Decentralized Finance Security Attacks and Defenses: A Comprehensive Analysis of Common Vulnerabilities and Protection Strategies


Common Security Vulnerabilities in DeFi and Preventive Measures

Recently, an industry expert shared insights on DeFi security. He reviewed the significant security incidents that the Web3 industry has encountered over the past year, discussed the reasons behind these incidents and how to avoid them, summarized common security vulnerabilities in smart contracts and preventive measures, and provided some security advice for project parties and ordinary users.

Common types of DeFi vulnerabilities mainly include flash loans, price manipulation, function permission issues, arbitrary external calls, fallback function problems, business logic vulnerabilities, private key leakage, and reentrancy, among others. Below, we will focus on flash loans, price manipulation, and reentrancy attacks.

Flash Loan

Although flash loans are an innovation in Decentralized Finance, they are often exploited by hackers. Attackers borrow a large amount of funds through flash loans to manipulate prices or attack business logic. Developers need to consider whether the contract functions may exhibit abnormal behavior due to the massive amounts of funds, or whether it is possible to interact with multiple functions in a single transaction to obtain improper rewards.

Many DeFi projects seem to offer high returns, but in reality, the quality of the project teams varies. Some projects may use purchased code, and even if the code itself has no vulnerabilities, there may still be logical issues. For example, some projects distribute rewards at fixed times based on the amount of tokens held, but attackers can exploit flash loans to purchase large amounts of tokens, obtaining most of the rewards when they are distributed.
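One way to design reward distribution so that tokens borrowed and returned inside a single transaction earn nothing is shown below. This is an added example, not code from the original talk or from any project it mentions: the contract name, its functions and the per-second `rewardRate` are hypothetical, and both tokens are assumed to be standard ERC-20 tokens that return `bool`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
// Constructed example: rewards accrue per second of stake actually held, so a
// stake opened and closed inside one transaction (zero elapsed time) earns nothing.
contract TimeWeightedRewards {
    IERC20 public immutable stakeToken;
    IERC20 public immutable rewardToken;
    uint256 public immutable rewardRate;   // reward tokens per second, shared by all stakers
    uint256 public totalStaked;
    uint256 public rewardPerTokenStored;   // cumulative reward per staked token, scaled by 1e18
    uint256 public lastUpdate;
    mapping(address => uint256) public staked;
    mapping(address => uint256) public paidPerToken;
    mapping(address => uint256) public owed;
    constructor(IERC20 stakeToken_, IERC20 rewardToken_, uint256 rewardRate_) {
        stakeToken = stakeToken_;
        rewardToken = rewardToken_;
        rewardRate = rewardRate_;
    }
    // Credit the time elapsed since the last state change, before any balance moves.
    function _accrue(address user) internal {
        if (totalStaked > 0) {
            rewardPerTokenStored += ((block.timestamp - lastUpdate) * rewardRate * 1e18) / totalStaked;
        }
        lastUpdate = block.timestamp;
        owed[user] += (staked[user] * (rewardPerTokenStored - paidPerToken[user])) / 1e18;
        paidPerToken[user] = rewardPerTokenStored;
    }
    function stake(uint256 amount) external {
        _accrue(msg.sender);
        staked[msg.sender] += amount;
        totalStaked += amount;
        require(stakeToken.transferFrom(msg.sender, address(this), amount), "stake failed");
    }
    // Returns `amount` of stake and pays out all rewards accrued so far.
    function withdraw(uint256 amount) external {
        _accrue(msg.sender);
        staked[msg.sender] -= amount;      // reverts on underflow under Solidity 0.8
        totalStaked -= amount;
        uint256 reward = owed[msg.sender];
        owed[msg.sender] = 0;
        require(stakeToken.transfer(msg.sender, amount), "withdraw failed");
        require(rewardToken.transfer(msg.sender, reward), "reward failed");
    }
}
```

Because the accumulator is updated before every balance change, a position's reward is proportional to amount multiplied by holding time rather than to the balance at one distribution instant.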

Price Manipulation

The issue of price manipulation is closely related to flash loans, primarily due to certain parameters that can be controlled by users during price calculation. There are two common types of problems:

  1. Third-party data is used when calculating prices, but it is used incorrectly or without verification, allowing malicious actors to manipulate the price.

  2. The number of tokens held at certain addresses is used as a calculation variable, while the token balances at these addresses can be temporarily increased or decreased.

Reentrancy Attack

One of the main risks of calling external contracts is that they may take over the control flow and make unexpected changes to the data. For example:

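```solidity
// Deliberately vulnerable: the balance is cleared only after the external call.
mapping (address => uint) private userBalances;

function withdrawBalance() public {
    uint amountToWithdraw = userBalances[msg.sender];
    // External call hands control to msg.sender before state is updated.
    (bool success, ) = msg.sender.call{value: amountToWithdraw}("");
    require(success);
    // Too late: the caller may already have re-entered withdrawBalance().
    userBalances[msg.sender] = 0;
}
```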

Since the user's balance is set to 0 only at the end of the function, calls made again before that point (for example from the recipient's callback during the external call) will still succeed, allowing the balance to be withdrawn repeatedly.

To address the reentrancy issue, the following points need to be considered:

  1. Do not only guard against reentrancy into a single function.
  2. Follow the Checks-Effects-Interactions pattern when coding.
  3. Use a verified reentrancy modifier.

It is best to use mature security practices rather than reinventing the wheel. New solutions developed independently often lack sufficient validation and have a higher probability of issues.
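The three points above applied to the earlier `withdrawBalance()` snippet, as an added example that is not part of the original talk. The contract name `HardenedVault` and the `deposit()` and `transfer()` functions are hypothetical, and the import assumes OpenZeppelin Contracts v5 is installed (v4 ships the same contract under `security/ReentrancyGuard.sol`).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumption: OpenZeppelin Contracts v5 is available to the compiler.
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

// Added illustration; only userBalances and withdrawBalance come from the page.
contract HardenedVault is ReentrancyGuard {
    mapping(address => uint256) private userBalances;

    function deposit() external payable {
        userBalances[msg.sender] += msg.value;
    }

    // Shares state with withdrawBalance(). If the balance were still non-zero
    // during the external call, a callback could move it from here, so this
    // function takes the same guard instead of protecting withdrawBalance() alone.
    function transfer(address to, uint256 amount) external nonReentrant {
        require(userBalances[msg.sender] >= amount, "insufficient balance");
        userBalances[msg.sender] -= amount;
        userBalances[to] += amount;
    }

    function withdrawBalance() external nonReentrant {
        // Checks
        uint256 amountToWithdraw = userBalances[msg.sender];
        require(amountToWithdraw > 0, "nothing to withdraw");
        // Effects: clear the balance before control leaves the contract
        userBalances[msg.sender] = 0;
        // Interactions: the external call comes last
        (bool success, ) = msg.sender.call{value: amountToWithdraw}("");
        require(success, "transfer failed");
    }
}
```

Either measure alone stops the repeated withdrawal shown earlier; using both means a later refactor that reorders statements, or a new function touching `userBalances`, does not silently reopen it.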

Security Recommendations

Project Party Security Recommendations

  1. Follow security best practices in contract development.
  2. Make contracts upgradeable and pausable.
  3. Use time locks.
  4. Increase investment in security and establish a sound security system.
  5. Raise the security awareness of all employees.
  6. Prevent internal malfeasance, strengthening risk control while improving efficiency.
  7. Introduce third parties cautiously and conduct security checks on upstream and downstream parties.

How Can Users Determine If a Smart Contract Is Safe

  1. Is the contract open source?
  2. Does the Owner adopt a decentralized multi-signature?
  3. Check the existing transaction status of the contract.
  4. Is the contract a proxy contract, is it upgradeable, and is there a time lock?
  5. Has the contract been audited by multiple institutions, and does the Owner have excessive permissions?
  6. Pay attention to the security of the oracle.

In short, in the DeFi field, security issues cannot be ignored. Both project parties and users should remain vigilant, take necessary security measures, and work together to maintain the healthy development of the DeFi ecosystem.

Cobo Decentralized Finance Security Course (Part 2): Common Security Vulnerabilities in DeFi and Prevention

BearMarketBuildervip
· 6h ago
Every time one bug is fixed, another one appears. When will this end?
BackrowObservervip
· 6h ago
What good is it if you can't develop? You got hacked again.
NFT_Therapyvip
· 6h ago
The contract is not written securely, the Hacker cannot escape.
PhantomMinervip
· 6h ago
There are too many bugs, how are the suckers dealing with the Hacker?
consensus_whisperervip
· 6h ago
Let's talk about Decentralized Finance security again.
WalletManagervip
· 6h ago
After reviewing the code audit, I feel that even the Cold Wallet backup is not secure enough; the reentrancy vulnerability is too deep!