TWAP oracles, pioneered by Uniswap v2 and v3 implementations, have become critical infrastructure for many DeFi applications. But what security benefits do these oracles offer, especially in comparison to other oracle implementations?  In our prior article, we provided an overview of TWAP oracles. In this article, we’ll explore how TWAP oracles improve security for DeFi protocols. We also compare TWAP oracles with VWAP oracles and similar implementations such as spot price oracles.  TWAP vs VWAP oracles  In the previous article, we explained that TWAP (Time Weighted Average Pric ..read more

Given the immutability of public blockchains, it is important that transactions are executed only if conditions for safety are satisfied. An example of a safety condition enforced by smart contracts is the timing of certain transactions.  For example, an auction contract might require users to place bids only within a specific window. Similarly, an Initial Coin Offering (ICO) may prevent investors from transferring newly-acquired tokens until the initial sale is over (to avoid crashes in market value of the token).  In both cases, a “timelock” is used to restrict access to smart cont ..read more

Access control in cybersecurity defines how an organization restricts access to resources and data in a computing environment. Proper access control is critical, as unauthorized access to sensitive information and operations in a system poses a security risk.  Access control is even more important for smart contracts, as they live on public blockchains that permit anyone to call functions. In this article, we’ll explain what access control for smart contracts means, why it matters, and how to implement better access control patterns for your smart contracts.  What is access control i ..read more

2022 is on course to become the worst-ever year for crypto security. Since January, hackers have stolen over $3 billion worth of cryptocurrencies from DeFi applications. However, the industry’s security challenges transcend protocol exploits. According to a recent FTC estimate, crypto scams accounted for 25% of all fraud in 2021, totaling over $1 billion in losses. Typically, hackers apply technical expertise to obtain access to sensitive data, whereas scammers trick victims into handing over personal information or cash.  The popularity of cryptocurrencies, paired with widespread misconc ..read more

A step in the process of setting up a new cryptocurrency wallet is the issuance of a 12 to 24 word mnemonic phrase or seed phrases. These seed phrases are necessary for account recovery in case of lost access to users’ funds. The Bitcoin Improvement Proposal number 39 (BIP39) is an implementation design that describes how cryptocurrency wallets generate mnemonic phrases and convert them into binary seeds, which can be used to create deterministic wallets. In short, BIP39 standardizes how wallets handle this overarching process. Before this standardization, private keys were used to create and ..read more

This is the third article in a three-part series exploring vulnerabilities that place DeFi projects at risk. Click here to read DeFi Security Part 1 and here to read DeFi Security Part 2.  DeFi smart contracts are high-value targets for attackers. However, the fields of smart contract development and DeFi are relatively young. As a result, there is a limited number of experienced developers, and some smart contracts may be written by people without a clear understanding of potential security risks and best practices. Common Smart Contract Vulnerabilities Smart contracts running on the Eth ..read more

This is the second article in a three-part series exploring vulnerabilities that place DeFi projects at risk. Click here to read DeFi Security Part 1. Decentralized Finance (DeFi) projects are a common target of attacks due to the massive value that they hold.  DeFi tokens have a total market cap of over $50 billion, and DeFi hacks have had price tags in the millions.  If an attacker can get away with their ill-gotten gains, then hacking DeFi projects can be very lucrative. In the previous article in this DeFi Security series, we discussed data security vulnerabilities and their impa ..read more

Most developers don’t dream of writing elaborate and exhaustive error-handling code. Instead, they like to focus on the “happy path,” that is, the way a program flows when every little bit of logic is proceeding according to plan.  As security engineers and hackers, we are focused on the opposite. Instead of a pleasant stroll along the happy path, we have in mind the dangers that lay in wait just off the road for those who take the wrong turn. And we’re here to help you stay on the sunny side. A convenient tool for a developer who is focused on the happy path is to use a helpful programmi ..read more

This is the first article in a three-part series exploring vulnerabilities that place DeFi projects at risk. Decentralized Finance (DeFi) is one of the biggest and fastest-growing applications of blockchain and smart contract technology.  DeFi’s ability to revolutionize the financial sector by offering decentralized, blockchain-based alternatives to traditional financial services has driven significant investment in the space.   Today, DeFi projects have a total market cap of $55 billion. However, the large amount of value invested in DeFi smart contracts also makes them common ..read more

The concept of self-executing code that reduces risks and guarantees the satisfaction of conditions laid out in a contractual agreement is integral to most applications of blockchain technology today. Created by computer scientist Nick Szabo in 1994, a smart contract is a piece of code (now commonly deployed on blockchains) that automatically executes when specific conditions are satisfied. This makes it possible for parties to enforce transactions and agreements without requiring a third party or intermediary. One of the most appealing features of smart contracts is their potential to drastic ..read more