Monday 21 December 2020 3:14 pm

Why knowledge sharing is key to DeFi’s long-term security

Interoperability and collaboration are key issues in order for blockchain technology to be adopted as a trusted global platform in supporting peer to peer immutable business transactions and exchange of value.

However, the recent surge in proposed and actual uses of the technology to enable decentralised finance, or ‘De-Fi’, has revealed vulnerabilities in some blockchain protocols and smart contracts, many of which are at risk of hacks and double spend attacks. In fact, over $100 million is reported to have been lost in this way to DeFi projects in 2020 alone. It is therefore imperative that players within the space actively encourage knowledge sharing and teamwork in order to mitigate these threats and enforce best practice by design.

De-Fi is a term for the many ways in which blockchain and cryptocurrency technology can provide equivalents to the traditional financial instruments and services while removing third-party barriers and allowing users to access finance and exchange funds directly. Unfortunately, DeFi’s popularity coupled with its infancy and the underlying concern that its protocols are not always secure by design, makes it especially susceptible to malicious activity and exploits like the draining of funds held in smart contracts.

However, these issues, whether caused by security neglect, coding mistakes, or simple business logic errors, can be avoided by prioritising the underpinning research necessary to ensure robust security – of both the blockchain software itself and the associated automated processes, or ‘smart’ contract functionality. In order to explain how, we first need to look at the two main accounting methods used in blockchain.

Two kinds of crypto accounting

The two most common ways in which a blockchain accounts for funds held by users and smart contracts are the “account” and the “UTXO” models, which differ significantly in their impact on security. 

The account-based ledger model, used by the Ethereum or Polkadot blockchains for example, is similar to how traditional banks account for users’ funds by maintaining a balance for each account and updating it as transactions modify the funds held by the account. On such a ledger, smart contracts are typically associated with an account and have control of the funds in it.

On the other hand, the UTXO-based (stands for Unspent Transaction Output) ledger model used by the Bitcoin and Cardano blockchains does not maintain the account balance on the ledger but sees the account as a collection of “transaction outputs” containing funds that can later be consumed by another transaction. In this model, smart contracts typically see some number of UTXOs, rather than the global state of the account. This provides benefits in control, parallelism, and predictability, but makes it harder to work with global state.

Although Bitcoin was the first blockchain to implement the UTXO model, IOHK, the developers of the Cardano blockchain, have undertaken further research and refinement that has sought to incorporate the best features of both models. While UTXO is undoubtedly the more secure, private and scalable model and is therefore perfectly suited to the DeFi space, continuing to innovate and enhance the system has and will continue to be crucial in accelerating adoption in the coming months and years.

Why is UTXO more secure?

Most of the security issues that have been reported around smart contracts in the last year have centred around developers’ inability to foresee how contracts would be used. In other words, the way in which the contract was programmed can be exploited by attackers to ‘drain the pool’ of the contract’s assets – the reason for this is the user allowing the contract to be in full custody of the assets associated with it.

While this problem is an integral property of the account model, the UTXO method allows full control over users’ assets, whereby they are the only ones able to unlock the contract. Even if a developer makes certain mistakes in the contract’s creation, it remains entirely secure.

Case study – IOHK and Nervos

Although the benefits of the UTXO model over the account model are certainly important, it is more crucial that as many people in the industry have an awareness of the differences, as well as why exactly that is the case. Without education and investigation into how to optimise these models, users will be unable to fully benefit from their potential. 

For this reason, partnerships between companies at the cutting edge of research into these methods represent one of the most promising ways for the industry to progress. This month, IOHK has partnered with Nervos in a research initiative aimed at reducing the risk of hacks in blockchain-based, decentralised finance. Through this partnership, we hope to improve the security of smart contracts by enhancing the UTXO accounting method, adding features for users and enabling the support of smart contracts on other blockchains.

In the first phase of the partnership, Nervos and IOHK will co-author research papers on the topic, open source future UTXO developments, and explore the creation of a universal standard for UTXO models. The two projects will also form a global UTXO alliance with other leading UTXO-based blockchains to facilitate industry-wide research, development, education, and more.

Looking ahead

By highlighting the advantages of the UTXO model and working towards an improved framework for UTXO-based blockchains, I see this partnership, as well as similar future projects I hope will follow, as a maturation of this early-stage technology. Through providing unrivalled, proven security guarantees, we hope to cultivate a truly ‘next-generation’ approach to thinking about UTXO-based blockchains.

Our ultimate goal with this project is to accelerate the widespread adoption of blockchain technologies even further. Just last week we saw Bitcoin’s value breaking the $20,000 mark and reaching an all-time high, signalling what is undeniably a milestone moment for the industry. What’s more, mainstream financial institutions like JP Morgan are already taking notice and adapting their business strategies to support DeFi services in the future.

It is therefore more important than ever today that cross-party knowledge sharing keeps up with the pace of adoption. By underpinning the exciting work going on every day with high-quality research, education and innovation, we can empower users, developers and the industry as a whole to usher in what I see as the future of finance.

There is of course much work to be done in the DeFi space. Nevertheless, I truly believe that partnerships like this one will be the standard-bearers for future projects aimed at addressing and mitigating security vulnerabilities across blockchain platforms. As is the case with any movement, there is no doubt in my mind that the best way forward is together.

Romain Pellerin, CTO of IOHK

IOHK is an R&D and product engineering company, committed to using peer-to-peer innovations to provide 21st century services to the 3bn who don’t have them. The company builds blockchain based products for governments, corporations and academic institutions and upskill people across the world, empowering them to solve the most pressing problems faced by people in their countries.

Romain Pellerin has a PhD in distributed computing from the Conservatoire National des Arts et Métiers and Télécom SudParis. He has founded three start-ups since 2008, at which he held both chief executive and chief technology officer positions. Since 2017, Romain has built blockchain-based products for clients, including a major international bank, and released open-source projects to help developers create durable blockchain systems. A key part of this work has been Romain’s focus on reducing complexity and cutting costs by encouraging the adoption of public blockchains, so lowering the barrier to entry for companies. Romain joined IOHK in 2020.