The fundamental need to update blockchain security protocols


The total value locked (TVL) in decentralized finance (DeFi) now exceeds $100 billion, a clear signal of confidence in these new financial instruments. That investment will keep growing, but it seems that every new TVL record is followed by a report of another cyberattack that caused astronomical losses.

Overall crypto crime fell 57% in 2020, but DeFi hacks surged, costing companies and investors billions of dollars. In March alone there were several attacks within five days; Paid Network lost $180 million. In late May, PancakeBunny lost more than $200 million in a flash loan attack.

Clearly, current blockchain security practices leave too many loopholes and allow too many hacks. From rug pulls to phishing scams, the security and the technology in this field are not as mature as the headline numbers suggest. However, both developers and users can adopt some key practices to close this gap.

Decentralized technology is still centralized

No matter how decentralized a protocol claims to be, its underlying structure is still centralized. Look at one of the core functions of the internet, DNS records. Every domain name is still centrally owned, by a government, a state or a company, which holds ultimate authority over the domain and can shut it down if it wants to.

An example of centralization within decentralization is smart contracts. Whoever writes an Ethereum or Binance Smart Chain smart contract has the final say over what the code contains, and there are many ways to encode malicious behavior, such as a rug pull, into a smart contract.

During the yield farming boom in the summer of 2020, we saw many protocols emerge to profit from the influx of DeFi capital, and that has continued into this year. In March, TurtleDex executed a rug pull, which was in effect a backdoor in the smart contract, stealing $2.5 million from investors. Such an intentional feature lets developers write fraudulent logic and then trigger it based on other events in the code. TurtleDex is one of many projects that have shipped rug-pull code this year.

Related: Yield farming is a fad, but DeFi promises to change the way we interact with money

Smart contract audits are a good way to prevent rug pulls, but even so, we still see developers swapping audited smart contracts for unaudited ones. The Compounder Finance case demonstrated how easily a scam project can borrow credibility from known, reputable names in the space. They quickly piggybacked on Harvest Finance and Yearn.finance, then pulled the rug on their users and walked away with millions of dollars in cryptocurrency.

Related: Default auditing for DeFi projects is a must for growing the industry

Recent hacking trends

Beyond rug pulls, there are many popular attacks that, if not prepared for, can bring down an entire company. 51% attacks, in which a group of miners controlling more than half of a network's hash rate can exclude or reorder transactions in order to double-spend or disrupt the chain, are still very common. Firo and Grin have both suffered 51% attacks recently.

Even some of the leading cryptocurrency projects by market capitalization remain insecure. In February, it was reported that 200 days of XVG transactions were wiped from the Verge network, in what was effectively "the deepest reorganization of a top-100 cryptocurrency."

We accept these failures as part of the blockchain experience, but if the same thing happened at a big bank, how would people react? There would be far more headlines and far more outcry from users and customers. These events have largely gone unnoticed in crypto because there are fewer users, but with the recent bull market that is changing. Inevitably, the security of public blockchains will face more scrutiny.

Practices that prevent hacks such as rug pulls

Unfortunately, anyone developing in crypto can be hacked. The question is not how to prevent hacks outright, but how to reduce the chance of being hacked. Some advances in wallet design, such as Gnosis Safe's multisignature smart-contract wallet, are a key element in improving overall security.

A multisignature wallet lets several users hold keys to the same wallet and requires a threshold of them to sign off before any action is taken on the account. Because such a wallet needs input from multiple signers to transact, a unilateral rug pull by a single developer is almost impossible with this type of vault.

Another safeguard against rug pulls is a timelock. Many decentralized applications use timelocks, so if a developer attempts to rug their users, you get a warning of roughly 12 to 24 hours to remove your funds. The caveat is that a timelock only protects you if every privileged function is actually routed through it and the delay cannot be shortened by the same admin who queues the action.
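As an added illustration, not code from the original article or from any project named in it, the following Solidity sketch shows the two ideas from this section side by side: a yield vault whose owner has a quiet backdoor (the pattern behind a TurtleDex-style rug pull described earlier), and a minimal timelock through which that same privileged call must be publicly queued at least 24 hours before it can run. The contract and function names, the trimmed IERC20 interface, and the assumption that the timelock's admin is a multisig such as a Gnosis Safe are all assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Only the ERC-20 surface this example needs (hypothetical minimal interface).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// A yield vault with a rug-pull backdoor (constructed example).
/// deposit/withdraw look normal; `migrate` lets `owner` drain the whole pool
/// in one transaction with no warning to depositors.
contract Vault {
    IERC20 public immutable token;
    address public immutable owner;   // an EOA here = rug pull; a Timelock here = public notice
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token, address _owner) {
        token = _token;
        owner = _owner;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transfer failed");
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        deposits[msg.sender] -= amount;               // reverts on underflow in 0.8+
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // The backdoor: an innocuous name, owner-only, moves every depositor's tokens.
    function migrate(address to) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

/// Minimal timelock (constructed example). Deploy it with `admin` set to a
/// multisig, then deploy Vault with `_owner = address(timelock)`. Now `migrate`
/// can only run after `queue` has announced it on-chain and `delay` has passed.
contract Timelock {
    event Queued(bytes32 indexed id, address target, bytes data, uint256 eta);
    event Cancelled(bytes32 indexed id);
    event Executed(bytes32 indexed id);

    uint256 public constant MIN_DELAY = 24 hours;  // the 12-24h warning window the text describes
    address public immutable admin;                // intended to be a multisig (e.g. a Gnosis Safe)
    uint256 public immutable delay;                // fixed at deploy time; admin cannot shorten it
    mapping(bytes32 => bool) public queued;

    constructor(address _admin, uint256 _delay) {
        require(_delay >= MIN_DELAY, "delay too short");
        admin = _admin;
        delay = _delay;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function txId(address target, bytes calldata data, uint256 eta) public pure returns (bytes32) {
        return keccak256(abi.encode(target, data, eta));
    }

    // Step 1: announce. Watchers see Queued(...) and have until `eta` to exit the vault.
    function queue(address target, bytes calldata data, uint256 eta) external onlyAdmin returns (bytes32 id) {
        require(eta >= block.timestamp + delay, "eta before delay");
        id = txId(target, data, eta);
        require(!queued[id], "already queued");
        queued[id] = true;
        emit Queued(id, target, data, eta);
    }

    function cancel(address target, bytes calldata data, uint256 eta) external onlyAdmin {
        bytes32 id = txId(target, data, eta);
        require(queued[id], "not queued");
        delete queued[id];
        emit Cancelled(id);
    }

    // Step 2: execute, only once eta has passed, e.g. data = abi.encodeWithSignature("migrate(address)", dest)
    function execute(address target, bytes calldata data, uint256 eta) external onlyAdmin {
        bytes32 id = txId(target, data, eta);
        require(queued[id], "not queued");
        require(block.timestamp >= eta, "too early");
        delete queued[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
        emit Executed(id);
    }
}
```

The practitioner's check follows directly from the code: before depositing, confirm that the vault's `owner` is a timelock contract rather than an externally owned account, that the timelock's `delay` is long enough for you to react, and that its `admin` is a multisig. If `owner` can be reassigned or the delay can be lowered by the admin, the timelock is decorative.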

Security practices like these will encourage broader trust in DeFi and build a culture around security that drives our industry forward.

Improving crypto wallet security

Wallet security ultimately comes down to developers and users adopting smarter practices. Regular security audits and sound internal security practices both help improve wallet security.

Although security audits are a good solution, Uniswap and other automated market maker (AMM) based decentralized exchanges (DEXs) are permissionless, so there is no gatekeeper to require an audit before a token is listed. The best practice is to understand the specifics of "fair launch" coins, projects launched directly on a DEX. While many of these projects are high quality, it is well known that many others have major vulnerabilities. Open-source code makes it easier for anyone to audit and verify the security of a smart contract on their own, giving users more tools to practice good security.

Asking users to practice good security may seem like a tall order, but to gain the many benefits of cryptocurrency, and DeFi in particular, it is necessary. With a traditional bank, the bank is responsible for security; in crypto, security comes down to the practices of developers and users.

If you forget your bank password or send funds to the wrong person, you can contact your bank to freeze or reverse the transaction until the issue is resolved. In crypto, if you lose your keys or send funds to the wrong address, there is no fallback. Of course, one of the many benefits is that you never have to worry about whether your crypto funds are available, whereas banks can close their doors and impose capital controls, as happened in the Greek banking crisis of 2015.

Conclusion

As developers, we need to implement cross-checks and security audits while holding each other accountable for continually improving our security practices.

Users should consider implementing their own security protocols and understand the nuances of storage and the potential hacking scenarios. For passive cryptocurrency holders, a good practice is a hardware wallet kept disconnected from the internet, or a paper wallet that is 100% offline and needs no firmware updates synced online.

Phishing attacks are one of the oldest forms of internet hacking, and they remain very common and frequent. The way to combat phishing attempts is to verify that the sender really is who they claim to be.

Never enter your private key or seed phrase on any website, and never send it to anyone through public channels or DMs. Generally, you should only enter your seed phrase when initially setting up your wallet, or when you genuinely need to restore it: after forgetting your password, when importing an existing wallet onto a new device, or when moving to compatible wallet software. It is generally recommended to use a hardware wallet device that never exposes your seed to any software; in many cases, even trusted wallet applications should not be given the seed.

As we continue to build a new, global and (mostly) decentralized finance economy, improving security is essential so that mainstream adoption and capital keep flowing into the field, and so that the next generation can enter a new era of financial independence.

This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.

The views, thoughts and opinions expressed here are the author's alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Kadan Stadelmann is a blockchain developer, operations security expert and CTO of the Komodo Platform. His experience ranges from operations security work in government agencies and launching technology startups to application development and cryptography. Kadan began his journey in blockchain technology in 2011 and joined the Komodo team in 2016.