The number of recent cyber attacks and losses on decentralized finance (DeFi) platforms has led John Mardlin to explain how users can assess the security of these platforms.
Mardlin, a security engineer and founding member of ConsenSys Diligence, recently published an article in which he says that although bugs, or programming errors, are unavoidable, other steps can be taken to prevent those vulnerabilities from being exploited by hackers. He also clarifies that although specialized audits are necessary, it is just as crucial that users themselves push for security practices to be complete.
With that premise, Mardlin listed a series of questions that users can put to developers to check these aspects of security. He adds that even though some development teams or independent programmers do not have the resources to cover every level of security, it is important that the user decide “what level of risk you’re comfortable with”.

First, he explains that most protocols retain some degree of centralized control in the figure of an “admin”, which requires users to trust that figure. He adds that, in these cases, a hacker could obtain the private keys and with them the administrative privileges over the protocol; a dangerous situation if those keys are not adequately protected.

In that sense, he lists questions that platforms should answer, including: how many people are admins? What special or preventive actions can they take? Can they stop the system? Can they modify balances and other data arbitrarily? Is it possible to blacklist users and/or tokens?

Another aspect to consider is the system's dependence on external entities. Many of these platforms use smart contracts designed by third parties, so it is worth asking whether the team is sure those contracts behave correctly. “The Ethereum ecosystem is full of adversaries, so in general developers should not take for granted how the contracts of other systems will behave,” says Mardlin.

Another security issue to assess is whether the company offers a bug bounty program, rewarding hackers for the improvements they propose or the faults they detect on the platform. This makes reporting bugs so that they can be fixed more attractive than exploiting them maliciously.
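To make the admin-privilege questions concrete, the following is an added illustration written for this page; it is not code from Mardlin's article or from any real protocol, and every contract and function name in it is invented. The first contract shows what “can the admin stop the system, rewrite balances or blacklist users?” looks like in code: each answer is a single function guarded by one key. The second contract shows one common mitigation, a delay between announcing and executing a privileged call, so that users can see a pending change and withdraw before it takes effect.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the article): a deliberately centralised token.
// One externally owned key ("admin") can pause transfers, rewrite any balance
// and blacklist any address, with no delay and no second signer. A user reading
// this source can answer the checklist questions directly from the code.
contract CentralisedToken {
    address public admin;                       // a single key controls everything
    bool public paused;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(uint256 supply) {
        admin = msg.sender;
        balanceOf[msg.sender] = supply;
    }

    // "Can you stop the system?" Yes: one transaction from the admin key.
    function setPaused(bool p) external onlyAdmin {
        paused = p;
    }

    // "Can you modify balances arbitrarily?" Yes, for any address, any amount.
    // If the admin key leaks, the attacker can mint to themselves or zero out users.
    function setBalance(address who, uint256 amount) external onlyAdmin {
        balanceOf[who] = amount;
    }

    // "Can you blacklist users?" Yes, immediately and without appeal.
    function setBlacklisted(address who, bool b) external onlyAdmin {
        blacklisted[who] = b;
    }

    function transfer(address to, uint256 amount) external {
        require(!paused, "paused");
        require(!blacklisted[msg.sender] && !blacklisted[to], "blacklisted");
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
    }
}

// Added example (not from the article): a minimal timelock placed in front of
// privileged calls. The owner (which should itself be a multisig, not a single
// key) must announce a call on-chain and wait DELAY before anyone can execute
// it. The same admin powers still exist, but users get a visible warning period.
contract DelayedAdmin {
    uint256 public constant DELAY = 2 days;     // assumed value for illustration
    address public immutable owner;
    mapping(bytes32 => uint256) public readyAt;  // call id -> earliest execution time

    event Queued(bytes32 indexed id, address target, bytes data, uint256 readyAt);
    event Cancelled(bytes32 indexed id);

    constructor(address _owner) {
        owner = _owner;
    }

    function _id(address target, bytes calldata data) internal pure returns (bytes32) {
        return keccak256(abi.encode(target, data));
    }

    // Announce a privileged call; it cannot run until block.timestamp >= readyAt.
    function queue(address target, bytes calldata data) external returns (bytes32 id) {
        require(msg.sender == owner, "not owner");
        id = _id(target, data);
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, target, data, readyAt[id]);
    }

    // The owner can withdraw an announced call before it executes.
    function cancel(address target, bytes calldata data) external {
        require(msg.sender == owner, "not owner");
        bytes32 id = _id(target, data);
        require(readyAt[id] != 0, "not queued");
        delete readyAt[id];
        emit Cancelled(id);
    }

    // Anyone may execute once the delay has elapsed; the call data is fixed at queue time.
    function execute(address target, bytes calldata data) external {
        bytes32 id = _id(target, data);
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id];
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

Reading a protocol's contracts for functions like `setBalance` or `setBlacklisted`, and then checking whether the address allowed to call them is a single key, a multisig or a timelock such as `DelayedAdmin`, is how a user can answer Mardlin's admin questions without taking the team's word for it.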
“Any company with a DeFi protocol that handles people's money should have a bug bounty program,” says the author, who also notes that one should ask whether the source code of the contracts is available. Support and security contacts should be easy to find, both on the website and in the repository. Platforms must also have a security incident response plan. You should find out whether a written contingency plan exists and in what scenarios it applies; and if the system is upgradable, what are the steps to follow? This includes assessing whether, upon detecting a vulnerability, it would be appropriate for the team to exploit it themselves in order to protect the funds, and what the protocol for audits is. On this last point, the author notes that you should ask about all the audits carried out. When was the last one performed? How much effort, in hours and people, did it require? Which firms performed the audit? Are other tools used? For Mardlin it is vital to keep the community informed via Twitter, Telegram, Discord and other social channels. In this regard, even if an incident occurs and the team does not want to disclose every detail, he recommends providing basic information rather than staying silent toward the community.
Given the recent attacks that DeFi has faced in recent months, with millions in losses for users, all the points mentioned are of vital importance. This ecosystem has continued to grow since it was reported last February that Ethereum's DeFi already held a reserve of 1 billion dollars.