover protocol vulnerabilities. Audit competition platforms include Code4rena, SHERLOCK, Cantina, Secure3, etc. The platforms differ in their vulnerability severity levels, reward distribution, and participation standards.
Code auditing is the first line of defense for protocol security. However, it also has some limitations, which is why many protocols audited by well-known companies still fail to avoid hacker attacks.
First, static code audits cannot solve security issues caused by protocol dependencies, which is exacerbated by the composability of DeFi protocols.
Second, some issues were not given enough attention during the code audit process. For example, precision loss is a common problem that may be overlooked by auditors and protocol teams. It was not until the Hundred Finance and Channels Finance incidents that the community fully realized the security impact of precision loss.
Finally, high-quality code audits are still a scarce resource. They require interdisciplinary talent with knowledge of security, finance, and computer science, and few universities can currently supply such talent continuously and at scale. Therefore, although some protocols have been audited, the auditors who performed those audits lacked sufficient expertise.
Formal Verification
“Formal verification uses mathematical methods to prove the correctness or incorrectness of a system according to some formal specification or property.” Formal verification can ensure that the behavior of a DeFi protocol conforms to its formal specification. For example, the Prover developed by Certora can perform formal verification on DeFi protocols: developers provide rules (specifications), and the Prover explores every possible program state, compares the results with the rules, and identifies vulnerabilities.
The biggest advantage of formal verification is that it can mathematically prove the correctness of DeFi protocols that manage billions of assets. However, some limitations in practical applications hinder its widespread adoption.
First, specifications need to be provided by developers, which requires them to have detailed documentation of the expected behavior of the protocol, and most developers are not experts in this field.
Second, frequent upgrades of the protocol may require updating the specification and re-evaluating the protocol, and some protocols may not be able to devote so much time and effort.
Despite these limitations, we still believe that protocols should be formally verified, especially those that are new, have not yet been tested by time, and manage a large amount of user assets. However, making formal verification more practical and increasing its adoption rate remains a huge challenge.
Security Testing
Security testing uses test cases to discover potential problems in the protocol. Compared with formal verification that proves the correctness of the protocol through mathematical methods, security testing generally uses specific input data (rather than symbolic input in formal verification), so it is more efficient but slightly less comprehensive.
Foundry is a popular smart contract development and testing framework. Developers can run tests in Foundry and can also perform differential testing and invariant testing on DeFi protocols. Other security testing tools include Tenderly and Hardhat.
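The following added example (not from the original article, and written in Python rather than as a Foundry test) shows invariant testing with concrete inputs: seeded random deposits and withdrawals are run against a constructed toy vault, and after every call the test checks that assets per share never decreases. `ToyVault`, its rounding flag and all amounts are assumptions made for the illustration; the round-down variant contains a precision-loss bug that the invariant exposes.

```python
import random

class ToyVault:
    """Constructed share-accounting model; not code from any real protocol."""
    def __init__(self, assets, shares, round_up_on_withdraw):
        self.assets, self.shares = assets, shares
        self.round_up = round_up_on_withdraw

    def deposit(self, amount):
        # Shares minted are rounded down, in the vault's favour.
        minted = amount * self.shares // self.assets
        self.assets += amount
        self.shares += minted
        return True

    def withdraw(self, amount):
        num = amount * self.shares
        # Shares burned must be rounded up; rounding down is the bug under test.
        burned = -(-num // self.assets) if self.round_up else num // self.assets
        if amount >= self.assets or burned >= self.shares:
            return False              # would empty the vault; skip this call
        self.assets -= amount
        self.shares -= burned
        return True

def fuzz_share_price(round_up_on_withdraw, runs=20, steps=200, seed=1):
    """Return the first call that lowers assets per share, or None if none does."""
    rng = random.Random(seed)         # seeded, so a failure is reproducible
    for run in range(runs):
        vault = ToyVault(1_500, 1_000, round_up_on_withdraw)
        for step in range(steps):
            action = rng.choice(["deposit", "withdraw"])
            amount = rng.randint(1, 50)
            a0, s0 = vault.assets, vault.shares
            getattr(vault, action)(amount)
            # Invariant: assets/shares never decreases. Cross-multiplied so the
            # check itself performs no division and cannot lose precision.
            if vault.assets * s0 < a0 * vault.shares:
                return {"run": run, "step": step, "action": action, "amount": amount}
    return None

if __name__ == "__main__":
    print("withdraw rounds down:", fuzz_share_price(False))
    print("withdraw rounds up:  ", fuzz_share_price(True))
```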
Post-Launch Security
Security measures that can be taken after the protocol goes online include Bug Bounty, attack detection, and operational monitoring.
Bug Bounty
Bug Bounty builds a bridge between protocols and security researchers. The protocol publishes a bounty program on the Bug Bounty platform, detailing the bounty scope and reward amount. Security researchers earn rewards by reporting zero-day vulnerabilities in the protocol. Immunefi is a representative Web3 Bug Bounty platform.
Attack Detection
Attack detection platforms identify malicious transactions by scanning transactions. Specifically, these platforms scan every transaction that interacts with the protocol to look for malicious behavior, and the system triggers an alarm after identifying malicious transactions.
For example, BlockSec Phalcon scans every memory pool (mempool) and on-chain transaction and identifies malicious behavior (such as malicious contracts and malicious proposals) by analyzing the behavioral characteristics of transactions. Like a security guard who never sleeps, it watches every detail of every transaction for unusual activity. It extracts behavioral patterns from these transactions and uses financial models (similar to those used by banks to detect fraud) to identify potential attacks. Similar systems include products provided by Hypernative and Hexagate. In addition, Ironblocks' Venn Security Network provides a decentralized infrastructure that aggregates detection results from multiple sources.
Operational Monitoring
As the name implies, an operational monitoring framework monitors the operational security of the protocol after it goes live. For example, it tracks administrator key changes and the deployment and updating of smart contracts in real time, and automatically detects security vulnerabilities in pull requests. The OpenZeppelin Defender platform helps developers write, deploy, and run smart contracts safely. BlockSec Phalcon can monitor contract upgrades, Safe wallet transactions (such as being initiated, newly signed, and executed), access control, and governance-related risks. In addition, through the real-time monitoring system Forta Network, users can create bots to monitor protocols, or subscribe to existing bots to receive alerts about security threats such as phishing.
Attack Response
Security measures that are automatically triggered or taken urgently after an attack occurs include attack blocking, automatic response, War Room, attack cause analysis, and attacker fund flow tracking.
Among these five response measures, attack blocking is particularly noteworthy, because the project team can deploy it in advance to block the attack before it occurs and reduce the loss to zero. Automatic response platforms also help reduce the losses caused by an attack.
Establishing a War Room, analyzing the cause of the attack, and tracking the flow of funds are countermeasures taken after the attack. Although they help reduce losses and prevent similar attacks in the future, by then the attack is likely to have already caused significant losses that are difficult to recover. In addition, damage to the project's reputation and loss of user trust may have far-reaching negative effects. Risks seem to be everywhere and hard to guard against, but project owners are not limited to responding passively. They can deploy preventive measures in advance, which is the more recommended approach.
Attack Blocking
Attack detection is an important way to learn about hacker attacks, but detection alone is far from enough to counter them: without automated attack blocking capabilities, manual response measures often come too late. Take the KyberSwap, Gamma Strategies and Telcoin attacks as examples. These protocols took response measures minutes or even hours after the attack. During this period, the hackers launched multiple attack transactions and stole huge amounts of assets. The Velocore and Rho attacks in July caused the Linea and Scroll chains to suspend operation, which drew users' attention to the centralization problem of L2 chains.
Attack blocking automatically prevents hacker attacks and relies on two core technologies: early detection and automatic preemption. Early detection means identifying attack transactions while they are still in the memory pool (mempool), before they are included on-chain. Automatic preemption means submitting a preemptive transaction that pauses the protocol before the attack transaction is included on-chain, thereby preventing the attack transaction from executing. This method blocks the attack before it actually occurs, thus avoiding losses.
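The two steps above, as an added simulation that is not part of the original article and not Phalcon's implementation: a guardian flags attack transactions in a constructed mempool and outbids them with a pause transaction. It assumes the attack is visible in the public mempool and that the block is ordered by priority fee; `ToyProtocol`, `Tx`, the `drain` call and all amounts are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    sender: str
    call: str              # "pause", "deposit" or "drain" on the toy protocol
    priority_fee: int      # the toy block builder orders by this, highest first
    amount: int = 0

class ToyProtocol:
    def __init__(self, tvl, guardian):
        self.tvl, self.guardian = tvl, guardian
        self.paused, self.stolen = False, 0

    def execute(self, tx):
        if tx.call == "pause":
            if tx.sender != self.guardian:
                return "reverted"
            self.paused = True
        elif self.paused:
            return "reverted"          # every user call fails while paused
        elif tx.call == "deposit":
            self.tvl += tx.amount
        elif tx.call == "drain":       # stand-in for an attack transaction
            taken = min(tx.amount, self.tvl)
            self.tvl, self.stolen = self.tvl - taken, self.stolen + taken
        return "ok"

SAMPLE_MEMPOOL = [   # constructed snapshot: one user, two attack transactions
    Tx("alice", "deposit", 2, 500),
    Tx("attacker", "drain", 50, 400_000),
    Tx("attacker", "drain", 40, 400_000),
]

def simulate(mempool, watch_mempool, tvl=1_000_000):
    protocol = ToyProtocol(tvl, guardian="guardian")
    pending = list(mempool)
    if watch_mempool:
        # Early detection (a constructed rule stands in for the detection engine),
        # then automatic preemption: outbid the flagged transactions with a pause.
        flagged = [tx for tx in pending if tx.call == "drain"]
        if flagged:
            top_fee = max(tx.priority_fee for tx in flagged)
            pending.append(Tx("guardian", "pause", top_fee + 1))
    block = sorted(pending, key=lambda tx: -tx.priority_fee)
    outcome = [(tx.call, protocol.execute(tx)) for tx in block]
    if not watch_mempool and protocol.stolen:
        # Detection only after inclusion: the pause lands in a later block.
        protocol.execute(Tx("guardian", "pause", 1))
    return {"stolen": protocol.stolen, "paused": protocol.paused, "block": outcome}

if __name__ == "__main__":
    print("on-chain detection only:", simulate(SAMPLE_MEMPOOL, False))
    print("mempool detection + preemption:", simulate(SAMPLE_MEMPOOL, True))
```

In the preempted run the pause also reverts the ordinary deposit, which is the cost of this response: every user call is blocked until the protocol is unpaused.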
In this category, BlockSec Phalcon is the only product with these core technologies. After a hacker launches an attack transaction, Phalcon's attack monitoring engine can detect the transaction in advance, push attack alerts to users, and automatically pause the protocol to reduce losses to zero. The product's attack blocking ability has been verified in more than 20 white hat rescues in the past, saving more than $20 million in assets.
Automatic Response
In addition to attack blocking platforms, platforms such as Phalcon, Hexagate, and Hypernative can also automatically respond when an attack occurs.
After subscribing to such platforms, users can set up monitoring and response measures for various protocol risks. If a transaction hits the monitoring rules, the system will automatically initiate the response measures set by the user in advance (such as suspending the protocol) to reduce losses. However, some platforms do not have an attack detection engine, and the system cannot directly identify attack transactions and inform users. Instead, users are required to customize the conditions under which a transaction can be judged as an attack. Since the characteristics of attack transactions are very complex, and users (often contract developers) may not have sufficient security knowledge, this is very challenging for users.
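An added example (not from the original article and not any vendor's API) of the user-defined rules described above, applied to the operational events mentioned under operational monitoring: contract upgrades and owner changes are checked against an allow-list and mapped to a pre-set response. It assumes the monitored contract emits the OpenZeppelin-style `Upgraded(address)` and `OwnershipTransferred(address,address)` events; the policy, addresses and log entries are constructed.

```python
# topic0 values: keccak-256 of the event signature (OpenZeppelin-style contracts).
UPGRADED = "0xbc7cd75a20ee27fd9adebab32041f755214dbc6bffa90cc0225b39da2e5c2d3b"
OWNERSHIP_TRANSFERRED = "0x8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e0"

# Constructed policy for one monitored proxy; every address is a placeholder.
POLICY = {
    "contract": "0x" + "aa" * 20,
    "approved_implementations": {"0x" + "b1" * 20},
    "approved_owners": {"0x" + "c1" * 20},
}

def topic_to_address(topic):
    """An indexed address topic is left-padded to 32 bytes; keep the low 20."""
    return "0x" + topic[-40:].lower()

def evaluate(log, policy=POLICY):
    """Map one log entry to (severity, action, reason), or None if not relevant."""
    if log["address"].lower() != policy["contract"]:
        return None
    topic0 = log["topics"][0]
    if topic0 == UPGRADED:                   # Upgraded(address indexed implementation)
        impl = topic_to_address(log["topics"][1])
        if impl in policy["approved_implementations"]:
            return ("info", "notify", "upgrade to approved implementation " + impl)
        return ("critical", "pause", "upgrade to unapproved implementation " + impl)
    if topic0 == OWNERSHIP_TRANSFERRED:      # (previousOwner, newOwner), both indexed
        owner = topic_to_address(log["topics"][2])
        if owner in policy["approved_owners"]:
            return ("info", "notify", "ownership moved to approved owner " + owner)
        return ("critical", "pause", "ownership moved to unknown owner " + owner)
    return None

def as_topic(address):
    """Left-pad a 20-byte address to a 32-byte topic (used to build the samples)."""
    return "0x" + "00" * 12 + address[2:]

# Constructed log entries in the shape returned by eth_getLogs.
SAMPLE_LOGS = [
    {"address": POLICY["contract"], "topics": [UPGRADED, as_topic("0x" + "b1" * 20)]},
    {"address": "0x" + "99" * 20, "topics": [UPGRADED, as_topic("0x" + "ee" * 20)]},
    {"address": POLICY["contract"],
     "topics": [OWNERSHIP_TRANSFERRED, as_topic("0x" + "c1" * 20), as_topic("0x" + "dd" * 20)]},
    {"address": POLICY["contract"], "topics": [UPGRADED, as_topic("0x" + "EE" * 20)]},
]

def triage(logs):
    """Evaluate every log and keep only the ones a rule matched."""
    return [verdict for verdict in map(evaluate, logs) if verdict]

if __name__ == "__main__":
    for severity, action, reason in triage(SAMPLE_LOGS):
        print(severity, action, reason)
```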
War Room
When a protocol faces an attack, it is particularly important to establish a War Room. This helps the protocol to understand the situation, synchronize information with the community in a timely manner, and effectively integrate resources to take countermeasures, which requires close cooperation among experts in multiple fields.
SEAL 911 aims to "help users, developers, and security researchers directly connect to trusted security experts in emergency situations." Users can access this service through the SEAL 911 Telegram Bot (https://t.me/seal_911_bot) and quickly form a War Room to respond to security challenges when the project is attacked.
Attack Cause Analysis
When a protocol is attacked, it is critical to identify the root cause of the problem, such as the vulnerability within the smart contract and how it was exploited. Analyzing attack transactions requires tooling; Phalcon Explorer, OpenChain, and Tenderly are all good choices.
Fund Flow Tracking
Fund flow tracing refers to tracking the attacker's initial funds and attack profits on the chain to locate related addresses and entities. If these assets flow to centralized entities (for example, centralized exchanges and other institutional entities), law enforcement agencies can be contacted to help freeze the funds.
Chainalysis, TRM Labs, ARKHAM, ELLIPTIC, and MetaSleuth are representative companies/products in this field. For example, MetaSleuth can automatically track cross-chain fund flows and provide rich address labels. ARKHAM has established a community where protocol teams can publish investigation bounties to incentivize community members to assist in tracking the attacker's fund flows.
Security Education Resources
Knowledge is the best line of defense. In addition to the security vendors and products mentioned above, there is another role that is crucial to DeFi security: educational platforms. The resources and information provided by these platforms help DeFi practitioners and users understand security in depth, improve their security awareness, and build security skills, and so play an important role in advancing DeFi security. We pay tribute to these platforms and list below some that are worth paying attention to.
SΞCURΞUM: A Discord community focused on Ethereum security that regularly hosts the smart contract security competition "Secureum RACE".
https://x.com/TheSecureum
Security Incidents Dashboard: This platform aggregates and updates in real time attacks with losses exceeding $100,000, and provides details such as the amount of loss, affected chains, vulnerability types, attack cause analysis, and PoC.
https://app.blocksec.com/explorer/security-incidents
Rekt: Known as the dark web for DeFi news, Rekt provides in-depth analysis of DeFi exploits, hacks, and scams.
https://rekt.news/
RugDoc: A DeFi security and education community. The platform provides project risk assessment information and a platform, RugDocWiKi, that introduces the DeFi ecosystem and technology.
https://rugdoc.io/
DeFiHackLabs: A Web3 security community dedicated to helping Web2 security talent enter the Web3 field. It has more than 2,000 members and nearly 200 white hat hackers worldwide. The DeFiHackLabs repository provides rich learning resources.
https://x.com/DeFiHackLabs
Solodit: This platform collects past audit reports from Web3 auditing companies.
https://solodit.xyz/
Ethernaut: A Web3/Solidity-based game where players need to identify vulnerabilities in Ethereum contracts, similar to CTF.
https://ethernaut.openzeppelin.com/
Conclusion
Security issues cause billions of dollars in losses every year and are a serious long-term threat to the DeFi ecosystem. Currently, most security measures target security issues before the project goes online. However, there is no "silver bullet" in the field of security. At each stage of a protocol's development there should be corresponding measures to ensure its security, covering the entire life cycle of the protocol.
We hope that the industry will recognize the importance of security after the project goes online, and take measures to monitor protocol risks and automatically block attacks.
We also hope that the DeFi ecosystem can form a consensus that security comes first, so as to better protect users' assets.