Centralization Is The Most Common DeFi Vulnerability According To CertiK

What Is Bitcoin?

The blockchain and smart contract security firm CertiK found centralization risks in more than 16% of all audits performed in 2021.

1,737 smart contract audits in review

Throughout 2021, CertiK performed a total of 1,737 smart contract audits. Out of these, 286 audits found a centralization risk. As an example for a hack that occured due to centralization risks, their 2021 report mentions the DeFi protocol bZx, which was exploited for more than 55 million USD in November, after the attackers managed to obtain a single private key which had privileged control over the platform’s smart contracts.

The second most common vulnerability found by CertiK were missing event notifications (211 instances), followed by unlocked compiler versions (176 instances), improper input validation (104 instances), and third-party code dependencies (102 instances). 

DeFi still lacks best practices for decentralization

The CertiK report notes that single points of failures are antithetical to decentralized finance and pose a major risk to DeFi protocols:

When a simple phishing email can compromise an entire protocol relatively easily, a single, non-multi signature setup is insufficient. If these privileged functions were protected by a timelock, delegated to a DAO, or managed by a multi-sig wallet, the centralized point of failure would have been resolved and the exploit averted.

In general, communally held funds within a DAO or DeFi project should never be held by a single private key. This extends to privileged control as well. The easiest and most common way to achieve decentralization is the use of a multi-sig wallet, but this method is still far from perfect and does not protect against rogue parties within the project. 

For instance, in 2021, several of SushiSwap’s core developers discussed compensating one of them after he lost over 100,000 xSUSHI in the Cream Finance hack. Although ultimately no compensation was paid, some community members believe that this was a deliberate attempt to misappropriate funds out of Sushi’s multi-sig wallet. 

Finding best practices for decentralization is still an open issue within the DeFi sector, which urgently needs to be addressed.