How to Secure DeFi Networks?
The DeFi market has seen tremendous growth over the past two years to become a billion-dollar market. According to Defipulse, there is over $96 billion in total value locked (TVL) on various protocols within the market.
DeFi protocols aim to provide decentralized alternatives to existing centralized options, with the key difference being inclusivity. While it takes a lot to get access to a loan from a bank in terms of paperwork, a good credit score, guarantors and so on, it is easy to land one from a DeFi protocol without providing much information. This helps empower the marginalized, especially those in the third world. It is this kind of empowerment that has made DeFi popular. However, as the market grows, so do the security threats, especially those targeting various protocols. Many individuals have lost billions of dollars from hacks and other related scams.
To prevent such incidents, security must be a priority before you launch a DeFi app. Below, let us explore a few best practices for DeFi security that will help prevent your application from falling victim to an attack, and bolster your reputation as an ultra-secure developer.
Pay Attention to Reentrancy Attacks
Reentrancy attacks are pretty common within DeFi. They happen when a contract calls an external contract before updating its own state. According to Solidity documentation, "Any interaction from a contract (A) with another contract (B) and any transfer of Ether hands over control to that contract (B). This makes it possible for B to call back into A before this interaction is completed."
This opens a loophole that allows the user to withdraw all the funds in a contract before the state is updated. To secure your dApp against this, ensure you update the internal state of the contract before transferring ETH/tokens or calling an untrusted external contract.
Using DEX or AMM Reserves as a Price Oracle
This is the most common method used to attack DeFi protocols, and also the easiest to prevent. It is a red flag to use `getReserves()` to quantify price. This centralized price oracle exploit occurs when a user manipulates the spot price of an order-book or automated market maker (AMM)-based decentralized exchange (DEX), often through a flash loan. A protocol that uses the price reported by the DEX as its price oracle then executes its smart contracts on distorted data, triggering false liquidations, issuing excessively large loans or making unfair trades. Because of this vulnerability, even popular DEXs such as Uniswap do not recommend using their reserves alone as a pricing oracle.
The solution lies in using a decentralized oracle network instead of a centralized oracle to determine exchange rates. A decentralized option will provide the actual value of an exchange rate that reflects broad market coverage.
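The weak and the corrected price source side by side, as an added example that is not code from the original article. It assumes a Uniswap-V2-style pair interface and a Chainlink-style aggregator feed, neither of which the article names; `PriceSource`, `MAX_AGE` and the 18-decimal token assumption are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interfaces (not named in the article): a Uniswap-V2-style pair and
// a Chainlink-style aggregator feed.
interface IPair {
    function getReserves() external view returns (uint112 r0, uint112 r1, uint32 ts);
}

interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (
        uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract PriceSource {
    IPair public immutable pair;
    IAggregatorV3 public immutable feed;
    uint256 public constant MAX_AGE = 1 hours; // hypothetical staleness bound

    constructor(IPair pair_, IAggregatorV3 feed_) {
        pair = pair_;
        feed = feed_;
    }

    // WEAK: spot price from one pool's reserves (assumes 18-decimal tokens).
    // The ratio reflects only the pool's current state, so one large trade
    // moves it for every contract that reads it.
    function spotPriceFromReserves() external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        require(r0 > 0, "empty pool");
        return (uint256(r1) * 1e18) / uint256(r0);
    }

    // BETTER: price aggregated by an oracle network, rejected when it is
    // non-positive or older than MAX_AGE, then scaled to 18 decimals.
    function oraclePrice() external view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(block.timestamp - updatedAt <= MAX_AGE, "stale price");
        uint8 d = feed.decimals();
        require(d <= 18, "unexpected decimals");
        return uint256(answer) * 10 ** (18 - d);
    }
}
```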
Getting an External Audit Before Deployment
An audit of your code can be equated to a security-focused peer review, since auditors will go through your entire codebase line by line and use formal verification techniques to check your smart contracts for any vulnerabilities. To ensure your audit is as comprehensive as possible, there are a few things you can do: document everything, so that auditors can more easily track what is going on; keep communication channels open with auditors in case they have questions; and put comments in your code to make it easier for your team and theirs. Always remember that deploying code without an audit, or changing code and redeploying after an audit, is an easy way to open yourself up to potential vulnerabilities.
Viewing Security as A Whole Lifecycle Effort
The fast-evolving reality of blockchain and DeFi protocols, and the perpetual invention of new attacks, means you cannot afford to ever stop your security efforts. Instead, you should obtain and follow up-to-date monitoring and alert intelligence and, if possible, try to introduce future-proofing in the smart contract itself to access and benefit from the fast-growing quantity of dynamic security intelligence.
Consider bringing in some extra help from firms such as Certik Skynet, which works around the clock to provide a security intelligence engine that offers multi-dimensional, real-time and transparent security monitoring for on-chain deployment.
Putting Together a Disaster Recovery Plan
No matter the security measures you have in place, there is a chance your protocol can get hacked. Therefore, it helps to have a disaster recovery plan in place. This includes getting insurance, installing an emergency "pause" feature and having an upgrade plan. Insurance protocols represent a decentralized way to recover from a disaster. They add a level of financial security without impacting decentralization. It is always good to have insurance, even if you have other disaster recovery plans in place.