Common Security Vulnerabilities in DeFi and Preventive Measures

Recently, a security expert shared a lesson on DeFi security for community members. The expert reviewed the major security incidents that the Web3 industry has encountered over the past year, discussed the reasons behind these events and how to avoid them, summarized common security vulnerabilities of smart contracts and preventive measures, and provided some security advice for project parties and ordinary users.

Common types of DeFi vulnerabilities mainly include flash loans, price manipulation, function permission issues, arbitrary external calls, fallback function problems, business logic vulnerabilities, private key leakage, and reentrancy, among others. This article will focus on flash loans, price manipulation, and reentrancy attacks.

Flash Loan

Flash loans are an innovation of Decentralized Finance, but they are often exploited by hackers for attacks. Attackers borrow large amounts of funds through flash loans to manipulate prices or attack business logic. Developers need to consider whether contract functions may become abnormal due to large amounts of funds, or whether it is possible to interact with multiple functions in a single transaction to obtain improper rewards through large amounts of funds.

Many DeFi projects appear to offer high returns, but in reality, the level of the project teams varies widely. Some projects may have their code purchased, and even if the code itself has no vulnerabilities, there may still be logical issues. For example, some projects distribute rewards at fixed times based on the number of tokens held by holders, but attackers can exploit flash loans to purchase a large number of tokens and obtain most of the rewards when the distribution occurs.

Price Manipulation

Price manipulation issues are closely related to flash loans, mainly because certain parameters in price calculation can be controlled by users. There are two common types of issues:

1. Third-party data is used to calculate prices, but if the usage is incorrect or checks are missing, it can lead to price manipulation.
2. Use the number of tokens from certain addresses as a calculation variable, where the token balance of these addresses can be temporarily increased or decreased.

Reentrancy Attack

Reentrancy attacks are one of the main dangers that can be faced when calling external contracts. An attacker may take control of the control flow and make unexpected changes to the data.

There are many ways that reentrancy can occur with different contracts, potentially involving different functions of the contract or functions of multiple different contracts. When addressing the issue of reentrancy, the following points should be noted:

1. Not only should we prevent the reentrancy issue of a single function.
2. Follow the Checks-Effects-Interactions pattern for coding
3. Use a time-tested reentrancy guard modifier

In the Web3 space, using mature security practices is wiser than reinventing the wheel. Utilizing well-validated solutions can significantly reduce the likelihood of issues arising.

Project Party Security Recommendations

1. Follow best security practices for contract development.
2. Implement contract upgradeable and pause functionality
3. Adopt time lock mechanism
4. Increase security investment and establish a complete security system.
5. Improve the security awareness of all employees
6. Prevent internal malfeasance while enhancing risk control and improving efficiency.
7. Be cautious when introducing third-party services and follow the principle that "default upstream and downstream are unsafe."

How Users Can Determine if a Smart Contract is Safe

1. Confirm whether the contract is open source
2. Check if the Owner uses a decentralized multi-signature mechanism
3. Check the existing trading situation of the contract
4. Confirm whether the contract is a proxy contract, whether it is upgradeable, and whether there is a time lock.
5. Check whether the contract has been audited by multiple institutions and whether the Owner's permissions are too extensive.
6. Pay attention to whether the oracle used by the project is reliable.

By paying attention to these points, users can better assess the security of smart contracts and reduce the risks associated with participating in Decentralized Finance projects.