OKEx Academy Talks Recap: How to Ensure Security for DeFi Investors

CertiK | May 14, 2020

Article's Poster

Earlier last month, CertiK was proud to be a part of OKEx’s Academy Talks. The live online discussion on DeFi and Security was moderated by Boxmining with other representatives from SlowMist and SECBIT.

During this panel, Dominik Teiml, Security Engineer at CertiK, talked about ensuring security for DeFi Investors.

First, What is DeFi?

A new movement geared towards decentralized finance quickly gained momentum in 2019. Decentralized Finance, known as DeFi, further promotes the use of decentralized networks to reimagine traditional finance and blockchain technology.

As it stands many blockchain projects are still managed through centralized organizations, like exchanges that lack transparency and accountability. Protocols and consensus methods may be decentralized, but access points to the actual assets are still centralized.

Enter DeFi.

DeFi is now one of the fastest growing sectors in cryptocurrency and blockchain.Decentralized Finance is an effort to build infrastructure that allows people to take control of their own assets. By utilizing different methods, users are able to unlock new forms of value and build impactful products that are both secure and decentralized.

Security Within DeFi

DeFi offers alternative methods to move control from centralized entities into the hands of the people. While the advantages of adopting this method are advantageous, security remains a large issue.

However, security is a matter of diminishing returns. Verification methods are not always 100% secure since there could be mistakes in the verification itself, resulting in a paradox of logic.

“However, I am very optimistic we can achieve high-security guarantees with the proper measures. Extensive and intensive audits, formal verification, generous bug bounties…” said by Dominik, Security Engineer at CertiK.

Formal Verification is the highly specialized process that CertiK uses to mathematically prove the security and correctness of blockchain smart contracts. Meaning, the source code only performs as it’s exactly intended to. While Formal Verification may not be able to protect against all attack vectors, this level of rigor is the only way to show immunity against some of the most critical and frequent vulnerabilities.

“The more interesting question is whether these methods canscale. Can we find a tool that automates security? Nobody has achieved that yet; it is still an open question.”

New Programming Languages

As new programming languages, like Vyper and Haskell, grow larger with greater adoption, blockchain security gets stronger and more robust.

During the early phases of blockchain, many underestimated security. Even at its best, many of the currently established blockchain systems are inherently insecure no matter how good the external protections are. Architectural decisions that were made are now extremely difficult to change.

“The EVM has dynamic jumps, which make any static analysis extremely cumbersome, but there are hardly any benefits at all. Solidity since 0.5, in my opinion, has become security-focused, reversing some of what was with hindsight poor language design decisions. Vyper is better, but unfortunately, it is not production-ready for big projects and lacks a lot of important features.”

CertiK’s DeepSEA, a new language to write verified smart contracts, is an EVM-targeted programming language that overcomes all imposed challenges and allows for a more seamless formal verification process. DeepSEA allows programmers to handle complex code when doing formal verification with the Coq proof assistant.

However, until DeepSEA is further developed, the current transition to eWASM (Ethereum-flavored Web Assembly) is great for security. Not only is WASM security-focused, but it’s also able to tap into its own ecosystem of security tools.

Takeaway and Final Remarks

The movement towards DeFi carries the potential to lead the next shift in blockchain technology. With security as a top priority moving forward, the applications DeFi could have are infinite. And there are many ways investors can be on the forefront of this movement.

However in order to make more informed choices, investors should conduct research and understand the risks associated. Reading an audit report could save thousands of dollars and help investors protect their assets.

“Read an audit report before using any decentralized application. From time to time we see vulnerabilities pointed out during audits, never corrected, and later exploited. Check if the last report issued mentions any critical or significant vulnerabilities.”

Prioritizing security within DeFi will be a key driving factor towards building true decentralized and permissionless products. To learn more about CertiK’s security offerings for DeFi products, reach out to us at bd@certik.io!