SlowMist’s Top DeFi Research: "The Basic Security Risks Are Severe"

Only 30% of the top 100 Web3 projects listed on DefiLlama have configured their DNSSEC properly.

The cybersecurity team also stresses proper use of a CDN, which puts DDoS absorption, HTTPS termination and a web application firewall in front of the origin server.

The Web3 cybersecurity firm SlowMist has conducted new research focused on general security risks, not specific to smart contracts, present in decentralized finance (DeFi) projects listed on the DefiLlama leaderboard.

For its study, the SlowMist team grouped DeFi projects by their ranking on DefiLlama into cumulative tiers: Top 50, Top 100, Top 200, Top 500, and Top 3000. At the time of the study, some of the leading protocols on the DefiLlama platform were Lido, Maker, JustLend, AAVE, Uniswap, Summer.fi, Rocket Pool, Compound Finance, stUSDT, Instadapp, and Curve Finance.

The primary data collected for the assessment included:

  • Project domains’ information related to DNSSEC (Domain Name System Security Extensions);
  • WHOIS records for the projects’ domains, which show the registrar and the registration details of each domain name;
  • CDN (Content Delivery Network) details;
  • Exposure of source IP addresses.


Firstly, SlowMist assessed each project domain’s DNSKEY records (the resource record that carries the public key used to verify the zone’s signatures), the validity of its RRSIG records (the signatures over the zone’s resource record sets), and the other components, such as the DS record at the parent, that a correct DNSSEC deployment needs.

According to the team, DNSSEC helps "strengthen the security of DNS through digital signatures and verification mechanisms, ensuring the integrity and authenticity of DNS query data, allowing for the verification of the authenticity of authoritative DNS servers." This, in turn, minimizes the risk of DNS fraud and domain hijacking.
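The checks described above (DNSKEY published, DS at the parent pointing at it, RRSIG validity) can be reproduced offline on records captured with `dig +dnssec DNSKEY <zone>` and `dig DS <zone>`. The following is an added example written for this page; it is not SlowMist’s tooling or any code from the research. The zone name, key bytes and timestamps are constructed, and signatures are not cryptographically verified, only matched to published keys and checked for their validity window.

```python
"""Offline DNSSEC coherence check over captured DNSKEY, DS and RRSIG records.

Added example, not SlowMist's tooling. Three questions a practitioner asks:
does the DS at the parent match a DNSKEY in the zone (RFC 4034 s.5.1.4 digest),
does each RRSIG's key tag point at a published DNSKEY (RFC 4034 Appendix B),
and is "now" inside the RRSIG validity window. All sample data is constructed.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DNSKEY:
    owner: str
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # e.g. 13 = ECDSAP256SHA256
    public_key: bytes

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass
class DS:
    key_tag: int
    algorithm: int
    digest_type: int  # 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
    digest: bytes


@dataclass
class RRSIG:
    type_covered: str
    key_tag: int
    inception: datetime
    expiration: datetime


def wire_name(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, terminating root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not valid for algorithm 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(key: DNSKEY, digest_type: int = 2) -> bytes:
    """RFC 4034 section 5.1.4: digest(owner name in wire form || DNSKEY RDATA)."""
    algo = {1: "sha1", 2: "sha256", 4: "sha384"}[digest_type]
    return hashlib.new(algo, wire_name(key.owner) + key.rdata()).digest()


def ds_matches_dnskey(ds: DS, keys: list[DNSKEY]) -> bool:
    """True when the parent's DS points at a DNSKEY the zone actually publishes."""
    return any(
        key.algorithm == ds.algorithm
        and key_tag(key) == ds.key_tag
        and ds_digest(key, ds.digest_type) == ds.digest
        for key in keys
    )


def rrsig_status(sig: RRSIG, keys: list[DNSKEY], now: datetime) -> str:
    """'ok', 'unknown-key', 'not-yet-valid' or 'expired' for one signature."""
    if not any(key_tag(k) == sig.key_tag for k in keys):
        return "unknown-key"
    if now < sig.inception:
        return "not-yet-valid"
    if now > sig.expiration:
        return "expired"
    return "ok"


def assess_zone(keys: list[DNSKEY], ds_records: list[DS], rrsigs: list[RRSIG], now: datetime) -> dict:
    """Verdict in the spirit of the survey: is DNSSEC on, and is the chain of trust coherent?"""
    return {
        "ds_published": bool(ds_records),
        "dnskey_published": bool(keys),
        "chain_of_trust": any(ds_matches_dnskey(ds, keys) for ds in ds_records),
        "rrsigs": {s.type_covered: rrsig_status(s, keys, now) for s in rrsigs},
    }


# --- constructed sample zone (key bytes are filler, not real key material) ---
ZONE = "example-defi.test."
SAMPLE_KSK = DNSKEY(ZONE, 257, 3, 13, bytes(range(1, 65)))
SAMPLE_ZSK = DNSKEY(ZONE, 256, 3, 13, bytes(range(65, 129)))
SAMPLE_KEYS = [SAMPLE_KSK, SAMPLE_ZSK]
GOOD_DS = DS(key_tag(SAMPLE_KSK), 13, 2, ds_digest(SAMPLE_KSK))
STALE_DS = DS(key_tag(SAMPLE_KSK), 13, 2, bytes(32))  # DS left at the registrar after a key rollover
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    RRSIG("A", key_tag(SAMPLE_ZSK), datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 2, 1, tzinfo=timezone.utc)),
    RRSIG("DNSKEY", key_tag(SAMPLE_KSK), datetime(2023, 12, 1, tzinfo=timezone.utc), datetime(2024, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(assess_zone(SAMPLE_KEYS, [GOOD_DS], SAMPLE_RRSIGS, NOW))   # chain ok, DNSKEY RRSIG expired
    print(assess_zone(SAMPLE_KEYS, [STALE_DS], SAMPLE_RRSIGS, NOW))  # chain of trust broken
```

The two failure modes the sample exercises are the ones most often behind a "DNSSEC misconfigured" verdict: a DS record at the registrar that no longer matches any DNSKEY after a key rollover (resolvers then treat the zone as bogus and the site disappears for validating clients), and a signature whose expiration has passed because re-signing stopped. A zone with no DS at all is simply unsigned from the resolver’s point of view, whatever DNSKEY records it publishes.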

DNSSEC only protects records the zone owner legitimately publishes; if the registrar account is weakly protected, an attacker who takes it over can change the domain’s nameservers or transfer the domain outright, and incidents such as DNS spoofing, cache poisoning, data tampering, and distributed denial-of-service (DDoS) attacks become far more likely. SlowMist explains that domain registrars are "responsible for registering and managing domain names" and provide security measures such as user account protection from unauthorized access and prevention of malicious domain modifications and transfers.

As secure domain registrars play a critical role in overall protocol safety, SlowMist also conducted an assessment of this component in the Web3 projects listed on DefiLlama.

[Figure: SlowMist, Foundational Security Risk Analysis of Popular DeFi Projects. Source: SlowMist, Medium]

Meanwhile, a CDN sits between users and the origin server, absorbing DDoS traffic at its edge, terminating HTTPS so that data in transit is encrypted, and applying firewall rules before requests reach the backend. This reduces the chances of data breaches, man-in-the-middle attacks (in which an attacker intercepts the communication between two parties), malicious content distribution, interception of data in transit, and network infiltration.

Gathering the IP addresses that project domains resolve to allowed SlowMist to determine which popular CDNs, such as Azure CDN, Cloudflare, Google Cloud CDN, Akamai, MaxCDN, Fastly, and CloudFront, the projects use.

Finally, SlowMist considered the exposure of origin IP addresses, which, as per the team, creates a scenario "where attackers can identify the real IP address of a website’s backend server, allowing them to bypass CDN or other security measures to directly attack the server, or circumvent firewall restrictions." Once the origin is reachable directly, malicious actors have a far better chance of exploiting vulnerabilities in the backend, stealing data, and impersonating the project’s server for phishing.

To determine whether origin IPs were exposed, the researchers attempted to bypass the CDN, that is, to reach the backend server directly, for every assessed Web3 protocol that used one.
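The methodology described above, separating CDN edge addresses from everything else and then confirming a leak by talking to a candidate address directly, can be demonstrated with the following added example. It is written for this page and is not SlowMist’s tooling; the hostname, addresses and HTTP responses are constructed, the HTTP client is injected so the module runs offline, and the CDN prefix lists are an abbreviated, illustrative subset that must be refreshed from the providers’ published lists before real use.

```python
"""Origin-IP exposure triage: which addresses let an attacker bypass the CDN?

Added example, not SlowMist's tooling. Inputs are the A records a hostname
resolves to plus candidate origins gathered elsewhere (passive DNS history,
non-CDN subdomains, MX/SPF records, certificate transparency), all constructed
here. Step 1 separates CDN edges from other addresses with provider prefix
lists; step 2 confirms a leak by requesting the site directly from a candidate
with the real Host header and comparing the answer with the CDN-fronted page.
"""
from __future__ import annotations

import ipaddress
from typing import Callable, Optional

# Assumption: illustrative subset of published edge ranges, not a complete or current list.
CDN_PREFIXES = {
    "cloudflare": ["104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32"],
    "cloudfront": ["13.32.0.0/15", "52.84.0.0/15"],
}
_NETS = [(name, ipaddress.ip_network(p)) for name, ps in CDN_PREFIXES.items() for p in ps]
_NON_ROUTABLE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]

Response = tuple[int, dict[str, str], str]   # (status, headers, body)
Fetch = Callable[[str, str], Response]       # (host, ip) -> Response; raises OSError if unreachable
CDN_MARKER_HEADERS = ("cf-ray", "x-amz-cf-id", "x-served-by")


def cdn_provider(ip: str) -> Optional[str]:
    """Name of the CDN whose edge range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in _NETS:
        if addr.version == net.version and addr in net:
            return name
    return None


def routable(ip: str) -> bool:
    """Drop RFC 1918, loopback and link-local leaks: they cannot be reached from outside anyway."""
    addr = ipaddress.ip_address(ip)
    return not any(addr.version == n.version and addr in n for n in _NON_ROUTABLE)


def triage(resolved: list[str], candidates: list[str]) -> dict:
    """Split addresses into CDN edges and routable non-CDN suspects."""
    edges = {ip: cdn_provider(ip) for ip in resolved}
    suspects = sorted(ip for ip in set(resolved) | set(candidates)
                      if cdn_provider(ip) is None and routable(ip))
    return {
        "behind_cdn": bool(edges) and all(edges.values()),  # every public A record is an edge
        "edges": {ip: p for ip, p in edges.items() if p},
        "suspects": suspects,
    }


def confirm_origin(host: str, ip: str, cdn_response: Response, fetch: Fetch) -> bool:
    """Direct-to-IP request with the site's Host header. A 200 with the same body as the
    CDN-fronted page but none of the CDN's marker headers means this server answers for
    the site with nothing in front of it: the origin is exposed."""
    try:
        status, headers, body = fetch(host, ip)
    except OSError:
        return False
    headers = {k.lower(): v for k, v in headers.items()}
    if status != 200 or body != cdn_response[2]:
        return False
    return not any(h in headers for h in CDN_MARKER_HEADERS)


def curl_command(host: str, ip: str) -> str:
    """Manual equivalent of one confirm_origin probe (curl --resolve pins host:port to ip)."""
    return f"curl -sk --resolve {host}:443:{ip} -D - -o /dev/null https://{host}/"


def exposed_origins(host: str, resolved: list[str], candidates: list[str],
                    cdn_response: Response, fetch: Fetch) -> list[str]:
    """Full pipeline: triage, then confirm each suspect directly."""
    report = triage(resolved, candidates)
    return [ip for ip in report["suspects"] if confirm_origin(host, ip, cdn_response, fetch)]


# --- constructed sample: a Cloudflare-fronted site with one leaked origin ---
# 203.0.113.0/24 is a documentation range, used here as a stand-in for a public origin.
SAMPLE_HOST = "app.example-defi.test"
SAMPLE_RESOLVED = ["104.16.10.20", "172.64.33.44"]
SAMPLE_CANDIDATES = ["203.0.113.25", "10.0.0.5", "104.16.10.20"]  # pDNS hit, RFC 1918 leak, edge again
CDN_PAGE: Response = (200, {"server": "cloudflare", "cf-ray": "7f0c-SJC"}, "<title>Example DeFi</title>")


def sample_fetch(host: str, ip: str) -> Response:
    """Stand-in for an HTTP client; only the leaked origin answers for this Host."""
    if host == SAMPLE_HOST and ip == "203.0.113.25":
        return (200, {"Server": "nginx/1.24.0"}, "<title>Example DeFi</title>")
    raise OSError("connection refused")


if __name__ == "__main__":
    for ip in exposed_origins(SAMPLE_HOST, SAMPLE_RESOLVED, SAMPLE_CANDIDATES, CDN_PAGE, sample_fetch):
        print("exposed origin:", ip, "->", curl_command(SAMPLE_HOST, ip))
```

In real use `fetch` would open a TLS connection to the candidate address with the site’s hostname as SNI and `Host` header (for example with `http.client.HTTPSConnection` plus a relaxed `ssl` context, since the origin often presents a CDN-issued or self-signed certificate). The fix on the defender’s side is the mirror image of this check: the origin should accept connections only from the CDN’s published ranges, so that the direct probe fails even when the address is known.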

The results of this research are staggering. For instance, it revealed that a significant portion of Web3 protocols potentially expose their origin IPs: over 45% of the top 50 DefiLlama projects, and still almost 30% of the top 1000 projects listed on the platform.

Furthermore, it turns out that 29 of the top 50 projects listed on DefiLlama (58%) do not have a correct DNSSEC configuration, and the share of improper configurations grows with the size of the set: 70% of the top 100 projects lacked a correct configuration, and only 372 of the top 3000 Web3 projects (12.4%) have implemented DNSSEC properly.


SlowMist specifically highlights the issue of neglecting CDNs in the crypto space. The cybersecurity team emphasizes, "The negligible usage rate of Akamai, a leading global secure CDN provider, in the DeFi industry indicates a significant scope for improvement in foundational security practices and awareness within the sector."

"From the comprehensive statistical information gathered, it is clear that the basic security risks in current DeFi projects are severe, with many projects having unsafe configurations and being at risk of attacks," reports SlowMist.

The cybersecurity experts warn project teams that essential web elements, such as domain names and servers, shape overall project safety just as contract security does. While the significance of these components is often underestimated, many attacks, including domain hijacks frequently carried out with drainer kits such as Angel Drainer, go through the front-end interface rather than the smart contract logic itself.