Chirag21 / Best-DeFi-Security-Practices

A comprehensive list of security practices for DeFi protocols.


Ultimate Web3 Security Practices

An ultimate list of security practices for DeFi protocols to ensure user safety.

Wayfinding

  • Smart Contract Audits
  • Bug Bounty Programs
  • Suspicious Activity Tracking
  • DeFi Risk Insurance
  • Audit Contests
  • Formal Verification
  • Economic Security
  • Risk Score
  • Lessons Learned
  • Potential Perfection
  • Contributing
  • Feedback
  • Connect With Me

Smart Contract Audits (x2)

A smart contract audit is a detailed, methodical examination of the code used to interact with the blockchain. Smart contract security audits are essential for eliminating vulnerabilities introduced during development that could lead to exploits and put user funds at risk. Regular security audits are essential to eradicate vulnerabilities throughout the product life cycle. A security audit must be performed after development and before the mainnet deployment of every new version of the smart contract (e.g. V1, V2 and V3).

Options to consider:

Bug Bounty Program

Bug bounty programs act as a line of defence between organisations and threat actors that are actively looking to exploit vulnerabilities in smart contracts and steal stored funds. Organisations operating bug bounty programs pay for the submitted bugs.

It is crucial to have an active bug bounty program, as it stamps out the bugs missed during the audit phase. Since bug bounty programs are open to the public (unlike an audit), they invite more eyes to your code, subsequently decreasing the probability of a vulnerability remaining in the code and therefore securing the smart contract against external threats to a greater degree.

Options to consider:

On-chain Suspicious Activity Tracking:

On-chain activity tracking bots are used to detect mission-critical actions or state changes in smart contracts (potentially malicious transactions), such as unexpected external function calls or re-entrant calls, and to alert teams through custom notifications so they can take the necessary action in time.
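As an added illustration (not code from this list or any tracking product it links to), the detector below runs over a constructed, flattened call trace of a single transaction and raises the two alerts the paragraph describes: a re-entrant call into the monitored contract while an earlier call into it is still executing, and an external call from the monitored contract to an address outside an allowlist. The addresses, the `Call` record and the traces are constructed placeholders; in practice the rows come from a node's debug trace.

```python
from dataclasses import dataclass

@dataclass
class Call:
    depth: int      # nesting level of this call within the transaction trace
    caller: str
    callee: str
    func: str       # called function name (assumed to be resolved upstream)

# Hypothetical placeholder addresses used only to construct the sample traces.
VAULT, TOKEN, USER, ATTACKER = "0xVAULT", "0xTOKEN", "0xUSER", "0xATTACKER"

# Constructed sample: a benign withdrawal where the vault pays out an ERC-20 token.
BENIGN_TRACE = [
    Call(0, USER, VAULT, "withdraw"),
    Call(1, VAULT, TOKEN, "transfer"),
]

# Constructed sample: the vault calls a contract whose fallback re-enters
# withdraw before the first withdraw has returned.
REENTRANT_TRACE = [
    Call(0, ATTACKER, VAULT, "withdraw"),
    Call(1, VAULT, ATTACKER, "fallback"),
    Call(2, ATTACKER, VAULT, "withdraw"),
    Call(3, VAULT, ATTACKER, "fallback"),
]

def detect_reentrancy(trace, monitored):
    """Alert when `monitored` is entered while an earlier call into it is still active.
    Rows are in execution order, so a row at depth d means every open frame at
    depth >= d has already returned."""
    active = []   # stack of (depth, func) for frames of `monitored` not yet returned
    alerts = []
    for c in trace:
        while active and active[-1][0] >= c.depth:
            active.pop()
        if c.callee == monitored:
            if active:
                d, f = active[-1]
                alerts.append(f"reentrancy: {c.func} re-entered {monitored} from "
                              f"{c.caller} while {f} (depth {d}) is still executing")
            active.append((c.depth, c.func))
    return alerts

def detect_unexpected_external_calls(trace, monitored, allowlist):
    """Alert on every call `monitored` makes to an address outside `allowlist`."""
    return [f"unexpected external call from {monitored} to {c.callee} "
            f"({c.func}) at depth {c.depth}"
            for c in trace if c.caller == monitored and c.callee not in allowlist]
```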

Options to Consider:

DeFi Risk Insurance

Much like traditional insurance that protects policy holders from specified damage, DeFi insurance protects users from hacks and exploits, private key compromises or other security incidents in exchange for a premium. DeFi risk cover can be purchased by projects as well as end users. In case of a security incident, projects can draw on the policy to strengthen their infrastructure or reimburse the affected users, and users who hold a DeFi risk policy can receive compensation for the hack.

DeFi insurance is the solution to crypto's hacks & exploits problems.

Options to Consider:

Audit Contests

Many eyes make a better audit. Audit contests and peer code review are an invaluable way to secure your smart contracts against potential threats: they ensure that bugs overlooked by audit firms during a security audit still get reported.

Options to Consider:

Formal Verification

Formal verification is a method used to prove the correctness of a design, and to demonstrate the root cause of an error, by rigorous mathematical procedures. It can verify the correctness of systems such as cryptographic protocols, and it is applied to the source code itself so that vulnerabilities are ruled out mathematically rather than found by sampling. In formal verification, one writes a specification (defining what is correct in a given context and what is wrong) against which the code is checked, which exposes any behaviour that violates it.

It differs from a security audit in that it focuses on the mathematical logic of the smart contract code and can reliably find complex bugs that auditing firms tend to miss.

Options to Consider:

Economic Security

Maximum capital efficiency with reduced risk. Economic security focuses on the financial model of a DeFi project. It ensures protocols are tested extensively for financial security and helps developers understand how decisions about security, governance and consensus mechanisms are likely to affect network activity and asset value.

Options to Consider:

Risk Score

Evaluating your smart contracts across technical and non-technical factors is a prominent security measure for identifying obstacles to the progress of your smart contracts. Such assessments are also a convenient way to boost investor confidence in your application.

Options to Consider:

Lessons Learned

  • It is imperative to follow multiple security practices in DeFi protocols to protect user-locked funds from hacks and exploits.

  • Relying on a single security practice can cause a single point of failure in case of a security incident. Multiple security practices should be followed to hedge one's bets against potential exploits.

  • It is worth noting that most exploited smart contracts were either not audited or did not have adequate security practices in place to safeguard assets.

In the year 2020:

Blockchain hackers stole $4.32 Billion in 123 attacks.

In the year 2021:

~ $2B were lost to crypto hacks and exploits.

In the year 2022 (until now):

More than $2.5B have been lost to crypto hackers, a 695% increase from the same quarter of the previous year.

It is important to note that nearly all of the hacks that occurred were post-audit hacks. Hence, it is beneficial to have multiple security practices in place in order to eliminate security risks.

Potential Perfection

Compound Finance, an autonomous algorithmic marketplace for borrowing and lending cryptocurrencies, is a top performer in DeFi security practices, having multiple security audits from leading auditing firms, a bug bounty program, formal verification and an economic security audit.

MakerDAO, a lending protocol on the Ethereum blockchain, with its stablecoin DAI, holds a top-performing position with multiple security practices.

Something to Remember:

If you don’t make an investment in the security of your application, you have to pay one way or another.

Contributing

Contributions are always welcome!

Please open a pull request with necessary changes to commit changes to the official repository.

Feedback

If you found the list helpful, please consider sharing it with others. If you have any feedback, please reach out to me on Twitter.

Connect with me on

Verified By:

The legitimacy of this study has been verified by:

Credits:

Thanks to the incredible people who helped frame this study.
