OKX Web3, BlockSec: @All whales DeFi world hedging strategy

Introduction

OKX Web3 Wallet has specially planned the "Security Special Issue" column to provide special answers to different types of on-chain security issues. Through the most real cases happening around users, together with experts or institutions in the security field, dual sharing and answers from different perspectives, we will sort out and summarize the rules of safe transactions from the shallow to the deep, aiming to strengthen user security education while helping users learn to protect their private keys and wallet assets from themselves.

The biggest charm of the DeFi world is that everyone has the potential to become a "whale"

But even "whales" cannot be arrogant. Although they eat meat, they also have times when they are "beaten"

So, when playing on the chain, safety comes first

Otherwise, you have to "start from scratch" again~

This issue is the 05th issue of the Security Special Issue. We specially invite blockchain security pioneer BlockSec and the OKX Web3 Wallet Security Team to share a DeFi hedging strategy from the perspective of a practical guide for all users and project parties who are about to become or have become "whales". For example, how to read the audit report, the common indicators and parameters for preliminary assessment of DeFi project risks, how to build monitoring perception capabilities for project parties or whale users, DeFi security protection rules, etc. Don't miss it!

BlockSecSecurity Team:BlockSec is the world's leading "full-stack" blockchain security service provider. The company has currently served more than 300 customers, including MetaMask, Compound, Uniswap Foundation, Forta, PancakeSwap, Puffer and other well-known project parties, and has recovered more than 20 million US dollars in capital losses through white hat rescue.

BlockSec's CEO & Co-Founder Zhou Yajin is a professor of computer science at Zhejiang University and the world's most influential scholar selected by Aminer. He has published more than 50 top papers and received more than 10,000 citations. CTO & Co-Founder Wu Lei is a professor of computer science at Zhejiang University and the former co-founder of Paidun. He led the team to discover dozens of zero-day vulnerabilities in many well-known projects. Product Director Raymond was responsible for security products at Tencent and 360.

OKX Web3 Wallet Security Team:Hello everyone, I am very happy to be able to share this. The OKX Web3 Security team is mainly responsible for the construction of various security capabilities of OKX in the Web3 field, such as smart contract security audits, wallet security capability construction, on-chain project security monitoring, etc., providing users with multiple protection services such as product security, capital security, and transaction security, and contributing to the maintenance of the entire blockchain security ecosystem.

Q1: Share several real DeFi risk cases encountered by users

BlockSecsecurity team:DeFi has attracted many big players to participate because of the relatively stable high returns it brings to assets. In order to improve liquidity, many project parties will also actively invite big players to settle in. For example, we often see news reports that some big players deposit huge assets into DeFi. Of course, when these whales participate in DeFi projects, in addition to obtaining stable returns, they also face some risks. Next, we share some DeFi risk cases disclosed by the industry:

Case 1: In the PolyNetwork security incident in 2022, a total of more than $600 million in assets were attacked. It is rumored that Shenyu also had $100 million in it. Although the attacker later paid the money and the incident was successfully resolved, Shenyu also announced that it would build a monument on the chain to commemorate the incident, but I guess this process was very painful. Although a small number of security incidents have achieved good results, most security incidents are not so lucky.

Case 2: The well-known DEX SushiSwap was attacked in 2023, and the big player 0xSifu lost more than 3.3 million US dollars. His loss alone accounted for about 90% of the total loss.

Case 3: In the Prisma security incident in March this year, the total loss was 14 million US dollars. These losses came from 17 wallet addresses, with an average loss of 820,000 US dollars per wallet, but the losses of 4 users accounted for 80%. Most of these stolen assets have not been recovered.

In the final analysis, DeFi, especially the mainnet DeFi, because the Gas Fee cannot be ignored, only when the assets reach a certain scale can they really get benefits (except for airdrop rewards). Therefore, the main TVL of DeFi projects is generally contributed by giant whales, and even in some projects, 2% of the giant whales contribute 80% of the TVL. When a security incident occurs, these giant whales will inevitably bear most of the losses. "We can't just watch the whales eat meat, they also get beaten up."

OKX Web3 Wallet Security Team:With the prosperity and development of the on-chain world, the number of DeFi risk cases encountered by users is also increasing day by day. On-chain security is always the most basic and important need of users.

Case 1: PlayDapp privileged account private key leakage incident. From February 9 to 12, 2024, the Ethereum-based PlayDapp game platform was attacked due to private key leakage. The attacker minted and stole 1.79 billion PLA tokens without authorization, resulting in a loss of approximately US$32.35 million. The attacker added a new minter to the PLA token, minted a large amount of PLA, and dispersed it to multiple on-chain addresses and exchanges.

Case 2: Hedgey Finance attack incident. On April 19, 2024, Hedgey Finance suffered a major security vulnerability on Ethereum and Arbitrum, resulting in a loss of approximately US$44.7 million. Attackers exploit the lack of user input validation in contracts to gain authorization to vulnerable contracts, thereby stealing assets from contracts.

Q2: Can you summarize the main types of risks in the currentDeFi field?

OKX Web3Wallet Security Team: Combining real cases, we have sorted out the four common types of risks in the current DeFi field

The first type: phishing attacks. Phishing attacks are a common type of cyberattack that tricks victims into providing sensitive information such as private keys, passwords, or other personal data by disguising as legitimate entities or individuals. In the DeFi field, phishing attacks are usually carried out in the following ways:

1) Fake websites: Attackers create phishing websites similar to real DeFi projects to trick users into signing authorization or transfer transactions.

2) Social engineering attacks: On Twitter, attackers use high-imitation accounts or hijack project Twitter or Discord accounts to post fake promotional activities or airdrop information (actually phishing links) to carry out phishing attacks on users.

3) Malicious smart contracts: Attackers publish seemingly attractive smart contracts or DeFi projects to trick users into authorizing their access rights, thereby stealing funds.

Second category: Rugpull. Rugpull is a scam unique to the DeFi field, which refers to the project developers suddenly withdrawing funds and disappearing after attracting a large amount of investment, resulting in all investors' funds being swept away. Rugpull usually occurs in decentralized exchanges (DEX) and liquidity mining projects. The main manifestations include:

1) Liquidity withdrawal: Developers provide a large amount of liquidity in the liquidity pool to attract user investment, and then suddenly withdraw all liquidity, causing the token price to plummet and investors to suffer heavy losses.

2) Forged projects: Developers create a seemingly legitimate DeFi project and lure users to invest through false promises and high returns, but in fact there are no actual products or services.

3) Change contract permissions: Developers use backdoors or permissions in smart contracts to change the rules of the contract or withdraw funds at any time.

Third category: Smart contract vulnerabilities. Smart contracts are automatically executed codes that run on the blockchain and cannot be changed once deployed. If there are vulnerabilities in smart contracts, it will lead to serious security issues. Common smart contract vulnerabilities include:

1) Reentrancy vulnerability: The attacker repeatedly calls the vulnerable contract before the last call is completed, causing problems in the internal state of the contract.

2) Logical error: Logical errors in the design or implementation of the contract lead to unexpected behavior or vulnerabilities.

3) Integer overflow: The contract does not correctly handle integer operations, resulting in overflow or underflow.

4) Price manipulation: The attacker implements the attack by manipulating the oracle price.

5) Precision loss: Calculation errors due to floating point or integer precision problems.

6) Lack of input validation: User input is not fully validated, leading to potential security issues.

The fourth category: governance risk. Governance risk involves the core decision-making and control mechanisms of the project. If it is maliciously exploited, it may cause the project to deviate from its intended goals and even lead to serious economic losses and a crisis of trust. Common types of risks include:

1) Private key leakage

Privileged accounts of some DeFi projects are controlled by EOA (Externally Owned Accounts) or multi-signature wallets. If these private keys are leaked or stolen, attackers can manipulate contracts or funds at will.

2) Governance attack

Although some DeFi projects have adopted decentralized governance solutions, the following risks still exist:

· Borrowing governance tokens: attackers manipulate voting results in a short period of time by borrowing a large number of governance tokens.

· Control of majority voting rights: If governance tokens are highly concentrated in the hands of a few people, these people can control the decision-making of the entire project by concentrating voting rights.

Q3: What dimensions or parameters can be used to preliminarily evaluate the security and risk level ofDeFi projects?

BlockSec Security Team:Before participating in a DeFi project, it is very necessary to conduct an overall security assessment of the project. Especially for participants with a large amount of funds, necessary security due diligence can guarantee the security of funds to the greatest extent.

First, it is recommended to conduct a comprehensive assessment of the code security of the project, including whether the project party has been audited and whether it has been audited by an audit company with a good security reputation, whether there are multiple audit companies involved, and whether the latest code has been audited. Generally speaking, if the code running online has been audited by multiple security companies with a good security reputation, the risk of security attacks will be greatly reduced.  

Second, it depends on whether the project party has deployed a real-time security monitoring system. The security guaranteed by security audits is static and cannot solve the dynamic security problems caused by the project going online. For example, the project party improperly adjusted the key operating parameters of the project, added a new pool, etc. If the project adopts some real-time security monitoring systems, the safety factor of the project will be higher than that of the protocol that does not adopt such a solution.  

Third, it depends on whether the project has the ability to respond automatically in an emergency. This ability has long been ignored by the community. We found that in multiple security incidents, the project did not achieve automatic function fuse (or fuse for sensitive fund operations). In emergencies, the project mostly uses manual methods to handle security incidents, which has been proven to be inefficient or even ineffective.  

Fourth, it depends on the external dependencies of the project and the robustness of the external dependencies. A DeFi project will rely on information provided by third-party projects, such as price, liquidity, etc. Therefore, it is necessary to evaluate the security of the project from the perspective of the number of external dependencies, the security of external dependent projects, and whether there is monitoring and real-time processing of abnormal data of external dependencies. Generally speaking, the externally dependent project party is the head project party, and the project with fault tolerance and real-time processing of abnormal data of external projects will be safer.  

Fifth, whether the project party has a relatively good community governance structure. This includes whether the project has a community voting mechanism for major events, whether sensitive operations are completed by multi-signature, whether the multi-signature wallet introduces community neutral participation, whether there is a community security committee, etc. These governance structures can improve the transparency of the project and reduce the possibility of users' funds being rugpulled in the project.  

Finally, the past history of the project is also very important. Background checks need to be conducted on the project team and core members of the project. If the core members of the project have been attacked or rugpulled many times in the past, the security risk of such a project will be relatively high.  

In short, before participating in DeFi projects, users, especially those with large amounts of funds, should do a good job of research, from code security audits before the project goes online to real-time security monitoring and automatic response capability construction after the project goes online, to examine the security investment and security of the project, and to do a good job of adjustment from the perspectives of external dependence, governance structure and the past history of the project to ensure the security of the funds invested in the project.  

OKX Web3 Wallet Security Team:Although the security of DeFi projects cannot be 100% guaranteed, users can preliminarily evaluate the security and risk level of DeFi projects through the cross-combination of the following dimensions.  

1. Project Technical Security

1. Smart Contract Audit:

1) Check whether the project has been audited by multiple auditing companies and whether the auditing companies have a good reputation and experience.

2) Check the number and severity of issues reported in the audit report to ensure that all issues have been fixed.

3) Check whether the code deployed by the project is consistent with the audited code version.

2. Open Source Code:

1) Check whether the code of the project is open source. Open source code allows the community and security experts to review it, which helps to discover potential security issues.

2) Development Team Background: Understand the background and experience of the project development team, especially their experience in blockchain and security, as well as the team's transparency and degree of public information.

3) Bug bounty program: Does the project have a bug bounty program to incentivize security researchers to report vulnerabilities?

3. Financial and economic security

1) Locked funds: Check the amount of funds locked in the smart contract. Higher locks may mean that the project has a higher degree of trust.

2) Trading volume and liquidity: Evaluate the trading volume and liquidity of the project. Low liquidity may increase the risk of price manipulation.

3) Token economic model: Evaluate the token economic model of the project, including token allocation, incentive mechanism and inflation model. For example, whether there is an over-concentrated token holding situation, etc.

4. Operational and management security

1) Governance mechanism: Understand the governance mechanism of the project, whether there is a decentralized governance mechanism, whether the community can vote on important decisions, and analyze the distribution of governance tokens and the concentration of voting rights, etc.

2) Risk management measures: Does the project have risk management measures and emergency plans, and how to deal with potential security threats and economic attacks. In addition, in terms of project transparency and community communication, you can see whether the project party regularly releases project progress reports and security updates, whether it actively communicates with the community and solves user problems, etc.

5. Market and community evaluation

1) Community activity: Evaluate the community activity and user base of the project. An active community usually means that the project has broad support.

2) Media and social media evaluation: Analyze the evaluation of the project on the media and social media to understand the views of users and industry experts on the project.

3) Partners and investors: Check whether the project has the support of well-known partners and investors. Reputable partners and investors can increase the credibility of the project, but this cannot be a decisive factor in judging its security.

Q4: How should users view the audit report, open source status, etc.? 

BlockSecSecurity Team: For audited projects, the project party usually actively publishes the audit report to the community through official channels. These audit reports are usually in the project's documents, Github code base and other channels. In addition, the authenticity and identification of the audit report are also required. The identification methods include checking the digital signature of the audit report and contacting the audit company for secondary confirmation.  

So how do investors read such an audit report?  

First, it depends on whether the audit report has been audited by some security companies with a relatively high security reputation, such as Open Zeppelin, Trail of Bits, BlockSec and other head audit companies.  

Second, it depends on whether the problems mentioned in the audit report have been fixed. If not, it depends on whether the project party has sufficient reasons for not fixing them. It is also necessary to distinguish between valid vulnerability reports and invalid vulnerability reports in the audit report. Since there is no unified industry standard for audit reports, security audit companies will rate and report project vulnerability risks based on their own security awareness. Therefore, for the vulnerabilities found in the audit report, focus on valid vulnerability reports. It is best to introduce your own security consulting team to conduct a third-party independent assessment in this process.  

Third, we need to see whether the audit time in the audit report published by the project party is consistent (or close) with the upgrade and update time of the latest project. In addition, we also need to pay attention to whether the project party's code in the audit report covers all the project party's current online code. For economic and time cost considerations, the project party usually conducts partial code audits. Therefore, in this case, it is necessary to determine whether the audited code is the core protocol code.  

Fourth, we need to see whether the code running online by the project party has been verified (open source) and whether the verified code is consistent with the audit report. Usually the audit is based on the code on the project party's Github (rather than the code that has been deployed online). If the code that the project finally deploys to the chain is not open source, or has a large difference from the audited code, these are points that need to be paid attention to.  

In short, reading the audit report itself is a highly professional matter. It is recommended to introduce independent third-party security experts to provide consulting opinions during the process.  

OKX Web3Wallet Security Team:Users can view the audit report and open source status of smart contracts through the official website of the DeFi project or third-party websites, such as OKLink. The following are common steps to view the audit report and open source status of the project: 

First, find the official announcement or website. Most credible DeFi projects will display their relevant document information on their official website. On the project document page, there is usually a page such as "Security", "Audit" or "Contract Address" linking to the audit report and the contract address deployed by the project party. In addition to the official website of the project party, it usually displays the audit report and deployed contract address information on official social media such as Medium and Twitter.  

Second, after reading the official website of the project party, you can query the deployed contract address information given by the project party through the OKLink browser, and view the open source code information of the contract deployed at the address in the "Contract" column.  

Third, after getting the audit report of the project party and the open source code information of the deployed contract, you can start reading the audit report of the project party. When reading the audit report, there are the following points to note:  

1) Understand the structure of the audit report and have a general concept of the content of the audit report. The audit report is roughly divided into an introduction, problems found, solutions and suggestions, and audit results.  

2) When reading the introduction-related content, we need to pay attention to the scope and objectives of the audit report audit. Usually, the audit report will mark the Github Commit Id submitted by the audit file. We need to compare whether the audited file in the audit report is consistent with the open source code deployed on the chain.  

3) When reading the problems found, solutions and suggestions and audit results, we need to focus on whether the project team has fixed the discovered vulnerabilities according to the suggestions, and whether the project party has conducted subsequent audits on the modified content to ensure that all problems are properly handled.  

4) Compare multiple reports. If the project has been audited multiple times, check the differences between each audit report to understand the security improvements of the project.  

Q5: What is the reference value of hacker attack history and bounty program for the security of DeFi projects?  

OKX Web3 Wallet Security Team: The hacker attack history and bounty program provide a certain reference value for the security assessment of DeFi projects, which is mainly reflected in the following aspects: 

First, the hacker attack history 

1) Revealing historical vulnerabilities: The attack history can show the specific security vulnerabilities that the project has had, allowing users to understand which security issues have been exploited in the past and whether these issues have been thoroughly fixed.  

2) Evaluating risk management capabilities: How a project responds to historical security incidents can reflect its risk management and crisis handling capabilities. A project that actively responds, fixes vulnerabilities in a timely manner, and compensates affected users is generally regarded as a more reliable and mature investment option.  

3) Project reputation: Frequent security issues may undermine users' trust in the project, but if the project can demonstrate the ability to learn from mistakes and strengthen security measures, this can also build its long-term reputation.  

Second, bounty program 

The implementation of bounty programs in DeFi and other software projects is an important strategy to improve security and discover potential vulnerabilities. These programs bring many reference values ​​to the security assessment of projects: 

1) Enhance external audits: Bounty programs encourage security researchers around the world to participate in the security audits of projects. This "crowdsourcing" security testing can reveal problems that internal audits may overlook, thereby increasing the chances of discovering and resolving potential vulnerabilities.  

2) Verify the effectiveness of security measures: Through actual bounty programs, projects can test the effectiveness of their security measures in actual combat. If a project's bounty program lasts for a long time but reports fewer serious vulnerabilities, this may be an indicator that the project is relatively mature and secure.  

3) Continuous security improvement: Bounty programs provide a mechanism for continuous improvement. As new technologies and new attack methods emerge, bounty programs help project teams update and strengthen their security measures in a timely manner to ensure that the project can meet the latest security challenges.  

4) Establish a security culture: Whether a project has a bounty program, as well as the seriousness and activity of the program, can reflect the project team's attitude towards security. An active bounty program shows the project's commitment to building a solid security culture.  

5) Enhance community and investor confidence: The existence and effectiveness of the bounty program can prove to the community and potential investors that the project attaches importance to security. This can not only enhance user trust, but may also attract more investment, because investors tend to choose projects that show a high sense of security responsibility.  

Q6：How do users build monitoring and perception capabilities when participating inDeFi 

BlockSecSecurity Team: Take whale users as an example. Whales mainly refer to individual investors or investment institutions with small teams. These users have large funds, but usually do not have very strong security teams or the ability to develop their own security tools. Therefore, so far, most whales actually do not have sufficient risk perception capabilities, otherwise they would not have suffered such huge losses.  

Due to the risk of huge losses, some whale users began to consciously rely on some public security tools to monitor and perceive risks. Now, there are many teams working on monitoring products, but how to choose is very critical. Here are a few key points: 

First, the cost of using the tool. Although many tools are very powerful, they require programming and the cost of use is not low. For users, it is not easy to figure out the structure of the contract or even collect addresses.  

Second, it is accuracy. No one wants to receive several alerts in a row when they are sleeping at night, and then they find out that they are false alarms, which will make people's mentality explode. Therefore, accuracy is also very critical.  

Finally, it is security. Especially with this scale of funds, the various security risks of tool development and its team cannot be ignored. The recent attack on Gala Game is said to be due to the introduction of an unsafe third-party service provider. Therefore, a reliable team and a credible product are crucial.  

So far, many whales have also found us, and we will recommend professional asset management solutions for them, so that whale users can not only ensure the safety of funds, but also take into account daily fund management such as "mining, withdrawing and selling", perceive risks, and even withdraw funds in an emergency.

Q7: Security suggestions for participating inDeFi, and how to deal with security risks

BlockSecsecurity team:For large-scale capital participants, the first thing to do when participating in the DeFi protocol is to ensure the safety of the principal, and to invest after a relatively thorough study of possible security risks. Usually, the security of funds can be guaranteed from the following aspects.

First, it is necessary to judge the security emphasis and investment level of the project party from multiple perspectives. This includes whether it has undergone a relatively thorough security audit, whether the project party has the ability to monitor and automatically respond to project security risks, and whether it has a relatively good community governance mechanism. All of these can reflect whether the project party attaches great importance to the security of user funds and whether it has a highly responsible attitude towards the security of user funds.

Secondly, participants with large amounts of funds also need to build their own security monitoring and automatic response systems. After a security incident occurs in the investment protocol, investors with large amounts of funds should be able to perceive and withdraw funds as soon as possible to recover losses as much as possible, rather than pinning all their hopes on the project party. In 2023, we can see that many well-known projects have been attacked, including Curve, KyberSwap, Euler Finance, etc. Unfortunately, we found that when the attack occurred, large investors often lacked timely and effective intelligence, and did not have their own security monitoring and emergency retreat systems.  

In addition, investors need to choose better security partners to pay continuous attention to the security of the investment project targets. Whether it is the upgrade of the project party's code or the change of important parameters, it is necessary to be able to perceive and assess the risks in a timely manner. Such things are difficult to accomplish without the participation of professional security teams and tools.

Finally, private key security needs to be protected. For accounts that need to trade frequently, it is best to combine online multi-signature and offline private key security solutions to eliminate the single point risk after the loss of a single address and a single private key.  

If the project you invest in faces security risks, how should you deal with it?

I believe that for any whale and investor, the first reaction to a security incident must be to protect the principal first, and withdrawing funds as soon as possible is the top priority. However, attackers are usually very fast, and manual operations are often too late, so it is best to automatically withdraw funds according to risks. At present, we provide relevant tools that can realize automatic withdrawal after discovering attack transactions, helping users to withdraw first.  

Secondly, if you really suffer a loss, in addition to learning lessons, you should also actively encourage the project party to seek help from security companies to trace and monitor the damaged funds. As the entire Crypto industry attaches importance to security, the proportion of recovered funds is gradually increasing.

Finally, if you are a big investor, you can also ask the security company to check whether there are similar problems in other projects you have invested in. The root causes of many attacks are the same, such as the precision loss problem of Compound V2. Last year, many projects had similar problems and were attacked continuously. Therefore, you can ask security companies to analyze the risks of other projects in your portfolio. If you find risks, you should communicate with the project party or withdraw as soon as possible. OKX Web3 Wallet Security Team: When participating in DeFi projects, users can take a variety of measures to participate in DeFi projects more safely, reduce the risk of capital loss, and enjoy the benefits of decentralized finance. We will start from the user level and the OKX Web3 wallet. First, for users: 1) Choose audited projects: Give priority to projects audited by well-known third-party audit companies (such as ConsenSys Diligence, Trail of Bits, OpenZeppelin, Quantstamp, ABDK, and our guest BlockSec today), review their public audit reports, and understand potential risks and vulnerability repairs.  

2) Understand the project background and team: Ensure the project is transparent and credible by studying the project's white paper, official website and development team background. Pay attention to the team's activities in social media and development communities to understand its technical strength and community support.  

3) Diversify your investment: Do not invest all your funds in a single DeFi project or asset. Diversification can reduce risk. Choose multiple different types of DeFi projects, such as lending, DEX, Farming, etc., to diversify your risk exposure.  

4) Small-amount testing: Before large-amount transactions, conduct small-amount test transactions to ensure the security of operations and platforms.  

5) Regularly monitor accounts and emergency handling: Regularly check your DeFi accounts and assets to detect abnormal transactions or activities in a timely manner. Use tools (such as Etherscan) to monitor on-chain transaction records to ensure asset security. Take emergency measures in a timely manner after detecting abnormalities, such as revoking all authorizations of the account, contacting the wallet security team for support, etc.  

6) Use new projects with caution: Be cautious about new projects that have just been launched or have not been verified. You can invest a small amount of money to test it first to observe its operation and security.  

7) Use mainstream Web3 wallets for transactions: Only use mainstream Web3 wallets to interact with DeFi projects. Mainstream Web3 wallets provide better security protection.

8) Prevent phishing attacks: Be cautious when clicking on unfamiliar links and emails from unknown sources. Do not enter private keys or mnemonics on untrusted websites. Make sure the links you visit are official websites. Use official channels to download wallets and applications to ensure the authenticity of the software.  

Second, from the perspective of OKX Web3 wallet:  

We provide many security mechanisms to protect the security of user funds:  

1) Risky domain name detection: When a user accesses a DAPP, the OKX Web3 wallet will perform detection and analysis at the domain name level. If the user accesses a malicious DAPP, it will be intercepted or reminded to prevent the user from being deceived.

2) Pixiu disk token detection: OKX Web3 wallet supports comprehensive Pixiu disk token detection capabilities, actively blocks Pixiu disk tokens in the wallet to prevent users from trying to interact with Pixiu disk tokens.  

3) Address tag library: OKX Web3 wallet provides a rich and complete address tag library. When users interact with suspicious addresses, OKX Web3 wallet will give timely warnings.  

4) Transaction pre-execution: Before the user submits any transaction, OKX Web3 wallet will simulate the execution of the transaction and display the asset and authorization change results to the user for reference. Users can judge whether the result meets expectations based on the result, so as to decide whether to continue submitting the transaction.

5) Integrated DeFi applications: OKX Web3 wallet has integrated services of various mainstream DeFi projects. Users can interact with integrated DeFi projects with confidence through OKX Web3 wallet. In addition, OKX Web3 wallet will also recommend paths for DeFi services such as DEX and cross-chain bridges, so as to provide users with the best DeFi services and the best Gas solutions.

6) More security services: OKX Web3 wallet is gradually adding more security features and building more advanced security protection services, which will better and more efficiently protect the security of OKX wallet users.

Q8: Not only users, but also the types of risks faced by DeFi projects and how to protect them?

BlockSecsecurity team: The types of risks faced by DeFi projects include: code security risks, operational security risks and external dependency risks.

First, code security risks. That is, the potential security risks that DeFi projects may have at the code level. For DeFi projects, smart contracts are their core business logic (front-end and back-end processing logic, etc. belong to traditional software development business and are relatively mature), and are also the focus of our attention and discussion, including:

1) First, from a development perspective, it is necessary to follow the industry-recognized smart contract security development practices, such as the Checks-Effects-Interactions mode used to prevent reentry vulnerabilities, etc.; in addition, commonly used functions should be implemented as much as possible with reliable third-party libraries to avoid unknown risks caused by reinventing the wheel.

2) Secondly, internal testing is done well. Testing is an important part of software development and can help discover many problems. However, for DeFI projects, local testing alone is not enough to expose problems. Further testing is required in a deployment environment close to the actual online version. This can be achieved by using tools such as Phalcon Fork.

3) Finally, after the test is completed, access to a third-party audit service with a good reputation. Although auditing cannot ensure 100% of the problems, systematic auditing work can help project parties locate various known common security issues to a large extent, which are often unfamiliar to developers or difficult to reach due to different ways of thinking. Of course, due to the differences in expertise and direction among audit companies, if the budget allows, it is recommended that two or more audit companies participate in practice.

Second, operational security risks. That is, the security risks generated during the operation of the project after it goes online. On the one hand, the code may still have unknown vulnerabilities. Even if the code has been well developed, tested and audited, there may still be undiscovered security risks, which has been widely proven in decades of security practices in software development; on the other hand, in addition to code-level problems, the project faces more challenges after it goes online, such as private key leakage, incorrect settings of important system parameters, etc., which may cause serious consequences and huge losses. The response strategies for operational security risks are recommended as follows:

1) Establish and improve private key management: adopt reliable private key management methods, such as reliable hardware wallets or MPC-based wallet solutions.

2) Do a good job of operating status monitoring: The monitoring system perceives privileged operations and the security status of the project in real time.

3) Build an automated response mechanism for risks: For example, using BlockSec Phalcon, it can automatically block when an attack is encountered to avoid (further) losses.

4) Avoid single-point risks of privileged operations: such as using Safe multi-signature wallets to perform privileged operations.

Third, external dependency risk refers to the risk brought by the external dependencies of the project, such as relying on price oracles provided by other DeFi protocols, but problems with the oracles lead to incorrect price calculations. Suggestions for external dependency risks include:

1) Choose reliable external partners, such as reliable head protocols recognized by the industry.

2) Do a good job of operating status monitoring: similar to operational security risks, but the monitoring object here is external dependencies.

3) Build an automated response mechanism for risks: similar to operational security risks, but the disposal methods may be different, such as switching to backup dependencies instead of directly pausing the entire protocol.

In addition, for project parties who want to build monitoring capabilities, we also give some monitoring suggestions

1) Accurately set monitoring points: Determine which key states (variables) exist in the protocol and where they need to be monitored. This is the first step in building monitoring capabilities. However, it is difficult to cover all aspects of the monitoring point setting, especially in terms of attack monitoring. It is recommended to use an external professional third-party, combat-tested attack detection engine.

2) Ensure the accuracy and timeliness of monitoring: The accuracy of monitoring means that there should not be too many false positives (FP) and false negatives (FN). A monitoring system that lacks accuracy is essentially unusable; timeliness is the prerequisite for responding (for example, whether it can be detected after the suspicious contract is deployed and before the attack transaction is on the chain), otherwise it can only be used for post-analysis, which has extremely high requirements for the performance and stability of the monitoring system.

3) Automated response capabilities are required: Based on accurate and real-time monitoring, automated responses can be built, including pause protocol blocking attacks, etc. Here, a customizable and reliable automated response framework is needed to support it, which can flexibly customize the response strategy according to the needs of the project party and automatically trigger the execution.

In general, the construction of monitoring capabilities requires the participation of professional external security suppliers.

OKX Web3 Wallet Security Team:DeFi projects face a variety of risks, mainly including the following categories:

1) Technical risks: mainly including smart contract vulnerabilities and network attacks. Protective measures include adopting secure development practices, hiring professional third-party auditing companies to conduct comprehensive audits of smart contracts, setting up bug bounty programs to incentivize white hat hackers to find vulnerabilities, and doing a good job of asset isolation to improve the security of funds.

2) Market risks: mainly include price fluctuations, liquidity risks, market manipulation and combination risks. Protective measures include using stablecoins and risk hedging to prevent price fluctuations, using liquidity mining and dynamic fee mechanisms to deal with liquidity risks, strictly reviewing the types of assets supported by DeFi protocols and using decentralized oracles to prevent market manipulation, and responding to competition risks through continuous innovation and optimization of protocol functions.

3) Operational risks: mainly include human error and governance mechanism risks. Protective measures include establishing strict internal controls and operating procedures to reduce the occurrence of human errors, using automated tools to improve operational efficiency, and designing reasonable governance mechanisms to ensure a balance between decentralization and security, such as introducing voting delays and multi-signature mechanisms. And monitor and prepare emergency plans for the projects that are launched, and take immediate measures to minimize losses in the event of an abnormality.

4) Regulatory risks: legal compliance requirements and anti-money laundering (AML)/know your customer (KYC) obligations. Protective measures include hiring legal counsel to ensure that the project complies with legal and regulatory requirements, establishing transparent compliance policies, and proactively implementing AML and KYC measures to enhance the trust of users and regulators.

Q9：DeFiproject parties, how to judge and choose a good auditing company?

BlockSecsecurity team:How do DeFi project parties judge and choose a good auditing company? Here are some simple standards for reference:

1) Whether it has audited well-known projects: This shows that the auditing company is recognized by these well-known projects.

2) Whether the audited project has been attacked: Although in theory, auditing cannot guarantee 100% security, practical experience shows that most projects audited by auditing companies with a good reputation have never been attacked.

3) Judging the audit quality through past audit reports: Audit reports are an important indicator of the professionalism of audit companies, especially when the same audit projects and the same audit scope can be compared. We can focus on the quality (harm level) and quantity of vulnerability discoveries, and whether the vulnerability discoveries are usually adopted by the project party.

4) Professional practitioners: The personnel composition of the audit company, including academic qualifications and work background, systematic education and work experience are very helpful in ensuring the quality of audits.  

Finally, thank you for reading the 05th issue of the OKX Web3 Wallet "Security Special Issue". We are currently preparing for the 06th issue, which will not only include real cases, risk identification, but also security operation dry goods. Stay tuned!

Disclaimer:

This article is for reference only. This article does not intend to provide (i) investment advice or investment recommendations; (ii) an offer or solicitation to buy, sell or hold digital assets; or (iii) financial, accounting, legal or tax advice. Holding digital assets (including stablecoins and NFTs) involves high risks and may fluctuate significantly or even become worthless. You should carefully consider whether trading or holding digital assets is suitable for you based on your financial situation. Please be responsible for understanding and complying with local applicable laws and regulations.