An ultimate list of security practices for DeFi protocols to ensure user safety.
| Categorisation | Link |
|---|---|
| Threat Modeling | Inspect |
| Smart Contract Audits | Inspect |
| Bug Bounty Programs | Inspect |
| Suspicious Activity Tracking | Inspect |
| DeFi Risk Insurance | Inspect |
| Audit Contests | Inspect |
| Formal Verification | Inspect |
| Economic Security | Inspect |
| Risk Score | Inspect |
| Lessons Learned | Inspect |
| Potenial Perfection | Inspect |
| Contributing | Inspect |
| Feedback | Inspect |
| Connect With Me | Inspect |
Threat modeling goal is to identify, communicate, and understand threats and mitigations within the context of protecting something of value. Activity usually carried out at an early stage of the project to detect potential vulnerabilities and prevent them before they arise. The process involves specialists from various areas to have the broadest possible perspective. It is based on evil brainstorming over any component of the project or its entire architecture at a high level of abstraction.
A smart contract audit is a detailed methodical examination of the code used to interact with the blockchain. Smart contract security audits are essential to eliminating security vulnerabilities that could have arisen during the development process and could cause potential exploits, putting user funds at risk. Regular security audits are essential to eradicate vulnerabilities during the product life cycle. A security audit must be performed post-development and before the main net deployment of a new version of the smart contract. Ex- V1, V2 and V3.
- CertiK
- ChainSecurity
- Composable Security
- ConsenSys Diligence
- Dedaub
- Hacken
- Halborn Security
- OpenZeppelin
- Quantstamp
- Runtime Verification
- Sherlock
- Trail of Bits
- Zellic
Bug bounty programs act as a line of defence between organisations and threat actors that are actively looking to exploit vulnerabilities in smart contracts and steal stored funds. Organisations operating bug bounty programs pay for the submitted bugs.
It is crucial to have an active bug bounty program as it stamps out the bugs missed during the audit phase. Since bug bounty programs are open-source (unlike an audit), they invite more eyes to your code, subsequentially decreasing the probability of a vulnerability in the code, therefore securing the smart contract from external threats at a greater level.
On-chain activity tracking bots are used to detect mission-critical actions, or state changes (malicious transactions) in smart contracts, such as external function call, and re-entrancy calls and alert teams through custom notifications to take necessary action on time.
Much like any traditional insurance that protects insurance holders from certain damage, DeFi insurance protects users from hacks & exploits, private key compromises or any security incident by purchasing a premium. DeFi risk cover could be purchased by projects as well as end-users. In case of a security incident, projects can benefit from the insurance policy to strengthen their infrastructure or reimburse the affected users. Users can receive their hack compensation if they own DeFi risk insurance.
DeFi insurance is the solution to crypto's hacks & exploits problems.
Many eyes, make a better audit. More is better. Audits contests/peer code review is an invaluable way to secure your smart contracts from potential threats. It ensures bugs overlooked by audit firms during a security audit get reported.
Formal verification is a method used to prove the correctness of a design and demonstrate the root cause of an error by rigorous mathematical procedures. Formal verification can help verify the correctness of systems such as cryptographic protocols. It is performed mathematically to avoid any cryptographic vulnerabilities in the source code. In formal verification, one writes a specification (you define what is right in terms of context and what’s wrong) to expose a bug.
It differs from a security audit as it focuses on the mathematical logic of the smart contract code and can reliably find complex bugs that auditing firms tend to miss.
Maximum capital efficiency, reduced risk solution. Economic security is a solution that focuses on the financial model of the DeFi projects. It ensures protocols are tested extensively on financial security and helps developers understand how decisions about security, governance, and consensus mechanisms are likely to affect network activity and asset value.
Evaluating your smart contracts across factors including technicals and non-technicals is a prominent security measure to treat obstacles in the progress of your smart contracts. Such inspections are convenient to boost investor confidence in your application.
-
Following multiple security practices in DeFi protocols is imperative to protect user-locked funds from hacks and exploits.
-
Relying on a single security practice can cause a single point of failure in case of a security incident. Multiple security practices should be followed to hedge one's bets against potential exploits.
-
It is worth noting that most of the exploited smart contracts are either not audited or do not have etiquette security practices to safeguard assets.
Blockchain hackers stole $4.32 Billion in 123 attacks.
- $2B were lost to crypto hacks and exploits.
- Source
- More than $3.8B have been lost to crypto hackers. A 695% increase from the previous year (same quarter)
- Source
- ~$2B have been lost to crypto hacks and exploits.
- Source
It is important to note that nearly all the hacks that occurred were post-audit hacks. Hence, it is beneficial to have multiple security practices in place to eliminate security risks.
Compound Finance, an autonomous algorithmic marketplace to borrow and lend cryptocurrencies is a top performer in DeFi security practices, having multiple security audits from leading auditing firms, a bug bounty program, formal verification and an economic security audit.
MakerDAO, a lending protocol on the Ethereum blockchain, with its stablecoin DAI, holds a top-performing position with multiple security practices.
If you don’t invest in the security of your application, you have to pay one way or another.
Contributions are always welcome!
Please open a pull request with the necessary changes to commit changes to the official repository.
If you found the list helpful, please consider sharing it with others. If you have any feedback, please reach out to me on Twitter.
The legitimacy of this study has been verified by:
Thanks to the incredible people who helped frame this study.
- Razzor
- ehildenb#2510
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent