DMEX joined forces with CertiK and held an AMA: Leave no stone unturned when it comes to DeFi contract security

DMEX
Mar 27, 2021

The highly popular DeFi sector has created tremendous wealth for numerous people. However, in recent months there have been several incidents in which hackers found vulnerabilities in the victim projects’ smart contracts. When the hackers launched their attacks, the token value was instantly reduced to zero, bringing huge losses to both the project teams and the investors. Such events have also negatively affected several major crypto exchanges. Therefore, it is safe to conclude that if any DeFi project aims to develop safely and sustainably, it is absolutely necessary for the project team to audit its smart contract code.

Although decentralization and smart contracts have been trending for months, people are still most concerned about security issues. As a decentralized mining power financial service platform, DMEX has always paid great attention to asset security. DMEX has a strict risk management mechanism. At the moment, DMEX is under security audit by the internationally recognized auditing firm CertiK.

In order to help more people profit from DeFi projects and avoid scams, on the evening of March 24, DMEX invited Candice, the marketing director of CertiK, to join the DMEX Chinese community and share her knowledge on DeFi contract security with DMEX fans.

The following content is the transcript of the AMA live broadcast.

Moderator: DeFi has been under attack from numerous hacking activities. How can we prevent such DeFi security risks from emerging?

Candice: Let me first briefly introduce the background of CertiK. CertiK is a blockchain company co-founded in 2017 by Professor Zhong Shao, Chair of Yale University’s Department of Computer Science, and Professor Ronghui Gu, Assistant Professor of Columbia University’s Department of Computer Science. CertiK aims to provide complete code security solutions for smart contracts, blockchain applications, and protocols through formal verification technology. CertiK provides a wide range of valuable services including security audit, penetration testing, platform customization, security oracle, fast scanning, and decentralized insurance platform, etc. We have provided audit services for over 220 projects worldwide. Our clients include Huobi, OKEx, Ethereum, Binance, and AAVE.

The causes of DeFi security leaks can vary widely. Thus an in-depth analysis is required before a correct remedy can be prescribed. With years of experience in the blockchain security industry, CertiK believes that DeFi hacking risks originate not only from outside attackers but also from the projects’ internal operations. Therefore, preventing DeFi security incidents requires the combined efforts of the DeFi community, the DeFi project team, and the auditors. The current DeFi market environment is characterized by numerous newly-emerging DeFi projects of varying quality and with different security concerns. Common causes of DeFi security incidents include code logic vulnerability (double-entry, integer overflow, etc.), transaction mechanism vulnerability (front-running trading, etc.), financial model vulnerabilities, and excessive centralized authority issues. For the first three issues, it is the responsibility of the DeFi project team and auditor to ensure the security of the DeFi project. For all security vulnerabilities that may occur within the scopes of the first three issues, the DeFi project team must carefully implement the project code, while the auditor uses a variety of advanced program analysis techniques to rigorously audit the project code. Ultimately, both parties work together to secure the project and collaborate to complete the audit report and present it to the DeFi community.

The DeFi community also plays an important role in preventing DeFi security incidents by acting as the scrutinizer for DeFi project teams and auditors. The DeFi community should access the project audit reports to understand whether the project has code logic vulnerabilities, transaction mechanism vulnerabilities, and financial model vulnerabilities. At the same time, the DeFi community can monitor the project for excessive centralized authority. The DeFi community has the right to actively vote on the necessary centralized authority in the project through DAO community governance. Subsequently, the community can provide feedback to the auditors on potentially problematic project behaviors. We believe that the joint efforts of the DeFi community, DeFi project teams, and the auditors will create a safer DeFi market environment and prevent future DeFi security incidents.

CertiK also recommends: complete security = security audit + real-time monitor and detection + asset protection

CertiK Audit Service + CertiK Security Oracle + Skynet + CertiKShield Decentralized Asset Protection Plan

CertiK’s range of security services and tools is designed to cover the asset security needs of both projects and users.

For investors, before committing to a project, it would be wise to compare and measure the security strength of a project before making investment considerations.

Moderator: How do you determine if there are vulnerabilities in the project code?

Candice: For DeFi projects, there are multiple definitions of vulnerabilities. The main criterion is whether the investor or project owner will lose money. From this point of view, our method of determining vulnerability is to use program analysis techniques to determine whether the project fund is at risk for theft. Current program analysis techniques for project vulnerability analysis can be categorized into static methods, fuzz tests, and formal verification. For us, what we want to know is whether the ‘loss of investor’s or project team’s funds’ can be proven programmatically and whether this ‘loss of investor’s or project team’s funds’ needs to be converted into a program specification adapted to the particular program analysis technique. This ‘loss of investor’s or project team’s funds’ needs to be translated into procedural specifications adapted to the particular procedural analysis technique in order to be understood and analyzed by that procedural analysis technique.

Therefore, from a technical point of view, determining whether a project code has vulnerabilities requires two key steps.

The first step is to convert the definition of a vulnerability into an appropriate program specification.

The second step is to apply the program specification to a suitable program analysis technique for verification.

On the other hand, from a non-technical perspective, one can learn whether a project has a security vulnerability from the audit report issued by the auditor. Each finding in the audit report is in fact a concrete demonstration of the results of checking for vulnerabilities from a technical perspective. When the vulnerability program specification is verified using appropriate program analysis techniques, the result of the verification is a description that cannot be read and comprehended directly. Subsequently, the audit report converts the results of the validation into a description of the vulnerability problem that we can read and understand. Therefore, from a non-technical point of view, the audit report is one of the fundamental tools for determining whether the project code has vulnerabilities. In fact, we have made many audit reports publicly available. I believe other companies’ audit reports are also open to public access. I’d recommend you check them out.

Moderator: Once a project has participated in a code security audit and obtained the audit report, is said project completely safe? Why are there still numerous projects at risk after the audit?

Candice: From the security incident data in recent years, auditing alone might not guarantee absolute security. Last year, I saw numerous new articles that started with titles and sentences such as, yet another project has suffered so-and-so attack and they had previously been audited by a so-and-so security agency. Here comes a fact that I would like to explain to you: auditing alone does not automatically guarantee 100% security. When a project is uploaded to the chain and starts interacting with the chain, it will constantly change minute by minute. Now one might ask, in that case, isn’t a static audit useless? In fact, if you choose to question auditing services in this way, your question is actually similar to: If you are going to get your hands dirty anyway, why don’t you just stop washing your hands altogether? You can feel the slippery slope logic for yourself.

What is the probability that the project will still get attacked after the audit? First, let’s look at a set of data: CertiK selected three publicly available audit information security companies for data collection. We analyzed 377 audited projects (including repeated audit projects), of which 8 projects were audited at least once yet still suffered from hacking attacks. In other words, despite being audited, there is still about a 2% probability that the project will be attacked. Of course, the probability and risk for a hacking attack are even higher for projects that are not audited, especially when fraud and malicious backdoors are involved on the project team’s side. Such backdoors will never get past the auditors. This is exactly the reason why these dodgy projects choose to bypass the auditing process to serve their own agendas.

CertiK has therefore developed a complete security solution: the CertiK Audit Service + CertiK Security Predictor + Skynet + CertiKShield Decentralized Asset Protection Plan that I mentioned to you earlier.

Moderator: How long does a contract audit usually take? Are there a lot of contract audits going on right now?

Candice: The time required for a contract audit is determined by the complexity of the contract. The simplest ERC20 Token contracts can be completed within one day. Complex projects could take more than 3 weeks. Currently, for blockchain participants, the security issue is becoming increasingly important. Many project teams consider security as the cornerstone of their projects’ long-term development. The number of contract audits is bound to rise rapidly. At present, CertiK’s audit schedule is full. However, our project schedule is constantly being updated, so if you have any need in this area, please follow CertiK’s official WeChat account for the most updated information.

Moderator: Many of the un-audited projects typically have very high APY. Are these projects riskier?

Candice: For your statement that “many un-audited projects typically have very high return”, there is a common misconception that mining projects only have high returns when there is little money involved at the beginning stage. As more users and money flow to the platform, the returns (APY) will naturally come down. For projects that are not audited, only a few users dare to participate. Therefore the returns will naturally appear to be higher. Of course, we can’t rule out the possibility that the project team might choose to provide a false APY on the website to attract more users.

The CertiK security team did a survey at the end of last year. We used the CertiK Skynet system to monitor and analyze the token smart contracts newly added to a particular platform from 0:00 to 24:00 that day. During the time period analyzed, a total of 29 smart contract token projects were generated. Among them, a total of 16 smart contracts were actually found to have vulnerabilities or flaws. This is indeed an authentic number obtained by our security team. 55% of the smart contract projects have more or fewer vulnerabilities or defects, of which about 10% have serious vulnerabilities. Overall, 45% of the projects have flaws of having too much developer privilege and too much power centralization. This number is somewhat appalling.

In addition to the risk of project codes themselves, there is also the risk of fraud intentionally committed by the project team. Some project developers intentionally write the code with vulnerabilities. Therefore, we highly recommend that users always do their own research. Users should take some time to check the contract code, analyze the project’s funding sources, or review the website domain-related information, etc. In our official WeChat account, there is an article titled ‘10 Hardcore Guidelines to Avoid Project Fraud’. This article explains in detail the core guidelines to detect project fraud and how to prevent asset loss. I highly recommend this article.

Moderator: This is a very good question from our fans. First DMEX passed the audit of Chengdu Beosin Security, and now we have CertiK for a second audit. This shows that DMEX is placing great emphasis on security issues.

Candice: Yes! If the project you’re interested in quickly produces a certified audit report, you can trust that at least it’s genuinely looking for long-term growth.

Moderator: Here’s another question from the DMEX fan community: is there any possibility that a smart contract might leave a back door where funds can be withdrawn in secret?

Candice: This is actually a very valuable question. I’ve seen people asking the same question in our community. In fact, CertiK has been publishing analysis articles regarding this issue on our own media platforms, including our official WeChat account and Jinse Financial News. I can give you two relatively new case studies:

https://twitter.com/certikorg/status/1373469189583867904

https://twitter.com/certikorg/status/1373445038936559618

Our security experts published the backdoor code in the contract to give the community a warning before the project team attempted to run away with users’ money.

Moderator: Many DAPPs have been hijacked by DNS recently. As users, what do we need to do in our daily operations to prevent the loss of funds due to similar events?

Candice: When the project website is hijacked by DNS, the users who intended to go to the original website will be redirected to a highly similar website faked by the hackers and planted with malicious code. The hacker wants to steal the user’s money or account information. The hacker needs to persuade the users to enter the mnemonic phrase and private key. CertiK would like to give everyone two suggestions here.

1. Most DAPPs do not require users to enter their mnemonic phrases and private keys. Users typically interact with the DAPP through Metamask or other third-party wallets. Don’t enter your mnemonic or private key into the DAPP website when you have any doubt at all! When the DAPP asks for input, you should be alert and consult with the official customer service. This is the fastest and most convenient way to counter a DNS attack.

2. The transaction amounts and addresses displayed on the hacked website will not match the actual transactions. Therefore, if you are using a hardware wallet, make sure to confirm your receiving address and transaction amount on the hardware wallet’s screen when you make a transaction.

Moderator: If the smart contract assets are stolen or if there is an unexpected attack, can you guarantee minimal or even zero loss for users’ assets? Is there any security measure?

Candice: For investments in smart contract projects, investors can prepare in two aspects, namely, preventive measures and salvage measures. From a preventive point of view, investors must do their own research, especially for projects with too many backdoors or too much centralized authority. From a salvage perspective, investors should have the basic skills to revoke their wallet authorization to the project or retrieve the funds invested in the project at any time. For example, if the project team takes down the website and does not allow anyone to retrieve the invested funds from the website, investors should understand how to retrieve the funds by interacting directly with the smart contract. CertiK is in the process of developing a collection of essential tips for investors. These tips will be shared on CertiK’s social media outlets when they are ready for publishing. Please feel free to discuss and share your experiences. Of course, there is another option, which is to purchase our CertiK Shield insurance plan. Our Shield service team can help you to claim your assets and minimize the losses.

Moderator: Is an open-source contract riskier than a contract that is closed source?

Candice: First of all, an open-source contract is definitely more secure. It will make it easier for community users with a background in contract security to check the code themselves. These users might well become the first people to find some of the project vulnerabilities and inform the project team. Open-source contracts are also convenient for the community to monitor the project team’s behavior and prevent the project team from adding malicious code to the smart contract. For example, as you all know, our public chain CertiK Chain was officially launched at the end of October last year. Most of the CertiK Chain ecosystem, including the Chain itself, is completely open-source. This also conveys our trust and confidence in CertiK, CertiK Chain, and CertiK community users and developers.

Moderator: How do you guarantee the encryption and decryption of the data and the security of the data?

Candice: We are not talking about any specific target, so here is a broader answer:

1. Understand cryptography-related concepts, and have the ability to choose the right cryptographic algorithm for the scenario.

2. Generate encryption keys correctly, and choose secure encryption algorithms and hashing algorithms.

3. Ensure that data is stored securely and locally not only by the user but also on the server side.

4. Use secure channels (e.g. HTTPS, WSS) for data transfer.

Moderator: Thank you very much to Candice, who is now working remotely from the US. The above questions are selected from the DMEX fan community. We hope that this AMA has informed you about blockchain security. DMEX Chinese community will continue to provide more professional knowledge to help you find the most valuable project. Let’s grow together with DMEX!

Contact us:

Official website: dmex.finance

Telegram: DMEX Chat

Twitter: @DMEX_finance

Medium: dmex.medium

Discord: dmex-finance


DMEX is a decentralized mining power financial service platform utilizing DAO and smart contract to provide innovative DeFi and NFT products.