The uptick in Decentralized Finance (DeFi) has led to a substantial increase in cybercrime targeting the blooming DeFi industry. I posit that the DeFi industry must find ways to self-regulate by collaborating to develop a foundational knowledge and content base aimed at educating users of DeFi applications about the associated cybersecurity risks, and that it must actively promote the security of users engaging with DeFi applications while contributing to the long-term resiliency of the industry. I further argue that such a knowledge base must be enforced as a prerequisite using Non-fungible Tokens (NFTs), and I examine the benefits of establishing such a mechanism, including de-risking user-oriented liability and avoiding increased scrutiny from government regulators.
SECURITY CHALLENGES IN THE DeFi ECOSYSTEM
The DeFi ecosystem and industry as a whole are still at an early stage, and applications within the industry are starting to offer services similar to those provided by traditional finance while simultaneously suffering from familiar vulnerabilities and security risks. According to Ronghui Gu, co-founder of CertiK, a security ranking platform that analyzes and monitors blockchain protocols and DeFi projects, losses due to exploits, hacks, and scams increased by 2500% from 2020 to 2021.
In a study to understand the causes behind such cybersecurity attacks, the Wharton Initiative on Financial Policy and Regulation initiated the Blockchain and Digital Asset Project, which showed that most participants attributed the attacks to human failures, such as failing to store their keys securely or losing their private keys. Security researchers at Imperial College London proposed a few ways in which the aforementioned vulnerabilities can be addressed: blocking analytics scripts by enabling browser extensions like Privacy Badger, which prevents malicious analytics providers from linking users' blockchain addresses to their real-world identities; avoiding connecting one's wallet to non-essential DeFi applications; and treating one's wallet address as confidential information, on par with bank account or credit card details. They also recommend that DeFi users reconsider their current threat models and explore the ways in which various points of failure resulting from open gates can lead to phishing attacks.
Setting such a high security bar for oneself can be difficult for users who are new to the world of DeFi, and it requires a significant shift in the mental model with which users approach such uncharted territory.
SELF-REGULATION AS THE OPTIMAL APPROACH
While we can expect regulators to announce favorable legislation for DeFi, the regulation of DeFi still has a long way to go. There are also concerns about external regulation of DeFi applications: DeFi projects can have varying technical stacks, objectives, and offerings, and regulators might fail to sift through such distinctions, enacting cookie-cutter regulation that could significantly stifle innovation and progress. Another glaring reason why self-regulation is the best way forward for the DeFi industry is the lack of clarity on where liability lies if a DeFi protocol does not work as intended. In principle, anyone with an internet connection anywhere on the globe, and even beyond it, can access DeFi services. While this is certainly an advantage of DeFi, it also makes it easier for black hat hackers from anywhere in the world to launch attacks. A recent news report revealed that an unknown hacker tricked the CEO of a well-known DeFi platform into signing an illegitimate transaction that redirected all of his tokens to an attacker-controlled address, stealing USD $8 million from his personal wallet. Such incidents show how human factors are being leveraged by malicious hackers and strengthen the case for the DeFi industry to converge on some form of self-regulation that minimizes the security risks for its users.
THE CASE FOR ELIGIBILITY NFTs
NFTs are unique in that they substantially reduce the risk of a forged owner signature: the signature is incorporated within a unique token, so an asset is easily traceable to its owner. More recently, NFTs have been used to address the problem of counterfeit items in online transactions, such as tickets to an event or artwork. The introduction of NFTs has not only enabled artistic businesses that previously found it challenging to establish online markets to emerge, but it is also leading to a paradigm shift in proof of ownership in an era of internet-based businesses. Given these unique properties, there remains a less explored use case for NFTs as a record of eligibility, termed “eligibility NFTs”, whereby users who meet pre-specified eligibility criteria can mint an NFT that acts as a certificate of the prerequisite knowledge required to access DeFi services.
To address the aforementioned security challenges in the DeFi ecosystem, the DeFi industry must act now and form the “DeFi Security Accord”, an equivalent of the Crypto Climate Accord, an initiative led by the private sector for the entire DeFi community and focused on decarbonizing the blockchain industry. The DeFi Security Accord must work towards securing commitments and investments from private-sector leaders within the DeFi industry to build a foundational content and knowledge base that spans the basics of wallet, token, and DeFi security, recent attacks, the consequences of a potential exploit, and the various ways in which loss of funds can happen and can be prevented. Furthermore, the accord must actively create pathways to collaborate on, update, and moderate the content, and it must enforce eligibility NFTs as proof of eligibility for the system to flourish. Given the increased number of cyberattacks caused by human error and the heightened scrutiny that the industry has recently been dealing with, integrating eligibility NFTs into the signup flow of DeFi applications to ascertain user understanding of the associated market and technical security risks, as well as their awareness of ways to mitigate such risks, is a must to build long-term resiliency within the DeFi industry.
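As an added illustration of the eligibility-NFT mechanism described above (this is example code, not code from the essay or from any existing accord), a minimal Solidity sketch of a non-transferable eligibility token and a DeFi contract that gates its deposit flow on it. The issuer address, the one-year certificate validity, and the choice to make the token non-transferable are assumptions of this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example (not from the essay): a minimal, non-transferable eligibility NFT.
// Assumed: an accord-appointed issuer mints one token per wallet after that wallet
// has completed the security curriculum off-chain; DeFi contracts gate entry on it.
contract EligibilityNFT {
    address public immutable issuer;               // assumed: accord multisig
    uint256 public nextId = 1;
    mapping(address => uint256) public tokenOf;    // wallet -> tokenId (0 = none)
    mapping(uint256 => uint64) public issuedAt;    // tokenId -> mint time, for expiry
    event Issued(address indexed holder, uint256 indexed tokenId);
    event Revoked(address indexed holder, uint256 indexed tokenId);
    constructor(address _issuer) { issuer = _issuer; }
    modifier onlyIssuer() { require(msg.sender == issuer, "not issuer"); _; }
    // Mint after the holder passed the curriculum; at most one per wallet.
    function issue(address holder) external onlyIssuer returns (uint256 id) {
        require(tokenOf[holder] == 0, "already eligible");
        id = nextId++;
        tokenOf[holder] = id;
        issuedAt[id] = uint64(block.timestamp);
        emit Issued(holder, id);
    }

    // The curriculum is updated over time, so stale certificates can be revoked.
    function revoke(address holder) external onlyIssuer {
        uint256 id = tokenOf[holder];
        require(id != 0, "not eligible");
        delete tokenOf[holder];
        delete issuedAt[id];
        emit Revoked(holder, id);
    }

    // Check used by DeFi contracts: token held and not older than maxAge seconds.
    function isEligible(address holder, uint64 maxAge) external view returns (bool) {
        uint256 id = tokenOf[holder];
        return id != 0 && block.timestamp - issuedAt[id] <= maxAge;
    }
    // Deliberately no transfer/approve: the certificate stays with the wallet that earned it.
}
// A DeFi entry point that enforces the prerequisite in its deposit (signup) flow.
contract GatedVault {
    EligibilityNFT public immutable eligibility;
    uint64 public constant MAX_CERT_AGE = 365 days;   // assumed validity window
    mapping(address => uint256) public balances;
    constructor(EligibilityNFT _eligibility) { eligibility = _eligibility; }
    function deposit() external payable {
        require(eligibility.isEligible(msg.sender, MAX_CERT_AGE), "complete security curriculum first");
        balances[msg.sender] += msg.value;
    }
}
```

Because the token cannot be transferred, eligibility cannot simply be purchased from another wallet, and the expiry lets the accord require re-certification when the curriculum changes.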