This series of articles, excerpted from the "Security Special Edition 05" co-curated by OKX Web3 and BlockSec, addresses the security concerns faced by DeFi users and DeFi project teams.
Q1 : How do users build monitoring awareness when participating in DeFi
OKX Web3 Wallet Security team : Take whale users as an example, whale mainly refers to individual investors or small team of investment institutions that have a large scale of funds, but usually do not have a very strong security team, and do not have the ability to self-develop security tools. Therefore, so far, most of the whales actually lack sufficient risk awareness, otherwise, they would not have suffered such significant losses.
Due to the risk of huge losses, some whale users have consciously come to rely on a number of publicly available security tools to monitor and sense risk. Now, there are many teams working on monitoring products, but the choice is critical. Here are a few key points:
First, there is the cost of using the tool. Many tools, while very powerful, require programming and are not cheap to use. It is not easy for users to figure out the structure of the contract or even collect the address.
Second, there is precision. No one wants to go to bed at night with several alerts in a row, only to find out that they are false positives. Therefore, accuracy is also critical.
Lastly, it is the security. Especially at this scale of funds, we cannot ignore the various security risks of the tool development and its team. The recent Gala Game attack incident is said to be due to the introduction of an insecure third-party service provider. Therefore, a reliable team and trustworthy products are essential.
So far, many whales have also found us, and we will recommend professional asset management solutions for them, so that whale users can ensure the safety of their funds while also taking into account daily fund management such as "mining, withdrawing, and selling" perceive risks, and even withdraw funds in emergency situations.
Q2 : Security tips for participating in DeFi and handling security risks
BlockSec Security Team : For large fund participants, the primary concern when participating in DeFi protocols is to ensure the safety of their principal, investing only after conducting a thorough study of potential security risks. There are several aspects to consider to ensure the safety of funds:
Firstly, one should make a multi-faceted judgment of the project party's emphasis on and investment in security. This includes whether the project has undergone a thorough security audit, whether the project party has the ability to monitor project security risks and respond automatically, and whether there is a good community governance mechanism. All these can reflect whether the project party places the safety of user funds in an important position and whether it has a highly responsible attitude towards the safety of user funds.
Secondly, large fund participants also need to build their own security monitoring and automatic response systems. In the event of a security incident in the invested protocol, large fund investors should be able to perceive and withdraw funds at the first moment, to salvage losses as much as possible, rather than placing all their hopes on the project party. Observing high-profile attacks on projects like Curve, KyberSwap, and Euler Finance in 2023, it's clear that large investors often miss timely alerts and lack self-sufficient security monitoring and emergency withdrawal systems.
Additionally, investors need to choose good security partners to continue to pay attention to the security of the invested project targets. Any upgrades to the project party's code, important parameter changes, etc., need to be perceived in time and the risks assessed. Such tasks are difficult to accomplish without the participation of a professional security team and tools.
Lastly, it is necessary to protect the security of private keys. For accounts that require frequent trading, it is best to combine online multi-signature and offline private key security solutions to eliminate the single-point risk after the loss of a single address and a single private key.
What should be done if the invested project faces security risks?
It is believed that for any whale and investor, the first reaction to encountering a security incident must be to protect the principal, and the first priority is to withdraw funds as quickly as possible. However, attackers are usually very fast, and manual operations are often too late, so it is best to withdraw funds automatically according to the risk. Currently, our attack monitoring and blocking platform Phalcon can automatically withdraw funds after detecting an attack transaction, helping users to evacuate first.
Secondly, if there is a loss, in addition to learning lessons, it should actively promote the project party to seek the help of security companies to trace and monitor the damaged funds. With the whole Crypto industry's attention to security, the proportion of funds recovered is gradually increasing.
Lastly, for substantial holders, consider engaging security firms to audit your entire investment portfolio for similar vulnerabilities. Many attacks stem from common root causes, as seen with the Compound V2 incident, which had parallels in other projects. Security firms can identify risks across your investments, allowing for prompt communication with project teams or strategic withdrawal if necessary.
OKX Web3 Wallet Security Team : When participating in DeFi projects, users can take a variety of measures to participate in DeFi projects more safely, reduce the risk of fund loss, and enjoy the benefits brought by decentralized finance. We will elaborate from two aspects: the user level and the OKX Web3 Wallet level.
Firstly, for users :
- 1)Choose projects that have been audited: Prioritize projects that have been audited by well-known third-party audit companies (such as ConsenSys Diligence, Trail of Bits, OpenZeppelin, Quantstamp, ABDK), review their public audit reports, and understand potential risks and vulnerability fixes.
- 2)Understand the project background and team: Ensure the project's transparency and credibility by studying the project's white paper, official website, and the background of the development team. Pay attention to the team's activities in social media and development communities to understand their technical strength and community support.
- 3)Diversify investments: Do not invest all funds in a single DeFi project or asset; diversification can reduce risk. Choose multiple different types of DeFi projects, such as lending, DEX, farming, etc., to diversify risk exposure.
- 4)Test with small amounts: Before making large transactions, first make small test transactions to ensure the safety of operations and platforms.
- 5)Regularly monitor accounts and emergency handling: Regularly check your DeFi accounts and assets to detect unusual transactions or activities in a timely manner. Use tools (such as Etherscan) to monitor on-chain transaction records to ensure asset safety. After detecting abnormalities, take emergency measures in time, such as revoking all authorizations of the account, contacting the wallet security team for support, etc.
- 6)Exercise caution with new projects: Maintain a cautious attitude towards projects that have just been launched or are unverified. You can first invest a small amount of funds for testing, observe their operation and security.
- 7)Use mainstream Web3 wallets for transactions: Only use mainstream Web3 wallets to interact with DeFi projects, which provide better security protection.
- 8)Guard against phishing attacks: Be cautious when clicking on unfamiliar links and emails from unknown sources, do not enter private keys or mnemonics on untrusted websites, and ensure that the links you visit are official websites. Use official channels to download wallets and applications to ensure the authenticity of the software.
Secondly, from the perspective of the OKX Web3 Wallet :
We provide many security mechanisms to protect the safety of user funds :
-
1)Risk domain detection: When users access DAPPs, OKX Web3 Wallet will detect and analyze at the domain level. If users access malicious DAPPs, it will intercept or remind them to prevent users from being deceived.
-
2)Honeypot Token Detection: The OKX Web3 Wallet supports comprehensive detection of Honeypot Token, proactively blocking these tokens within the wallet to prevent users from interacting with them.
-
3)Address Tag Library: The OKX Web3 Wallet offers a rich and comprehensive address tag library, which provides timely alerts to users when they interact with suspicious addresses.
-
4)Transaction Pre-Execution: Before any transaction is submitted, the OKX Web3 Wallet simulates the execution of the transaction and displays the changes in assets and authorizations for the user's reference. Users can judge whether the results meet their expectations and decide whether to continue with the transaction based on this information.
-
5)Integration of DeFi Applications: The OKX Web3 Wallet has integrated services from various mainstream DeFi projects, allowing users to confidently interact with these integrated DeFi projects. Additionally, the OKX Web3 Wallet provides path recommendations for DEX, cross-chain bridges, and other DeFi services to offer users the best DeFi services and optimal gas solutions.
-
6)Additional Security Services: The OKX Web3 Wallet is progressively adding more security features and developing advanced security protection services to better and more efficiently ensure the safety of OKX wallet users.
