AAVE itself has touched $60B in deposits, but it's still SCARY to use DeFi -- did you know that a while ago SAFE, the standard for managing billions of dollars in crypto, had its front-end hacked?
Front-end hacks have stolen billions of dollars in crypto.
Why? And how to improve?
A front-end of a dapp itself is a lot of moving pieces and variables, each touching many different parts of a transaction lifecycle originating from the user.
A front-end of a dapp has many possible attack vectors, from the domain registrar itself to its team pushing a bad commit.
I think it should be very important and a standard security practice for each app to do disclosures around how they manage the domain itself.
Which registrar? Has the domain provider ever been hacked before? And if they do get hacked, what are the failsafes against it?
After proper domain maintenance hygiene is done, the dapp developer should then disclose or have clear rules about commit, merge, and review.
I think maybe the SEAL team should also publish best practices around that.
And always, always, ask your devs to never download anything from the work laptop.
It's better if you can give out work laptops that are pre-loaded with all the restrictions, like corporates do.
I know it sounds weird, but it's important to set proper firewalls against scenarios like the SAFE hack, where one developer downloaded malware unknowingly and that injected malware into the front-end itself.
I mean, even if you do all that, and someone's wallet itself also got hacked due to a front-end hack, you're still at risk.
Imagine someone took over a tier-2 extension wallet and attempted to get the private keys itself or just the password.
Then also you're f*cked.
What should we do then? I think every dapp should, to the best of its extent, try to focus on creating a front-end that is super secure against these kinds of attacks. There's no perfect way; you just have to be paranoid all the time, thinking anything that can go wrong will go wrong.
And be fast in detecting and responding to any such issue -- forget that you have a life if you're building in DeFi.
On top of that, always do KYC of your employees, maintain good domain hygiene, ensure good Git access control hygiene, practice work-laptop hygiene, and block by default any wallets that you think are shady.
Limit access to wallets that adhere to the best standards only.
Or introduce a YOLO mode and a safe mode for your users.
In YOLO mode, every wallet is allowed and things are YOLO, but in safe mode you're really, really focused purely on safety, which means you're even hosted completely over IPFS and only the necessary things are accessible.
Analytics, for instance, users can see in YOLO mode.
To conclude, I just want to make it clear that building in DeFi has many attack vectors, and it takes more than textbook reading to really serve your users in the best way possible.
We at @SuperlendHQ take this very seriously for what we are building -- a unified interface for on-chain finance.
BTW, this was only about front-end attack vectors. I am sure there might be more scenarios as well, which we are constantly debating and working on.
But there's a whole Pandora's box when we talk about the economic security of DeFi protocols itself.
More on that soon, about how we handle all aspects of security at @SuperlendHQ while building the best UX.
@SuperlendHQ interface*
excuse the typos