Radical need to update blockchain security protocols

Decentralized Finance (DeFi) is here to stay, with a Total Value Locked (TVL) of over $100 billion, which underscores the vote of confidence in these new financial instruments. That investment will keep growing, but it seems that for every new TVL record, another horribly damaging cyberattack is reported.

Crypto hacks overall decreased 57% in 2020, but DeFi attacks have increased dramatically, costing businesses and investors billions in losses. In March alone, there were multiple attacks in just five days, with Paid Network losing $180 million. In late May, PancakeBunny lost over $200 million in a flash loan exploit.

It is clear that there are too many gaps and loopholes in the current blockchain security protocols. From rug pulls to outright scams, the security and technology of this space is not quite as solid as the numbers suggest. However, there are important practices that both developers and users can adopt to close this gap.

Decentralized technology is still centralized

No matter how decentralized a protocol claims to be, the underlying structure is still centralized. Take a look at one of our most important internet features, DNS records. Each domain name is still centrally owned – owned by the government, state, or company that has ultimate authority over the domain and can deactivate it if desired.

One example of centralization within decentralization is smart contracts. The developers who write smart contracts on Ethereum or Binance have the final say on what goes into the code, and there are ways to code nefarious schemes, like rug pulls, into smart contracts.

During the yield farming boom in the summer of 2020, we saw many rug pulls emerge to take advantage of the money flowing into DeFi, and the trend continues this year. In March, TurtleDex executed a rug pull, which is essentially a back door in a smart contract, leaving investors robbed of $2.5 million. This so-called feature allows developers to program in exploits that are then executed in response to other events in the code, and TurtleDex is one of several projects this year that pulled the rug programmatically.

Related: Profit is on everyone’s lips, but DeFi promises to change the way we deal with money

Smart contract auditing is a great way to prevent rug pulls, but even then we see cases where developers swap an audited smart contract for an unaudited one. The Compounder case shows a fraudulent project that easily borrowed the reputation of well-known, reputable names in the space. They were able to piggyback on Harvest Finance and Yearn.finance quickly before pulling the rug on their users and walking away with millions of dollars in crypto.

Related: Standard audits for DeFi projects are a must for industry development

Current hacking trends

Aside from rug pulls, there are many common attacks that can topple an entire company that is not prepared. A 51% attack – when a pool of miners controls more than 50% of the network’s mining hash rate, allowing them to exclude or manipulate transaction records in order to double spend or break the chain – still occurs frequently. Firo and Grin both suffered 51% attacks recently.

Even some top-cap crypto projects are unsafe. In February, it was reported that 200 days of XVG transactions on the Verge network were wiped out in what was described as “the most profound event ever in the top 100 cryptocurrencies.”

We accept these failures as part of the blockchain experience, but what would the reaction be if the same thing happened to a large bank? There would likely be a flood of media headlines and an uproar among users and customers. These events go largely unnoticed in crypto because there are fewer users, but with the recent bull market this is changing. Inevitably, the security of public blockchains is coming under stricter scrutiny.

Methods for preventing hacks like rug pulls

Unfortunately, hacking is always a possibility for developers working in the crypto space. The question is not how to prevent hacking in general, but how to avoid being hacked yourself. Several advances in hardware wallets – like Gnosis Safe’s multi-signature wallet – are key drivers in improving overall security.

Using a multisig wallet allows multiple users to hold keys for the same wallet and requires their joint participation to take actions on the account. Since a wallet like this requires input from multiple users to conduct a transaction, it is virtually impossible to pull a rug with this type of safe.

Another security method for preventing rug pulls is the time lock. Many decentralized applications use time locks, so if a developer tries to rug their users, you get an alert roughly 12 to 24 hours in advance, giving you time to withdraw your coins.
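To make the two mechanisms concrete, here is an added Python model, written for this page rather than taken from the article or from Gnosis Safe, of a treasury wallet that needs 2-of-3 owner approvals and then a 24-hour delay before a withdrawal executes; the class, its names and the 24-hour figure are assumptions for illustration.

```python
DAY = 24 * 3600

class TimelockedMultisig:
    """Toy threshold multisig behind a time lock: an assumed design for
    illustration, not Gnosis Safe's or any project's real code."""
    def __init__(self, owners, threshold, delay):
        self.owners, self.threshold, self.delay = set(owners), threshold, delay
        self.proposals, self.events, self.next_id = {}, [], 0  # events: monitor feed

    def propose(self, owner, amount, now):
        pid, self.next_id = self.next_id, self.next_id + 1
        self.proposals[pid] = {"amount": amount, "approvals": set(), "eta": None}
        self.events.append(("Proposed", pid, amount))
        self.approve(owner, pid, now)  # proposer's own approval counts
        return pid

    def approve(self, owner, pid, now):
        if owner not in self.owners:
            raise PermissionError("not an owner")
        p = self.proposals[pid]
        p["approvals"].add(owner)
        if len(p["approvals"]) >= self.threshold and p["eta"] is None:
            p["eta"] = now + self.delay  # clock starts; users get a warning window
            self.events.append(("Queued", pid, p["eta"]))

    def check(self, pid, now):
        """Reason the withdrawal cannot run yet, or None if it may execute."""
        p = self.proposals[pid]
        if p["eta"] is None:
            return "approval threshold not reached"
        if now < p["eta"]:
            return "time lock active for %d more seconds" % (p["eta"] - now)
        return None

    def execute(self, pid, now):
        reason = self.check(pid, now)
        if reason:
            raise PermissionError(reason)
        self.events.append(("Executed", pid, self.proposals[pid]["amount"]))
        return self.proposals[pid]["amount"]

def demo():
    """2-of-3 wallet with a 24-hour delay; returns the outcome of each step."""
    w = TimelockedMultisig(["alice", "bob", "carol"], threshold=2, delay=DAY)
    pid = w.propose("alice", 1000, now=0)   # one key alone cannot move funds
    out = {"single_key": w.check(pid, now=0)}
    w.approve("bob", pid, now=10)           # threshold met, the clock starts
    out["early"] = w.check(pid, now=100)    # still blocked by the delay
    out["executed"] = w.execute(pid, now=10 + DAY)
    out["event_kinds"] = [e[0] for e in w.events]
    return out
```

An off-chain monitor that indexes the Queued event is what turns the delay into the user alert the paragraph describes.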

These types of safety practices will foster wider trust in DeFi and create a safety culture that will advance our industry.

Improving crypto wallet security

Wallet security ultimately depends on developers and users adopting smarter methods. Regular security reviews and internal security practices can all help make wallets more secure.

While security reviews are a good solution, Uniswap and other automated market maker-based decentralized exchanges (DEXs) are permissionless, so periodic reviews cannot be enforced. Best practice is to understand the specifics of “fair launch” coins – projects launched directly on a DEX. While many of these projects are high quality, many others are not. Open source code makes it easy for anyone to test and verify for themselves that a smart contract is safe, and gives users more tools to practice good security.

Asking users to implement good security may seem like a big ask, but it is required to access the many benefits of cryptocurrencies and DeFi in particular. With traditional banks, the bank is responsible for security, but with cryptocurrency, security depends on the practices of the developers and users.

If you forget your bank password or send money to the wrong person, you can contact your bank to halt the transaction until the issue is resolved. But in crypto there is no fallback if you lose your key or send money to the wrong address. One of the perks, of course, is that in crypto you do not have to worry about access to your funds, while banks can close and impose capital controls, as happened during the 2015 Greek banking crisis.

Conclusion

As developers, we need to conduct security testing and cross-validation and hold each other accountable for developing improved security practices.

Users should consider implementing their own security protocols and understanding the nuances of storage and potential attack scenarios. Good practice for passive crypto holders is to use hardware wallets kept disconnected from the internet, or paper wallets that are 100% offline and do not require online syncing for firmware updates.

Phishing attacks, one of the early forms of Internet attack, are still widespread and common. One way to combat phishing attempts is to verify the authenticity of the sender.

Do not enter your private keys or seed phrases on any website or send them to anyone on public channels or in DMs. In general, you should only enter your seed phrase the first time you set up the wallet. Beyond that, you should only enter your seed phrase if you need to restore your wallet after forgetting your password, import an existing wallet onto a new device, or migrate to compatible wallet software. Ideally, use hardware wallet devices that never expose your seed to any software at all, since even a trusted wallet app can be hacked.

As we continue to build our new (mostly) global DeFi economy, it will be important to improve security so that mainstream adoption and capital can continue to pour into the space, and so that the next generation can reach new frontiers of financial independence.

Kadan Stadelmann is a blockchain developer, operational security specialist and chief technology officer of the Komodo platform. His experience ranges from working in security in the government sector and founding tech startups to developing apps and cryptography. Kadan began his journey into blockchain technology in 2011 and joined the Komodo team in 2016.
