The radical need for updating blockchain security protocols

Decentralized finance (DeFi) is here to stay, with over $100 billion in total value locked (TVL), clear evidence of the faith investors place in these new financial tools. This investment will continue to increase, but it appears that with each new record in TVL, there is another network attack being reported with astronomical losses.

Crypto crime dropped 57% in 2020, but DeFi hacks surged, costing companies and investors billions of U.S. dollars. In March alone, there were several attacks within just a five-day period, with Paid Network losing $180 million. Later in May, PancakeBunny lost more than $200 million in a flash loan exploit.

It is clear that there are far too many loopholes and hacks in current blockchain security protocols. From rug pulls to phishing scams, the security and technology of this space are not as mature as the numbers make them out to be. But there are critical practices that both developers and users can implement to close this gap.

Decentralized technology is still centralized

No matter how decentralized a protocol claims to be, the underlying structure is still centralized. Consider one of the internet's core features, DNS records: every domain name is still centrally controlled, owned by a government, state or company that has ultimate authority over the domain and could shut it off if it chose to.

An example of centralization within decentralization is smart contracts. Those who write Ethereum or Binance smart contracts have the final say in what's in the code, and there are ways to code nefarious programs, like rug pulls, into smart contracts.

During the yield farming boom of summer 2020, we saw many protocols pop up to profit off of the money pouring into DeFi, and this continued into this year. In March, TurtleDex executed a rug pull, which was effectively a backdoor in the smart contract that resulted in $2.5 million stolen from investors. This intentional feature allows developers to program scams that are then executed depending on other events in the code, and TurtleDex is one of many projects this year that programmed a rug pull.

Smart contract audits are a good way to prevent rug pulls, but even then we see cases where the developers will switch the audited smart contract for an unaudited one. The case of Compounder demonstrates how easy it is for a scam project to gain clout off of known, reputable names in the space. They were able to quickly capitalize on Harvest Finance and Yearn.finance before pulling the rug on their users and walking away with millions of dollars in crypto.

Apart from rug pulls, there are many popular attacks that can cause an entire company to crumble if they are not prepared. A 51% attack — which is when a group of miners controls more than 50% of the network’s mining hash rate, allowing them to exclude or manipulate transaction records to execute double-spends or disrupt a blockchain — is still frequent. Firo and Grin both recently suffered from 51% attacks.

Even some cryptocurrency projects with leading market cap sizes are still not secure. In February, it was reported that 200 days of XVG transactions on the Verge network were erased, effectively being the “deepest reorg that has ever taken place in a top 100 crypto.”

We accept these errors as a part of the blockchain experience, but what would be the reaction if the same thing happened to a major bank, for example? There would likely be a lot more media headlines and uproar from users and clients. These events go largely unnoticed in crypto because there are fewer users, but with the recent bull market, this is changing. Inevitably, more scrutiny will be placed on the security of public blockchains.

Practices to prevent hacks like rug pulls

Unfortunately for developers, hacks are always a possibility while working in crypto. The question is not how to prevent hacks entirely, but how to reduce your chances of getting hacked. Some advancements in hardware wallets — like Gnosis Safe’s multisignature wallet, for example — are key elements to improving overall security.

Using a multisig wallet allows multiple users to hold keys for the same wallet and requires mutual participation to execute actions on the account. Because a wallet like this requires input from multiple users in order to make trades, it is almost impossible to execute rug pulls with this type of vault.

Another security practice to prevent rug pulls is timelocks. Many decentralized apps use timelocks so that if a developer tries to rug pull its users, users get roughly 12 to 24 hours of warning to withdraw their funds before the change takes effect.
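To make the two mechanisms above concrete, here is an added example (not code from the article or from any named project) modelling an admin path that is gated by both a multisig threshold and a timelock: a privileged action such as swapping a vault's strategy can only execute once enough owners have approved it and the delay has elapsed, and anyone watching the queue can compute how long they still have to withdraw. The class and action names are assumptions made for illustration.

```python
"""Multisig-plus-timelock gate for privileged DeFi actions (illustrative model)."""
from dataclasses import dataclass, field
from hashlib import sha256

DEFAULT_DELAY = 24 * 3600  # seconds of warning users get before an admin action lands


@dataclass
class Proposal:
    action: str                                  # e.g. "setStrategy:0x...", constructed
    queued_at: int                               # unix time the proposal entered the queue
    approvals: set = field(default_factory=set)  # owners who signed off


class TimelockedMultisig:
    def __init__(self, owners, threshold, delay=DEFAULT_DELAY):
        if not 0 < threshold <= len(owners):
            raise ValueError("threshold must be between 1 and the owner count")
        self.owners, self.threshold, self.delay = set(owners), threshold, delay
        self.queue, self.executed = {}, []

    def propose(self, owner, action, now):
        """Queue an action; the timelock starts now, so watchers get a warning window."""
        if owner not in self.owners:
            raise PermissionError("not an owner")
        pid = sha256(f"{action}:{now}".encode()).hexdigest()[:16]
        self.queue[pid] = Proposal(action, now, {owner})
        return pid

    def approve(self, owner, pid):
        """A second (or third...) owner co-signs; one key alone can never reach threshold."""
        if owner not in self.owners:
            raise PermissionError("not an owner")
        self.queue[pid].approvals.add(owner)

    def warning_window(self, pid, now):
        """Seconds a user still has to exit before the queued action can execute."""
        return max(0, self.queue[pid].queued_at + self.delay - now)

    def execute(self, pid, now):
        """Both gates must pass: enough approvals AND the delay fully elapsed."""
        p = self.queue[pid]
        if len(p.approvals) < self.threshold:
            raise PermissionError("insufficient approvals")
        if now < p.queued_at + self.delay:
            raise RuntimeError(f"timelocked until {p.queued_at + self.delay}")
        self.executed.append(p.action)
        del self.queue[pid]
        return p.action
```

Monitoring `warning_window` for every queued proposal is the defender's side of this pattern: a surprise change to a vault can only surprise users who were not watching the queue.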

These types of security practices will encourage wider trust in DeFi, and create a culture around security that will advance our industry.

Improving wallet security in crypto

Wallet security ultimately comes down to developers and users implementing smarter practices. Regular security audits and internal security practices can all contribute to safer wallets.

While security audits are a good solution, Uniswap and other automated market maker-based decentralized exchanges (DEXs) are permissionless, therefore it is impossible to perform regular audits. The best practice is to understand the specifics around “fair launch” coins — projects that are launched from a DEX. Although many of these projects are high quality, many have been known to have major exploits. Open-source code makes it easier for anyone to audit by themselves and verify whether the smart contract is safe, giving the users more tools to practice good security.

It may seem like a big feat to ask a user to practice good security, but it is required in order to access the many benefits of cryptocurrencies and, especially, DeFi. With traditional banks, the bank is responsible for security, but in crypto, security comes down to the practices of the developers and users.

If you forget your bank password or send funds to the wrong person, you can contact your bank to dispute the transaction until it is resolved. But in crypto, if you lose your keys or send money to the wrong address, there is no backup option. One of many upsides, of course, is that you don't have to worry about whether your funds are available in crypto, while banks can close their doors and impose capital controls, like what happened in the 2015 Greece banking crisis.

Conclusion

As developers, we need to implement cross-validation and security audits, along with holding each other accountable for continually improving our security practices.

Users should consider carrying out their own security protocols and understand the nuances in storage and potential hacking scenarios. A good practice for passive crypto holders is to have a hardware wallet disconnected from the internet or a paper wallet that is 100% offline and doesn’t require syncing online for any firmware updates.

Phishing attacks, one of the original types of internet hacks, are still common and frequent. The way to combat phishing attempts is to verify that the sender is genuine.

Do not enter your private keys or seed phrases on any website or send them to anyone in public channels or DMs. Generally, you should only enter your seed phrase when you initially set up your wallet. Beyond that, you should only enter your seed phrase if you need to recover your wallet after forgetting your password, need to import an existing wallet to a new device, or are using compatible wallet software. It is generally recommended to use hardware wallet devices that never leak your seed to any kind of software; in many cases, not even a trusted wallet application should be given it.

As we continue to build our new global (mostly) DeFi economy, it is crucial that security is improved so that mainstream adoption and capital can continue to flow into the space, so that the next generation can access new frontiers of financial independence.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Kadan Stadelmann is a blockchain developer, operations security expert and Komodo Platform’s chief technology officer. His experience ranges from working in operations security in the government sector and launching technology startups to application development and cryptography. Kadan started his journey into blockchain technology in 2011 and joined the Komodo team in 2016.