A New DeFi Security Paradigm
Security is an existential problem for the sector that needs to be resolved
This was first published as a Twitter thread.
DeFi is entering an entirely new security paradigm: simply put, security measures are going from reactive to proactive. Here are the emerging trends and projects.
Zooming out, security remains one of the primary bottlenecks for crypto adoptions, particularly in DeFi. A survey earlier this year found it to be one of the primary reasons people don’t invest.
And just over the past 8 months, approximately $2b was lost in hacks. Notable events were Ronin ($616m), Poly Network ($602m), and Wormhole ($326m).
Attacks are becoming more sophisticated, not only exploiting bugs in code but even broader protocol design.
Here’s a high-level and non-exhaustive overview of the current main attack vectors in crypto.
Importantly, as the industry grows, it becomes a bigger and bigger target for hacks. North Korea is likely using state resources to architect these attacks, and only more sophisticated actors should be expected to look at the space.
The current security landscape is quite reactive and passes considerable risk to protocol users.
Projects often audit their contracts and place a few bug bounties. If an attack occurs, they “react” by addressing the exploit and possibly compensating victims.
Every project I speak with complains about the expense and length of audits. There are often wait periods lasting multiple months, and the expense is considerable. Even then, there’s no guarantee that a hack won’t occur, as seen with multiple projects like Audius.
Finally, <1% of TVL in DeFi is insured, making the problem much worse. This not only makes retail afraid to participate on-chain, but almost becomes a non-starter for non-crypto institutions to enter the space.
Considering the above, more proactive, scalable security tooling seems like a necessity for DeFi and crypto more broadly.
While early, two types of projects excite me:
- Automated bug engines – instead of relying on bug bounties or smart contracts, OS libraries like Echidna and engines from white hat hacker DAOs like pwnednomore seem to be addressing a pretty clear need: constantly and cheaply identifying bugs throughout the dev process.
- Better testing – simulation-based testing from projects like Tenderly places far greater stress on a protocol vs. deploying on a testnet to identify potential bugs, attack vectors, etc. before deploying on mainnet.
Unlike web2, failures in crypto don’t result in the loss of somewhat inconsequential personal data, but rather millions of dollars that can’t be recovered. It could be someone’s last straw, leading them to give up on crypto.
Better security isn’t a trend but an existential problem for the sector that needs to be resolved.
**
Originally published on Twitter on August 31, 2022
DisclaimerAll information contained herein is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. You should consult your own advisers as to legal, business, tax, and other related matters concerning any investment. None of the opinions or positions provided herein are intended to be treated as legal advice or to create an attorney-client relationship. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by Variant. While taken from sources believed to be reliable, Variant has not independently verified such information. Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by Variant, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Variant (excluding investments for which the issuer has not provided permission for Variant to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://variant.fund/portfolio. Variant makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This post reflects the current opinions of the authors and is not made on behalf of Variant or its Clients and does not necessarily reflect the opinions of Variant, its General Partners, its affiliates, advisors or individuals associated with Variant. The opinions reflected herein are subject to change without being updated. All liability with respect to actions taken or not taken based on the contents of the information contained herein are hereby expressly disclaimed. The content of this post is provided "as is;" no representations are made that the content is error-free.