The DeFi Attack Vectors No One is Talking About - & What You Can Do About Them
DeFi is awesome. It extends decentralized blockchain architecture beyond basic functions of asset storage and transfer, and empowers users to fully manage and invest their capital without ever relying on a trusted third party.
But does decentralization imply comprehensive security? The short answer is no, but read on for the full answer below - it might just save you from a gut-wrenching catastrophe.
Here’s the capital-T truth: there’s no hardware wallet, cryptographic standard, or intelligent password manager that is capable of protecting you from a run-of-the-mill phishing attack. And by the way, phishing attacks account for virtually 100% of successful retail hacks in the crypto space today.
We all know what DeFi was meant to be: trustless, decentralized finance - all on-chain. An elegant blockchain solution tailored to the domains of borrowing, lending, insurance, and derivatives, to name a few.
But DeFi does not operate independently from the rest of the internet; a host of websites, third-party applications, and browsers all play a role in the landscape of the modern-day internet - the same one DeFi applications rely and run on.
It really begs the question:
How are we supposed to build a Web3 ecosystem while depending on Web2 infrastructure?
To be fair, it’s not easy nor even straightforward for development teams to comply resolutely with the principles of blockchain and the Web3 movement. And truthfully, most teams aren’t interested; users ultimately prioritize ease and reliability, and either disregard or don’t understand the imperative of safe practices.
Those practices though - best termed operational security (opsec) - make up half the battle.
Imagine your opsec practices as a physical safe: it might be impossible to penetrate by physical means. However, if any average thief gains access to the owner and earns his trust, the contents of the safe would only be a single, five-dollar-wrench-attack away from being compromised.
In other words, it is not merely the security provided by the safe that protects the individual’s assets, but the way in which the individual accesses and interacts with the safe.
Returning to crypto, between the focus placed on hardware wallets and cybersecurity (cybersec) nowadays, systems are extremely difficult to penetrate as long as they are updated and configured properly. For this reason, much like the average thief attempting to penetrate a physical safe, hackers largely resort to deceiving users via low-cost phishing attacks as the most reliable and successful vector for hacks.
So while you’re considering how to protect your wealth in the digital age, it may worthwhile to ask yourself:
Although development teams may be doing quite a lot to protect user funds, what are they doing to protect users themselves from phishing vectors?
The reality: not much. Here’s why:
Opsec does not hold much weight in the crypto space, and projects will not receive significant praise or attention for allocating developer resources to address them.
It is far easier to disregard phishing-related concerns and defer responsibility to users.
Before we proceed further, it’s important to recognize that anyone who has lost their life savings in a coin named after a vegetable is more likely to benefit from a course in financial risk management, which should be addressed either prior or in parallel to risks concerning operational security.
Now, what are the main risks you are exposed to?
First and foremost, you need an internet connection to broadcast transactions. Like many others, you may believe DeFi platforms protect you from being surveilled when you trade. And like many others, you’d be wrong.
By virtue of using an internet connection, your ISP will always reveal which transactions you performed. And while we’re on the topic, VPNs are not an adequate solution; they are basically ISPs, and they can and do track your internet activity.
If you want to go the distance with your internet access, setting up your own VPN through a VPS owned by you is the best course to take. For more information on self-hosted VPN VPS, have a read here.
Beyond internet connection, almost all other risks (IP and personal info leaks, for instance) can be mitigated by a mindful site owner. The only question is, should site owners bear the responsibility to protect the user?
To me, it’s not difficult to settle the score. Given that a significant user demographic is helpless and plays no role in a leak where a site owner behaves irresponsibly, it is definitely on site owners to go the extra mile and create a more secure user experience.
It is for that reason that I am going the extra mile on my end by proposing an open standard that consists of a few simple and critical measures which development teams can adhere to in order to protect and support users without detaching from what the blockchain ethos is (or at least, should be) about.
I call it PriFi Compliance:
1) Use an anonymous or self-hosted server provider and domain name registrar.
Doing so allows for protection of user identities without KYC, makes it impossible for attackers to access personal information if there is a server breach, eliminates the option for hackers to attempt accessing personal data, and makes it infeasible for companies to threaten doxxing for authority compliance. Without endorsing, at Offshift we use njal.la.
2) Host your codebase on a decentralized repo.
With Web3’s decentralized ethos, it’s more than a bit ironic that many teams rely on GitHub for codebase hosting. GitHub is a poor choice for a number of reasons- one of the biggest being that it is centralized and its code isn’t public, meaning it could include backdoors, tracking systems, and data collecting snippets. Additionally, if GitHub has an outage, everyone’s codebase goes down. There are hacking risks across multiple servers here too. Finally, GitHub has a history of banning developers from various regions under political pressure.
3) Use IPFS for website hosting.
As every dev knows, websites have a DNS record, which converts a hostname into an IP address. When a DNS hijack occurs, an attacker gains access to a site’s DNS record and changes the IP address it points to - usually to a look-alike domain phishing site. This was the case in the Cream Finance and PancakeSwap DNS hacks, which asked users for wallet seed phrases or private keys.
The solution to this, and what Offshift will use for our Shifting dApp, is to host with a decentralized solution like IPFS (InterPlanetary File System). Here’s some helpful IPFS documentation to get started.
4) Use CLI scripting when possible.
Almost any website visit logs information– an IP address at a minimum. If you want to see an example played out in MetaMask, go to
Download State Logs to see every site you’ve ever interacted with via Metamask and what you did on the site.
We believe that users shouldn’t have to go through a website - if they don’t want to - to interact with decentralized protocols, which is why the scripts in our GitLab’s Ethereum Directory and Moonbeam Directory allow you to use our Shifting dApp from command line interface (CLI) without using a browser, or even without a PC by using a VPS or virtual machine.
5) Submit a proof of ownership on-chain at regular intervals.
To prove that teams still own the master keys and haven’t received any warrants, it’s important to provide regular ownership updates on-chain.
Here’s an example of what that should look like on testnet. Click here, scroll down to
Click to see more and under the
Input Data field, click
View As and select
UTF-8. There you’ll see the following message:
As of 1618945181.1148486 no warrants have ever been served to offshift, No searches or seizures of any kind have ever been performed on offshift. offshift has never disclosed any user communications to any third party.
This is an example of a periodic on-chain attestation on an address known to be held by the team. It’s an important way to communicate with your users and community, and to establish and maintain proof that your team is still in the driver’s seat.
Have questions, tips, or general disgruntled remarks about opsec? Send them my way on the Offshift Discord - I’m anonymous, but friendly.
Offshift is leading private decentralized finance (PriFi) with the world’s first Private Derivatives Platform. It leverages zero-knowledge (zk) proofs and sources reliable, real-time price feeds from Chainlink’s decentralized oracle network to enable users to mint zkAssets, an unprecedented line of fully private synthetics. Offshift’s mostly anonymous team has developed a trusted reputation for their thorough privacy research, development and execution.
To learn more and get involved, visit the links below: