On the decentralized finance (DeFi): Exploring the potential use cases and security vulnerabilities
1.0 Overview of DeFi
Decentralized finance — often called DeFi — refers to the transition away from traditional, centralized financial institutions and toward peer-to-peer finance, which is possible by decentralized technology based on the Ethereum blockchain. From lending and borrowing platforms to stablecoins and tokenized BTC, the DeFi ecosystem has launched an expansive network of integrated protocols and financial instruments. Decentralized finance has emerged as the most active industry in the blockchain ecosystem, with a wide range of use cases for people, developers, and institutions, with approximately $13 billion worth of wealth locked in Ethereum smart contracts. From decentralized exchanges to lending and insurance platforms, the DeFi ecosystem is flourishing and unlocking a parallel financial system that is setting new standards for access, resilience, and transparency. What has emerged is a vast spectrum of activity: on one end, there are open finance platforms that empower individuals around the world in engaging with new and remodeled financial systems. And on the other, decentralized finance solutions are transforming the approach of traditional institutions by bringing decentralized solutions into play. All in all, decentralized finance projects now range in the thousands, and we’re witnessing the emergence of a whole new wave of global infrastructure for financial activity. Whereas our traditional financial system runs on centralized infrastructure that is managed by central authorities, institutions, and intermediaries, decentralized finance is powered by code that is running on the decentralized infrastructure of the Ethereum blockchain. By deploying immutable smart contracts on Ethereum, DeFi developers can launch financial protocols and platforms that run exactly as programmed and that are available to anyone with an Internet connection. DeFi’s breakthrough is that crypto assets can now be used in ways that fiat or “real world” assets cannot. Decentralized exchanges, synthetic assets, and flash loans are all new concepts that can only be realized on blockchains. This financial infrastructure paradigm shift offers a lot of benefits in terms of risk, trust, and opportunity.
1.1 Some Potential advantages of DeFi
Decentralized finance uses the Ethereum blockchain’s main principles to improve financial security and transparency, open liquidity and development potential, and promote a unified and invariable economic system.
· Programmability. Highly programmable smart contracts automate execution and enable the creation of new financial instruments and digital assets.
· Immutability. Tamper-proof data coordination across a blockchain’s decentralized architecture increases security and auditability.
· Interoperability. Ethereum’s composable software stack ensures that DeFi protocols and applications are built to integrate and complement one another. With DeFi, developers and product teams have the flexibility to build on top of existing protocols, customize interfaces, and integrate third-party applications. For this reason, people often call DeFi protocols “money legos.”
· Transparency. On the public Ethereum blockchain, every transaction is broadcast to and verified by other users on the network (note: Ethereum addresses are encrypted keys that are pseudo-anonymous). This level of transparency around transaction data not only allows for rich data analysis but also ensures that network activity is available to any user. Ethereum and the DeFi protocols running on it are also built with open source code that is available for anyone to view, audit, and build upon.
· Permission-less. Unlike traditional finance, DeFi is defined by its open, permission-less access: anyone with a crypto wallet and an Internet connection, regardless of their geography and often without any minimum amount of funds required, can access DeFi applications built on Ethereum.
· Self-Custody. By using Web3 wallets like MetaMask to interact with permission-less financial applications and protocols, DeFi market participants always keep custody of their assets and control of their personal data.
Before we explore the smart contract vulnerabilities from the perspective of DeFi, we would like to provide an overview about DeFi architecture.
2.0 Defi Architecture
DeFi uses a multi-overlay architecture. Every overlay has its own distinct purpose. In this section we propose a framework for the analysis of these overlays and study the token and the protocol layer in greater detail.
There are five overlays in the DeFi ecosystem which encompasses the followings: settlement, asset, protocol, application and aggregation layers [1].
2.1 The settlement layer: consists of the Blockchain and its native protocol asset. It allows the network to securely store ownership information and ensures that any of the state changes adhere to the network’s rule set. As such, the Blockchain can be seen as the foundation for trustless execution and serves as a settlement and dispute resolution layer.
2.2 The asset layer: consists of all tokens that are issued on top of the settlement layer. This includes the native protocol asset as well as any additional tokens that are based on token standards supported by the Blockchain.
2.3 The protocol layer: provides standards for specific use-cases such as decentralized exchanges, debt markets, derivatives and on-chain asset management. These standards are usually implemented as a set of smart contracts and can be accessed by any user (or DeFi application). As such, these protocols are highly interoperable. We will provide the detail DeFi use cases in the next section.
2.4 The application layer: creates user-oriented applications that connect to individual protocols. The smart contract interaction is usually abstracted by a web browser-based front end, making the protocols easier to use.
2.5 The aggregation layer: is an extension of the application layer. Aggregators create user-centric platforms that connect to several applications and protocols. They usually provide tools to compare and rate and services, allow users to easily perform otherwise complex tasks by connecting to several protocols simultaneously, and finally combine relevant information in a clear and concise manner.
It’s critical to remember that these overlays are hierarchical, meaning they’re only as secure as the layers below them. If the Blockchain in the settlement layer, for example, is compromised, all subsequent levels will be insecure.
Now that we have described a brief explanation of DeFi architecture, now we will take a closer look at potential uses cases or protocols of DeFi, which comprises many applications that are built in the DeFi ecosystem.
3. Potential Use Cases of DeFi
In this section we explain some of the projects pioneering decentralized finance below:
3.1 DEXs
Decentralized exchanges (DEXs) are cryptocurrency exchanges that operate without a central authority, allowing users to transact peer-to-peer and maintain control of their funds. DEXs reduce the risk of price manipulation, as well as hacking and theft, because crypto assets are never in the custody of the exchange itself [4].
DEXs also give token projects access to liquidity that often rivals centralized exchanges and without any listing fees. Just a few years ago, projects would pay millions of dollars to get a token listed on a centralized exchange. Some exchanges implement degrees of decentralization, in which centralized servers might host order books and other features but do not hold users’ private keys. Popular DEXs in the DeFi space currently includes: (AirSwap, Liquality, Mesa, Oasis, Bancor: and Uniswap, Kyber, Bamboo relay, IDEX , Curve Finance).
3.2 Gaming
The composability of DeFi has unlocked opportunities for product developers to build DeFi protocols directly into platforms across a variety of verticals. Ethereum-based games have become a popular use case for decentralized finance because of their built-in economies and innovative incentive models. PoolTogether, for example, is a no-loss audited savings lottery that enables users to purchase digital tickets by depositing the DAI stablecoin, which is then pooled together and lent to the Compound money market protocol to earn interest.
3.3 Identity
Decentralized finance protocols paired with blockchain-based identity systems are an opportunity to help previously locked-out users access a truly global economic system. DeFi solutions can reduce the collateralization requirements for people who do not have extra funds and help assess users’ creditworthiness via attributes around reputation and financial activity, instead of traditional data points such as home ownership and income. The DeFi space prizes data privacy around personal identifying information, as well as open access. Anyone with an Internet connection can access DeFi applications while maintaining control of their data and assets example of decentralized identity include the followings: (Codefi Compliance, SelfKey, Civic, uPort, Bloom, Sovrin, Jolocom)
3.4 Insurance
DeFi is still an emerging space with attendant risks around smart contract bugs and breaches. A number of innovative insurance alternatives have come to market to help users buy coverage and protect their holdings. Solutions like Etherisc, Nexus Mutual, Opyn, ouchForMe etc for example these platforms, provide a Smart Contract cover that protects against unintended uses of smart contract code.
3.5 Stablecoins
A stablecoin is any cryptocurrency that is pegged to a stable asset or basket of assets, such as fiat, gold, or other cryptocurrencies. Stablecoins were originally developed to reduce the volatile prices of cryptocurrency and make blockchains a viable payment solution. They are now implemented across the DeFi space for remittance payments, lending and borrowing platforms, and even institutional use cases like central bank digital currency ((CBDC). Other examples of stablecoins include the followings: DaiCoin, Gemini, StableUnit, Augmint, TrueUSD, Paxos Standard, Ctrix, Synthetix etc)
3.6 Lending and borrowing
Peer-to-peer lending and borrowing protocols are some of the most widely used applications in the DeFi ecosystem. Compound, for example, is an algorithmic, autonomous interest rate protocol that integrates with and underlies a long list of DeFi platforms, including PoolTogether, Argent, and Dharma. By providing interest rate markets on Ethereum, Compound allows users to earn interest on crypto that they’ve supplied to the lending pool. The Compound smart contract automatically matches borrowers and lenders and calculates interest rate based on the ratio of borrowed to supplied assets. Compound is a compelling example of the exponential opportunity of the DeFi space: as more products integrate the Compound protocol, more and more crypto assets will be able to earn interest, even when idle.
3.7 Asset management
You are the custodian of your own crypto assets with DeFi protocols. Crypto wallets such as MetaMask, Gnosis Safe, and Argent make it simple and secure to conduct everything from buying, selling, and transferring cryptocurrency to earning income on your digital assets. In the DeFi space, you own your data: MetaMask, for example, stores your seed phrase, passwords, and private keys in an encrypted format locally on your device so that only you have access to your accounts and data.
3.8 DAOs
A DAO is a decentralized autonomous organization that cooperates according to transparent rules encoded on the Ethereum blockchain, eliminating the need for a centralized, administrative entity. Several popular protocols in the DeFi space, such Maker and Compound, have launched DAOs to fundraise, manage financial operations, and decentralize governance to the community example of DAOs include the followings: (Maker DAO, Aragon, ompound DAO, Compound DAO)
3.9 Derivatives
Ethereum-based smart contracts enable the creation of tokenized derivatives whose value is derived from the performance of an underlying asset and in which counterparty agreements are hardwired in code. DeFi derivatives can represent real-world assets such as fiat currencies, bonds, and commodities, as well as cryptocurrencies typical example of DeFi derivatives such as (UMA, bZx, dYdX, Hegic, Synthetix)
3.10 Data and analytics
Provides the analytical reports based on real-time blockchain data. Reliable, simplified, and actionable data is key to inspire investor confidence and alleviate the risks of engaging with crypto funds, traders, and platforms. Data, analytics, compliance, and risk management for digital assets for example contain the most popular data and analytics DeFi platfoems: (Codefi Data, DeFi Pulse, Etherscan, Bloxy, Maker Governance Dashboard, Uniswap Vision).
3.11 Investment
Many platforms now emerge to provides all-in-one platform for creating, issuing, and managing the lifecycle of digital assets example (Codefi Assets, Allinfra, Set, Securitize, Betoken etc)
3.12 Lending and borrowing
Provides Open source protocol for algorithmic, efficient money markets on Ethereum. A suite of smart contracts and developer tools that make it possible to borrow and lend crypto-assets on blockchains like Ethereum. The followings contains some of the examples of DeFi lending and borrowing platforms (MakerDAO Vaults, Aave, Compound Finance, DDEX, Oasis Borrow, BlockFi).
3.13 Marketplaces
Provides a marketplace for open source development work (Gitcoin, Ethlance , Origin, WeBlock)
3.14 Payments
Codefi Payments, Request Network, Groundhog , OmiseGO, Connext are typical examples decentralized payment protocols in DeFi over ethereum blockchain.
3.15 Prediction markets
Provides Open platform for creating prediction market applications on the Ethereum protocol such as (Augur, Guesser , Gnosis, Prediction Global).
4.0 Smart contract vulnerabilities from the perspective of DeFi architecture
During 2020 to date — there has seen a never-ending run of weekly hacks on DeFi platforms and their smart contract oracles, as well as other flash trade hacks taking advantage of lack-of-security flaws. Nonetheless, the DeFi is still at an early stage, a lot of other security challenges are yet to be identified, we manage to summaries some of the most recent attacks of DeFi.
· February 15, 2020 — bZx lost $350,000 in an attack and $600,000 more in a copycat attack[3].
· Similarly in March, 2020 — On MakerDAO’s Black Thursday, an estimated $9M in funds were lost. Again, this was not so much a hack but a design flaw in the smart contract oracles, which failed to catch a falling knife as the market moved aggressively and collateral positions were over-liquidated.
· Another incidence in April 18, 2020 — The imBTC Uniswap pool lost approximately $300,000 in an attack on its ERC-777 smart contract token standard, which had no reentrancy guard in place. This allowed the hacker to increase his ability to borrow assets on the platform repeatedly. However, this turned out to be the test run.
· In April 19, 2020 — It was probably the team that had been responsible for the imBTC Uniswap hack on the previous day, who took advantage of the same exploit again and drained dForce’s lending protocol LendF.Me of about $25M. This truly highlights the importance of audits and rapid updates, which are standard in general Fintech.
· June 29 — Now it got really ugly. Missing an exploit the day before was one thing, but ignoring several bugs for two months? Not so clever. The Balancer automated market maker protocol was hacked for over $500,000 in a single ETH transaction. The hack was facilitated once again by a dYdX flash loan relying on a feature of STA — a deflationary token — which Balancer’s smart contract didn’t account for, along with another reentrancy guard missing in action.
· September witnessed two attacks were caused by flawed code in the smart contract. On September 14, bZx lost $8.1M (again), due to flaws in the code that audit firms PeckShield and CertiK had failed to pick up. On September 28, Eminence’s smart contract code was hacked and $15M were stolen ($8M were returned). However, this was more of an oracle-level error not accounting for undercollateralized positions.
· October 26 saw the Harvest Finance platform get hacked for $24M. Again, this was more of an arbitrage attack using a flash loan.
· Another incidence arose in 28, May 2021 with Binance Smart Chain Defi Protocol Burgerswap Drained for $7.2M. Burgerswap is a decentralized finance (defi) project that leverages the Binance Smart Chain (BSC). Similar to Sushiswap or Uniswap, the Burgerswap protocol allows users to swap between tokens issued on BSC. Users can also add liquidity and earn the project’s native token dubbed BURGER. “Hackers created their own Fake Coin (non-standard BEP-20 tokens) and formed a new trading pair with BURGER,” Burgerswap. However, Burgerswap is not the first BSC project that’s having issues with flash loan attacks, as hackers have seemingly made a sport of it in recent times. A total of $6 million was stolen from two BSC projects last week, as Belt, finance Pancakebunny and Bogged respectively [5].
· Belt Finance, is a platform that provides automated market making for decentralized finance (DeFi), was hacked in May, 31 2021 in a flash loan attack that resulted in a profit of $6.23 million for the perpetrator and an overall $50 million loss for the platform. It’s the latest attack on a DeFi protocol built on Binance Smart Chain, one of the so-called Ethereum killers that’s built by centralized crypto exchange giant Binance. Belt Finance team highlighted that “said the attacker created a smart contract that used PancakeSwap for flash loans and exploited its beltBUSD pool and its strategy protocols and then proceeded to execute the contract eight times for a total profit of 6.23 million BUSD (US $6.23 million).”
Flash loans are an innovative product of the DeFi ecosystem, but it comes with certain caveats. For example, in the dYdX flash loan controversy, the borrower took out an ether flash loan on dYdX (a lending app). Consequently, Flash loans have been a problem for a number of defi protocols recently between ( 2020- 2021). The specialized exploit has been a common attack in the defi world ever since the defi margin trading protocol Bzx was attacked.
Finally, about 20%~30% of all crypto hacks in 2020–2021 “roughly $100 million, came from ‘decentralized finance’ or DeFi, which are transactions on platforms that facilitate lending outside of banks [2]. Companies and individuals have rushed DeFi products to market that have not gone through formal security verification and validation. DeFi is attracting innovation and attention from the people. The progress is in the right direction, but many challenges still need to be addressed. The security of smart contracts is a massive problem that developers are facing. Auditing and penetration testing is crucial for survival.
Reference:
3. https://consensys.net/blockchain-use-cases/decentralized-finance/
4. https://blog.coinbase.com/a-beginners-guide-to-decentralized-finance-defi-574c68ff43c4
5. https://medium.com/belt-finance/may-29-incident-report-865d20cc46ca
