DeFi Risk Mitigation Guide 04: Security Practices for DeFi Project Team

This part introduces how DeFi project teams can conduct thorough audits, adopt multi-signature wallets, establish bug bounty programs, and communicate transparently with the community to ensure the security of the platform.


This series of articles, excerpted from the "Security Special Edition 05" co-curated by OKX Web3 and BlockSec, addresses the security concerns faced by DeFi users and DeFi project teams.

Q1: What types of risks do DeFi projects face, and how can they address them?

BlockSec Security Team: DeFi projects face several types of risks, including code security risks, operational security risks, and external dependency risks.

Firstly, code security risks refer to potential vulnerabilities at the code level of DeFi projects. For DeFi projects, smart contracts are the core of the business logic (front-end and back-end processing logic belong to traditional software development and are relatively mature), so they are the focus of our attention and discussion, including:

  • 1) Firstly, from a development perspective, it is necessary to follow the smart contract security development practices recognized in the industry, such as the Checks-Effects-Interactions pattern used to prevent reentrancy vulnerabilities; also, common functionality should be implemented using reliable third-party libraries to avoid the unknown risks of reinventing the wheel.
  • 2) Secondly, thorough internal testing is essential. Testing is an important part of software development that helps discover many issues. However, for DeFi projects, local testing alone is not sufficient to expose problems; further testing is needed in an environment close to the actual deployment, which can be facilitated using tools like Phalcon Fork.
  • 3) Lastly, after testing is completed, engage reputable third-party audit services. Although audits cannot guarantee the 100% absence of issues, systematic audits greatly help project teams identify common security issues, which are often in areas that developers are not familiar with or find difficult to reach due to a different way of thinking. Of course, since audit firms vary in expertise and focus, if the budget allows, it is recommended in practice to involve two or more audit firms.

Secondly, operational security risks arise after launch and encompass both potential undetected code vulnerabilities (which may remain even after rigorous development, testing, and auditing) and post-deployment challenges such as private key leaks and misconfigured system parameters. These can result in severe outcomes and substantial losses. Recommended strategies to mitigate these risks include:

  • 1) Establish a robust private key management system, such as reliable hardware wallets or MPC-based wallet solutions.
  • 2) Monitor the operational status in real time to detect privileged operations and track the security status of the project.
  • 3) Build an automated response mechanism for risks, such as BlockSec Phalcon, which can automatically block an attack when one is encountered to prevent further losses.
  • 4) Avoid single-point risks in privileged operations, for example by using a multisig wallet such as Safe{Wallet} to execute privileged operations.

Thirdly, external dependency risks refer to the risks brought by the project's external dependencies, such as relying on price oracles provided by other DeFi protocols: if the oracle has issues, it leads to incorrect price calculations. Recommendations for addressing external dependency risks include:

  • 1) Choose reliable external partners, such as recognized top-tier protocols in the industry.
  • 2) Monitor the operational status, similar to operational security risks, but here the monitoring target is the external dependencies.
  • 3) Build an automated response mechanism for risks, similar to operational security risks, but the response methods may differ, such as switching to backup dependencies instead of directly pausing the entire protocol.

In addition, for project teams wishing to build monitoring capabilities, we also offer some monitoring advice:

  • 1) Set monitoring points accurately: Determine which key states (variables) of the protocol need monitoring and where to monitor them; this is the first step in building monitoring capabilities. However, it is difficult to cover all monitoring points comprehensively, especially for attack monitoring, so it is recommended to use an external professional third-party attack detection engine that has been tested in real

  • 2) Ensure the precision and timeliness of monitoring: Precision means minimal false positives (FP) and false negatives (FN); a monitoring system lacking accuracy is essentially unusable. Timeliness is a prerequisite for response (for example, whether an attack can be detected before the suspicious contract is deployed or before the attack transaction is put on the chain); otherwise the system can only be used for post-event analysis. This requires high performance and stability from the monitoring system.
  • 3) Automated response capability is needed: On the basis of accurate and real-time monitoring, an automated response can be constructed, including pausing the protocol to block attacks. A customizable and reliable automated response framework is needed here to support flexible customization of response strategies according to the project team's needs and to trigger execution automatically.

In general, the construction of monitoring capabilities requires the participation of professional external security vendors.
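The Checks-Effects-Interactions point in the BlockSec answer above, worked through as an added example. This is illustrative Python written for this page, not BlockSec's or OKX's code and not a Solidity listing: a vault whose `withdraw` makes an external call is modelled with the recipient's `receive` callback standing in for a contract's fallback function, and `VulnerableVault`, `HardenedVault`, `Attacker` and `run_attack` are hypothetical names chosen here. The only difference between the two vaults is the order of the effect (balance update) and the interaction (payment).

```python
"""Added example: the Checks-Effects-Interactions (CEI) pattern modelled in Python.

An external call from a contract hands control to the callee; here the callee is
an object whose receive() stands in for a contract's fallback function.  The two
vaults differ only in whether the effect (zeroing the balance) happens before or
after the interaction (the payment), which is exactly what CEI prescribes.
"""


class VulnerableVault:
    """Check -> Interaction -> Effect: the caller's balance is zeroed only after
    the external call, so the callee can re-enter withdraw() and pass the check."""

    def __init__(self):
        self.balances = {}   # depositor object -> credited amount
        self.eth = 0         # total funds actually held by the contract

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.eth < amount:   # Checks
            raise ValueError("withdraw rejected")
        self.eth -= amount
        who.receive(self, amount)              # Interaction (external call)
        self.balances[who] = 0                 # Effect, applied too late


class HardenedVault(VulnerableVault):
    """Check -> Effect -> Interaction: the balance is zeroed before control
    leaves the contract, so a re-entrant call fails the check."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.eth < amount:   # Checks
            raise ValueError("withdraw rejected")
        self.balances[who] = 0                 # Effect first
        self.eth -= amount
        who.receive(self, amount)              # Interaction last


class Honest:
    """A depositor whose payment callback does nothing but record the funds."""

    def __init__(self):
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount


class Attacker:
    """Re-enters withdraw() from the payment callback, as a malicious fallback
    function would, for as long as the vault can still pay out the stake."""

    def __init__(self, stake):
        self.stake = stake
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if vault.eth >= self.stake:
            try:
                vault.withdraw(self)
            except ValueError:
                # The hardened vault rejects the re-entry; swallow the failure
                # the way a try/catch in the attacker's fallback would.
                pass


def run_attack(vault_cls, honest_deposit=10, attacker_stake=1):
    """Deposit honest funds and the attacker's stake, then let the attacker
    withdraw once.  Returns (attacker_received, funds_left_in_vault)."""
    vault = vault_cls()
    honest, attacker = Honest(), Attacker(attacker_stake)
    vault.deposit(honest, honest_deposit)
    vault.deposit(attacker, attacker_stake)
    vault.withdraw(attacker)
    return attacker.received, vault.eth


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableVault))   # (11, 0): vault drained
    print("hardened:  ", run_attack(HardenedVault))     # (1, 10): only the stake
```

With the vulnerable ordering the attacker who staked 1 walks away with 11 and the vault holds 0: every re-entrant call sees the same unzeroed balance. With the CEI ordering the re-entrant call fails the check and the attacker receives exactly the 1 it deposited. A reentrancy guard (mutex) is the complementary defence for cases where the call order cannot be arranged.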

OKX Web3 Wallet Security Team: DeFi project teams face a variety of risks, mainly including the following categories:

  • 1) Technical risks: Mainly include smart contract vulnerabilities and cyber attacks. Protection measures include adopting secure development practices, hiring professional third-party audit companies for comprehensive smart contract audits, setting up bug bounty programs to encourage white-hat hackers to discover vulnerabilities, and isolating assets to improve the security of funds.
  • 2) Market risks: Mainly include price fluctuations, liquidity risks, market manipulation, and composability risks. Protection measures include using stablecoins and risk hedging to guard against price fluctuations; utilizing liquidity mining and dynamic fee mechanisms to address liquidity risks; strictly reviewing the types of assets supported by DeFi protocols and using decentralized oracles to prevent market manipulation; and continuously innovating and optimizing protocol functions to address competitive risks.
  • 3) Operational risks: Mainly include human error and governance mechanism risks. Protection measures include establishing strict internal controls and operational processes to reduce human errors; using automated tools to improve operational efficiency; and designing robust governance mechanisms to balance decentralization and security, such as introducing voting delays and multi-signature mechanisms. Also, monitor the projects that have gone live and have emergency plans in place to take immediate action and minimize losses in case of anomalies.
  • 4) Regulatory risks: Mainly include legal compliance requirements and Anti-Money Laundering (AML) / Know Your Customer (KYC) obligations. Protection measures include hiring legal advisors to ensure the project complies with legal and regulatory requirements, establishing transparent compliance policies, and actively implementing AML and KYC measures to enhance trust with users and regulatory authorities.
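The monitoring advice in the BlockSec answer (choose the key states to watch, keep detection precise, attach an automated response to each rule) and the OKX point about monitoring live projects with an emergency plan, as one added example. This is illustrative Python written for this page, not Phalcon or any vendor's engine; the rules, the thresholds (20% of TVL per withdrawal, 5% oracle deviation), the addresses and the event stream are constructed sample data, and `ProtocolState`, `run_monitor` and `evaluate` are hypothetical names. It also shows the distinction the text draws for external dependencies: an oracle deviation switches to the backup feed instead of pausing the whole protocol. `evaluate` counts false positives and false negatives against labels attached to the sample events, which is how a team would measure the precision the text calls for before wiring a rule to an automatic pause.

```python
"""Added example: a minimal monitoring and automated-response loop for a DeFi
protocol, run over a constructed event stream.  Each rule watches one key state
and maps to a pre-approved response; internal anomalies pause the protocol,
a failing external dependency (the price oracle) is swapped for a backup.
"""
from dataclasses import dataclass


@dataclass
class ProtocolState:
    tvl: float                   # total value locked (key state #1)
    owner: str                   # address that should be the multisig (key state #2)
    primary_price: float         # external dependency: primary oracle feed
    backup_price: float          # external dependency: backup oracle feed
    active_oracle: str = "primary"
    paused: bool = False


# Hypothetical thresholds chosen for this example; real values need tuning.
MAX_WITHDRAW_SHARE = 0.20     # one withdrawal above 20% of TVL is suspicious
MAX_ORACLE_DEVIATION = 0.05   # primary and backup feeds may differ by at most 5%

# Constructed sample events with ground-truth labels (addresses are made up).
SAMPLE_EVENTS = [
    {"block": 100, "type": "withdraw", "amount": 5.0, "malicious": False},
    {"block": 101, "type": "oracle_update", "source": "backup", "price": 2010.0, "malicious": False},
    {"block": 102, "type": "oracle_update", "source": "primary", "price": 1500.0, "malicious": True},
    {"block": 103, "type": "set_owner", "by": "0xMULTISIG", "new_owner": "0xMULTISIG", "malicious": False},
    {"block": 104, "type": "withdraw", "amount": 250.0, "malicious": False},   # legitimate whale exit
    {"block": 105, "type": "withdraw", "amount": 400.0, "malicious": True},    # drain attempt
    {"block": 106, "type": "set_owner", "by": "0xATTACKER", "new_owner": "0xATTACKER", "malicious": True},
]


def rule_large_withdrawal(state, ev):
    """Internal-risk rule: a single withdrawal that removes a large share of TVL."""
    if ev["type"] == "withdraw" and ev["amount"] > MAX_WITHDRAW_SHARE * state.tvl:
        return "pause"
    return None


def rule_privileged_op(state, ev):
    """Operational-risk rule: an ownership change not sent by the multisig."""
    if ev["type"] == "set_owner" and ev["by"] != state.owner:
        return "pause"
    return None


def rule_oracle_deviation(state, ev):
    """External-dependency rule: the primary feed drifts away from the backup."""
    if ev["type"] != "oracle_update":
        return None
    prices = {"primary": state.primary_price, "backup": state.backup_price}
    prices[ev["source"]] = ev["price"]
    deviation = abs(prices["primary"] - prices["backup"]) / prices["backup"]
    if deviation > MAX_ORACLE_DEVIATION and state.active_oracle == "primary":
        return "switch_oracle"    # degrade to the backup feed, do not pause
    return None


RULES = [("large_withdrawal", rule_large_withdrawal),
         ("privileged_op", rule_privileged_op),
         ("oracle_deviation", rule_oracle_deviation)]


def respond(state, action):
    """Automated response: each action is pre-approved and needs no human in the loop."""
    if action == "pause":
        state.paused = True
    elif action == "switch_oracle":
        state.active_oracle = "backup"


def apply_event(state, ev):
    """Replay the on-chain effect of the event on the monitored state."""
    if ev["type"] == "withdraw":
        state.tvl -= ev["amount"]
    elif ev["type"] == "set_owner":
        state.owner = ev["new_owner"]
    elif ev["type"] == "oracle_update":
        setattr(state, f'{ev["source"]}_price', ev["price"])


def run_monitor(events, state):
    """Evaluate every rule against each event before its effect is applied, fire
    the mapped response, then replay the event.  Returns (alerts, state)."""
    alerts = []
    for ev in events:
        for name, rule in RULES:
            action = rule(state, ev)
            if action:
                alerts.append((ev["block"], name, action))
                respond(state, action)
        apply_event(state, ev)
    return alerts, state


def evaluate(alerts, events):
    """Precision check: true/false positives and false negatives against labels."""
    alerted = {block for block, _, _ in alerts}
    tp = sum(1 for e in events if e["malicious"] and e["block"] in alerted)
    fp = sum(1 for e in events if not e["malicious"] and e["block"] in alerted)
    fn = sum(1 for e in events if e["malicious"] and e["block"] not in alerted)
    return {"tp": tp, "fp": fp, "fn": fn}


def initial_state():
    return ProtocolState(tvl=1000.0, owner="0xMULTISIG", primary_price=2000.0, backup_price=2000.0)


if __name__ == "__main__":
    alerts, state = run_monitor(SAMPLE_EVENTS, initial_state())
    for alert in alerts:
        print(alert)
    print(evaluate(alerts, SAMPLE_EVENTS), "paused:", state.paused, "oracle:", state.active_oracle)
```

Running it yields four alerts: the manipulated primary feed at block 102 (switch_oracle), the 250-unit whale exit at block 104 (pause), the 400-unit drain at block 105 (pause) and the unauthorized ownership change at block 106 (pause). The whale exit is labelled benign, so `evaluate` reports tp=3, fp=1, fn=0: that single false positive paused the protocol for a legitimate user, which is the cost of an imprecise rule and why thresholds must be tuned on historical data before an automatic pause is wired to them.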

Q2 : How should DeFi projects evaluate and select a reputable audit firm?

BlockSec Security Team: Here are some simple criteria for reference:

  • 1) Have they audited well-known projects: This indicates that the audit company is recognized by these well-known projects.
  • 2) Have the audited projects been attacked: Although, theoretically, an audit cannot guarantee 100% security, practical experience shows that most projects audited by reputable audit companies have not been attacked.
  • 3) Assess audit quality via historical reports: The audit report is an important sign of the professionalism of the audit company, especially when reports for the same audited project and the same audit scope can be compared. The focus should be on the quality (severity) and quantity of vulnerabilities found, and whether the findings are usually accepted by the project team.
  • 4) Professional personnel: The composition of the audit company's personnel, including their educational and professional background, systematic training, and experience in the industry, is very helpful in ensuring the quality of the audit.