Centralization, ironically, most common cause of decentralized finance hacks

A ‘Buy Bitcoin Here’ sign is posted at a 7-Eleven store on Nov. 10, 2021, in Los Angeles. (Photo by Mario Tama/Getty Images)

In a report earlier this month, blockchain security firm CertiK noted that the most common category of security problem across its 1,737 audits of decentralized finance (DeFi) projects last year was centralization itself.

DeFi seeks to bring the freedoms of the blockchain to traditional finance – for example, earning interest from a global user base rather than a bank. Centralization rears its more conventional head for a number of reasons, some of which can be noble and intentional. Others are careless.

"It does sound ironic that decentralized finance’s main problem is centralization," said Ronghui Gu, co-founder of CertiK and assistant professor at Columbia University. "But the fact that we’re even talking about this is a sign of the importance that decentralization as an ideology commands in the world of crypto."

CertiK found 286 centralization risks last year, even more instances than traditional software vulnerabilities (211).

"Developers can have well-intentioned reasons for including centralized privileges in their smart contracts," noted Gu. "For example, the contract owner could be granted the power to pause or upgrade a contract, something which could come in very handy and protect users’ funds in the event of an attack."

That is not just a hypothetical issue. Last year's heist of tokens from the Poly exchange was thwarted in part because central authorities were able to halt transfers.

But putting that much power in a single body can be dangerous if criminals gain control of the central private keys. EasyFi was taken for $59 million this way and bZx for $55 million over the course of last year.

"One project even left the private keys to the owner's wallet in their public GitHub repository," said Gu.

A system more true to the decentralized ethos would take that authority out of a single entity's hands and place it in a decentralized autonomous organization, he said. If that were not possible, a project should at least institute a multi-signature (multi-sig) scheme, so that no single key can exercise the privilege alone.
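To make the two designs concrete, here is an added illustration in Solidity. It is not code from CertiK, from the article, or from any project the report audited; the contract and function names (`SingleOwnerPausable`, `MultisigPausable`, `propose`, `approve`) are invented for this example. The first contract shows the single-owner pause privilege Gu describes, where one compromised key is enough to freeze the protocol; the second gates the same privilege behind an M-of-N approval, which is the multi-sig mitigation the article recommends.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Centralized pattern (illustrative, hypothetical contract): whoever holds
// the single owner key can pause the whole protocol. If that key leaks,
// for example by being committed to a public repository, an attacker
// inherits the privilege outright.
contract SingleOwnerPausable {
    address public owner;
    bool public paused;

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function setPaused(bool p) external onlyOwner {
        paused = p;
    }
}

// Multi-sig pattern (illustrative, hypothetical contract): the same pause
// privilege exists, but changing the state requires `threshold` distinct
// signers to approve a proposal. One stolen key can propose, but cannot
// act alone.
contract MultisigPausable {
    address[] public signers;
    uint256 public threshold;
    bool public paused;
    uint256 public nonce; // next proposal id

    mapping(uint256 => bool) public proposedValue;               // id => desired pause state
    mapping(uint256 => uint256) public approvals;                // id => approval count
    mapping(uint256 => bool) public executed;                    // id => already applied
    mapping(uint256 => mapping(address => bool)) public approved; // id => signer => voted

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        signers = _signers;
        threshold = _threshold;
    }

    function isSigner(address a) public view returns (bool) {
        for (uint256 i = 0; i < signers.length; i++) {
            if (signers[i] == a) return true;
        }
        return false;
    }

    // Open a proposal to set the pause flag; the proposer's own approval counts.
    function propose(bool p) external returns (uint256 id) {
        require(isSigner(msg.sender), "not signer");
        id = nonce++;
        proposedValue[id] = p;
        _approve(id);
    }

    // Any other signer adds an approval; the change applies at the threshold.
    function approve(uint256 id) external {
        require(isSigner(msg.sender), "not signer");
        require(id < nonce, "unknown proposal");
        _approve(id);
    }

    function _approve(uint256 id) internal {
        require(!executed[id], "already executed");
        require(!approved[id][msg.sender], "already approved");
        approved[id][msg.sender] = true;
        approvals[id] += 1;
        if (approvals[id] >= threshold) {
            executed[id] = true;
            paused = proposedValue[id];
        }
    }
}
```

The point of the second contract is not the pause logic but where the trust sits: each signer address votes at most once per proposal, so duplicating a key or compromising one signer cannot reach the threshold by itself, and the `executed` flag stops late approvals from re-applying a stale decision. Production deployments would normally use an audited multi-sig wallet (and often a timelock) as the owner rather than hand-rolling this, but the shape of the control is the same.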

Centralization of tokens creates a risk of rug pull scams, where owners cash out tokens in such quantities that they become valueless.

Traditional institutions can use centralization as part of their security, with a global financial system designed to leverage regulatory and institutional power to prevent some risks and reverse bad outcomes. Forgoing the oversight can make any centralization into a liability, said Gu. It is not just a security risk, he added, it is antithetical to the product.

"Centralized offerings simply will not survive. And there’s no reason for them to: they don’t offer anything new," he said. "If you want to own centralized companies and trade assets in a centralized market, the New York Stock Exchange is a much more efficient place to do that than Uniswap."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
