This post is brought to you by a member of the Umee Community DAO.
Author: @seniorpomidor95 / SeniorPomidor#4270
Edited by Cris & Daniel
As the decentralized finance (DeFi) continues to expand, ensuring the security of users’ funds and protecting against vulnerabilities becomes paramount. Umee, a pioneering cross-chain DeFi protocol built in the Cosmos ecosystem, recognizes the importance of security and has implemented various measures to safeguard users' assets. In this article, we will explore the importance of DeFi security and highlight Umee's proactive approach to mitigating risks. We will also examine some notable instances of security breaches in the DeFi space and discuss the security protection types deployed by Umee.
To emphasize the significance of security in DeFi, let's examine three notable cases with significant losses incurred due to safety vulnerabilities:
Reason: Vulnerability in the smart contract
The original smart contract was updated and replaced with a malicious version. This allowed attackers to burn existing tokens and mint new ones, all of which eventually came to be under their complete control.
Reason: Re-entry vulnerability
Attackers exploited a re-entry vulnerability that arose because CREAM integrated AMP into its protocol. Using this vulnerability, attackers could borrow more assets than what was available to them.
Losses: $610,000,000 (The attackers returned the funds)
Reason: Vulnerability in the smart contract
Through interactions between several of the project's smart contracts, the attackers were able to configure the custodian role to point to their address, allowing them to transact at will.
With the rise of DeFi, the industry has witnessed several security breaches and exploits. It is crucial to acknowledge these incidents to understand the importance of robust security measures. Since 2011, over 140 attacks with security vulnerabilities and more than 80 cases of exploiting DeFi protocols have been reported. The financial losses incurred by users in these incidents have been in the Billions.
Built with safety in mind, Umee’s strong security measures guarantee that users' funds are safeguarded.
Understanding the various security risks that exist in the DeFi landscape is crucial for implementing effective protective measures. Some common types of security risks include:
Neglecting security auditing or insufficient validation of smart contracts can lead to overlooked vulnerabilities, potentially resulting in irreparable consequences.
Inefficient or absent access control implementation can allow attackers to gain privileged access to smart contracts, enabling unauthorized operations.
Compromised Private Keys:
Weak generation of private keys can pose risks of theft or leakage, compromising the security of user funds.
Attacks Using Instant Credits:
Instant loans can be taken advantage of by attackers to borrow governance tokens and manipulate the protocol to their advantage, potentially causing significant disruptions.
Attackers may compromise transactions using miner's extractable value (MEV) to include their own transaction in the ledger before or after the original one, leading to manipulated sequence of transaction to make profit.
Liquidity Pool Exploitation:
Incorrect valuation of tokens within liquidity pools can be exploited by attackers, leveraging instant credits and smart contract vulnerabilities for their own gains.
Umee prioritizes security and employs best practices to ensure the safety of its platform and users. Over 20+ borrow and lending parameters implemented by Umee cater to specific risk profiles of each token. Other security measures include:
IBC Rate Limiting
Umee implemented IBC rate limiting as a failsafe mechanism in face of DeFi risks. IBC rate limiting safe guards users’ fund by putting a cap on the maximum outflow from the Umee blockchain over a certain period time, which effectively limits the max profit any exploits or hacks can make on Umee.
Umee has partnered with leading security firms like Forta and Halborn, ensuring comprehensive security coverage and continuous monitoring.
Umee conducts extensive code audits, collaborating with renowned auditors such as Peckshield, Trail of Bits, Halborn, Least Authority, and Runtime Verification. These audits thoroughly examine every line of code to identify and address potential vulnerabilities. Here’s a list of each below:
Report: Umeev1.0 Peckshield Audit Report
Date: January 15, 2022
Auditor: Trail of Bits
Report: Trail of Bits Full Audit
Date: March 5, 2022
Report: WebApp Pentest
Date: March 17, 2022
Date: June 3, 2022
Date: August 31, 2022
Auditor: Least Authority
Date: June 6, 2022
Auditor: Runtime Verification
Date: June 9, 2022
For more updates on Umee, stay connected with our official channels.