DeFi Reflections on Hackers and Viruses

In the wake of the current pandemic and other recent events affecting DeFi, we at OpenZeppelin have taken the chance to review the current state of security and risk management in the blockchain space. Over twenty of the leading DeFi project teams for whom we performed security audits have shared with us their experiences. From these conversations we gathered many useful insights related to the impact of COVID-19 and other recent events, including widely reported hacks, exploits and bugs. We’d like to share with you our summary of those insights and implications here.

OpenZeppelin thanks all the project teams who took the time to speak to us recently, many of whom are cited in this article.

Economic volatility is the new reality

The world economy, including the economy of the US, leading European countries, Japan, and China, has benefited from relative stability for almost 20 years. However, for many reasons, stability has been deceptive and the world economy is fragile, as we see in the current pandemic. Political upheavals as well as the ongoing threats of war and climate change further threaten economic stability.

Perhaps an even bigger threat comes from the fragile security of the world’s interconnected computer systems. Computer networks manage critical financial systems, supply chains and infrastructure. Today we take the internet for granted but the truth is that internet-connected critical systems are less than one generation old. As the increased number of security issues of the last few years have shown (Capital One was hacked for 100 million records in 2019) these systems are at high risk. As real as the threat of future human pandemics is the threat of massive internet failures or attacks which could result in catastrophic economic issues.

Many of the DeFi leaders that OpenZeppelin spoke to over the last two months now believe our current situation may only be the start of longer-term economic volatility. Hackers and viruses are just two of the stressors revealing cracks in existing systems. DeFi leaders anticipate that market fluctuations and economic shifts like those we’ve recently observed are likely to occur more frequently in the next decade than they have in the past two decades.

A new reality creates new opportunity

Evolution shows us that when an environment becomes volatile the existing order is shaken. Some things die, some survive, but others thrive. Volatility creates fear for everyone including those in power, but it is a time of opportunity for those who have more to gain than to lose. Opportunity arises as situations and people’s needs change.

The current pandemic has affected a huge number of industries including many financial institutions and services. Even though DeFi recently passed $1B in funds staked, the leaders that OpenZeppelin spoke with believe that DeFi is in its infancy and they acknowledge that it is only covering a small portion of global financial services. For example, while DeFi now provides multiple options for stable currencies (DAI, USDC), lending (Aave, dYdX), collateralized debt (Compound, Dharma, InstaDApp), and other innovative protocols (Gnosis, Augur, PoolTogether) it has not yet fully addressed other traditional financial services such as securities exchange and personal and business insurance.

The good news is that there is work underway in these areas, with many new innovators (such as Opyn). The bad news is that the lack of sufficient DeFi services in some areas today has amounted to a missed opportunity as the incumbent services are being deeply stressed, and therefore exposed, in the current economic crisis. For example, had there been other separate markets to trade stocks more efficiently and at lower trading costs, investors would have welcomed them during recent events. Similarly, many businesses and individuals would have welcomed additional insurance options that could cover them in this time of crisis.

Those we spoke to realize that the DeFi market is a highly interconnected network of smart contracts working together 24/7. This interconnection also means that DeFi is subject to strong network effects. As DeFi expands to a wider range of financial services there will be more opportunity to bring more users and capital to DeFi which will trigger the network effects that can benefit other DeFi service providers as well. Volatility and crises present chances to get users to switch but only if DeFi is stronger and better than centralized systems.

The same is true for blockchain applications and protocols beyond DeFi. The current worldwide pandemic shows that there is a need for a variety of secure remote services, such as medical supply tracking, small business loan systems, unemployment and other government benefit processing, and remote voting. Blockchain solutions can help address these needs. Also, continued volatility will create more opportunity for innovators in these spaces as well, but only if the solutions provided are better than existing systems.

Opportunity favors those who prepare

The first step to establishing DeFi as a safe haven versus centralized financial systems is to make sure that DeFi systems are secure, resilient and robust. That means they must be ready to withstand attacks and hackers, but also external market pressures and high-volume activity spikes that might occur during times of stress. Improvements for scalability, throughput and reliability are all being worked on at the Layer 1 and Layer 2 network level. But the recent hacks and events tied to COVID-19 identified multiple areas for improvement in DeFi systems and also revealed how some teams are already innovating to reduce risk.

During the events that stressed the Ethereum network in March, when a violent price drop drove transaction volume and gas prices up to 40 times their normal values, many projects in DeFi were put to the test. Among those most impacted was MakerDAO, which saw suddenly undercollateralized Vaults being liquidated with zero-value bids before their owners could deposit more collateral. This was ultimately due to the system’s dependence on price oracles that lagged during the Ethereum network congestion, which, once abruptly updated with a much lower price, brought previously healthy Vaults to an undercollateralized position.

While the issue of faithfully and trustlessly incorporating price data–a “real world” number–into a decentralized system is still an open problem in the industry, there are solutions in place today. These include using partially centralized services (Chainlink) or computing the median of several trusted sources. These solutions, however, proved not up to the task when network activity spiked and block space became hard to get. Multiple DeFi systems saw user losses due to slow oracles. Coinbase’s recent announcement of their Price Oracle could provide a solution to this problem.

Recent DeFi hacks (dForce, Uniswap) and other widely reported exploits (bZx) and bugs (Hegic) revealed other issues as well. The ERC-777 reentrancy attacks that compromised dForce and Uniswap were based on a vulnerability reported publicly by ConsenSys Diligence a year prior — OpenZeppelin also provided a proof-of-concept exploit nine months ago. In the case of bZx the issue was dynamic market manipulation enabled by flash loans and a vulnerable price oracle. The Hegic bug was a typo. In all cases this revealed an inability to find and quantify critical risks which could have been resolved by following known best practices. At OpenZeppelin we see these issues as particularly instructional on the need for better security and risk management tools.

Fortunately, the very growth of the DeFi ecosystem means that more varied tools and integrations are also becoming available, including the ability to hedge against some forms of risk. DeFi Saver, for instance, had just integrated with the flash-loans feature from AAVE to allow MakerDAO Vault owners to self-liquidate in an emergency. The sudden spike in flash-loan volume that AAVE saw during the crash is witness to a large number of users who were able to navigate the crisis unscathed.

The tight interconnectedness amongst DeFi projects means that critical feedback loops necessarily arise between them. Protocols need to think ahead and prepare for times where the whole ecosystem is under stress. Enter DeFi Saver again, who resorted to their GasToken reserves in order to operate the system at a reasonable cost–at least for a while–during the crisis. Block space is a scarce resource, and one that can become extremely hard to come by during rapid price fluctuations. Users and projects need to be ready to respond under such circumstances, which will inevitably arise time and again.

Basic preparation is not enough

While building systems to be secure, resilient and robust is critical, we heard from many of those in DeFi that they remain very concerned about the “unknown unknowns.” To address this, multiple teams are looking at further steps to reduce the scope of their unknowns, such as:

  • Improvement in the understanding and execution of security testing to identify known vulnerabilities, and the use of bug bounties and white hat hackers to identify undiscovered system issues before they cause problems
  • Creating security and risk management solutions that ensure that teams are following best practices and identifying and resolving their critical risks
  • Investigating insurance and other risk hedging options which might provide financial coverage in the case of system or user losses incurred from any scenario

But even with all of that, the threat of the unexpected in light of potential worldwide instability remains real. As the author Nassim Nicholas Taleb has written, individuals and organizations who not only withstand stress but also develop additional strength from such events can achieve non-linear growth during volatile times.

Multiple DeFi projects spoke with us about more advanced solutions they are contemplating to make sure they are ready to survive and even capitalize in the times ahead. Among the areas being discussed, and which we are investigating at OpenZeppelin, are:

  • Stress testing. Example: using flash loans or specialized test networks as a means for chaos testing similar to the way Netflix uses Chaos Monkey and other tools
  • Circuit breakers to limit the potential domino effect of issues among interconnected DeFi services. Example: if one DeFi service has a problem the circuit breaker might notify other DeFi systems to trigger defensive actions
  • Implementing anomaly detection systems that can detect failures or issues across interconnected DeFi systems. Example: using advanced log analysis tools and sophisticated statistical analysis such as Hidden Markov Models
  • Performing quantitative risk analysis based on probabilities factoring in the potential for network system issues (gas price spikes, failed upgrades) and even world events (such as further pandemics, government failures, internet attacks) to identify the most critical system risks and the controls to protect against them

In the end, speed is also critical. Learning quickly and the ability to apply learning fast is a means to gain strength from volatility and unexpected events. For example, the fast reaction and the new solutions rolled out by the MakerDAO team after the COVID-19 events in March exhibited qualities that can pay off if that speed and adaptability can be maintained.

What’s next

At OpenZeppelin, our mission is to protect the open economy so we are taking these insights to heart and working to do our part. In the coming months we will announce new products and services tied directly to the insights mentioned in this article. We are also thinking about how to make ourselves more robust and resilient, and to make sure we have “skin in the game” to keep us aligned with our customers. We remain optimistic that all of us working together can grow and even accelerate DeFi and the adoption of open economies while existing financial systems struggle to adapt rapidly enough to our changing world.

About OpenZeppelin

OpenZeppelin is a leading cybersecurity company providing security audits and developer tools for decentralized systems that power multimillion dollar networks. With a mission to protect the open economy, OpenZeppelin partners with leading organizations to help them manage and reduce the risk associated with deploying and running decentralized systems.

For more information, visit openzeppelin.com.

If you are building a project of your own and would like to request a security audit, please do so here.