When an Investor wants to invest in DeFi, they are investing in a specific smart contract. The first thing we do is to identify the attack surface that may affect the smart contract of interest (the one the investor is looking to invest in). We do this by mapping all the smart contracts that connect to the smart contract of interest. We designate all the contracts in the attack surface as a policy and the smart contract of interest as the address of reference (AOR).
The second step is to model the attack surface topology and all the smart contracts in the attack surface. Depending on the modeling output, we automatically monitor in real time transactions destined to different smart contracts in the attack surface. Whenever a transaction matches a monitoring rule an event is generated.
We also apply the monitoring rules on all past transactions from genesis destined to the smart contacts in the attack surface to obtain historical events that will be used to generate a baseline security risk score.
The third step is to aggregate the different events generated for a particular attack surface, apply different weights and severity ratings to calculate a reliable security risk score.
The nature of protocols on the blockchain and the interconnectivity between smart contracts means that the risk to your investment is not necessarily coming from a direct malicious transaction to the contract that you are invested in. We at Arkhivist understand this and therefore our security risk score is looking at the entire attack surface affecting your investment. In this manner we are providing you with better coverage, robustness and advanced warning of any risk to your investment.
Anti Money Laundering (AML) solutions are required by regulation so that you as a financial institution will not be processing assets and funds that are illicit, or that you as a financial institution will not be investing in activities that fund illicit activity or are used by illicit actors. However AML solutions do not protect your investments or your investors from losing their money due to hacks, breaches or other bad actors. In a way you can say that AML is protecting you from the regulator but not safeguarding your investment or assets.
Securing against crypto hacks requires keeping your keys safe and to prevent authorizing transactions to malicious parties. However, it is only one part of a holistic security solution to protect your funds and avoid financial loss. Protecting your wallet is an important layer in your overall cyber security when investing in DeFi, but it does not protect your investment in a protocol or smart contract.
Smart Contracts themselves can be directly targeted with hacks or any one of the Smart Contracts engaging with the Smart Contract you are invested in. As more and more value is stored in a Smart Contract over time, it becomes a very attractive target for hackers to help themselves to a very big payday.
By adding a dedicated security solution for Smart Contracts you bolster your security posture as you can assess the security risks surrounding the Smart Contract itself, and take real-time preventive measures to ensure your funds are exfiltrated before they get compromised.
Smart contracts that comprise NFT and DeFi protocols are programmed by software developers that use advanced software concepts and code. The behavior and outcome of the smart contract is strictly defined by the software code written. No software environment should be entrusted with your money or other people’s money without the type of commonplace security solutions to protect you against bad actors that you have on your laptop or on your network.
While some DeFi Protocols may have been audited by a security auditing company, that audit was performed at a single point in time on development code that was never actually deployed on a mainnet. So the code actually deployed may be different than that that was audited. Furthermore, that offline, one-time and already outdated security audit on a protocol does not tell you about the current security baseline of the smart contract that you are actually looking to invest in.
A common line of thinking is that because the protocol is immutable (cannot be changed), and a security audit was carried out, therefore that audit is good forever. However, most protocols are upgradable. Technically, upgradability is about replacing the software code (pointing to a new software code implementation/version rather than an old one), rather than actually changing the software code itself, which isn’t possible, because it’s immutable.
This means that code on the mainnet can be replaced with vulnerable code any time. Here again, is another scenario where the software code actually deployed is different from the audited version. Protocols typically (ever?) don’t go for an external security audit for each upgrade.
Once you have invested in a smart contract, how do you ensure that new transactions by bad actors are not malicious and do not pose a security threat to your investment? For example, most protocols have upgradable smart contracts. Upgradability highlights another safety and confidence aspect for investors. Does the investor know that the protocol they are investing in is the upgradable-type? Do the investors know that a protocol was upgraded? To further highlight the risks involved, in a different use case scenario, every time a governance proposal is accepted that means that the protocol has a smart contract that was modified with new, potentially, vulnerable software code introduced. It’s virtually impossible to track thousands of transactions per second in tens and hundreds of smart contracts without an automated solution. Moreover, we cannot expect investors to know how to identify different types of suspicious behavior, even if they do try to individually and continuously track the smart contract themselves.