Common Security Vulnerabilities in DeFi and Preventive Measures

Recently, a security expert shared DeFi security knowledge with community members. He reviewed the major security incidents that the Web3 industry has encountered over the past year, discussed the causes of these incidents and how to avoid them, summarized common smart contract security vulnerabilities and preventive measures, and provided some security recommendations.

Common types of DeFi vulnerabilities include flash loans, price manipulation, function permission issues, arbitrary external calls, fallback function issues, business logic vulnerabilities, private key leaks, and reentrancy, among others. This article focuses on three types: flash loans, price manipulation, and reentrancy attacks.

Flash Loan

Flash loans are an innovation in Decentralized Finance, but when exploited by hackers, they can borrow large amounts of funds at no cost to carry out attacks. Common attacks are often accompanied by flash loans, where attackers borrow large amounts of funds to manipulate prices or attack business logic.

Developers need to consider whether the contract's functionality may result in anomalies due to large amounts of funds, or be exploited to interact with multiple functions in a single transaction to obtain improper gains.

Some projects distribute rewards based on holdings at fixed times, but attackers exploit flash loans to purchase a large number of tokens and obtain most of the rewards. Other projects calculate prices through tokens, which can be affected by flash loans. Project teams should be vigilant about these issues.

Price Manipulation

The issue of price manipulation is closely related to flash loans, mainly involving two types:

1. Third-party data is used to calculate prices, but incorrect usage or lack of checks leads to malicious manipulation of prices.

2. Use the number of tokens from certain addresses as a calculation variable, and the token balance of these addresses can be temporarily increased or decreased.

Reentrancy Attack

The main risk of calling external contracts is that they may take over the control flow and make unintended changes to the data. For example:

solidity mapping (address => uint) private userBalances;

function withdrawBalance() public { uint amountToWithdraw = userBalances[msg.sender]; (bool success, ) = msg.sender.call.value(amountToWithdraw)(""); require(success); userBalances[msg.sender] = 0; }

Since the balance is set to 0 only at the end of the function, repeated calls can still successfully withdraw.

Reentrancy attacks are diverse and may involve multiple functions or contracts. To solve reentrancy issues, it is important to pay attention to:

1. Not only prevents reentrancy of a single function
2. Follow the Checks-Effects-Interactions coding pattern
3. Use a verified reentrancy modifier

Mature security practices should be used as much as possible to avoid reinventing the wheel.

Security Recommendations for Project Parties

1. Contract development follows best security practices.

2. Contracts can be upgraded and paused: timely detection and reduction of losses

3. Use Time Lock: Provide time for inspection and response

4. Establish a sound security system: comprehensively avoid risks

5. Raise the security awareness of all employees

6. Prevent internal malfeasance while enhancing efficiency and strengthening risk control.

7. Cautiously introduce third parties: verify the safety of upstream and downstream.

How Users Can Assess the Security of Smart Contracts

1. Is the contract open source?

2. Does the Owner adopt decentralized multi-signature?

3. Check the existing transaction status of the contract

4. Are contracts upgradeable, and is there a time lock?

5. Is it accepted to have multiple institutions conduct audits, and is the Owner's authority too large?

6. Pay attention to the reliability of the oracle.

In summary, security is crucial in the DeFi field. Project parties and users should remain vigilant and take necessary measures to reduce risks.