In CertiK’s recent State of DeFi Security - 2021 report, it was stated that “Centralization issues were the most common attack vector”. Of the $1.3 billion in user funds stolen from DeFi protocols in 2021, centralization risk was the most common vector of attack.
This data was gathered through the 1,333 smart contract audits performed by CertiK in 2021. But what is centralization risk? Let's define it in more detail, in particular how it works and how it can be avoided.
Centralization risk at its core is a single point of failure within a DeFi protocol. Smart contracts with centralized ownership are riskier than contracts with a timelock or multi-signature key ownership. In smart contract audits, this is the most common major issue pointed out by the CertiK security experts.
Centralization risks are vulnerabilities that can be exploited both by malicious developers of a project as well as malicious outside attackers. They can be taken advantage of in rug pulls, infinite minting exploits, and many other types of attacks.
In the case of a token minting contract exploit, if someone gains access to the private key of the contract, they can mint as many new tokens as they’d like and send them anywhere they’d like. This attacker could be the founder of the project who managed the private key or an outside attacker who gained access to the private key of the contract perhaps through poor key management.
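The contrast between a single owner key and timelock plus multi-signature ownership of a mint function, sketched in Solidity as an added example (not code from CertiK or from any audited project). The contract names, the 2-of-3 threshold and the two-day delay are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Centralized: whoever holds the one owner key can mint any amount, immediately.
contract SingleKeyMint {
    address public owner = msg.sender;
    mapping(address => uint256) public balanceOf;

    function mint(address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        balanceOf[to] += amount;
    }
}

// Mitigated (hypothetical design): a mint needs THRESHOLD distinct signers
// and then a public waiting period before it can take effect.
contract GuardedMint {
    uint256 public constant THRESHOLD = 2;   // assumed 2-of-3
    uint256 public constant DELAY = 2 days;  // assumed timelock length

    mapping(address => bool) public isSigner;
    mapping(address => uint256) public balanceOf;
    mapping(bytes32 => uint256) public approvals; // proposal id => approval count
    mapping(bytes32 => uint256) public readyAt;   // proposal id => earliest execution time
    mapping(bytes32 => mapping(address => bool)) public approvedBy;

    event MintApproved(bytes32 indexed id, address indexed signer, address to, uint256 amount);

    // The three addresses must be distinct keys held by different parties;
    // passing the same key three times recreates the single point of failure.
    constructor(address[3] memory signers) {
        for (uint256 i = 0; i < 3; i++) isSigner[signers[i]] = true;
    }

    function approveMint(address to, uint256 amount, uint256 nonce) external {
        require(isSigner[msg.sender], "not signer");
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        require(!approvedBy[id][msg.sender], "already approved");
        approvedBy[id][msg.sender] = true;
        approvals[id] += 1;
        // The delay starts only once the threshold is reached.
        if (approvals[id] == THRESHOLD) readyAt[id] = block.timestamp + DELAY;
        emit MintApproved(id, msg.sender, to, amount);
    }

    function executeMint(address to, uint256 amount, uint256 nonce) external {
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id]; // one-shot: the same proposal cannot be executed twice
        balanceOf[to] += amount;
    }
}
```

With the second contract, one stolen or misused key can only emit a `MintApproved` event; holders and monitoring tools see the pending mint on-chain during the delay instead of discovering it after the tokens exist.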
Another type of exploit taking advantage of centralized contract ownership is a rug pull. Not all rug pulls are the same. For example, some rug pulls simply have malicious project founders who sell all of the tokens that they hold - effectively draining the liquidity from a decentralized exchange. Other rug pulls can involve founders stealing tokens from a contract, such as a presale lockup contract: a contract in which users invest funds such as Ethereum in advance of the release of a new token. Rug pulls thrive on decentralized exchanges because these exchanges are free to list new tokens on and don’t require a smart contract audit.
Smart contract audits are a necessary first step in identifying centralization risk. The audit alone isn’t enough, though: the developers must heed the recommendations of the audit team and make the suggested changes to the contracts. There are many cases where smart contract audits are performed and critical, major, and medium issues identified by the auditor are left unchanged by the project owner. This is bad practice and in many cases can lead to a serious hack and substantial funds lost.
CertiK smart contract audits identify 5 types of issues: Critical, Major, Medium, Minor, and Informational. Let's break down these categories and see where centralization risk falls.
Critical risks are those that impact the safe functioning of a platform and must be addressed before launch. Users should not invest in any project with outstanding critical risks.
Major risks can include centralization issues and logical errors. Under specific circumstances, these major risks can lead to loss of funds and/or control of the project.
Medium risks may not pose a direct risk to users’ funds, but they can affect the overall functioning of a platform.
Minor risks can be any of the above but on a smaller scale. They generally do not compromise the overall integrity of the project, but they may be less efficient than other solutions.
Informational errors are often recommendations to improve the style of the code or certain operations to fall within industry best practices. They usually do not affect the overall functioning of the code.
As you can see, centralization risks fall into the major level category. While they may not definitively impact the functioning of a platform, they are imperative to fix and can be a cause of failure for a project.
There are many examples of scams and exploits that have taken advantage of centralization risks. bZx protocol was exploited for more than $55 million as a result of private key mismanagement. They did not have a multi-signature wallet on their contract private keys. The attacker gained control of the private keys through a phishing email. This is a type of centralization risk that allowed the attacker to take full control of all contracts that the keys managed. In the case of bZx, once the attacker was able to take control of the contracts, they removed tokens from both the Polygon and BSC deployments. The post mortem showed that the Ethereum deployment was not affected by the compromised keys.
Another example of a protocol exploited due to centralization risk is the MGold rug pull. MGold is a Binance Smart Chain project whose founders used the private keys which they managed in order to drain the contracts of all funds. It’s a play-to-earn game that gained many users quickly after launch. The founders decided to take the money and run, which was only possible because of the centralized privilege of holding the private keys. Had the keys been in a timelock, or had the project used a multi-signature wallet with a DAO structure, this could have been avoided. Unfortunately, even if a project gets a smart contract audit, if they don’t heed the advice of the auditors, they won’t be secure from these types of exploits.
Centralization risk is a problem in a decentralized protocol. Decentralization can offer greater privacy and security, and can remove intermediaries from otherwise difficult processes. When designing a decentralized protocol, the more decentralized, the stronger the security can be. In the case of a decentralized protocol with centralization risks, that security can be compromised.
This is different from a centralized protocol in which single points of failure are an accepted risk. There are tradeoffs between centralized, decentralized, and distributed networks. You can read more about the pros and cons of each in the recent blog: what is decentralization.
CertiK points out centralization risks in all smart contract audits. When projects heed the recommendations of the CertiK auditors, such as implementing timelocks and multi-signature custody solutions, users can be much more confident in the security of that project. Reading smart contract audit reports to see what suggestions are made by the security experts, and how the projects responded, will help you to navigate the DeFi space more safely. Knowing what to look for and how to assess if a project cares about their security is paramount to your success in the space. Read the blogs and follow the tweets from CertiK in order to better understand these risks.