Rob Behnke
October 3rd, 2022
This is the first article in a three-part series exploring vulnerabilities that place DeFi projects at risk.
Decentralized Finance (DeFi) is one of the biggest and fastest-growing applications of blockchain and smart contract technology. DeFi’s ability to revolutionize the financial sector by offering decentralized, blockchain-based alternatives to traditional financial services has driven significant investment in the space.
Today, DeFi projects have a total market cap of $55 billion. However, the large amount of value invested in DeFi smart contracts also makes them common targets of attack. DeFi smart contracts can be exploited in various different ways that take advantage of vulnerabilities at different levels of the blockchain ecosystem. In this article, we’ll look at common vulnerabilities in DeFi contracts that relate to data management and security.
At their core, blockchain and smart contract technology are data processing and storage systems. The blockchain maintains an immutable digital ledger for storing transaction data, and smart contracts execute on top of this ledger and process the data stored on it. As a result, errors in data management and security can have a significant impact on smart contracts in general and DeFi smart contracts in particular.
In blockchain systems, the private key controlling a blockchain account is the most important piece of data to protect. Anyone with access to an account’s private key can generate digital signatures and transactions on behalf of that account. A compromised private key can result in the loss of cryptocurrency and abuse of the account’s permissions on DeFi contracts.
Blockchain private keys can be compromised in a variety of different ways. Some common examples include:
One of the core capabilities of DeFi projects is exchanges between different types of tokens. For example, a blockchain user may want to trade ETH for BNB to use certain functionality in a smart contract that uses BNB or to take advantage of an arbitrage opportunity.
For DeFi projects to support trades, they need information about the exchange rate between different tokens. In some cases, DeFi contracts will calculate this internally based on their relative supply of each token. For example, if a contract has a large amount of ETH, it may provide a higher rate to someone buying ETH than selling it.
On-chain calculations of token values are vulnerable to price oracle manipulation. If a token’s valuation depends on the quantity of that token available to a contract, then this value can be manipulated using a flashloan attack, which provides the attacker with access to sufficient tokens to significantly change the supply of that token available to a smart contract.
Many DeFi protocols have fallen victim to price oracle manipulation attacks, including Pancake Bunny, Alpha Finance, and the Spartan Protocol to name a few. These vulnerabilities can be mitigated by using off-chain sources of token pricing information, such as Chainlink.
Smart contracts are designed to communicate with other smart contracts. Often, this includes sending a set of variables containing state information that the contract wants to pass.
Instead of sending variables individually, a smart contract might serialize data into a single stream of bits. At the other side, the recipient can deserialize this data based on an understanding of the original format of the data. For example, knowing that a serialized value contains four integer values can allow the recipient to extract those four integers.
Data serialization/deserialization only becomes an issue if the deserialization code contains exploitable vulnerabilities (such as an integer overflow/underflow or buffer overflow vulnerability) or if the serialized data can be interpreted in multiple different ways. In the case of the Superfluid hack, a data serialization vulnerability enabled an attacker to steal $13 million from the project.
DeFi smart contracts can be vulnerable to exploitation if data is not managed properly and securely. The effects of poor data management and security can range from takeover of a single blockchain account to a multi-million dollar hack of a DeFi protocol.
Many of the data security vulnerabilities that impact DeFi projects are well-known and can be identified and remediated in a smart contract security audit. To learn more about protecting your blockchain project against these vulnerabilities, reach out to our Web3 security experts at halborn@protonmail.com.