Understanding Cybersecurity Management in Decentralized Finance: Decentralized Finance Challenges and Issues (Article 5)
Author: Gurdip Kaur, PhD, CySA, CISSP
Decentralized finance (DeFi) eliminates the need for human intervention, which increases liquidity in the market and facilitates financial transactions. The growing popularity of decentralized finance has drawn attention to the security challenges and issues it faces. This article provides a comprehensive outline of the security pitfalls in decentralized finance.
This is the last article in the Understanding Cybersecurity Management in Decentralized Finance series, which aims to explore a range of cybersecurity issues in decentralized finance.
Challenges and Issues
There are several general security issues related to the coding practices followed by developers. Some examples include common coding mistakes, misuse of third-party protocols, and business logic errors. Previous studies on DeFi have identified financial risk, technical risk, and technical optimization as the major categories of risk in DeFi. Figure 1 summarizes a non-exhaustive list of pressing security challenges and issues identified in DeFi. The major categories are programming issues, cyber-attacks on DeFi, dependency among transactions, and liquidity.

Figure 1: Challenges and issues in Decentralized Finance
1. Programming
Programming issues relate to smart contracts and ineffective coding practices. Some programming challenges cause no issue now but can be exploited by attackers in the future to launch severe cyber-attacks.
- Arithmetic Bugs: Arithmetic bugs are a type of integer bug that occurs because of the various arithmetic operations performed in smart contracts. Arithmetic bugs allow a malicious user to steal Ether or modify the execution path of a smart contract. A common example of an arithmetic bug is a mathematical operation performed on an unbounded integer. Other situations that lead to arithmetic bugs include integer overflow, underflow, and modulo zero or division by zero.
- Weak Random Number Generator: One reason for generating random numbers in smart contracts is to decide a winner. In a public, deterministic environment such as Ethereum, it is difficult to generate a random number, and Solidity contracts that attempt it often do so in flawed ways.
- Vulnerable Libraries: Libraries provide functionality that can be reused in other smart contracts, and a single library can be used by many client contracts. A client contract interacts with the library, and the corresponding code is executed in the context of the calling client contract. Although libraries provide a clear benefit by sharing functionality among smart contracts, there is a security issue associated with them. If a library is vulnerable and is shared or called by multiple smart contracts, the vulnerability becomes inherent in all the calling client contracts. If the vulnerability is detected or exploited, there is no way to patch it by re-deploying to the same address. Further, many client contracts do not possess any versioning functionality, which means an existing library cannot be updated to a new version to fix the vulnerable code.
- Exceptions: Unhandled exceptions occur in different ways. Exception handling is an area of concern because errors do not necessarily propagate across the call stack; whether they do depends on specifics of the target function. Exceptions can arise anywhere in a contract, for example inside a loop or a function. An exception raised by an external call inside a loop can lead to a denial-of-service attack when the external party controls whether that call fails.
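An example added here (not code from the article) of the underflow described under Arithmetic Bugs, with a checked version beside it. Contract names are hypothetical; the unchecked block reproduces the silent wrap-around that was the default before Solidity 0.8.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable: the subtraction runs in an unchecked block, which reproduces
// the silent wrap-around that every compiler before 0.8 had by default.
// A caller with balance 0 who withdraws 1 wei is left with a balance of
// 2**256 - 1 and can then drain the contract.
contract WrappingVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        unchecked { balances[msg.sender] -= amount; } // underflows silently
        payable(msg.sender).transfer(amount);
    }
}

// Hardened: an explicit bound check gives a clear error, and the checked
// arithmetic that 0.8 enables by default reverts on any overflow or
// underflow that slips past it.
contract CheckedVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value; // reverts if the sum overflows
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        payable(msg.sender).transfer(amount);
    }

    // Division and modulo by zero also revert; when the divisor comes from
    // the caller, reject it up front so the failure is explicit.
    function splitEvenly(uint256 total, uint256 parts) external pure returns (uint256) {
        require(parts != 0, "parts must be non-zero");
        return total / parts;
    }
}
```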
2. Cyber-Attacks
Cyber-attacks are very common in decentralized finance. DeFi lost USD 1.8 billion to cyber-attacks in 2021. A total of 65 events were observed, and 90% of the losses resulted from unsophisticated attacks. Surprisingly, 51% of the attacks witnessed by DeFi in 2021 targeted smart contract bugs. Assets worth over USD 500 million were stolen in the last year because of cyber-attacks.
- Re-entrancy Attack: Re-entrancy attacks are among the most severe and effective attack vectors against smart contracts. In such an attack, a contract calls another contract, which calls back into the calling contract. All these actions are executed in a single transaction. Interestingly, the other contract called by the original contract is external to the blockchain.
- Denial of Service Attack: A denial of service (DoS) attack prevents legitimate users from using a smart contract permanently or for a certain period. In a blockchain, DoS attacks are of three types: unexpected revert, block gas limit, and block stuffing. In an unexpected revert attack, a smart contract allows a bidder to make a bid and, as soon as a higher bid is available, refunds the amount to the previous bidder. The attack exploits the smart contract by reverting unexpectedly on receiving a higher bid. This vulnerability exists because of inadequate exception handling for conditional and iteration statements. In a block gas limit attack, the transaction requires more gas than the maximum available limit, resulting in transaction failure. If such a transaction fails, especially while a refund is in progress, execution stops and refunds are blocked. Thus, the refunds get stuck forever. A malicious miner can create this situation with a simple for loop that keeps incrementing a variable without checking the upper limit of the value that variable supports. In the worst case, the transaction is blocked permanently, preventing additional transactions. In a block stuffing attack, an attacker fills multiple blocks in the blockchain to prevent other transactions from being included. This is achieved when the attacker pays a high gas price for their transactions to ensure that only those transactions are included in the blocks.
- Vampire Attack: A vampire attack in smart contracts is a method of stealing the money, customers, and investors of other DeFi protocols by offering better rates. In other words, the attack attempts to steal liquidity volume from other protocols. An interesting instance of a vampire attack is SushiSwap, a new project that succeeded in attracting over $1 billion of liquidity in less than a week. SushiSwap gained traction quickly as it competed with UniSwap by forking the project and launching vampire attacks. The project was launched with the objective of gaining government market makers and distributing its tokens, called Sushi. Once enough liquidity had been attracted to the protocol, the next step of the attack was to migrate, or suck, the tokens from one platform to the other. That is why it is called a vampire attack.
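An added example (not from the article) covering the Re-entrancy and Denial of Service items above: a push-refund auction that a reverting receiver can freeze, a pull-refund auction whose withdraw() sends before updating state, and a hardened version. Contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Vulnerable: the refund is pushed to the outbid bidder inside bid(). A previous
// bidder whose receive() reverts makes every later bid revert too (DoS by revert).
contract PushRefundAuction {
    address public highestBidder; uint256 public highestBid;
    function bid() external payable {
        require(msg.value > highestBid, "bid too low");
        (address prev, uint256 prevBid) = (highestBidder, highestBid);
        (highestBidder, highestBid) = (msg.sender, msg.value);
        if (prev != address(0)) {
            (bool ok, ) = prev.call{value: prevBid}("");
            require(ok, "refund failed"); // one hostile receiver blocks all bids
        }
    }
}

// Pull refunds remove that dependency: bid() only records what is owed.
abstract contract PullAuction {
    mapping(address => uint256) public pending;
    address public highestBidder; uint256 public highestBid;
    function bid() external payable {
        require(msg.value > highestBid, "bid too low");
        if (highestBidder != address(0)) pending[highestBidder] += highestBid;
        (highestBidder, highestBid) = (msg.sender, msg.value);
    }
}

// Still vulnerable: withdraw() sends before zeroing the balance, so a receiving
// contract can re-enter withdraw() from its receive() while pending[] is non-zero.
contract ReentrantAuction is PullAuction {
    function withdraw() external {
        uint256 amount = pending[msg.sender];
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction first
        require(ok, "send failed");
        pending[msg.sender] = 0;                           // effect too late
    }
}

// Hardened: checks-effects-interactions order plus a re-entrancy lock.
contract SafeAuction is PullAuction {
    bool private locked;
    modifier nonReentrant() { require(!locked, "reentrant"); locked = true; _; locked = false; }
    function withdraw() external nonReentrant {
        uint256 amount = pending[msg.sender];
        pending[msg.sender] = 0;                           // effect first
        (bool ok, ) = msg.sender.call{value: amount}("");  // then interaction
        require(ok, "send failed");
    }
}
```

The push version also shows the exception-in-a-loop concern from the Programming section in miniature: one external call whose outcome the other party controls decides whether the whole function can ever complete.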
3. Dependency
The third category of challenges includes dependency issues, which arise when transactions and their order of execution depend on one another for obtaining resources or on the time of execution.
- Timestamp: Timestamp dependency is one of the key features of the Ethereum Virtual Machine. Timestamp dependency is preferred over random number generators in smart contracts for synchronizing transactions in a blockchain. However, timestamp dependency does not provide any information about the environment, such as the host operating system, IP address or time; all this information can be extracted from the timestamp field in the block’s metadata. Unfortunately, the block’s timestamp field is arbitrary, and the block’s miner can write any timestamp without any verification by the other nodes in the network. Miners can manipulate environment variables to earn profits. Consider a deciding variable that determines whether a lottery prize is won or lost based on whether it returns an even or odd number:
if (variable % 2 == 0) winner = p1; else winner = p2;
- Transaction-Ordering: Transaction-ordering attacks depend on the order in which transactions are submitted. The order in which transactions are processed in Ethereum is determined by the miners. Malicious miners may exploit this in smart contracts, reordering submitted transactions so that malicious transactions are prioritized: genuine transactions remain pending while malicious transactions are processed and completed before them. In this attack, malicious miners change the state of transactions for their own benefit. When a transaction is submitted, it goes to a memory pool called the mempool. The miners then select transactions from the pool, organize them into a block, and complete it using PoW. Once a block is mined, it is broadcast to the network. The risk is inherent in this situation because all transactions in the memory pool are visible to all users on the network, and the order in which transactions execute depends entirely on the miner. A transaction-ordering dependence attack changes the price at which an item is purchased while the purchase is being processed. This happens because someone else (a malicious miner, the contract owner, or another user) has sent a transaction that modifies the price before the first transaction completes. The problem arises because two transactions can be placed in the memory pool in any order irrespective of their arrival. This is problematic for smart contracts, which rely on the state of storage variables as determined by the order of transactions.
- Race Conditions: Race conditions occur due to a lack of synchronization between transactions in Solidity and Ethereum smart contracts. One of the most common potential race conditions exists in the ERC20 standard, which is recognized by the Ethereum community and specifies the APIs used in token smart contracts. Consider two users A and B. A has a wallet and wants to allow B to withdraw 10 tokens as payment for a piece of code that B has developed in the smart contract. B negotiates and convinces A to add 5 bonus tokens for her splendid work, so A agrees to pay 15 tokens in total. Just before A sends the approval for the negotiated 15 tokens, B calls the respective transfer function to transfer the 10 already-approved tokens to her account. Later, B receives the approval for 15 tokens and transfers those too. Overall, B receives 25 tokens in total.
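The approve/transferFrom race described under Race Conditions, as an added example (not from the article or the ERC20 specification): a minimal allowance contract with the standard overwrite-style approve and the relative increaseAllowance/decreaseAllowance mitigation. The contract name and sample supply are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal allowance logic in the ERC20 style (not a complete token).
// Scenario from the text: A approves B for 10, then decides to raise it to 15.
// If B's transferFrom(10) is mined before A's approve(15), B can afterwards
// call transferFrom(15) as well and ends up with 25 tokens.
contract AllowanceToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    constructor() { balanceOf[msg.sender] = 1000; } // sample supply to the deployer

    // Standard approve: overwrites the allowance regardless of how much of the
    // previous allowance has already been spent. This is the racy operation.
    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        uint256 allowed = allowance[from][msg.sender];
        require(allowed >= amount, "allowance exceeded");
        require(balanceOf[from] >= amount, "balance exceeded");
        allowance[from][msg.sender] = allowed - amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }

    // Hardened: change the allowance relative to its current value. A raises
    // B's allowance by 5; whichever of the two transactions is mined first,
    // B can spend 15 in total and no more.
    function increaseAllowance(address spender, uint256 added) external returns (bool) {
        allowance[msg.sender][spender] += added;
        return true;
    }

    function decreaseAllowance(address spender, uint256 subtracted) external returns (bool) {
        uint256 current = allowance[msg.sender][spender];
        require(current >= subtracted, "allowance below zero");
        allowance[msg.sender][spender] = current - subtracted;
        return true;
    }
}
```

The other common mitigation is to require that an allowance be set to zero before it is changed to a new non-zero value, so the spender cannot combine the old and new amounts.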
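An added example (not code from the article) serving both the Weak Random Number Generator item and the Timestamp item: the article's parity check driven by block.timestamp, beside a commit-reveal version in which the deciding value is derived from secrets both players committed to in advance. Contract names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Vulnerable: the deciding variable is the block timestamp, which the block
// producer chooses. Whoever produces the block can pick a value whose parity
// favours the player they want, within the bounds other nodes tolerate.
contract TimestampLottery {
    address public p1;
    address public p2;
    constructor(address a, address b) { p1 = a; p2 = b; }
    function draw() external view returns (address winner) {
        uint256 variable = block.timestamp; // producer-controlled input
        if (variable % 2 == 0) winner = p1; else winner = p2;
    }
}

// Hardened: commit-reveal. Each player commits to the hash of a secret before
// either secret is known; the winner is derived from both revealed secrets,
// so neither a player nor the block producer can steer the parity alone.
contract CommitRevealLottery {
    address public p1;
    address public p2;
    mapping(address => bytes32) public commitment;
    mapping(address => uint256) public secretOf;
    mapping(address => bool) public revealed;
    constructor(address a, address b) { p1 = a; p2 = b; }

    function commit(bytes32 h) external {
        require(msg.sender == p1 || msg.sender == p2, "not a player");
        require(commitment[msg.sender] == bytes32(0), "already committed");
        commitment[msg.sender] = h; // h = keccak256(abi.encodePacked(secret, msg.sender))
    }

    function reveal(uint256 secret) external {
        require(commitment[p1] != bytes32(0) && commitment[p2] != bytes32(0), "commit phase open");
        require(!revealed[msg.sender], "already revealed");
        require(keccak256(abi.encodePacked(secret, msg.sender)) == commitment[msg.sender], "bad reveal");
        secretOf[msg.sender] = secret;
        revealed[msg.sender] = true;
    }

    function draw() external view returns (address winner) {
        require(revealed[p1] && revealed[p2], "not all revealed");
        uint256 variable = uint256(keccak256(abi.encodePacked(secretOf[p1], secretOf[p2])));
        if (variable % 2 == 0) winner = p1; else winner = p2;
    }
}
```

A production version also needs a reveal deadline with a forfeit rule, because the second player to reveal can see that they would lose and simply withhold their reveal.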
4. Liquidity
The fourth major category of challenges relates to liquidity. Liquidity is a game changer in decentralized finance, and a mismatch in liquidity can have devastating results. Since DeFi relies on liquidity pools to function, a decentralized exchange without liquidity is like a pool without water.
- Flash Loans: A flash loan attack abuses a platform's smart contract security: the attacker borrows a large amount of funds that require no collateral, manipulates the price of a crypto asset on one exchange, and resells it to another user. The process is so quick that the attacker repeats it multiple times before finishing and leaving without a trace. Flash loan attacks take advantage of differences in the trading price of an asset. The asset price is set by demand and supply in the market; however, because there are several DeFi platforms, there are always some differences in the price of the same asset. Exploiting these differences is what leads to flash loan attacks. A malicious flash loan transaction typically contains a sequence of actions. The first action borrows a very large sum of digital assets from a flash loan contract, and the last action returns the borrowed assets. The actions in between interact with multiple DeFi contracts using the borrowed assets to exploit their design flaws. When a DeFi contract fails to consider corner cases caused by the large sum of borrowed assets, the attacker may extract prohibitive profits.
- Maximal Extractable Value (MEV): MEV refers to the maximum value that can be extracted from a block, in addition to the block reward and gas fees, by including, excluding, and changing the order of transactions in a block. In theory, MEV arises because miners are the only players in a position to use it to maximize their profit. In practice, however, a large portion of MEV is extracted by network participants referred to as searchers. Searchers run complex algorithms on blockchains to find opportunities that maximize their profit; in some scenarios they use bots to automate this process. Since searchers are willing to pay high gas fees to earn this profit, miners also receive a share of it by including the searchers' transactions in their blocks. MEV shows up in several well-known opportunities, such as decentralized exchange (DEX), liquidations, and sandwich trading.
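An added example (not from the article) of the corner case the Flash Loans item describes: a lending vault that values collateral at a pool's instantaneous reserve ratio, beside one that uses a time-weighted average price. The IPool interface, its accumulator behaviour and the contract names are assumptions modelled on the common constant-product pool pattern, not any specific protocol.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Hypothetical pool interface. priceCumulativeLast() is assumed to accumulate
// (price * seconds elapsed) on every swap and on read, as in the constant-
// product accumulator pattern: a price that held for zero seconds adds nothing.
interface IPool {
    function reserveCollateral() external view returns (uint256);
    function reserveDebt() external view returns (uint256);
    function priceCumulativeLast() external view returns (uint256); // 1e18-scaled
}

// Shared lending logic: borrow up to 50% of the collateral's value at price().
abstract contract Vault {
    IPool public immutable pool;
    mapping(address => uint256) public collateral;
    mapping(address => uint256) public debt;
    constructor(IPool p) { pool = p; }
    function price() public view virtual returns (uint256);
    function borrow(uint256 amount) external {
        uint256 limit = collateral[msg.sender] * price() / 1e18 / 2;
        require(debt[msg.sender] + amount <= limit, "exceeds limit");
        debt[msg.sender] += amount;
    }
}

// Vulnerable: the instantaneous reserve ratio. A large flash-loan-funded swap
// skews it inside the same transaction that then borrows against the result.
contract SpotVault is Vault {
    constructor(IPool p) Vault(p) {}
    function price() public view override returns (uint256) {
        return pool.reserveDebt() * 1e18 / pool.reserveCollateral();
    }
}

// Hardened: a time-weighted average over WINDOW. A price that exists only for
// one transaction has zero time weight, so a flash loan cannot move it.
contract TwapVault is Vault {
    uint256 public constant WINDOW = 30 minutes;
    uint256 private snapCumulative; uint256 private snapTimestamp;
    uint256 private twapPrice; // zero until the first full window has elapsed
    constructor(IPool p) Vault(p) { (snapCumulative, snapTimestamp) = (p.priceCumulativeLast(), block.timestamp); }
    function update() external { // anyone may roll the window forward
        uint256 elapsed = block.timestamp - snapTimestamp;
        require(elapsed >= WINDOW, "window not elapsed");
        uint256 cum = pool.priceCumulativeLast();
        twapPrice = (cum - snapCumulative) / elapsed;
        (snapCumulative, snapTimestamp) = (cum, block.timestamp);
    }
    function price() public view override returns (uint256) { return twapPrice; }
}
```

The average still lags a genuine multi-block price move and depends on the pool's accumulator being current when read, so deployed oracles also bound how stale a window may become before borrowing is paused.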