Report: DeFi Undermined by Centralization, Code Flaws
Security Firm Stresses Importance of Cybersecurity in Crypto Projects
Amid a surge in cryptocurrency investment - particularly across decentralized finance, or DeFi - blockchain experts warn that lax security, including "centralization risks" and other code weaknesses, was a main factor in $1.3 billion in cryptoassets being lost to hacks, exploits and scams in 2021. The losses, according to blockchain security firm CertiK, rose from $500 million in 2020.
In its new report, entitled The State of DeFi Security 2021, CertiK researchers note, however, that because investment grew so quickly, 2021 losses amounted to just 0.05% of crypto's total market capitalization - a 17% decline in that ratio from 2020.
CertiK credits much of the growth in digital currencies to the rise of Binance Smart Chain, whose total value locked, or TVL, grew from $62 million to $21 billion in 2021 - a 31,000% increase, the firm says.
But the rise of DeFi protocols - which do not rely on traditional intermediaries and instead run on peer-to-peer smart contracts across decentralized apps, or DApps - has made the reward for successful exploits even greater, CertiK says. And "increased interoperability," it says, has opened up new attack vectors.
According to DeFi Pulse, which tracks related investments, DeFi had $95 billion in TVL at the time of writing.
Centralization and Other Risks
CertiK researchers, who audited more than 1,700 projects, say the most common vulnerability detected across DeFi protocols was centralization risk, in which a single privileged actor - typically one owner or admin key - controls critical contract functions. CertiK encountered 286 "discrete centralization risks" across the 1,737 audits performed in 2021. It says: "Centralization is antithetical to the ethos of DeFi and poses major security risks. Single points of failure can be exploited by dedicated hackers and malicious insiders alike."
Other common findings included 211 instances of missing event emissions - functions that change "sensitive variables" or trigger "important processes" without emitting an event, leaving users and off-chain monitoring with no signal that the change occurred. CertiK also cites 176 instances of an "unlocked compiler version," a floating Solidity pragma (such as ^0.8.0) that lets different compiler releases build the same source into bytecode other than what was audited.
CertiK also found 104 instances of missing input validation - checks that restrict a function's arguments to a known, expected set of values before the code acts on them.
The firm warned against a reliance on third-party dependencies, which it detected in 102 cases. It writes: "A developer can only control the security of their own code, not that of the external contracts with which theirs interact."
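The code-level findings above - a single privileged key, a sensitive variable changed without an event, a floating compiler pragma and missing input validation - in one place, as an added illustration that is not from the CertiK report or from any audited project. The contract names, the 5% fee cap, the two-day timelock and the multisig address are assumptions made for the example; the weak vault is shown first, the hardened one beside it.

```solidity
// SPDX-License-Identifier: MIT
// "Unlocked compiler version": a floating pragma such as `pragma solidity ^0.8.0;`
// lets any 0.8.x compiler build the contract, so the deployed bytecode can differ
// from what was audited. Pin the exact version the audit was run against.
pragma solidity 0.8.19;

// Illustrative vault (assumed name) carrying the findings: one EOA owner
// (centralization risk), a sensitive variable changed silently, no input validation.
contract VaultWeak {
    address public owner;                         // a single key controls everything
    uint256 public feeBps;                        // withdrawal fee in basis points
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; feeBps = 30; }

    // No bound on `bps` and no event: the owner can set the fee to 10_000 (100%)
    // and silently take every withdrawal, or above it and make withdraw() revert.
    function setFee(uint256 bps) external {
        require(msg.sender == owner, "not owner");
        feeBps = bps;
    }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;
        uint256 fee = (amount * feeBps) / 10_000;
        payable(owner).transfer(fee);
        payable(msg.sender).transfer(amount - fee); // underflow revert if feeBps > 10_000
    }
}

// Hardened version (assumed name): privileged role behind a multisig and a timelock,
// a hard cap on the fee, and an event on every sensitive change so users and
// monitoring tools can react before funds are affected.
contract VaultHardened {
    uint256 public constant MAX_FEE_BPS = 500;    // assumed 5% cap, enforced on-chain
    uint256 public constant TIMELOCK = 2 days;    // assumed delay before a fee applies

    address public immutable multisig;            // assumed multisig, not one EOA
    uint256 public feeBps = 30;
    uint256 public pendingFeeBps;
    uint256 public pendingFeeEta;                 // 0 when no change is queued
    mapping(address => uint256) public balances;

    event FeeChangeQueued(uint256 newFeeBps, uint256 eta);
    event FeeChanged(uint256 oldFeeBps, uint256 newFeeBps);
    event Deposit(address indexed user, uint256 amount);
    event Withdraw(address indexed user, uint256 amount, uint256 fee);

    constructor(address multisig_) {
        require(multisig_ != address(0), "zero multisig");   // input validation
        multisig = multisig_;
    }

    modifier onlyMultisig() {
        require(msg.sender == multisig, "not multisig");
        _;
    }

    // Input validation plus a delay: even the privileged role cannot raise the fee
    // past the cap, nor apply a change before users have had TIMELOCK to withdraw.
    function queueFee(uint256 bps) external onlyMultisig {
        require(bps <= MAX_FEE_BPS, "fee above cap");
        pendingFeeBps = bps;
        pendingFeeEta = block.timestamp + TIMELOCK;
        emit FeeChangeQueued(bps, pendingFeeEta);
    }

    function applyFee() external onlyMultisig {
        require(pendingFeeEta != 0 && block.timestamp >= pendingFeeEta, "timelock");
        uint256 old = feeBps;
        feeBps = pendingFeeBps;
        pendingFeeEta = 0;
        emit FeeChanged(old, feeBps);
    }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit");
        balances[msg.sender] += msg.value;
        emit Deposit(msg.sender, msg.value);
    }

    function withdraw(uint256 amount) external {
        require(amount > 0 && balances[msg.sender] >= amount, "bad amount");
        balances[msg.sender] -= amount;               // effects before interactions
        uint256 fee = (amount * feeBps) / 10_000;     // at most 5% of amount
        (bool ok, ) = multisig.call{value: fee}("");
        require(ok, "fee transfer failed");
        (ok, ) = msg.sender.call{value: amount - fee}("");
        require(ok, "payout failed");
        emit Withdraw(msg.sender, amount, fee);
    }
}
```

The hardened contract does not remove the privileged role - most protocols need one - but it bounds what the role can do, spreads it across several signers, delays its effect, and makes every use of it observable. That combination is what turns a centralization finding from "one key can drain the vault" into a risk users can see and exit ahead of.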
Offering a similar warning on DeFi security, Jennifer Fernick, a governing board member of The Linux Foundation’s Open Source Security Foundation, tells ISMG: "One leaked cryptographic key or a single software flaw could lead to the collapse of entire organizations. I suspect that serious DeFi companies will, over time, more easily understand the intrinsic value of robust cybersecurity than their so-called 'web2' counterparts, mainly because for DeFi, 'code is law,' and there is so much at stake that can vanish in an instant."
Fernick, who is currently the global head of research at cybersecurity consulting firm NCC Group, says she expects to see a potentially unprecedented "market-driven push for higher assurance systems" for DeFi companies.
And Connie Lam, head of CertiK's Incident Response Team, tells ISMG that crypto markets are no doubt widening, and the need for cybersecurity is intensifying. Still, she says, "We're entering a multi-chain world. … The real opportunity [moving forward] lies in efficiently maximizing opportunity across all chains."
'Security: A Foundational Concern'
Noting that Solidity - the dominant language for writing smart contracts that run on the Ethereum Virtual Machine, or EVM - is only seven years old, CertiK states, "Developers are still exploring the possibilities of smart contract code, and there is no better time than these early days to make security a foundational concern and protect users well into the future."
The CertiK report says "hasty forks" - copies of an existing protocol's code redeployed with modifications - along with "unaudited deployments and outright scams" resulted in significant losses. It says that Uranium Finance, a fork of Uniswap deployed on Binance Smart Chain, lost $57 million in user funds due to a single character in its source code.
"Any changes to a platform's code should be reviewed and audited, no matter how small the initial modification is," the CertiK researchers say. "As we've seen, a byte-sized piece of code can have multimillion-dollar ramifications."
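How a single character in a forked AMM can break its core invariant, as a constructed illustration added here - this is not the Uranium Finance code, whose exact defect the article does not describe, and the library, contract and function names are assumptions. Uniswap V2's swap check scales adjusted balances by 1000 (taking a 3/1000 fee) and compares their product against the reserves scaled by 1000**2; a fork that moves to basis-point fees must change every occurrence of that constant together.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.19;

// Constructed example (assumed names) of a one-character constant mismatch in a
// Uniswap V2-style constant-product check. Both sides of the inequality must use
// the same scale; a fork that raises the fee resolution on one side only does not.
library KCheck {
    // Uniswap V2 pattern: balances scaled by 1000, 0.3% fee, reserves scaled by 1000**2.
    function holdsV2(uint256 r0, uint256 r1, uint256 b0, uint256 b1,
                     uint256 in0, uint256 in1) internal pure returns (bool) {
        uint256 adj0 = b0 * 1000 - in0 * 3;
        uint256 adj1 = b1 * 1000 - in1 * 3;
        return adj0 * adj1 >= r0 * r1 * 1000**2;
    }

    // Fork that moved the left side to 10000 (0.16% fee) but left the right side at
    // 1000**2: the one missing zero makes the invariant 100x too lenient.
    function holdsBrokenFork(uint256 r0, uint256 r1, uint256 b0, uint256 b1,
                             uint256 in0, uint256 in1) internal pure returns (bool) {
        uint256 adj0 = b0 * 10000 - in0 * 16;
        uint256 adj1 = b1 * 10000 - in1 * 16;
        return adj0 * adj1 >= r0 * r1 * 1000**2;   // BUG: must be 10000**2
    }

    // Same fork with the constant updated everywhere it appears.
    function holdsFixedFork(uint256 r0, uint256 r1, uint256 b0, uint256 b1,
                            uint256 in0, uint256 in1) internal pure returns (bool) {
        uint256 adj0 = b0 * 10000 - in0 * 16;
        uint256 adj1 = b1 * 10000 - in1 * 16;
        return adj0 * adj1 >= r0 * r1 * 10000**2;
    }
}

// Runs the three checks against one constructed trade: 1 wei of token0 in,
// 98% of token1 reserves out, on a pool holding 1000 of each token.
contract KCheckDemo {
    function drainAccepted() external pure
        returns (bool v2, bool brokenFork, bool fixedFork)
    {
        uint256 r0 = 1000 ether;
        uint256 r1 = 1000 ether;
        uint256 in0 = 1;                  // attacker pays 1 wei of token0
        uint256 out1 = 980 ether;         // and asks for 98% of token1
        uint256 b0 = r0 + in0;            // balances after the trade
        uint256 b1 = r1 - out1;
        v2 = KCheck.holdsV2(r0, r1, b0, b1, in0, 0);
        brokenFork = KCheck.holdsBrokenFork(r0, r1, b0, b1, in0, 0);
        fixedFork = KCheck.holdsFixedFork(r0, r1, b0, b1, in0, 0);
    }
}
```

With these numbers the left side of the broken check comes to roughly 2e6 times r0*r1 while the right side is only 1e6 times r0*r1, so the fork accepts a trade that removes 98% of one reserve for 1 wei; the faithful V2 check and the corrected fork both reject it. The review lesson is the one CertiK draws: a fee or scaling constant that appears on both sides of an invariant has to be diffed as a pair, and a one-character change to it deserves the same audit as a new feature.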
Regulators Watching Closely
Citing a wide-scale increase in crypto adoption, the CertiK researchers also acknowledge that regulators have circled DeFi and the broader cryptocurrency market of late.
In China in 2021, regulators cracked down on cryptocurrency and cryptomining, resulting in an exodus of miners from the Chinese mainland.
In the U.S., under the leadership of new Chair Gary Gensler, the Securities and Exchange Commission has repeatedly signaled potentially broader enforcement of securities laws to govern crypto markets.
On Aug. 3, 2021, Gensler called crypto markets "rife with fraud, scams and abuse," and urged Congress to provide the SEC with additional authority to regulate the markets. Gensler also noted in August that DeFi projects are not immune to regulation - with features that warrant federal oversight (see: SEC to Monitor Illicit Activity on DeFi Platforms).
Outspoken critic Sen. Elizabeth Warren, D-Mass., has also called for comprehensive regulation around cryptocurrencies - citing both security and market risks, including crypto's highly volatile nature.
"Going forward, security will continue to be inextricably tied to the future of DeFi," the CertiK researchers say. "Without meaningful security that protects users and secures platforms, innovation will suffer and interest will die off."
Elsewhere on the regulatory front, Federal Reserve Chair Jerome Powell said on Tuesday before the Senate Banking Committee that the Fed will be issuing its report on cryptocurrencies - including the feasibility of a central bank digital currency, or CBDC - in the coming weeks. Powell appeared for a hearing to be reconfirmed as Fed chair for four years.
Meanwhile, on Capitol Hill, Rep. Tom Emmer, R-Minn., tweeted on Tuesday that he intends to introduce legislation around digital currencies, but did not offer specifics. Last month, Sen. Cynthia Lummis, R-Wyo., a longtime crypto evangelist, announced that she too will introduce a bill that attempts to regulate the cryptocurrency space - including the creation of a self-regulatory body under the jurisdiction of the SEC and its sister agency, the Commodity Futures Trading Commission (see: GOP Senator to Introduce 'Comprehensive' Crypto Regs Bill).
[Update - Jan. 12, 6:15 p.m.]: On Wednesday, Emmer officially introduced a bill that would prohibit the Federal Reserve from issuing a CBDC directly to individuals. In a statement, he said: "Not only would this CBDC model centralize Americans' financial information, leaving it vulnerable to attack, but it could also be used as a surveillance tool. … Requiring users to open up an account at the Fed to access a U.S. CBDC would put the Fed on an insidious path akin to China's digital authoritarianism." The congressman said any CBDC must be accessible, transact on a transparent blockchain, and maintain the privacy elements of cash.