What Can We Learn from the $25Mln dForce Hack
A hack on the decentralized finance (DeFi) protocol dForce saw $25 million in cryptocurrencies exit its wallets over three hours on April 19. Curiously, almost all the stolen assets were returned two days later with the message “Better Future”, for reasons that were never made fully clear. Since the assets had been recovered, the dForce team submitted a request to the police for the case to be withdrawn.
This is one of the largest hacking incidents in DeFi. Although the stolen assets were recovered, the incident itself is still worth thinking about. Should a DeFi product bear the risk of lacking proper safety measures and security audits? Does disclosing the hacker’s IP address violate the principle of decentralized privacy protection? When will Chinese technical teams invest more in R&D and stop relying so heavily on their foreign counterparts’ open source code?
DeFi is undoubtedly an innovation of the future, but there is still a long way to go in terms of security. On April 30, we invited Lucas, head of business at Tokenlon, Yang Xia, founder & CEO of the blockchain security company Beosin, and Dan Guido, CEO of Trail of Bits, to hold an AMA on China’s largest crypto forum, Chainnode, discussing the security of DeFi assets.
Dan: In reality, very few DeFi projects are truly decentralized today and I think this is a good thing
DeFi (Decentralized Finance), also known as open finance, has been one of the most trending areas in the blockchain ecosystem in recent years. Yang Xia noted in the discussion that DeFi is trying to use blockchain technology to solve the inherent shortcomings of traditional, centralized finance, such as cumbersome review processes, lack of transparency, inequality in the financial system, and transaction risk.
DeFi is not perfect, however, and has its share of security vulnerabilities. Because DeFi apps rely heavily on complex math, the most serious issues are arithmetic ones: for example, many DeFi apps round numeric values inappropriately. Dan recommended checking for these with tools such as Echidna, a security property tester, and Manticore, a symbolic execution tool.
Looking back at the dForce hack, the panel also debated how a DeFi project can balance privacy protection and user protection, given that the assets were ultimately recovered through centralized efforts. Dan replied,
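To make the rounding class Dan refers to concrete, here is an added illustration (constructed for this article; it is not dForce code and was not part of the AMA): a toy share vault that rounds withdrawals in the caller's favour, the corrected line beside it, and an Echidna assertion harness that fuzzes for the share-price invariant the defect breaks. The file name, contract names and seed values are my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Constructed toy share vault (not dForce code). Shares are minted and redeemed
// pro rata; the defect is the rounding DIRECTION in withdraw(), which 0.8's
// checked arithmetic does nothing to catch.
contract ToyVault {
    uint256 public totalAssets;
    uint256 public totalShares;
    mapping(address => uint256) public shares;

    function deposit(uint256 amount) public returns (uint256 minted) {
        // Integer division floors: the depositor never receives more than its
        // exact pro-rata share, so existing holders are never diluted.
        minted = totalShares == 0 ? amount : (amount * totalShares) / totalAssets;
        totalAssets += amount;
        totalShares += minted;
        shares[msg.sender] += minted;
    }

    function withdraw(uint256 shareAmount) public virtual returns (uint256 paid) {
        require(shares[msg.sender] >= shareAmount, "insufficient shares");
        // BUG: ceiling division pays the caller the fractional wei that belongs
        // to the other holders whenever the division is inexact.
        paid = (shareAmount * totalAssets + totalShares - 1) / totalShares;
        // FIX: round against the caller: paid = (shareAmount * totalAssets) / totalShares;
        shares[msg.sender] -= shareAmount;
        totalShares -= shareAmount;
        totalAssets -= paid;
    }
}

// Echidna harness (assumed file name ToyVault.sol):
//   echidna ToyVault.sol --contract ToyVaultEchidna --test-mode assertion
// Invariant: a withdrawal must never lower the share price totalAssets/totalShares.
contract ToyVaultEchidna is ToyVault {
    constructor() {
        // Seed with a price of 1.5 so divisions can be inexact; at a price of
        // exactly 1 every quotient is whole and the defect never shows.
        totalAssets = 3e18;
        totalShares = 2e18;
        shares[address(this)] = 2e18;
    }

    function withdraw(uint256 shareAmount) public override returns (uint256 paid) {
        uint256 a0 = totalAssets;
        uint256 s0 = totalShares;
        paid = super.withdraw(shareAmount);
        // price_after >= price_before, cross-multiplied to stay in integers
        assert(totalAssets * s0 >= a0 * totalShares);
    }
}
```

Echidna finds a deposit-then-withdraw sequence that trips the assertion against the buggy line; with the FIX line in place the invariant holds.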
“In reality, very few DeFi projects are truly decentralized today and I think this is a good thing. DeFi apps are building on new, unproven technologies with immature tools and they must plan to encounter issues along the way. This centralization allows them to respond to incidents and correct the app when it malfunctions or is hacked.
It is incumbent upon project owners to properly secure their own access to DeFi apps and to disclose to users what level of access they have. If source code is available, then tools like Slither can verify what actions they can perform. Research to create more robust decentralized systems will continue, and DeFi projects should adopt those new techniques as they become available and proven. This will take time.”
Vitalik once commented that DeFi products are trending towards ever greater complexity and called on people to build something simple and stable. On the growing complexity that composability between DeFi protocols brings, Dan agreed and added:
“Emergent behavior from DeFi apps is hard to model, and the best solution today is to limit your exposure to unknown third-party contracts by whitelisting only what you trust. It’s important that projects take small, carefully measured steps to carefully build new technology.”
CeFi or DeFi? It should be a “cooperation”, not a “combination”
The debate about DeFi and CeFi never seems to stop. As mentioned above, very few DeFi projects are truly decentralized today. Decentralization is still in progress, and not all of CeFi should move in that direction. There should be cooperation between the two, as Lucas said:
“In the development process of a project, there will be a different pace of decentralization in different phases. For example, in terms of technology, in the early stage, it is often developed by the core team and product/market fit will be quickly sought by trial and error; during the growth period, the core team will invite community developers to participate in the development; later, the core team will gradually withdraw from a dominant position and hand it over to the community. In this sense, when it comes to the relationship between CeFi and DeFi, I prefer to call it a “cooperation” rather than a “combination”, and I believe that CeFi and DeFi will be increasingly interdependent in the industry. Both, with their own advantages and disadvantages, can provide distinct services for the market.”
On the way towards decentralization, DeFi still has a long way to go. During this process, choosing a reliable auditor is important. Dan gave some recommendations for evaluating a security vendor:
- “Do they have relevant experience in security? It takes years to grow as a security engineer. Find a team with a strong foundation of security fundamentals.
- Have they published original research in your field? Blockchain security is a new field with undiscovered pitfalls. It’s not enough to only use current best practices.
- Will they share their tools with you? You’ll want to build on their progress. Shared tools also ensure that the results are repeatable and verifiable by others.
- What are the outcomes you’ll receive? Anyone can provide a list of bugs. Will they have context? Architectural and process recommendations? Custom tools?
- Can they address risk in areas adjacent to the surveyed product? Smart contracts typically depend on advanced cryptography, off-chain oracles, and much more.”
One large review with a qualified security vendor is worth more than two small ones. You’ll get more strategic results, better integration of automated testing and verification tools, and a chance to find higher severity bugs that only come with domain knowledge.
The dForce hack once again made DeFi a heatedly discussed topic. In fact, there have been a number of DeFi security incidents since the beginning of 2019, involving Nuo, MakerDAO, Synthetix, Edgeware, 0x, AirSwap and other projects with issues in their protocols or oracles, though fortunately without major direct losses. These problems are a challenge for the industry, and they also reflect how rapidly DeFi is developing.
Check here for the AMA on Chainnode
Thanks for the media support from Coindesk China, Cointelegraph China, Crypto Briefing, and NewsBTC (in no particular order).