DREP Research Institute | DREP’s Solutions to Security and Privacy Challenges in DeFi
To better understand security and privacy issues in DeFi, this article describes security as an existing concern, argues for the necessity of protecting privacy, and explains what DREP is doing to bring security and privacy to DeFi.
Security Is Still A Concern to DeFi
Decentralized finance or “DeFi” is a big buzzword this year. One of DeFi’s biggest selling points is the belief that DeFi platforms are extremely secure: because they are not centralized and don’t rely on any single third party to operate, they are assumed to be safe. In reality, this hasn’t always been the case. DeFi platforms may not be at risk of security breaches in the same ways that centralized platforms are, but they certainly aren’t completely safe from harm.
The most recent case of a security breach on a DeFi platform took place this April, when Lendf.Me, a subsect of the dForce DeFi platform, was exploited to the tune of $25 million. In this case, the funds could be removed from the platform because of a vulnerability in the platform’s software. Specifically, the main cause was an exploit in the ERC-777 standard and the dForce protocol. The hacker manipulated the accounting books of the Lendf.Me contracts, which enabled them to register imBTC tokens without depositing them and finally make off with $25 million worth of various cryptocurrencies. In a bizarre turn of events, the hacker eventually returned the stolen funds, but the incident still caused quite a shake-up.
This exploit was possible because the Lendf.Me contracts did not have any re-entrancy guards, which are what is usually used to protect contracts from these attacks. This highlights a greater issue regarding DeFi platforms more generally: unlike non-blockchain software applications, there is no quality assurance process. The code has to be 100% correct; otherwise it becomes vulnerable. Therefore, it is critical that DeFi platforms do as much as they can to ensure their platforms do not have any exploitable vulnerabilities. In this regard, DREP is working hard to make sure there are no exploitable vulnerabilities for our users.
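A simplified Python model of the missing re-entrancy guard described above, added here as an illustration; it is not Lendf.Me or DREP code, and the `HookToken`, `Pool` and `run` names, the sample balances and the read-call-write ordering in `deposit` are assumptions.

```python
class ReentrancyError(Exception): """Nested call into a guarded pool function."""

class HookToken:
    """Toy token that, like ERC-777, runs a sender-registered hook during a transfer."""
    def __init__(self, balances):
        self.balances, self.hooks = dict(balances), {}
    def transfer(self, sender, recipient, amount):
        self.hooks.get(sender, lambda: None)()      # sender-controlled code runs mid-transfer
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient tokens")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount

class Pool:
    """Toy lending pool (hypothetical model); guarded=True enables the re-entrancy lock."""
    def __init__(self, token, guarded):
        self.token, self.guarded, self.locked, self.credit = token, guarded, False, {}
    def _guard(self, body):
        if self.guarded and self.locked:
            raise ReentrancyError("nested call rejected")
        self.locked = True
        try:
            body()
        finally:
            self.locked = False
    def deposit(self, user, amount):
        def body():
            before = self.credit.get(user, 0)           # 1. read the ledger
            self.token.transfer(user, "pool", amount)   # 2. external call: hook fires here
            self.credit[user] = before + amount         # 3. write based on the stale read
        self._guard(body)
    def withdraw(self, user, amount):
        def body():
            if self.credit.get(user, 0) < amount:
                raise ValueError("insufficient credit")
            self.credit[user] -= amount
            self.token.transfer("pool", user, amount)
        self._guard(body)

def run(guarded):  # returns (nested call rejected, ledger credit, tokens held by pool)
    token = HookToken({"alice": 100})               # constructed sample balance
    pool = Pool(token, guarded)
    pool.deposit("alice", 100)                      # ordinary deposit, no hook registered
    token.hooks["alice"] = lambda: pool.withdraw("alice", 100)  # hook re-enters the pool
    try:
        pool.deposit("alice", 1)
    except ReentrancyError:
        return True, pool.credit["alice"], token.balances["pool"]
    return False, pool.credit["alice"], token.balances["pool"]
```

Without the lock the ledger ends up recording more credit than the pool holds in tokens; with it the nested call is rejected and the books stay consistent.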
A Secure DREP Wallet
DREP Wallet is a highly secure, multi-chain Hierarchical Deterministic wallet. Apart from functions like supporting multi-chain, multi-currency asset management and facilitating cross-chain interactions, DREP Wallet employs multiple technologies to protect our users’ assets from being stolen.
- Decentralized Private Key Storage Technology
DREP Wallet stores users’ private keys locally and not on the cloud, which grants a user complete control of their digital assets. Symmetric, irreversible and other encryption algorithms are also used to encrypt user data, allowing the creation of a multi-chain wallet with a single identity as well as the usage of a mnemonic word to manage multiple chains. In order to achieve high levels of security, user data is encrypted and sharded before undergoing data redundancy through storage in nodes located in Singapore, Dubai, India and other countries. Advantages: Safe, reliable, and efficient.
DREP offers m-of-n multi-sig. A public key is obtained from all participating users, where the corresponding private keys are used to generate a multi-sig transaction, and the public keys are announced to the other participants. Every participant will use their public key to create a signature with the same restrictions (i.e. the same m, n and list of public keys) to form a multi-sig, creating a multi-sig address beginning with the number ‘3’. In the Pay-to-Script-Hash (P2SH) model, a participant will generate a multi-sig transaction using a multi-sig address. To have the multi-sig transaction broadcast, at least m participants are required to sign off-chain, following the incomplete signatures from previous participants. Multi-sig is especially useful in e-commerce, asset division, co-management of capital and so on.
- DREP Security Technology Library
DeFi Needs Privacy
As we develop a DeFi system, it’s critical to remember that any decentralized financial system worth having must respect the personal privacy of the individuals it serves. With all of the excitement around the composability of the products and protocols in DeFi and the impressive interest rates offered by decentralized lending products, it’s easy to forget about the importance of privacy.
Some contend that applications using blockchain shouldn’t be intended for privacy, the logic essentially being that the whole point is to maintain a public record of transactions. Transaction data, however, doesn’t necessarily need to reveal any personally identifiable information that could be correlated with an individual person using a given application. Market-level information should be transparent to all participants while still preserving individual privacy.
Without privacy, a decentralized financial system will suffer many of the same pitfalls as our current financial system. From inappropriate censorship and the exposure of customers’ personal information to outright theft, consumers must tiptoe through a minefield of potential problems when dealing with today’s financial institutions. In this regard, DREP introduces zero-knowledge proof in DID to protect our users’ personal information.
DREP DID Privacy Protection Technology
DREP introduces zero-knowledge proof in DID to prevent leakage of unrelated sensitive information. The corresponding zero-knowledge proof is stored in the DID document as verifiable credentials. With DREP’s DID technology and DREP Client, users only need to maintain a single DREP DID private key to access and manage multiple types of digital assets (e.g. BTC, ETH, etc.).
For example, a verifiable credential D is issued by a trusted third party DID_X to DID_Y. DID_Y’s verifiable credential D, which DID_Z wishes to verify, contains information that is irrelevant to the verification needs, while DID_Y wishes to conceal the irrelevant information from DID_Z. DID_Y can negotiate with DID_Z to verify the necessary information of interest via zero-knowledge proof such that his privacy is protected.
DeFi platforms are supposed to be much more secure than their centralized counterparts, but the real story isn’t so simple. There have been some pretty big bumps like the dForce exploitation along the road. Also, without privacy, a decentralized financial system will suffer many of the same pitfalls as our current financial system. DeFi platforms like DREP provide their solutions to bring security and privacy to DeFi.