
DeFi Risk Mitigation Guide 04: Security Practices for DeFi Project Team

July 7, 2024

This series of articles, excerpted from the "Security Special Edition 05" co-curated by OKX Web3 and BlockSec, addresses the security concerns faced by DeFi users and DeFi project teams.

Q1: What types of risks do DeFi projects face, and how can they address them?

BlockSec Security Team: DeFi projects face several types of risks, including code security risks, operational security risks, and external dependency risks.

Firstly, code security risks refer to potential vulnerabilities at the code level of DeFi projects. For DeFi projects, smart contracts are the core of their business logic (front-end and back-end processing logic belong to traditional software development and are relatively mature), and they are the focus of our attention and discussion, including:

  • 1) Firstly, from a development perspective, it is necessary to follow recognized smart contract security development practices in the industry, such as the Checks-Effects-Interactions pattern used to prevent reentrancy vulnerabilities; also, common functionalities should be implemented using reliable third-party libraries to avoid the unknown risks of reinventing the wheel.
  • 2) Secondly, thorough internal testing is essential. Testing is an important part of software development that helps discover many issues. However, for DeFi projects, local testing alone is not sufficient to expose problems; further testing is needed in an environment close to actual deployment.
  • 3) Lastly, after testing is completed, engage reputable third-party audit services. Although audits cannot guarantee 100% absence of issues, systematic audits can greatly help project teams identify common security issues, which are often areas that developers are not familiar with or find difficult to reach due to different ways of thinking. Of course, since audit firms vary in expertise and focus, if the budget allows, it is recommended to involve two or more audit firms in practice.

Secondly, operational security risks arise post-launch and encompass both potential, undetected code vulnerabilities—even after rigorous development, testing, and auditing—as well as post-deployment challenges like private key leaks and misconfigured system parameters. These can result in severe outcomes and substantial losses. Recommended strategies to mitigate these risks include:

  • 1) Establish a robust private key management system, such as reliable hardware wallets or MPC-based wallet solutions.
  • 2) Monitor the operational status in real time to detect privileged operations and the security status of the project.
  • 3) Build an automated response mechanism for risks, such as using BlockSec Phalcon, which can automatically implement blocking when an attack is encountered to prevent further losses.
  • 4) Avoid single-point risks in privileged operations, such as using the multisig wallet Safe{Wallet} for executing privileged operations.

Thirdly, external dependency risks refer to the risks brought by the project's external dependencies, such as relying on price oracles provided by other DeFi protocols: if the oracle has issues, it leads to incorrect price calculations. Recommendations for addressing external dependency risks include:

  • 1) Choose reliable external partners, such as recognized top-tier protocols in the industry.
  • 2) Monitor the operational status, similar to operational security risks, but the monitoring target here is external dependencies.
  • 3) Build an automated response mechanism for risks, similar to operational security risks, but the response methods may differ, such as switching to backup dependencies instead of directly pausing the entire protocol.

In addition, for project parties wishing to build monitoring capabilities, we also offer some monitoring advice:

  • 1) Set monitoring points accurately: Determine which key states (variables) of the protocol need monitoring and where to monitor, which is the first step in building monitoring capabilities. However, it is difficult to cover all monitoring points comprehensively, especially in attack monitoring; it is recommended to use an external professional third-party attack detection engine that has been tested in real

BlockSec Phalcon is the world’s only attack monitoring and blocking platform with a proven track record. It has saved over $20 million worth of assets in more than 20 whitehat hacker rescues.

  • 2) Ensure the precision and timeliness of monitoring: The precision of monitoring means having minimal false positives (FP) and false negatives (FN). A monitoring system lacking accuracy is essentially unusable; timeliness is a prerequisite for response (for example, whether it can detect before a suspicious contract is deployed or before an attack transaction is put on the chain), otherwise it can only be used for post-event analysis, which requires high performance and stability from the monitoring system.
  • 3) An automated response capability is needed: Based on accurate and real-time monitoring, an automated response can be constructed, including pausing the protocol to block attacks, etc. A customizable and reliable automated response framework is needed here to support flexible customization of response strategies according to the project party's needs and to trigger execution automatically.

In general, the construction of monitoring capabilities requires the participation of professional external security vendors.
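As an added illustration of the Checks-Effects-Interactions point in the answer above (example code written for this page, not BlockSec's or OKX's own; the Vault contract is hypothetical), the unsafe ordering is shown beside the safe one:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical ETH vault used to contrast the two orderings. Both withdraw
// functions perform the same three steps; only the order differs.
contract Vault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // VULNERABLE ordering (kept to show the bug): the external call
    // (Interaction) runs before the balance is cleared (Effect). A contract
    // receiving the ETH can re-enter from its receive() hook while
    // balances[msg.sender] still holds the old value, so the Check passes
    // again. Solidity 0.8's checked arithmetic does not help here: assigning
    // zero never underflows, so each re-entrant frame pays the stale balance.
    function withdrawAllUnsafe() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");        // Check
        (bool ok, ) = msg.sender.call{value: amount}("");  // Interaction
        require(ok, "transfer failed");
        balances[msg.sender] = 0;                          // Effect, too late
    }

    // Checks-Effects-Interactions ordering: state is updated before control
    // leaves the contract, so a re-entrant call fails the Check because the
    // balance is already zero.
    function withdrawAll() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");        // Check
        balances[msg.sender] = 0;                          // Effect
        (bool ok, ) = msg.sender.call{value: amount}("");  // Interaction
        require(ok, "transfer failed");
    }
}
```

Pairing this ordering with OpenZeppelin's ReentrancyGuard (`nonReentrant` modifier) is the kind of reliable third-party library the answer recommends over a home-grown lock.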
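An added example (not from the original piece) of the two response styles the answer distinguishes: a one-way pause that an automated monitor's key can trigger when the protocol itself is attacked, and a switch to a backup oracle when an external dependency fails. The IPriceFeed interface, the GuardedConsumer contract and the thresholds are assumptions made for this page:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical feed interface assumed for this example, not a provider's real ABI.
interface IPriceFeed {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

contract GuardedConsumer {
    address public immutable owner;      // intended to be a multisig (e.g. Safe{Wallet})
    address public immutable responder;  // key held by the automated monitoring engine
    IPriceFeed public immutable primary;
    IPriceFeed public immutable backup;
    bool public paused;
    uint256 public constant MAX_AGE = 1 hours;        // staleness bound per feed
    uint256 public constant MAX_DEVIATION_BPS = 500;  // 5% tolerated between feeds
    event Paused(address indexed by);

    constructor(address _responder, IPriceFeed _primary, IPriceFeed _backup) {
        owner = msg.sender; responder = _responder; primary = _primary; backup = _backup;
    }

    // Response to an attack on the protocol itself: the monitor's key may only
    // pause (a safe, one-way action); resuming requires the owner multisig.
    function pause() external {
        require(msg.sender == responder || msg.sender == owner, "not allowed");
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external { require(msg.sender == owner, "not owner"); paused = false; }

    // Response to an external dependency failure: switch to the backup feed
    // when the primary is stale or empty, instead of halting the whole protocol.
    function price() external view returns (uint256 p, bool usedBackup) {
        require(!paused, "paused");
        (uint256 pp, uint256 pt) = primary.latestPrice();
        (uint256 bp, uint256 bt) = backup.latestPrice();
        bool primaryOk = pp != 0 && block.timestamp - pt <= MAX_AGE;
        bool backupOk = bp != 0 && block.timestamp - bt <= MAX_AGE;
        if (primaryOk && backupOk) {
            // Two live feeds that disagree sharply suggest one is manipulated;
            // refuse to price rather than guess which one is right.
            uint256 diff = pp > bp ? pp - bp : bp - pp;
            require(diff * 10_000 <= bp * MAX_DEVIATION_BPS, "feeds diverge");
            return (pp, false);
        }
        if (primaryOk) return (pp, false);   // backup down, primary healthy
        require(backupOk, "no usable feed");
        return (bp, true);
    }
}
```

The Paused event and the responder address are exactly the privileged state a monitoring point should watch, per the advice above.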

OKX Web3 Wallet Security Team: DeFi project teams face a variety of risks, mainly including the following categories:

  • 1) Technical risks: Mainly include smart contract vulnerabilities and cyber attacks. Protection measures include adopting secure development practices, hiring professional third-party audit companies for comprehensive smart contract audits, setting up bug bounty programs to encourage white-hat hackers to discover vulnerabilities, and isolating assets to improve the security of funds.
  • 2) Market risks: Mainly include price fluctuations, liquidity risks, market manipulation, and composability risks. Protection measures include using stablecoins and risk hedging to guard against price fluctuations; utilizing liquidity mining and dynamic fee mechanisms to address liquidity risks; strictly reviewing the types of assets supported by DeFi protocols and using decentralized oracles to prevent market manipulation; and continuously innovating and optimizing protocol functions to address competitive risks.
  • 3) Operational risks: Mainly include human error and governance mechanism risks. Protection measures include establishing strict internal controls and operational processes to reduce human errors; using automated tools to improve operational efficiency; and designing robust governance mechanisms to balance decentralization and security, such as introducing voting delays and multi-signature mechanisms. Also, monitor the projects that have gone live and have emergency plans in place to take immediate action and minimize losses in case of anomalies.
  • 4) Regulatory risks: Mainly include legal compliance requirements and Anti-Money Laundering (AML) / Know Your Customer (KYC) obligations. Protection measures include hiring legal advisors to ensure the project complies with legal and regulatory requirements, establishing transparent compliance policies, and actively implementing AML and KYC measures to enhance trust with users and regulatory authorities.

Q2: How should DeFi projects evaluate and select a reputable audit firm?

BlockSec Security Team: Here are some simple standards for reference:

  • 1) Have they audited well-known projects: This indicates that the audit company is recognized by these well-known projects.
  • 2) Have the audited projects been attacked: Although theoretically an audit cannot guarantee 100% security, practical experience shows that most projects audited by reputable audit companies have not been attacked.
  • 3) Assess audit quality via historical reports: The audit report is an important sign of the professionalism of the audit company, especially when the same audit project and the same audit scope can be compared. The focus should be on the quality (severity) and quantity of vulnerabilities found, and whether the findings are usually accepted by the project party.
  • 4) Professional personnel: The composition of the audit company's personnel, including their education and professional background, systematic education, and experience in the industry, is very helpful in ensuring the quality of the audit.