SlowMist: Foundational Security Risk Analysis of Popular DeFi Projects

Background

In recent years, DeFi projects have seen rapid growth, spearheading a revolution in financial innovation. These projects leverage blockchain technology to provide decentralized financial services, such as lending, trading, and asset management, enabling users to interact directly without traditional financial intermediaries.

However, the substantial capital and user base of DeFi projects have also made them potential targets for hackers. Many project teams mistakenly believe that DeFi security solely concerns contract security. This is a misconception, as DeFi also encompasses elements like domain names and servers.

Consequently, various phishing and scam groups have emerged, with a notable example being the Angel Drainer, which employs social engineering attacks. This year, the group has launched attacks on DeFi projects such as Balancer, Galxe, Frax Finance, VelodromeFi, and Aerodrome.Finance. Angel Drainer hijacks domain names by taking over the DNS of these projects, then injects malicious JavaScript code into their front-end interfaces, deceiving users into providing signatures, ultimately leading to asset theft.

In this context, this article aims to assess and analyze the fundamental security risks of DeFi projects listed on the DefiLlama leaderboard. DefiLlama, as a platform that provides data and rankings for DeFi projects, features projects on its leaderboard that represent the most attention-grabbing and widely used DeFi services in the market.

Test Projects and Methods

Initially, we categorized the projects based on their ranking in DefiLlama, segmenting them into different groups: Top 50, Top 100, Top 200, Top 500, and Top 3000. Our primary approach involved gathering and analyzing specific data for each project, including:

DNSSEC-related information for each project’s domain.

Domain WHOIS information.

CDN (Content Delivery Network) details.

Exposure of source IP addresses.

DNSSEC Security Issues

DNSSEC (Domain Name System Security Extensions) is a technological extension designed to enhance the security of the Domain Name System (DNS). Its primary functions are to ensure the integrity, authenticity, and verification of DNS query data. The main roles of DNSSEC include:

1. Data Integrity: DNSSEC uses digital signature technology to sign DNS data, ensuring it isn’t altered during transmission. This protects against malicious attackers modifying DNS responses, redirecting users to harmful websites, or hijacking network traffic.
2. Data Authenticity and Verification: DNSSEC verifies the authenticity of DNS responses, ensuring that the data comes from an authoritative DNS server and not a malicious one. This helps to prevent DNS spoofing attacks where attackers try to forge DNS responses to deceive users.
3. Resistance to Cache Poisoning Attacks: DNSSEC prevents cache poisoning attacks, where attackers insert false DNS records into DNS caches, leading users to malicious websites. Digital signature verification enables DNSSEC to detect and reject false DNS records.
4. Enhanced DNS Security: As a critical infrastructure of the internet, many online activities rely on DNS. The use of DNSSEC can improve the overall security of the internet, reduce the success rate of malicious attacks, and enhance the cybersecurity of users and organizations.

In summary, the role of DNSSEC is to strengthen the security of DNS through digital signatures and verification mechanisms, ensuring the integrity and authenticity of DNS query data. Especially when DNSSEC is enabled, it allows for the verification of the authenticity of authoritative DNS servers, reducing the risk of domain hijacking and DNS fraud, thereby enhancing the overall security and trustworthiness of the internet.

In our tests, DNSSEC security analysis was conducted using scripts and third-party detection websites like https://domsignal.com/. We checked whether the project domain’s DNSKEY was correctly configured, the validity of RRSIG, etc. Example analyses are as follows:

Domain Registrar Security Issues

Domain registrars are responsible for registering and managing domain names. Their security measures include protecting user accounts from unauthorized access, preventing malicious domain transfers or changes, and ensuring the security of domain registration data. A secure domain registrar typically offers two-factor authentication, regular security audits, and robust privacy protection features.

Using an insecure domain registrar can lead to various DNS security issues, including:

1. DNS Hijacking: Insecure registrars may be susceptible to DNS hijacking attacks, where attackers manipulate DNS responses to redirect users to malicious websites. This can lead to deception, exposing users to phishing, malware, or other malicious activities.

2. DNS Cache Poisoning: Attackers can perform cache poisoning attacks by providing false DNS records to insecure registrars. This results in insecure DNS servers caching fraudulent data, affecting a wide range of users and directing them to malicious sites.

3. Data Tampering: Insecure registrars may be vulnerable to man-in-the-middle attacks, where attackers tamper with data during DNS query transmission, leading users to receive false DNS responses. This could result in users connecting to incorrect servers or being exposed to malicious websites.

4. Service Unavailability: If an insecure registrar is targeted by distributed denial-of-service (DDoS) or other network attacks, its DNS servers may become unavailable, rendering websites and online services inaccessible.

5. Lack of DNSSEC Support: Insecure registrars may not offer DNSSEC support, increasing the insecurity of DNS queries and making users more susceptible to DNS spoofing and other attacks.

In summary, using an insecure domain registrar can lead to DNS security issues, exposing users and organizations to various cyber threats. Therefore, choosing a reliable registrar with robust security measures (like DNSSEC support) is crucial for protecting domain names and network security. DeFi projects should carefully evaluate and select domain registrars to ensure their services are secure and reliable.

In our tests, domain queries were conducted using services like https://www.godaddy.com/whois to collect data on the project domains’ registrars and current Name Servers. Examples of such queries are as follows:

CDN and Traffic Protection Security Issues

A Content Delivery Network (CDN) is a service that optimizes website performance and security by distributing content across multiple global nodes, reducing latency and enhancing access speed. CDN security measures include defenses against Distributed Denial of Service (DDoS) attacks, web application firewall protection, and HTTPS support to ensure secure and encrypted data transmission.

Insecure Content Delivery Network (CDN) providers can pose several security risks, including:

1. Data Breach: Insecure CDN providers may not adequately protect the data hosted on their servers, leading to potential leaks of sensitive information such as customer data, login credentials, or sensitive documents. Attackers could exploit weaknesses in the CDN to access or steal this data.

2. Man-in-the-Middle Attacks: Attackers might attempt to intercept the data traffic between the CDN and end users, manipulating or monitoring the traffic to acquire sensitive information or disseminate malicious content.

3. Service Unavailability: If a CDN provider is targeted by DDoS or other network attacks, the CDN services might be disrupted, rendering websites or applications inaccessible, severely impacting business availability and performance.

4. Malicious Content Distribution: If a CDN provider fails to implement sufficient security measures to verify and audit content hosted on their network, malicious users could misuse the CDN to spread malware, malicious scripts, or other harmful content.

5. Lack of Encryption Support: Insecure CDN providers might not offer adequate encryption support, making data transmission vulnerable to interception, leading to data breaches and privacy issues.

6. Security Vulnerability Exploitation: Attackers could exploit security vulnerabilities in insecure CDNs to infiltrate the network, accessing sensitive data or controlling network resources.

7. Legal and Compliance Issues: Some CDN providers may operate in different countries or jurisdictions, leading to legal and compliance challenges, potentially causing data privacy and compliance concerns.

To mitigate these risks, DeFi project teams should carefully evaluate a CDN provider’s security measures, privacy policies, and compliance standards. Choosing a trusted CDN provider with a strong security track record and a dedicated security team is a crucial step in ensuring data and network security.

In our tests, we gathered the IP addresses associated with project domains to analyze the usage of mainstream CDNs such as Akamai, Azure CDN, Cloudflare, Cloudfront, Fastly, Google Cloud CDN, and MaxCDN. Examples of such analyses are as follows:

Source IP Exposure Security Issues

Source IP exposure refers to the scenario where attackers can identify the real IP address of a website’s backend server, allowing them to bypass CDN or other security measures to directly attack the server, or circumvent firewall restrictions. The exposure of a web server’s source IP can lead to several security issues:

1. Direct Attacks: An exposed IP address becomes a direct target for hackers, including Distributed Denial of Service (DDoS) attacks, potentially leading to website inaccessibility.

2. Exploitation of Security Vulnerabilities: If the server software has known vulnerabilities, hackers can exploit these to infiltrate the server.

3. Risk of Data Breach: Hackers could access sensitive data through the exposed IP, resulting in data leaks.

4. Phishing and Fraud: Hackers might impersonate the server to conduct phishing or fraudulent activities.

Protecting the source IP address of a web server is thus a crucial measure for maintaining network security. To safeguard against source IP exposure, measures typically include hiding the real IP address using reverse proxy servers, configuring secure DNS records, and ensuring that all entry points to the server are adequately protected. These steps can significantly reduce the risk of direct attacks on the source server.

In our testing, we attempted to bypass the CDN for the domains using third-party services to check if the project domain’s source IP was exposed. Examples of such tests are as follows:

Based on the above tests, let’s now proceed to statistically analyze the results.

Statistical Results

DNSSEC Security Analysis

Domain Registrar Security Analysis

Domain Registrar Statistics

CDN Utilization and Traffic Protection Analysis

Observation: The negligible usage rate of Akamai, a leading global secure CDN provider, in the DeFi industry indicates a significant scope for improvement in foundational security practices and awareness within the sector.

Source IP Exposure and Associated Security Risks

The security issues arising from source IP exposure are not to be overlooked. On December 7, the well-known gaming project @XAI_GAMES suffered a DDoS attack, resulting in its official website being inaccessible. Simultaneously, attackers within the project’s Discord community posted a fake official website, deceiving victims into visiting the fraudulent site for phishing attacks. This led to a substantial number of victims being deceived, resulting in losses of approximately 400 ETH. Therefore, DeFi project teams should prioritize safeguarding the source IP addresses of their web servers to minimize the risk of direct attacks on the source server.

Conclusion

From the comprehensive statistical information gathered, it’s clear that the basic security risks in current DeFi projects are severe, with many DeFi projects having unsafe configurations and being at risk of attacks.

This article’s analysis demonstrates that DeFi security is not just about contract security. The SlowMist Security Team released the “Web3 Project Security Practice Requirements” and the “Web3 Industry Supply Chain Security Guide,” both aimed at guiding and reminding Web3 project teams of the importance of comprehensive security measures. The MistEye security monitoring system deployed by the SlowMist Security Team covers contract monitoring, front-end and back-end monitoring, vulnerability discovery and early warning, focusing on the complete security process of DeFi projects before, during, and after incidents. Project teams are welcome to use the MistEye security monitoring system to manage risks and enhance project security.

Special thanks: DefiLlama, censys

References:

https://www.akamai.com/blog/trends/dnssec-how-it-works-key-considerations

https://en.wikipedia.org/wiki/Domain_name

What Is a CDN (Content Delivery Network)? | How Do CDNs Work? | Akamai

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. They offer AML (Anti-money laundering) software, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. They have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, they can identify risks and prevent them from occurring. Their team was able to find and publish several high-risk blockchain security flaws. By doing so, they could spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub