Halborn Logo

// Blog

Blockchain Security

Navigating Infrastructure Vulnerabilities in DeFi

profile

Rob Behnke

December 18th, 2024

The functionality of DeFi projects depends on a significant amount of underlying infrastructure. This infrastructure can contain various vulnerabilities that place the security and usability of the protocols at rest. 

Some key classes of DeFi infrastructure vulnerabilities include:

  • Blockchain and Network-Level Vulnerabilities: These are security risks associated with the blockchain and the infrastructure that it depends upon. Examples include consensus vulnerabilities and the security of cross-chain bridges.

  • Protocol-Level Vulnerabilities: Common elements of DeFi protocols can contain security risks exploitable by an attacker. For example, a protocol may be vulnerable to price oracle manipulation, frontrunning, or manipulation of liquidity pools.

  • Smart Contract Vulnerabilities: DeFi protocols are implemented as smart contracts, which can contain design or implementation errors. Reentrancy, integer overflows and underflows, and access control issues are common examples of smart contract issues affecting DeFi projects.

Blockchain and Network-Level Security Risks

DeFi protocols are built on top of blockchains or other distributed ledger technology (DLT). DeFi protocols rely on this underlying infrastructure to provide certain guarantees with regard to functionality and security. For example, protocols may assume that transactions will be processed within a reasonable amount of time and that the distributed ledger is immutable and protected against double-spend attacks. DeFi protocols may also rely on other infrastructure, such as secure cross-chain bridges, as well.

While these features may be valuable or vital to the security and performance of DeFi protocols, they may not always be guaranteed. Some examples of blockchain and network-level infrastructure vulnerabilities in DeFi include:

  • Consensus Attacks: Blockchain consensus algorithms are designed to protect the immutability of the digital ledger and provide a means of establishing a shared state of the digital ledger. However, a smaller blockchain project may be vulnerable to 51% attacks, or a blockchain using a new consensus algorithm might have exploitable vulnerabilities in its design and implementation.

  • Network-Level Attacks: A DeFi hacker may also perform attacks designed to target protocols at the network level. For example, a denial of service (DoS) attack in which the attacker spams the mempool with fake transactions could drive up gas prices and slow down legitimate transactions. Alternatively, the attacker could exploit the blockchain’s peer-to-peer network architecture in an eclipse/routing attack.

  • Cross-Chain Bridge Vulnerabilities: Cross-chain bridges are used to link different blockchains together, and many DeFi projects have a presence on several blockchains. However, these bridges are also a common target of attack due to their importance and the value that they hold. For example, the largest DeFi hack to date targeted the Ronin Network’s cross-chain bridge.

Protocol-Level Vulnerabilities

DeFi protocols implement various features, and many of them have certain requirements, such as accurate pricing information. 

The ways that these projects fulfill these needs can open them up to potential attacks, such as:

  • Price Manipulation: DeFi protocols need an accurate view of the value of an asset, but only stablecoins have (theoretically) stable pricing. Therefore, DeFi protocols need to use price oracles to estimate the current value of an asset. Depending on how this is accomplished, the protocol might be vulnerable to frontrunning and other attacks that attempt to skew the perceived price of an asset or exploit incorrect pricing information.

  • Frontrunning Attacks: Blockchain transactions are added to blocks based on the associated transaction fees or the block creator’s discretion. In a frontrunning attack, someone who sees a transaction submits a transaction exploiting it that is processed before the original transaction. This has the potential to degrade the user experience or may allow an attacker to exploit the protocol while it is in an insecure state, like in the August 2024 Vow hack.

  • Liquidity Manipulation: Price calculations for tokens are commonly based on the project’s current liquidity and the ratios of tokens contained in the pool. An attacker may be able to skew these ratios or otherwise impact liquidity to create arbitrage opportunities or take out bad loans from the protocol.

  • Cross-Protocol Dependencies: Many DeFi projects rely on other projects for certain data or functionality. For example, a DeFi project could query another project’s smart contracts for pricing information. These interdependencies create potential vulnerabilities if the remote project is exploited by an attacker or the interface between them is vulnerable to exploitation.

Smart Contract Vulnerabilities

DeFi projects are implemented as smart contracts that run on-chain. Logical or implementation errors in these smart contracts can open up the project to attack. 

Some common vulnerabilities impacting DeFi smart contracts include:

  • Reentrancy: Reentrancy attacks exploit scenarios where a smart contract transfers execution to another smart contract without performing a complete state update. This could allow the contract to reenter the original contract and exploit the invalid stored state information.

  • Integer Overflows and Underflows: Variables in smart contracts have fixed sizes that can store a particular range of values. Calculations using values that stray outside of these bounds can render a smart contract exploitable if safe mathematical functions aren’t used. For example, a protocol expecting to receive only positive values from a user may break if it receives a negative one.

  • Access Control: Anyone can interact with a smart contract on the blockchain; however, DeFi protocols commonly perform privileged actions (like minting tokens). To prevent misuse of these functions, they should include access controls. However, any vulnerability in these access controls could open up the protocol to attack.

For more information about the top smart contract vulnerabilities impacting DeFi projects, check out Halborn’s Top 100 DeFi hacks report.

Managing the Security Risks of DeFi Infrastructure

DeFi projects are complex protocols with many potential points of failure. They assume that the blockchain infrastructure is functional and secure and that the DeFi protocols themselves and the smart contracts that implement them are free from errors.

While DeFi infrastructure risks are outside of a protocol’s direct control, a project can manage its exposure to these and their potential repercussions. Others, like smart contract vulnerabilities, are the direct responsibility of the project to address.

Comprehensive smart contract audits are essential to ensure the functionality and security of DeFi protocols. For help with securing your DeFi project, reach out to Halborn.

© Halborn 2024. All rights reserved.