Analysis of Basic Security Risks in Popular DeFi Projects

Examining Key Security Vulnerabilities in Leading DeFi Platforms

By: Mountain Brother & Mr.A@SlowMist Security Team

Background

In recent years, DeFi projects have experienced rapid growth, leading to a revolution in financial innovation. DeFi projects utilize blockchain technology to provide decentralized financial services such as lending, trading, and asset management, allowing users to interact directly without traditional financial intermediaries.

However, due to the significant amount of funds and user base that DeFi projects possess, they have become potential targets for hackers. Many project teams incorrectly believe that DeFi security solely refers to contract security, overlooking other critical factors such as domain names and servers.

As a result, various phishing scam groups have emerged, with Angel Drainer being particularly notable for utilizing social engineering attacks. This phishing group has launched attacks on DeFi project teams such as Balancer, Galxe, Frax Finance, VelodromeFi, and Aerodrome.Finance. Angel Drainer hijacks project team DNS and injects malicious JavaScript code on the frontend to deceive users into providing their signatures, ultimately resulting in asset theft.

Against this backdrop, this article aims to evaluate and analyze the basic security risks of DeFi projects listed on the DefiLlama leaderboard. DefiLlama is a platform that provides data and rankings for DeFi projects, with the projects on its leaderboard representing the most popular and widely used DeFi services in the market.

Test Projects and Methods

First, we grouped the projects into ranges based on DefiLlama's rankings: top 50, top 100, top 200, top 500, and top 3000. For each project we then collected and analyzed its DNSSEC-related information, domain WHOIS information, CDN information, and whether its source IP is exposed.

DNSSEC Security Issues

DNSSEC (Domain Name System Security Extensions) is an extension designed to enhance the security of the Domain Name System (DNS). Its primary function is to provide a mechanism that ensures the integrity and authenticity of DNS query data. The main functions of DNSSEC are:

1. Data Integrity: DNSSEC signs DNS data using digital signature technology to ensure that it is not tampered with during data transmission. This prevents malicious attackers from modifying DNS responses to redirect users to malicious websites or hijack network traffic.

2. Data Authenticity and Authentication: DNSSEC can verify the authenticity of DNS responses, ensuring that data comes from authoritative DNS servers and not malicious DNS servers. This helps prevent DNS fraud attacks, where attackers attempt to forge DNS responses to deceive users.

3. Resistance to Cache Poisoning Attacks: DNSSEC can prevent cache poisoning attacks, which involve attackers inserting counterfeit DNS records into DNS caches, leading users to be directed to malicious websites. Through digital signature verification, DNSSEC can detect and reject false DNS records.

4. Enhancing DNS Security: DNS is one of the key infrastructures of the internet, and many network activities depend on DNS. The use of DNSSEC can improve the security of the entire internet, reduce the success rate of malicious attacks, and enhance the network security of users and organizations.

In summary, DNSSEC strengthens the security of DNS by using digital signatures and verification mechanisms to ensure the integrity and authenticity of DNS queries. In particular, when DNSSEC is enabled, it allows for verification of the authenticity of authoritative DNS servers for domain names, reducing the risks of domain hijacking and DNS fraud, and helping to improve the overall security and trustworthiness of the internet.

In this test, DNSSEC is analyzed with scripts and third-party checkers such as https://domsignal.com/, verifying whether the domain's DNSKEY is correctly configured, whether its RRSIG records are valid, and so on. An example is shown below:
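The consistency part of that check, as an added example that is not part of the original article or of SlowMist's own scripts: given the DNSKEY, DS and RRSIG records collected for a domain, it recomputes key tags (RFC 4034 Appendix B) and SHA-256 DS digests, confirms the parent's DS matches a published key, and checks the RRSIG validity window. The record layout, the `assess_dnssec` helper and the sample key bytes are assumptions for illustration; the signature itself is not cryptographically verified here.

```python
import hashlib
from datetime import datetime, timezone

TS = "%Y%m%d%H%M%S"  # timestamp format of RRSIG presentation records (UTC)

def name_to_wire(name):
    """Owner name in DNS wire format: 'example.com.' -> b'\\x07example\\x03com\\x00'."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags (257 = KSK, 256 = ZSK), protocol, algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name (wire format) || DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def assess_dnssec(domain, dnskeys, ds_records, rrsig, now=None):
    """Consistency check over records collected for one domain. dnskeys =
    [(flags, protocol, algorithm, pubkey)]; ds_records (parent zone) =
    [(key_tag, digest_type, digest_hex)], only type 2 (SHA-256) handled; rrsig over
    DNSKEY = {'key_tag','expiration','inception'} or None; now = 'YYYYMMDDHHMMSS'.
    Returns findings (empty = chain looks right); signature bytes not verified."""
    findings = []
    keys = {key_tag(r): r for r in (dnskey_rdata(*k) for k in dnskeys)}
    if not keys:
        findings.append("no DNSKEY published: DNSSEC is not enabled")
    if not ds_records:
        findings.append("no DS record at the parent: chain of trust is not delegated")
    for tag, digest_type, digest in ds_records:
        if digest_type != 2 or tag not in keys or ds_digest_sha256(domain, keys[tag]) != digest.lower():
            findings.append(f"DS {tag}: does not match any published DNSKEY")
    if rrsig is None:
        findings.append("no RRSIG over the DNSKEY RRset")
    else:
        if rrsig["key_tag"] not in keys:
            findings.append(f"RRSIG signed by unknown key tag {rrsig['key_tag']}")
        t = datetime.strptime(now, TS) if now else datetime.now(timezone.utc).replace(tzinfo=None)
        if not datetime.strptime(rrsig["inception"], TS) <= t <= datetime.strptime(rrsig["expiration"], TS):
            findings.append("RRSIG outside its validity window (expired or not yet valid)")
    return findings
```

A zone whose DS at the parent no longer matches its DNSKEY (for example after a key rollover that was not propagated to the registrar) fails this check while still appearing "signed" in the zone itself.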

Security Issues with Domain Name Registrars

Domain name registrars are responsible for registering and managing domain names. Their security measures include protecting user accounts from unauthorized access, preventing domain names from being maliciously transferred or altered, and ensuring the security of domain name registration data. A secure domain name registrar typically provides two-factor authentication, regular security audits, and robust privacy protection features.

Using an insecure domain name registrar can lead to various DNS security issues. Some of the major problems include:

1. DNS Hijacking: Insecure domain name registrars can be vulnerable to DNS hijacking attacks, where attackers can tamper with DNS responses and redirect users to malicious websites. This can deceive users and expose them to risks such as phishing, malware, or other malicious activities.

2. DNS Cache Poisoning: Attackers can perform cache poisoning attacks by providing false DNS records to insecure domain name registrars. This can cause insecure DNS servers to cache false data in their DNS cache, affecting a wide range of users and redirecting them to malicious websites.

3. Data Tampering: Insecure domain name registrars can be susceptible to man-in-the-middle attacks, where attackers can tamper with data during the transmission of DNS queries, resulting in users receiving false DNS responses. This can lead to users connecting to the wrong servers or being exposed to risks from malicious websites.

4. Service Unavailability: If an insecure domain name registrar is subjected to distributed denial-of-service (DDoS) attacks or other network attacks, its DNS servers may become unavailable, causing websites and online services to be inaccessible.

5. Lack of DNSSEC Support: Insecure domain name registrars may not provide DNSSEC support, which increases the insecurity of DNS queries and makes users more susceptible to DNS fraud and other attacks.

Overall, using an insecure domain name registrar can lead to DNS security issues, exposing users and organizations to various network threats. Therefore, choosing a trusted domain name registrar that provides strong security measures, such as DNSSEC support, is crucial for protecting domain names and network security. DeFi projects should carefully evaluate and choose domain name registrars to ensure that the services they provide are secure and reliable.

This test uses WHOIS lookup services such as https://www.godaddy.com/whois to query each project domain and record its Registrar and current Name Servers. Here is an example:

CDN and Traffic Protection Security Issues

A Content Delivery Network (CDN) is a service that optimizes website performance and security by distributing website content across multiple nodes worldwide, reducing latency and improving access speed. CDN security measures include mitigating Distributed Denial of Service (DDoS) attacks, web application firewall (WAF) protection, and HTTPS support to ensure security and encryption during data transmission.

Insecure CDN providers can introduce various security risks, including:

1. Data Leakage: Insecure CDN providers may not adequately protect data hosted on their servers. This can lead to sensitive information leaks, such as customer data, login credentials, or sensitive documents. Attackers can exploit weaknesses in CDN to gain access or steal this data.

2. Man-in-the-Middle Attacks: Attackers may attempt man-in-the-middle attacks between the CDN and end-users. This means attackers could tamper with or monitor data traffic transmitted through the CDN to obtain sensitive information or spread malicious content.

3. Service Unavailability: If CDN providers suffer Distributed Denial of Service (DDoS) attacks or other network attacks, the CDN service may be disrupted, resulting in the inability to access websites or applications. This can have a severe impact on business availability and performance.

4. Spread of Malicious Content: If CDN providers do not take sufficient security measures to verify and audit the content hosted on their networks, malicious users may abuse the CDN to spread malware, malicious scripts, or other harmful content.

5. Lack of Encryption Support: Insecure CDN providers may not provide sufficient encryption support, making data transmission vulnerable to eavesdropping. This can lead to data leaks and privacy issues.

6. Exploitation of Security Vulnerabilities: Attackers can exploit security vulnerabilities in insecure CDNs to invade CDN networks and access sensitive data or control network resources.

7. Legal and Compliance Issues: Certain CDN providers may be located in different countries or jurisdictions, which may involve legal and compliance issues. This can lead to challenges related to data privacy and compliance.

To mitigate these risks, DeFi projects should carefully evaluate the security measures, privacy policies, and compliance of CDN providers when choosing them. Selecting trusted CDN providers with a good security record and dedicated security teams is an important step in ensuring data and network security.

This test resolves each project domain to its IP addresses and compiles statistics on the use of mainstream CDNs such as Akamai, Azure CDN, Cloudflare, CloudFront, Fastly, Google Cloud CDN, and MaxCDN. Here is an example:

Source IP Exposure Security Issues

Source IP exposure means that an attacker can identify the real IP address of a website's backend server and thereby bypass the CDN, firewall restrictions, or other protective measures to attack the server directly. Source IP exposure of web servers can lead to the following security issues:

1. Direct Attacks: The exposed IP address becomes a target for hackers to directly attack, including Distributed Denial of Service (DDoS), which can render the website inaccessible.

2. Exploitation of Security Vulnerabilities: If there are known vulnerabilities in the server software, hackers can exploit these vulnerabilities to invade the server.

3. Data Leakage Risk: Hackers may access sensitive data through the exposed IP, resulting in data leakage.

4. Phishing and Fraud: Hackers may impersonate the server and engage in phishing or fraud activities.

Therefore, protecting the source IP address of a web server is an important measure to maintain network security. To prevent the source IP from being exposed, measures are commonly taken to hide the real IP address, such as using reverse proxy servers, configuring secure DNS records, and ensuring that all entry points of the server have appropriate security protection. This can reduce the risk of direct attacks on the source server.

This test uses a third-party service to attempt to look past the CDN in front of each project domain and detect whether the domain's source IP is exposed. An example is shown below:
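How the CDN and source-IP-exposure data can be classified and then tallied per DefiLlama ranking range, as an added example that is not part of the original article or of SlowMist's tooling. The CDN prefix lists are sample values to be replaced with each provider's published ranges, the buckets are assumed to be cumulative (top 100 includes top 50), the third-party lookup results are modelled as a plain list of addresses, and the dataset is constructed, not survey data.

```python
import ipaddress
from collections import Counter

# Sample CDN prefixes (constructed for this example; replace with each provider's published ranges)
CDN_PREFIXES = {"Cloudflare": ["104.16.0.0/13", "172.64.0.0/13"],
                "CloudFront": ["13.32.0.0/15"], "Fastly": ["151.101.0.0/16"]}
BUCKETS = [50, 100, 200, 500, 3000]  # cumulative DefiLlama ranking ranges used in the article

def cdn_for_ip(ip):
    """Return the CDN whose prefixes contain ip, or None for a non-CDN address."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in CDN_PREFIXES.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None

def classify_project(rec):
    """rec: {'rank', 'domain', 'dnssec', 'a_records', 'lookup_ips'}. a_records are the
    current A records; lookup_ips are addresses a third-party source (historical DNS,
    certificate scans) ties to the domain. Exposed = any non-CDN address in either set."""
    cdns = [c for c in (cdn_for_ip(ip) for ip in rec["a_records"]) if c]
    exposed = any(cdn_for_ip(ip) is None for ip in rec["a_records"] + rec["lookup_ips"])
    return {"rank": rec["rank"], "dnssec": rec["dnssec"],
            "cdn": cdns[0] if cdns else "none", "exposed": exposed}

def stats_by_bucket(records):
    """Quantity and percentage distribution of DNSSEC, CDN and exposure per top-N bucket."""
    rows = [classify_project(r) for r in records]
    out = {}
    for n in BUCKETS:
        sub = [r for r in rows if r["rank"] <= n]
        if not sub:
            continue
        total, dnssec = len(sub), sum(r["dnssec"] for r in sub)
        exposed = sum(r["exposed"] for r in sub)
        out[f"top{n}"] = {"total": total, "dnssec": dnssec, "exposed": exposed,
                          "dnssec_pct": round(100 * dnssec / total, 1),
                          "exposed_pct": round(100 * exposed / total, 1),
                          "cdn": dict(Counter(r["cdn"] for r in sub))}
    return out

# Constructed sample dataset (not real survey data); 203.0.113.5 and 198.51.100.7 are non-CDN addresses
SAMPLE = [
    {"rank": 3, "domain": "a.example", "dnssec": True, "a_records": ["104.16.1.1"], "lookup_ips": []},
    {"rank": 40, "domain": "b.example", "dnssec": False, "a_records": ["151.101.1.1"], "lookup_ips": ["203.0.113.5"]},
    {"rank": 120, "domain": "c.example", "dnssec": False, "a_records": ["198.51.100.7"], "lookup_ips": []},
    {"rank": 700, "domain": "d.example", "dnssec": True, "a_records": ["13.33.2.2"], "lookup_ips": []},
]
```

`stats_by_bucket(SAMPLE)` yields the quantity and percentage figures per range that the charts in the results section present; a domain fronted by a CDN still counts as exposed when a third-party lookup ties a non-CDN address to it.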

Based on the above test, let’s analyze the results.

Results Statistics

DNSSEC Security Issues

Some results:

DNSSEC statistics:

(Quantity Distribution)

(Percentage Distribution)

Domain Registrar Security Issues

Some results:

Domain registrar statistics:

CDN and Traffic Protection Security Issues

Some results:

CDN usage statistics:

As we can see, usage of Akamai, the world's leading security CDN provider, in the DeFi industry is essentially zero. Improving DeFi's basic security and security awareness still has a long way to go.

Source IP Exposure Security Issues

Partial Results:

Exposure Statistics:

The security issues caused by source IP exposure should not be ignored. On December 7th, the well-known game project @XAI_GAMES suffered a DDoS attack that took its official website offline. At the same time, the attacker posted a fake official website link in the project's Discord community, luring victims to a fraudulent phishing site; a large number of victims were deceived, with losses of approximately 400+ ETH. Therefore, DeFi project teams should protect the source IP addresses of their web servers to reduce the risk of direct attacks on the origin server.

Summary

Based on the statistical information from the various aspects above, we can clearly see that the basic security risks of DeFi projects are severe: a large number of DeFi projects have unsafe configurations and are at risk of being attacked.

Through the analysis in this article, we can see that DeFi security is not just contract security; security is holistic. The Web3 Project Security Practice Requirements (https://github.com/slowmist/Web3-Project-Security-Practice-Requirements) and the Web3 industry supply chain security guide published by the SlowMist security team aim to guide and remind Web3 project teams to adopt comprehensive security measures. The MistEye security monitoring system deployed by the SlowMist security team covers contract monitoring, front-end and back-end monitoring, vulnerability detection and early warning, and other information, attending to the all-round security of DeFi projects at the pre-event, in-event, and post-event stages. Project teams are welcome to use the MistEye security monitoring system to control risks and improve project security.

Acknowledgments: @DefiLlama @censysio
