Common Security Vulnerabilities in DeFi and Preventive Measures

Recently, a security expert shared a lesson on DeFi security with community members. The expert reviewed the major security incidents that the Web3 industry has encountered over the past year, discussed the reasons behind these incidents and how to avoid them, summarized common security vulnerabilities in smart contracts and preventive measures, and provided some safety advice for project teams and ordinary users.

Common types of DeFi vulnerabilities mainly include flash loans, price manipulation, function permission issues, arbitrary external calls, fallback function issues, business logic vulnerabilities, private key leakage, and reentrancy attacks. This article will focus on three types: flash loans, price manipulation, and reentrancy attacks.

Flash Loan

Flash loans are an innovation in Decentralized Finance, but they are also often exploited by hackers. Attackers borrow large amounts of funds through flash loans to manipulate prices or attack business logic. Developers need to consider whether contract functions might behave abnormally due to the influx of large amounts of capital, or be exploited to interact with multiple functions in a single transaction to obtain improper gains.

Many DeFi projects seem to offer high returns, but in reality, the quality of the project teams varies significantly. Some projects may use purchased code, and even if the code itself has no vulnerabilities, there can still be logical issues. For example, some projects distribute rewards based on the number of tokens held by the holders at fixed times, but attackers can exploit flash loans to purchase large amounts of tokens and obtain most of the rewards when they are distributed.

Price Manipulation

Price manipulation issues are closely related to flash loans, mainly because certain parameters during price calculation can be controlled by users. There are two common types of issues:

1. When calculating prices, third-party data is used, but if the method is incorrect or checks are missing, it can lead to price manipulation by malicious actors.
2. Use the number of tokens at certain addresses as computing variables, where the token balances at these addresses can be temporarily increased or decreased.

Reentrancy Attack

Reentrancy attacks are one of the main dangers that can arise when calling external contracts. An attacker can take control of the flow and make unexpected changes to the data by calling functions. For example, in a withdrawal function, if the user's balance is only set to 0 at the end of the function, an attacker can repeatedly call the function in between, withdrawing the balance multiple times.

For reentrancy attacks, the following points need to be noted:

1. Not only prevent reentrancy issues of a single function
2. Follow the Checks-Effects-Interactions pattern for coding
3. Use a time-tested reentrancy guard modifier

When addressing security issues, one should try to use well-validated best security practices rather than reinventing the wheel.

Security Recommendations for Project Teams

1. Follow best security practices for contract development
2. Implement contract upgradeability and pause functionality
3. Adopt a time lock mechanism
4. Increase investment in security and establish a comprehensive security system.
5. Enhance the security awareness of all employees.
6. Prevent internal malfeasance while enhancing risk control and improving efficiency.
7. Carefully introduce third-party components to ensure security.

How Users Can Determine if a Smart Contract is Safe

1. Confirm whether the contract is open source.
2. Check if the Owner adopts a decentralized multi-signature mechanism.
3. Check the existing trading situation of the contract
4. Understand whether the contract is a proxy contract, whether it is upgradable, and whether it has a time lock.
5. Confirm whether the contract has been audited by multiple institutions and whether the Owner permissions are too extensive.
6. Pay attention to the usage of the oracle.

Through the above measures, both the project party and users can improve the security of DeFi projects to a certain extent and reduce the risk of being attacked.