DeFi Security Risks

Risk is in every layer of the tech stack!

• Network Layer
  • DDoS attacks etc.
• Blockchain Layer
  • Sybil attacks
  • MEV
• Smart Contract Layer
  • Malicious code
  • Bug exploits
• Interface Layer
  • Oracle attacks
  • Malicious plug-ins (e.g., malicious wallet installation etc.)

Known Smart Contract Vulnerabilities

• Re-entrancy
• Insecure arithmetic
• Unexpected ETH flows (force feeding)
• Unprivileged access/writes
• Etc...

Re-entrancy - The DAO hack

Re-entrancy - The DAO hack

fallback() with "evil" logic

The DAO

withdraw

send

receive() is missing!

• Hacker calls withdraw
• The DAO sends ETH
• No receive()
  • Do fallback()
  • fallback  takes ETH and calls withdraw()
  • First withdraw is still running!!!
  • Nested loop and balance never updates

It's happened before

Unprivileged Writes - The Parity Wallet hack

DeFi Exploits 

Smart Contract Scams

• Too many to enumerate here
  • SetApproveForAll -> "I give you access to my digital assets to move around"
    • OK for NFT marketplaces and maybe DEX.
    • NOT OK if you don't trust the URL (see "Uniswap phishing attack")
  • SendEth -> Well..."Send your ETH to X address"
    • OK, but what if it's invoked when you try to "mint" an NFT?? 
  • Hidden "disable transfer" functions
    • Cannot sell token (Squid token)
  • Buy/Sell taxes
    • Scammer can change tax from 5% to 99% for all holders except owner
    • Slippage threshold makes all transactions fail
• Scammers think of new tricks every time a trick becomes "known"
  • Honeypots!!

Solutions?

Some options