Oct 20, 2023
Decentralized exchanges (DEXs) like Uniswap, PancakeSwap and 1inch are super popular but carry risks. Stay safe with these DEX security super tips.
Security, enhanced privacy, and personal monetary sovereignty are some of the major advantages that have seen decentralized exchanges (DEXs) rocket in popularity in recent history.
Yet the majority of crypto traders still prefer centralized exchanges (CEXs) due to ease of use, faster transactions and the many security breaches that have occurred on DEXs and other decentralized finance (DeFi) protocols.
Unfortunately, DEX use comes with its own set of security risks, which in some cases are bigger than those of CEXs.
In the first half of 2020, DeFi exploits accounted for 45% of all the hacks in the crypto space, amounting to $51.5 million. Theft incidents were just as bad for the rest of the year, with DeFi users losing approximately $47.7 million to malicious actors.
Some of the biggest DeFi and DEX hacks in recent history include MakerDAO ($8.32 million), Eminence ($15 million), bZx ($8.954 million), Lendf.me ($25 million), PAID Network ($3 million), Uniswap ($300,000), Harvest ($34 million), and Pickle Finance ($19.7 million).
In March 2021, PancakeSwap and Cream Finance reported a DNS attack. In the same month, another exploit cost DODO users $3.8 million.
All these unfortunate and costly breaches point to one obvious fact: using DEXs requires extra care and responsibility.
A premium hardware wallet like the CoolWallet is one of the most convenient and secure ways to interact with DEXs, since your assets are protected by additional biometric and hardware measures.
Warning: If you send funds to a bogus address or contract due to falling for phishing or a counterfeit website, you will lose your assets. Always check the URL of a website, or use the blockchain explorer or a site like Coinmarketcap that will display the authentic address.
Despite the growing DEX and DeFi adoption, hackers, scammers, and other malicious actors continue to find new attack vectors. Let’s take a look at some types of DEX attacks.
Reentrancy (re-entry) attack
This type of exploit drained roughly $25 million from the lending platform Lendf.me. The hacker carried out a reentrancy attack through a flaw in an ERC-777 token. The attack happens when a protocol's smart contract makes a call to an outside contract, and that external contract calls back into the protocol before the first call has finished, all within a single transaction.
Because the protocol's bookkeeping (such as the caller's balance) has not yet been updated when the call-back arrives, the attacker's contract can repeat the withdrawal. The goal of a reentrancy attack is to withdraw more funds than the attacker's balance allows by re-entering the contract before that balance is debited.
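To make the ordering problem concrete, here is an added example (not code from the original post or from any of the protocols it names) that models the contract interaction in plain Python. The class names, amounts and the attacker's callback are all invented for the illustration: `Vault` sends funds before it zeroes the caller's balance, `SafeVault` applies the checks-effects-interactions ordering, and `GuardedVault` keeps the bad ordering but adds a reentrancy lock in the style of a `nonReentrant` guard.

```python
# Added example: a Python model of a reentrancy bug and two fixes.
# Amounts are whole units; the "external call" is a plain method call on the
# receiver, which is how the re-entry happens in the real contract as well.


class ReentrancyDetected(Exception):
    """Raised by the guarded vault, playing the role of a revert."""


class Vault:
    """Vulnerable: pays out before it updates the caller's balance."""

    def __init__(self):
        self.eth = 0          # total funds held by the contract
        self.balances = {}    # per-depositor credit
        self.locked = False

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount <= 0:
            return
        self.eth -= amount
        who.receive(self, amount)     # interaction: external call, may re-enter
        self.balances[who] = 0        # effect applied too late


class SafeVault(Vault):
    """Fixed by checks-effects-interactions: debit first, then pay."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount <= 0:
            return
        self.balances[who] = 0        # effect before the external call
        self.eth -= amount
        who.receive(self, amount)


class GuardedVault(Vault):
    """Same bad ordering as Vault, but a lock rejects nested calls."""

    def withdraw(self, who):
        if self.locked:
            raise ReentrancyDetected("nested withdraw rejected")
        self.locked = True
        try:
            super().withdraw(who)
        finally:
            self.locked = False


class Attacker:
    """Receiver whose callback re-enters withdraw a fixed number of times.

    A real attacker contract would do this in its receive/fallback function;
    swallowing the failure models a fallback that catches the inner revert.
    """

    def __init__(self, max_rounds):
        self.stolen = 0
        self.rounds = 0
        self.max_rounds = max_rounds
        self.blocked = False

    def receive(self, vault, amount):
        self.stolen += amount
        self.rounds += 1
        if self.rounds < self.max_rounds:
            try:
                vault.withdraw(self)  # re-enter before the balance is zeroed
            except ReentrancyDetected:
                self.blocked = True


def run_attack(vault_cls, honest_deposit=9, attacker_deposit=1, rounds=3):
    """Deposit, then let the attacker withdraw once; report what happened."""
    vault = vault_cls()
    vault.deposit("alice", honest_deposit)   # constructed honest depositor
    attacker = Attacker(max_rounds=rounds)
    vault.deposit(attacker, attacker_deposit)
    vault.withdraw(attacker)
    return {
        "stolen": attacker.stolen,
        "vault_eth": vault.eth,
        "reentry_blocked": attacker.blocked,
    }


if __name__ == "__main__":
    for cls in (Vault, SafeVault, GuardedVault):
        print(cls.__name__, run_attack(cls))
```

With a 1-unit deposit the attacker pulls 3 units out of the vulnerable vault in a single top-level call; both fixed variants hand out exactly the 1 unit that was deposited. The guarded variant additionally records that the nested call was rejected, which is the signal a monitoring setup would look for in reverted transactions.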
Rug pull
A rug pull is an internal attack where a project’s founding team abandons the project by first withdrawing users’ funds deposited in liquidity pools for personal gain.
SushiSwap lost over $13 million through a rug pull incident. The platform's pseudonymous founder, Chef Nomi, withdrew approximately 37,400 Ethereum (ETH) meant for project development to a personal wallet. Luckily, the founder later returned the funds.
Flash Loan
A flash loan attack happens when an attacker bundles several actions in a single transaction within a smart contract: the loan is taken and repaid within that same transaction, so no collateral is required. The attack's main objective is to sidestep the usual lending safeguards in order to manipulate token prices, among other ills. On June 28, 2020, the Balancer network fell victim to this type of attack.
Oracle Manipulation
Most DeFi protocols rely on oracles to interact with data from outside their blockchain. DEX platforms, in particular, need price feed oracles to properly set prices for their token pairs.
Centralized oracles present a weak point in a DEX by exposing the protocol to attackers. Attackers used this technique against Value DeFi and took roughly $7.5 million. Luckily, decentralized oracle networks like Chainlink have more or less fixed this issue.
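The flash loan and oracle sections describe the same failure from two sides: a protocol that reads a DEX pool's spot price as its oracle can be fed a price that the attacker moved within one transaction. The added example below (my own code, not from the original post or any DEX) models a constant-product pool with a Uniswap-v2-style cumulative price accumulator, then compares the mid-transaction spot price against a time-weighted average price (TWAP). Reserve sizes, the attack size and the window length are constructed values; the pool ignores fees to keep the arithmetic exact.

```python
# Added example: spot price versus TWAP under a single-transaction price swing.
# Constant-product pool (x * y = k) with no fee; timestamps are block numbers.


class Pool:
    def __init__(self, x, y, t=0):
        self.x, self.y = x, y         # reserves of token X and token Y
        self.last_t = t
        self.cumulative = 0.0         # sum of price * elapsed time

    def spot_price(self):
        """Price of X in units of Y, as read by a naive on-chain consumer."""
        return self.y / self.x

    def _accrue(self, t):
        # Accumulate the price that held since the last update (v2 semantics:
        # the price is weighted by how long it was in force, not by trade size).
        self.cumulative += self.spot_price() * (t - self.last_t)
        self.last_t = t

    def swap_x_for_y(self, dx, t):
        self._accrue(t)
        dy = self.y - (self.x * self.y) / (self.x + dx)
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_for_x(self, dy, t):
        self._accrue(t)
        dx = self.x - (self.x * self.y) / (self.y + dy)
        self.y += dy
        self.x -= dx
        return dx

    def snapshot(self, t):
        """Return the accumulator value at time t (what an oracle stores)."""
        self._accrue(t)
        return self.cumulative


def twap(cum_start, t_start, cum_end, t_end):
    return (cum_end - cum_start) / (t_end - t_start)


def price_is_sane(spot, reference, max_deviation=0.05):
    """Consumer-side check: reject a spot price too far from the TWAP."""
    return abs(spot - reference) / reference <= max_deviation


def simulate(hold_blocks, window=100, attack_size=1000):
    """Push the price down with a large swap, hold it for hold_blocks, unwind.

    hold_blocks=0 is the flash-loan case: both legs land in the same block.
    Returns the prices a consumer could observe at each stage.
    """
    pool = Pool(1000, 1000, t=0)           # constructed reserves, price 1.0
    cum0 = pool.snapshot(0)
    spot_before = pool.spot_price()
    t_attack = window - hold_blocks
    y_out = pool.swap_x_for_y(attack_size, t_attack)
    spot_during = pool.spot_price()         # what a spot-price oracle reports
    pool.swap_y_for_x(y_out, t_attack + hold_blocks)
    spot_after = pool.spot_price()
    cum1 = pool.snapshot(window)
    avg = twap(cum0, 0, cum1, window)
    return {
        "spot_before": spot_before,
        "spot_during": spot_during,
        "spot_after": spot_after,
        "twap": avg,
        "spot_accepted": price_is_sane(spot_during, avg),
    }


if __name__ == "__main__":
    print("same block:", simulate(0))
    print("held 1 block:", simulate(1))
```

Doubling the X reserve knocks the spot price from 1.0 to 0.25 for the duration of the transaction, yet the TWAP over a 100-block window is unchanged when the manipulation is unwound in the same block, and moves only to 0.9925 when the attacker manages to hold the skewed price for one full block (which costs them real capital at risk). A consumer that compares the spot reading against the TWAP rejects the manipulated price in both cases.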
Bug Exploit
Hackers scrutinize a project looking for a bug or a malfunction in its code. A bug can give a malicious actor the ability to artificially increase their balance, such as in the case of bZx's iToken duplication, among other fishy activities. Akropolis and Opyn are also recent victims of this type of attack.
Phishing Attack
In a phishing attack, hackers trick you into providing critical wallet details such as the seed phrase and private key. They can do this by compromising legitimate websites providing gateways into a DEX or DeFi protocol. This is what befell Cream Finance users.
Although decentralized platforms have some significant advantages over CEXs, they carry significant risks that users should be aware of.
Major Risks with DEXs include:
- Security — Although decentralized networks provide enhanced security by letting users hold their own private keys, this doesn't always hold true, especially if the DEX platform has not been properly audited. In cases of theft, DEX funds are gone and non-refundable, as decentralized protocols are not covered by insurance. Centralized platforms like Binance and Coinbase, by contrast, either insure their users' funds or run a fund (such as SAFU) to compensate users in the event of theft.
- Front running — Front running happens when a trader sees other users' pending buy and sell orders on a DEX before they are confirmed and places their own trade ahead of them at the appropriate price. Front running is more common on DEXs due to the public nature of a blockchain.
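The standard user-side defence against front running is to set a minimum acceptable output (a slippage tolerance) on every swap, so that a trade whose price has been moved by a transaction inserted ahead of it simply fails instead of filling at the worse price. The added example below (my own code, not from the original post or any DEX) models a sandwich on a constant-product pool: the same victim trade is run once with no minimum and once with a 1% tolerance. Pool reserves, trade sizes and the 1% figure are constructed values, and the pool ignores fees.

```python
# Added example: a slippage limit (amount_out_min) turns a sandwiched trade
# into a failed transaction instead of a fill at the manipulated price.


class SlippageExceeded(Exception):
    """Stands in for the revert a router emits when output < amount_out_min."""


def quote_x_for_y(pool, dx):
    """Output of Y for dx of X on a no-fee constant-product pool [x, y]."""
    x, y = pool
    return y - (x * y) / (x + dx)


def swap_x_for_y(pool, dx, amount_out_min):
    dy = quote_x_for_y(pool, dx)
    if dy < amount_out_min:
        raise SlippageExceeded(f"got {dy:.2f}, wanted at least {amount_out_min:.2f}")
    pool[0] += dx
    pool[1] -= dy
    return dy


def swap_y_for_x(pool, dy):
    x, y = pool
    dx = x - (x * y) / (y + dy)
    pool[1] += dy
    pool[0] -= dx
    return dx


def sandwich(victim_in=100.0, tolerance=None, frontrun_in=200.0):
    """Run a front-run / victim / back-run sequence and report the outcome.

    tolerance=None models a swap submitted with no minimum output.
    """
    pool = [1000.0, 1000.0]                     # constructed reserves
    expected = quote_x_for_y(pool, victim_in)   # price the victim saw
    amount_out_min = 0.0 if tolerance is None else expected * (1 - tolerance)

    y_got = swap_x_for_y(pool, frontrun_in, 0.0)  # attacker buys first
    try:
        victim_out = swap_x_for_y(pool, victim_in, amount_out_min)
    except SlippageExceeded:
        # Victim's transaction reverts; the attacker is left holding Y they
        # bought at a worse price and must unwind at a loss or hold it.
        return {"victim_filled": False, "expected": expected}
    x_back = swap_y_for_x(pool, y_got)            # attacker sells into the victim's push
    return {
        "victim_filled": True,
        "expected": expected,
        "victim_out": victim_out,
        "attacker_profit": x_back - frontrun_in,
    }


if __name__ == "__main__":
    print("no minimum:", sandwich())
    print("1% tolerance:", sandwich(tolerance=0.01))
```

With no minimum the victim receives about 64 Y instead of the roughly 91 they were quoted and the front-runner walks away with a profit in X; with a 1% tolerance the victim's swap reverts, so the worst case is a wasted gas fee rather than a bad fill. The tolerance is a trade-off: a value that is too tight fails on ordinary price movement, one that is too loose leaves room for exactly this attack.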