Brian Pasfield is the CTO of Fringe Finance, a platform that seeks to unlock the billions of dollars of dormant capital tied up in cryptocurrencies by offering loans collateralised by them. The platform aims to accept the broadest range of altcoins as collateral on the market.
With over two decades of experience within the industry, Pasfield is an expert in the current security problems facing DeFi. We picked his brains about the most common attack vectors exploited this year, identified specific vulnerabilities related to centralisation, how they can be prevented, and what steps to take to conduct a thorough audit.
Which key challenges are we facing today as far as DeFi security is concerned?
DeFi is a remarkably new industry. Ethereum introduced Turing-complete smart contracts less than eight years ago. For this reason, smart contract security demands an order of magnitude more attention and effort than building conventional financial systems. Moreover, transactions are irreversible, and stolen funds can be obscured through mixers and tumblers. Billions are up for grabs if a hacker can just identify and exploit a severe oversight by a developer team.
Meanwhile, developers often succumb to external pressure to rush out new features without proper audits and extensive testing. This is the key challenge for DeFi security today — ensuring it is the utmost priority on new and long-standing DeFi projects.
What are the most common attack vectors exploited this year?
Just to list a few: missing event emissions, where functions don't emit events after changing a critical variable. Not locking the compiler version allows generating differing bytecode for the same code. There's also improper input validation, which leads to unintended behavior when the contract receives invalid input.
Although experienced in writing non-blockchain applications, some developers sometimes fail to consider the nuances of smart contract development when writing dApps. One such nuance is not accounting for reentrancy attacks: in them, contract A calls contract B before updating its state. When this happens, there is a chance for B to repeat the previous operation as if the circumstances — for instance, A's ETH balance — had not changed.
Another class of exploits involves relying on data that can be manipulated for internal logic. Miners and mining pools have significant power to tinker with the block hash, timestamp, and order of transactions, making these unreliable sources of randomness. Using AMM liquidity pools as price oracles is extremely problematic as well, as they are easily manipulated using cheap flash loans, which can throw off a whole protocol. Because of this, solutions like decentralized oracles and sources of randomness are critical for our industry's development.
Relying on third-party dependencies is fairly common too. They might be modified, which changes the contract's behavior without notice. The most common vulnerability by far is centralization which, aside from rug pulls, makes stealing funds as simple as getting access to a few mismanaged private keys.
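The reentrancy pattern described above, modelled in Python so it runs without a chain (an added illustration, not code from the interview or from Fringe Finance). `VulnerableBank` makes the external call before updating its ledger, the ordering the answer warns about; `HardenedBank` applies checks-effects-interactions and a reentrancy guard, the two standard mitigations. The account names, the `receive` hook that stands in for a Solidity fallback, and the amounts are constructed for the example.

```python
"""Reentrancy, modelled in Python: interaction-before-effect vs. the hardened ordering.

Added illustration (not from the interview). Names and amounts are constructed.
"""


class Reverted(Exception):
    """Stands in for an EVM revert."""


class Wallet:
    """An externally owned account: it just receives ETH."""

    def __init__(self):
        self.received = 0

    def receive(self, bank, amount):
        self.received += amount


class ReentrantCaller(Wallet):
    """A contract whose receive hook calls back into the bank while the
    original withdraw is still on the stack (what a malicious fallback does)."""

    def receive(self, bank, amount):
        self.received += amount
        if bank.eth >= amount:
            try:
                bank.withdraw(self)
            except Reverted:
                pass  # models a low-level call returning false; the outer call continues


class VulnerableBank:
    """Interaction before effect: the callee sees a stale ledger."""

    def __init__(self):
        self.eth = 0        # total ETH held by the contract
        self.balances = {}  # per-account ledger

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.eth < amount:
            raise Reverted("nothing to withdraw or insufficient funds")
        self.eth -= amount
        who.receive(self, amount)  # external call while balances[who] is still set
        self.balances[who] = 0     # effect applied too late


class HardenedBank(VulnerableBank):
    """Checks, then effects, then interaction; plus a mutex as defence in depth."""

    def __init__(self):
        super().__init__()
        self._entered = False

    def withdraw(self, who):
        if self._entered:
            raise Reverted("reentrant call")
        self._entered = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0 or self.eth < amount:
                raise Reverted("nothing to withdraw or insufficient funds")
            self.balances[who] = 0     # effect first
            self.eth -= amount
            who.receive(self, amount)  # interaction last
        finally:
            self._entered = False


def run_scenario(bank_cls):
    """Three honest ETH sit in the bank; the attacker deposits one and withdraws.
    Returns (attacker_received, eth_left_in_bank)."""
    bank = bank_cls()
    honest = Wallet()
    bank.deposit(honest, 3)
    attacker = ReentrantCaller()
    bank.deposit(attacker, 1)
    bank.withdraw(attacker)
    return attacker.received, bank.eth


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableBank))  # attacker drains the honest deposits
    print("hardened:  ", run_scenario(HardenedBank))    # attacker gets only its own 1 ETH back
```

With the vulnerable ordering the nested `withdraw` calls each see the attacker's balance still at 1 and the contract pays out four times; with the hardened ordering the second call finds a zeroed balance and, independently, trips the guard, so the honest 3 ETH stay put.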
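Why an AMM spot price is a poor oracle, as the answer above states, modelled in Python (an added illustration, not code from the interview). The pool, reserves and block numbers are constructed: a constant-product pool (x * y = k, fees ignored) holding 1,000 ETH and 2,000,000 USDC, so 1 ETH quotes at 2,000 USDC. A single large swap within one block moves the spot price fourfold, while a time-weighted average over the last ten block observations (the mitigation a decentralised or TWAP-style oracle provides) moves far less, even in the worst case where the manipulated price is the one recorded at the block boundary.

```python
"""Spot price vs. time-weighted average on a constant-product pool.

Added illustration (not from the interview). Pool sizes and block numbers are constructed.
"""


class ConstantProductPool:
    def __init__(self, eth, usdc):
        self.eth = float(eth)
        self.usdc = float(usdc)

    def spot_price(self):
        """USDC per ETH implied by the current reserves; one swap can move it at will."""
        return self.usdc / self.eth

    def swap_usdc_for_eth(self, usdc_in):
        """Sell USDC into the pool; returns the ETH paid out, keeping x * y constant."""
        k = self.eth * self.usdc
        self.usdc += usdc_in
        eth_out = self.eth - k / self.usdc
        self.eth -= eth_out
        return eth_out

    def swap_eth_for_usdc(self, eth_in):
        """Sell ETH into the pool; returns the USDC paid out."""
        k = self.eth * self.usdc
        self.eth += eth_in
        usdc_out = self.usdc - k / self.eth
        self.usdc -= usdc_out
        return usdc_out


class TwapOracle:
    """Records one price observation per block and averages the last `window` of them."""

    def __init__(self, window):
        self.window = window
        self.observations = []  # (block, price)

    def record(self, block, price):
        self.observations.append((block, price))

    def price(self):
        recent = [p for _, p in self.observations[-self.window:]]
        return sum(recent) / len(recent)


def simulate(window=10):
    """Returns (spot_before, spot_during_manipulation, twap_after_manipulation)."""
    pool = ConstantProductPool(1_000, 2_000_000)
    oracle = TwapOracle(window)
    for block in range(1, window):            # blocks 1..9: quiet market at 2,000
        oracle.record(block, pool.spot_price())
    spot_before = pool.spot_price()
    # block 10: one large, flash-loan-sized swap of 2,000,000 USDC into the pool
    eth_received = pool.swap_usdc_for_eth(2_000_000)
    spot_during = pool.spot_price()           # what a protocol reading the pool mid-block sees
    oracle.record(window, spot_during)        # worst case: manipulated price is the block's observation
    twap = oracle.price()
    pool.swap_eth_for_usdc(eth_received)      # position unwound; pool back at 2,000
    return spot_before, spot_during, twap


if __name__ == "__main__":
    before, during, twap = simulate()
    print(f"spot before: {before:.0f}  spot during swap: {during:.0f}  10-block TWAP: {twap:.0f}")
```

A lending protocol that values collateral at the mid-block spot price would treat 1 ETH as worth 8,000 USDC for the duration of that transaction; the same protocol reading the ten-block average sees 2,600, and a longer window or an oracle aggregating several independent sources shrinks the gap further. The design point is that any single on-chain pool is a price the counterparty can set, not a price the market has agreed on.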
Can you elaborate, for example by naming particular vulnerabilities connected with centralisation? How can these be fixed or prevented?
Centralisation introduces single points of failure, opening up multiple attack vectors. The most obvious one is rug pulls. Mismanaged keys may end up with hackers who might then use them to steal funds. Keyholders might lose keys or pass away, leaving funds inaccessible forever.
Centralisation issues aren't always immediately apparent. Proper audits are necessary for identifying the broadest range of vulnerabilities possible, and sadly, most DeFi platforms lack such comprehensive audits.
The answer to centralisation is, of course, decentralization. DAOs are essential for that goal, but protocol design can make intervention by centralized entities wholly unnecessary.
What are the steps to performing a thorough audit?
The party that commissioned the audit sets the scope of the process: what contracts will the auditing firm scrutinize and to what degree. Ideally, you would have your whole protocol audited, not just a few contracts, but there's always the possibility to be strategic about this.
From this point on, the audit firm's experts will study the codebase, use automatic testing tools to identify malfunctioning components, apply a wide range of known exploits that faulty code might make possible, and manually check for vulnerabilities one line at a time. This process aims to generate a report that the team will act upon, fixing vulnerabilities by prioritizing the most critical.
After re-submitting the code, the audit firm will re-check and re-test all previously identified issues, also looking for newly introduced vulnerabilities. Ideally, the project should repeat this back-and-forth process until the auditing firm can no longer find any vulnerabilities.
Note that this is how an audit should be ideally run. Each round of auditing is expensive, and it's not uncommon to see people trying to cut corners to save costs. Therefore, "audited," more than as a binary statement, should be taken with nuance in many cases.
Decentralisation places additional responsibility on the user, so let's talk a bit about client-side security. What can we do to protect our DeFi investments?
First of all, your private keys are your greatest treasure. Don't ever share them with anyone, and store them in a hardware wallet if you can. Of course, the same goes for your recovery phrase, as it is simply your private key in a different format. Read transactions carefully before signing off on them; you might be allowing a scammer to take away your tokens.
You need to understand what you're investing in, from tokenomics to the team's reputation. Beware of meme coins: dozens are created every day, and the indisputable majority are rug pulls. Last but not least, only use platforms that have been audited recently and by reputable firms.
And lastly, can you share any secrets on choosing a reliable DeFi product?
Look for DeFi platforms with experienced teams with a solid reputation, a history of not cutting corners when it comes to security, and recent successful audits to show off — double audits are the gold standard.