How Centralization Enables Smart Contract Hacks and Scams

Achieving the ideal of blockchain decentralization requires careful design and additional effort by smart contract developers and blockchain users.  As a result, a certain degree of centralization is seen as a necessary and acceptable evil.  However, centralization introduces significant security risks for smart contracts and their users:

One of the most common forms of centralization in the DeFi world is using a single private key to manage a DeFi smart contract.  Best practices state that all contracts should be deployed using multisig wallets for decentralization and increased security.

However, DeFi hacks due to leaked private keys are commonplace in the DeFi world.  In the space of ten days in December 2021, approximately $415 million was lost in four security incidents due to compromised private keys.

Another DeFi security threat that is enabled by smart contract centralization is scams and rug pulls.  Many scams have been pulled off in the crypto space where a project is hyped up to gain investment and then the creators steal the money invested in the project and disappear.  

However, rug pulls are not limited to the DeFi space, some centralized exchanges (CEXs) have also been scams where the founder steals the money and disappears.

Rug pulls and scams are only possible in a centralized system because the malicious creators need to be able to unilaterally extract the value from the project.  Multisig wallets are not a solution to rug pulls if the project team controls all of the private keys.  To be immune from rug pull attacks, a project cannot have a mechanism for the team to unilaterally remove invested value from it.

Distributed Denial of Service (DDoS) attacks are a major threat to availability in traditional IT environments.  If a system has a single point of failure, overwhelming that bottleneck with spam and malicious requests can cause the system to crash.

Blockchain decentralization is intended to protect against DDoS attacks, but many blockchain projects are centralized or users rely upon centralized systems to access the blockchain, making blockchain DDoS attacks possible. For example, LooksRare, a NFT marketplace, was the victim of a DDoS attack against its website shortly after its launch in January 2022, which made it difficult for users to connect their wallets to the marketplace and create NFT listings.

DeFi projects and smart contracts that do not use multisig wallets run the risk of attacks by rogue developers.  If only a single key is used to manage a contract on the blockchain, anyone with that key can push malicious code, enabling a rug pull or other scam.

This was the case with the Bent Finance hack in December 2021.  A rogue developer added malicious code to the project’s contract that allowed them to drain its pool.  This attack was made possible by using a single private key rather than a multisignature wallet.

Centralization is often introduced into smart contracts and DeFi projects for convenience.  It’s easier for the project team to write and update code if they don’t need to coordinate with multiple key holders to push code to the blockchain.  Similarly, the centralized infrastructure that makes DDoS attacks possible is often cheaper and easier to manage.

However, this centralization creates significant security risks for smart contract projects and their users.  Many of the warning signs of smart contract centralization can be detected and fixed in a security audit.  To learn more about securely designing and decentralizing your smart contract platform to avoid smart contract hacks, get in touch with our blockchain security specialists at halborn@protonmail.com.