In the blink of an eye, I have been with CertiK for five years. Yet after reading thousands of audit reports, there is one question that still puzzles technical laypeople like me. Sometimes we can tell whether a project's code is of high quality by looking at its audit report, then judge whether the project's security meets the standard from the risk levels and the number of findings in that report.
However, in the past year the code of many projects has been relatively complete and safe, yet still carries one major risk: centralization risk.
So for a project with this risk, if its code performs well in other respects, how should we judge whether its code quality is high or not?
Such projects make up a large share of past audit records: of the 1,737 audit reports CertiK produced in 2021, 286 projects carried centralization risk, nearly 17%.
CertiK's 2021 DeFi Industry Security Report points out that the most common root cause of hacks in 2021 was centralization risk: it accounted for 44 DeFi hacking incidents, with total asset losses as high as 1.3 billion US dollars.
Report link: https://certik-2.hubspotpagebuilder.com/the-state-of-defi-security-2021-chinese
What is centralization risk?
Everyone should be clear on this: the value of blockchain lies in decentralization, anonymity and transparency.
Of these, decentralization is the defining core of DeFi, DAOs and indeed the entire crypto world.
By definition (quoting the Baidu Encyclopedia entry): in a system made up of many nodes, each node has a high degree of autonomy. Nodes can connect to each other freely to form new connected units. Any node may become a center for a period, but none has mandatory central control. This open, flat and equal structure is called decentralization.
On this level alone, centralization risk departs from the founding intent of the crypto space.
At the heart of centralization risk is a single point of failure within a DeFi protocol: smart contracts whose privileged roles are held by a single key are riskier than contracts whose ownership sits behind a timelock or a multi-signature wallet.
Once malicious attackers exploit this risk, unlimited minting, rug pulls and other attacks follow.
If your contract has an owner-only mint function with no cap, anyone who obtains the private key of the contract's owner (or of any other privileged account) can mint an unlimited number of tokens, send them to whichever address they like and sell them.
Obviously, such a function is a money printer for the project team, and some projects end up as ATMs for outside hackers as well.
Another typical attack is the rug pull; the BabyMusk attack that CertiK recently analyzed is a typical case.
In a rug pull, the project team maliciously dumps all the tokens it holds, draining the liquidity pool on the decentralized exchange. Some teams instead take tokens directly out of the contract, for example from a contract that is supposed to hold pre-sale tokens locked.
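To make the mint problem concrete, here is an added illustration written for this post; it is not code from CertiK or from any audited project. The first contract has exactly the pattern described above: a single deployer key owns an uncapped mint function, so whoever phishes that key can print tokens at will. The second applies the mitigations the text mentions: a hard supply cap, a public delay before any mint executes, and a constructor check that the owner is a contract address, intended to be a multisig. Contract and event names, the two-day delay, and the multisig address passed at deployment are all the editor's assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example added by the editor; not CertiK's code and not any
// audited project's code. Shows the centralization pattern described in the
// text (one key can mint without limit) next to a hardened variant.

// Shared minimal ERC-20-style ledger, kept deliberately small.
abstract contract MinimalToken {
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    address public owner;

    event Transfer(address indexed from, address indexed to, uint256 value);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // reverts on underflow in 0.8+
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    function _mint(address to, uint256 amount) internal {
        totalSupply += amount;
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }
}

// VULNERABLE: the deployer (usually a single hot-wallet EOA) becomes owner and
// can mint any amount to any address at any time. Whoever steals that one key
// gets the same power.
contract SingleKeyToken is MinimalToken {
    constructor() {
        owner = msg.sender;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
}

// HARDENED: (1) a supply cap enforced in code, (2) minting is queued and only
// executable after a public delay, so a stolen key cannot print tokens
// silently, (3) the owner must be a contract address, intended to be a
// multisig (assumption: the deployer passes a Gnosis Safe or similar; the
// code only proves it is not an EOA).
contract CappedTimelockedToken is MinimalToken {
    uint256 public immutable cap;
    uint256 public constant MINT_DELAY = 2 days; // assumed value

    struct PendingMint { address to; uint256 amount; uint256 eta; }
    mapping(bytes32 => PendingMint) public pending;

    event MintQueued(bytes32 indexed id, address indexed to, uint256 amount, uint256 eta);
    event MintCancelled(bytes32 indexed id);

    constructor(address multisigOwner, uint256 cap_) {
        require(multisigOwner.code.length > 0, "owner must be a contract, not an EOA");
        owner = multisigOwner;
        cap = cap_;
    }

    // Step 1: the multisig announces the mint; it is visible on-chain at once.
    function queueMint(address to, uint256 amount) external onlyOwner returns (bytes32 id) {
        require(totalSupply + amount <= cap, "cap exceeded");
        uint256 eta = block.timestamp + MINT_DELAY;
        id = keccak256(abi.encode(to, amount, eta));
        require(pending[id].eta == 0, "already queued");
        pending[id] = PendingMint(to, amount, eta);
        emit MintQueued(id, to, amount, eta);
    }

    // The multisig can withdraw a queued mint during the delay window,
    // e.g. after a signer key compromise is discovered.
    function cancelMint(bytes32 id) external onlyOwner {
        require(pending[id].eta != 0, "unknown mint");
        delete pending[id];
        emit MintCancelled(id);
    }

    // Step 2: once the delay has elapsed anyone may execute. The cap is
    // re-checked because other mints may have landed in between.
    function executeMint(bytes32 id) external {
        PendingMint memory m = pending[id];
        require(m.eta != 0, "unknown mint");
        require(block.timestamp >= m.eta, "delay not elapsed");
        require(totalSupply + m.amount <= cap, "cap exceeded");
        delete pending[id];
        _mint(m.to, m.amount);
    }
}
```

In SingleKeyToken, mint is gated only by msg.sender == owner, so phishing that one key is the whole attack. In CappedTimelockedToken a queued mint appears as a MintQueued event two days before anyone can execute it, giving holders time to react, and the multisig can cancel it if a signer key turns out to be compromised. Note that the code.length check only proves the owner is a contract, not that it is a multisig; that still has to be verified off-chain, for example by reading the Safe's signer threshold.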
Typical Case
The DeFi protocol bZx was attacked in November 2021 because of poor private key management, with losses of up to 55 million US dollars.
The key controlling the project's contracts was not protected by multi-signature, and the attacker obtained it easily through a phishing email. With that single key compromised, the attacker had complete control over every contract it administered.
How to mitigate centralization risk?
Smart contract audits are the first and necessary step in identifying centralization risks.
An audit can surface centralization risk in the project code early, but the audit alone is not enough; the follow-up code changes matter just as much.
In many cases, the problems found by security experts and their suggested fixes are simply ignored by the project team.
That is an open invitation to hackers: come and help yourself.
CertiK categorizes risks found in audits into five levels: critical, major, moderate, minor, and informational.
Centralization risk falls into the major level, which means that under certain circumstances it can lead to loss of funds and/or of project control. It may not noticeably affect the platform's day-to-day operation, but it is still a high-risk finding that must be addressed.
As a leader in blockchain security, CertiK is committed to improving the security and transparency of cryptocurrencies and DeFi. So far, CertiK has been recognized by 2,500 corporate customers, protecting more than $311 billion in digital assets from loss.


