Brian Pasfield is the CTO of Marginal financinga platform that seeks to unlock the billions of dollars of mainstream capital tied up in cryptocurrencies by offering loans secured by them. The platform aims to accept the widest range of altcoins as collateral in the market.
With over two decades of industry experience, Pasfield is an expert on the current security issues facing DeFi. We picked up his insights on the most common attack vectors exploited this year, identified specific centralization-related vulnerabilities, how they can be avoided, and what steps to take to conduct a thorough audit.
What key challenges do we face today when it comes to DeFi security?
DeFi is a remarkably new industry. Ethereum introduced full Turing smart contracts less than eight years ago. For this reason, the security of smart contracts requires an order of magnitude more attention and effort than building conventional financial systems. In addition, transactions are irreversible and stolen funds can be hidden by mixers and cups. Billions are up for grabs if a hacker can simply identify and exploit a severe oversight by a team of developers.
Meanwhile, developers often succumb to external pressure to rush new features, often without proper audits or thorough testing. This is the main challenge for DeFi security today – ensuring that it is the top priority on new and long-standing DeFi projects.
What are the most common attack vectors exploited this year?
To name a few: missing event emissions, where functions do not emit events after changing a critical variable. Not locking the compiler version allows generating different bytecodes for the same code. There is also poor input validation, which leads to unexpected behavior when the contract receives invalid input.
Although experienced in writing non-blockchain applications, some developers sometimes fail to consider the nuances of smart contract development when writing dApps. One of these nuances ignores reentrancy attacks: in these, contract A calls contract B before updating its state. When this happens, it is possible for B to repeat the previous operation as if the circumstances – for example, A’s ETH balance – had not changed.
Another class of exploits involves relying on data that can be manipulated for internal logic. Miners and mining pools have significant power to tinker with the block hash, timestamp, and order of transactions, which makes these random sources unreliable. Using AMM liquidity pools as price oracles is also extremely problematic, as they are easily manipulated using cheap flash loans, which can disrupt an entire protocol. For this reason, solutions such as decentralized oracles and random sources are essential to the development of our industry.
Relying on third-party dependencies is also quite common. They can be modified, which changes the behavior of the contract without notice. By far the most common vulnerability is centralization which, aside from sweepstakes, makes stealing funds as simple as gaining access to a few mismanaged private keys.
Can you elaborate? For example, cite specific vulnerabilities related to centralization? How can they be corrected – or avoided?
Centralization introduces single points of failure, opening up multiple attack vectors. The most obvious is carpet pulls. Mishandled keys can end up with hackers who could then use them to steal funds. Keyholders can lose keys or die, leaving funds inaccessible forever.
Centralization problems are not always immediately apparent. Proper audits are needed to identify the widest range of vulnerabilities possible, and unfortunately most DeFi platforms lack such comprehensive audits.
The answer to centralization is, of course, decentralization. DAOs are essential for this purpose, but the design of the protocol can make the intervention of centralized entities totally unnecessary.
What are the steps to perform a thorough audit?
The party commissioning the audit defines the scope of the process: which contracts will the auditing firm review and to what extent? Ideally, you would have your entire protocol audited, not just a few contracts, but there is always the opportunity to be strategic about this.
From then on, experts from the auditing firm will study the code base, use automatic testing tools to identify faulty components, apply a wide range of known exploits that faulty code could make possible, and manually verify vulnerabilities one line at a time. This process aims to generate a report on which the team will act, fixing the vulnerabilities by prioritizing the most critical ones.
After resubmitting the code, the auditing firm will recheck and retest any previously identified issues, also looking for newly introduced vulnerabilities. Ideally, the project should repeat this process back and forth until the auditing firm can find no more vulnerabilities.
Note that this is how an audit should be ideally Course. Every audit cycle is expensive, and it’s not uncommon to see people trying to cut corners to cut costs. Therefore, “audited”, more than a binary statement, should be taken with nuance in many cases.
Decentralization has placed additional responsibility on the user, so let’s talk a bit about client-side security. What can we do to protect our DeFi investments?
First of all, your private keys are your greatest treasure. Never share them with anyone and store them in a hardware wallet if you can. Of course, the same goes for your recovery phrase, because it’s just your private key in a different format. Read transactions carefully before signing them; you may be allowing a scammer to confiscate your tokens.
You need to understand what you’re investing in, from tokenomics to team reputation. Beware of meme pieces, dozens are created every day, and the indisputable majority are rugpulls. Last but not least, only use platforms that have been audited recently and by reputable companies.
And finally, can you share any secrets on choosing a reliable DeFi product?
Look for DeFi platforms with experienced teams with a strong reputation, a history of not cutting corners on security, and recent successful audits to show – double audits are the gold standard.