13 June 2022
3 min read
While building DeFi protocols or any other smart contract application, various security inspections need to be done before deploying it on a blockchain mainnet. Instead of solely focussing on solidity pitfalls while reviewing the code, ensuring a dApp’s security is strong enough to make it ready for mainnet, must be followed. The contingencies towards the most popular types of DeFi security vulnerabilities, such as oracle attacks, brute force attacks, and many other threats, would be beneficial to save you and your users billions of dollars, along with a long span of aggravation. Doing your due diligence before launching your protocol is imperative, and here are a few ways to tackle the DeFi attacks:
Be Aware of Reentrancy Attacks
In the reentrancy attack, the most common type of DeFi security attack like the infamous DAO hack, a contract calls an external contract before updating its state. Quoting the Solidity documentation: ‘Any interaction from a contract (A) with another contract (B) and any transfer of Ether hands over control to that contract (B). It makes it possible for B to call back into A before this interaction is completed.
Solution: Before transferring ETH/tokens or calling an untrusted external contract, one should update the internal state of the contract. There are a few strategies to do that, like using mutex locks or simply ordering your function calls in a way where you only reach out to external contracts or functions after the state is updated.
Avoid Common Glitches
This point is a sort of catch-all for Solidity, but to have a secure contract, you need to build it with all of these DeFi security principles in mind. To write really impactful Solidity, you must be aware of how it works under the hood. One must consider the issue of Overflows/Underflows, Loops Gas Limit, and Avoid using tx. the origin for authorization in smart contracts, Proxy Storage Collision
Complete Unit Tests Coverage
It identifies weaknesses and vulnerabilities early-on, decreasing the risk of substantial losses. As a chain is only as strong as its weakest link, remember to include “complete” unit test coverage, not merely 65% or 70%, or only “the most significant elements of a contract.”
Security Audit of Smart Contracts
Always remember how essential smart contract auditing is. Do not minimize the development time by reducing the time for audit or full test coverage. Remember, if you won’t double-check your work, the hacker definitely will!
While a security audit does not safeguard a project from hacking attempts, it works pretty well to identify areas for improvement that would otherwise go unnoticed in full unit test coverage.
Always Get an External Audit before Deploying to Mainnet
Consider an audit of your code as a security-focused peer review. Auditors will scan your entire codebase line by line and use formal verification techniques to check the vulnerabilities of your smart contracts. Deploying code without getting it audited or changing code & redeploying after an audit is an easy way to open yourself up to potential vulnerabilities.
Put together a Disaster Recovery Plan
Depending on your protocol, it’s always best to have a contingency plan in case you get hacked. Some popular methodologies are:
- Getting insurance
- Installing an emergency pause feature
- Having an upgrade plan
Protect against Frontrunning
In blockchains, all transactions are visible in the mempool, which means that everyone can see your transaction and potentially make a transaction before yours to profit off your transaction.
For example, let’s say you use a DEX to exchange ETH for DAI at the current market price. Once you send your transaction to the mempool, a frontrunner could make a transaction to buy a large quantity of ETH just before your purchase, causing the price to rise. They could then sell you the ETH they purchased at a higher price and profit out of your pocket.
Fortunately, a group of world-class researchers of smart contract and cryptography, including Chainlink Labs Chief Scientist Ari Juels, are working to solve this exact problem with “Fair Sequencing Services.”
Continuing with the dForce example, the dForce contract pattern has a framework similar to the preceding Compound contracts. It demonstrates that duplicating other protocols’ coding will not safeguard your DeFi project. When someone copies a code, they must retrofit the project’s requirements to the code, which gives gaps and incompatibilities. Future exploits will be affected by these factors.