DeFi protocols development continue to be on the rise, with more developers switching from traditional companies to crypto. However, security remains as a main concern when it comes to blockchain – and DeFi – development, both before launching application to the public and in the process of upgrading a more established protocol.
With that in mind, we want to share best practices and tips one can use to improve overall protocol security.
Focusing on DeFi security
When building a DeFi application, most developers focus on known set backs and vulnerabilities connected to the specific application type. Thus, they need to have an in-depth knowledge and understanding of both code and attacks – and study similar applications and any exploits that happened to them in the past to create a well-guarded codebase.
With that in mind, let’s explore the most common attack vectors and risks developers might face on their building journey.
Reentrancy attack is one of the most common exploit types in the DeFi space. It takes form after the infamous DAO hack and involves a smart contract calling an external contract to update its state.
As smart contracts are an integral part of any DeFi application, its security is essential. Smart contract manipulation during the reentrancy attack can end up in withdrawing funds without the application or user’s consent.
The best practice here would be to ensure that all updates to the smart contract’s state happen before calling external contracts. and ensure that before calling any external contracts with no connection to the project. Another tip would be to use function modifiers that prevent reentrancy.
Next in line is oracle vulnerabilities where hackers use AMM and/or DEX reserves as the price oracle. This is a common exploit point when DeFi protocol is using a centralised price oracle and get market data from one place.
The best practice in such cases would be to use a decentralized oracle network and TWAPs to increase the cost of the attack for the hacker and get tru market data at the same time.
Audits & Risk Management Solutions
There are various attack patterns and paths one can take when exploiting a protocol. And even the best developers and in-house security specialists might overlook small backdoors in the code that can end up in exploit – code lines become blurred with time, new function is undertested, new patch opens up a simple exploit path, etc.
The best practice in such cases is the oldest one – undergo an external audit before mainnet deployment (be it application launch or just a new feature). Auditors look at the code as whole, spotting small discrepancies and loopholes, thereby providing you with better review of the code.
Another security practice comes with risk management tools (e.g. Apostro) that help safeguarding the protocol against economic and technical exploits by screening and analyzing both blockchain and market data.
We want to end this article with the most pragmatic highlight of DeFi application security – a doomsday plan. No matter how confident you are in the security of the DeFi application, you still need to have a backup plan to use in case of exploit.
The most common suggestions here are to add emergency pause to the protocol’s smart contracts and have a defined upgrade pipeline. Another thing would be collaborating with insurance protocols to add financial security to users.