Securing DeFi with CertiK Security Oracle

Originally published
September 1, 2020

DeFi Today

Greater growth comes with higher Risk

Decentralized finance (DeFi) aims to build an open and flexible financial ecosystem with less censorship and discrimination.

With the adoption of such a concept in the blockchain world, many well-known DeFi projects with rich capital inflow become lucrative targets for hackers.

As of september 2020, $9.3B of digital assets are locked in Ethereum for trading, payments, and financial derivatives.

However, the amount of digital assets stolen is also growing rapidly. To name a few DeFi attacks in 2020:

To name a few DeFi attacks in 2020:

Preventing DeFi attacks

The current available security offerings for DeFi are mainly static Smart Contract audits, which are effective in catching vulnerabilities before DeFi Smart Contracts go live.

However, not to mention any travial code updates that might void the audit, even if the code is bullet-proof and you won't make any pre-launch changes, it is still impossible for the static audit to keep up once your DeFi project is published into real runtime production. Here is why:

When a smart contract goes live and interacts with unauthorized software programs and/or unaudited contracts, the whole static audit become less effective in this dynamic environment. Thus any vulnerability hidden in any part of the tech stack is widely open for malicious manipulations and can be easily taken advantage of by those bad actors.

Introducing CertiK Security Oracle

In short, what is it?

CertiK's Decentralized Security Oracle is a solution developed by CertiK Foundation to guard on-chain transactions and prevent DeFi projects from malicious attacks through real-time security checks.

The mission of the Security Oracle is to bridge industry-leading software security services with DeFi projects and fulfill all types of security needs. A security score is provided to help users gain insights and make important decisions.

Who are the users?

To serve a user group with high security standards, the Security Oracle is built for any blockchain platform (i.e. Ethereum) that can support smart contract functionality.

Provided by CertiK Chain, a Security Oracle public interface is deployed on a blockchain, a Smart Contract then accepts security inquiries from DeFi applications for impending transaction calls they need to make. Users can simply connect to the Security Oracle interface, inquire about their upcoming transactions, and gain real-time security insights.

How does it work?

Let's say you are going to perform a transaction but you are not sure how "safe" it is. You decide to leverage the CertiK Security Oracle to assist you with the next steps.

You connect to the Security Oracle interface on your own business chain (i.e. Ethereum) and make an inquiry on the impending transaction.

Note: The inquiry will take two parameters: the contract address and function signature offset.

Once the Security Oracle receives your inquiry, it responds back with the insight if such data record has already been monitored and logged. If the answer is yes, the Security Oracle will provide you with a real-time security score (within the range of 0-255) aggregated and processed by CertiK Chain with its self-defined safety threshold.

If you have submitted an inquiry and the Security Oracle found no available historical information, it will respond back with a default score indicating no suggestion at the moment and you are encouraged to come back later for updates.

While you are waiting, this inquiry is broadcasted to CertiK Chain as a new task for fulfillment by Oracle Operators with chosen Primitives and certain combination principles applied.

When you come back and check again, the Security Oracle will provide you with the score and the insight you need.

Where does the Security Oracle live?

CertiK Decentralized Security Oracle is built on CertiK Chain. With the mission of becoming the guardian of the blockchain galaxy, CertiK Chain bridges on-chain smart contracts, cross-chain components, and off-chain security offerings while maintaining all characteristics of a decentralized blockchain:

  • Decentralization: Those participating nodes operate a peer-to-peer oracle network and they choose their own strategies on handle security requests
  • Security: CertiK Chain is a blockchain network built with security at its core, and its module components are elaborately designed to meet security guarantees.
  • Immutability: All oracle operations conducted by Oracle Operators are broadcast to CertiK Chain and recorded in local states and distributed ledgers
  • Consensus: CertiK Chain uses Delegated Proof-of-Stake (DPoS) as its consensus model, and there are modules like staking and slashing to guarantee the seriousness and professionalism of Oracle Operators
  • Transparency: All oracle results published to the Business Chain are trackable with CertiK Chain transaction hashes. DeFi projects can query CertiK Chain states or transaction histories to access in-depth recorded information.

How does CTK come into play?

CTK is the native token on CertiK Chain, and our proposed solution uses CTKs to maintain the well running of the oracle network.

Given the fact that CertiK Foundation will collaborate with industry pioneers to sponsor CTKs and maintain a pool of targeted smart contracts for live monitoring on their security statuses, end users such as DeFi smart contracts could enjoy the benefits of having realtime security insights free of charge.

Meanwhile, for data that is not in the Security Oracle yet, users could simply create an oracle task funded in CTK and broadcast to CertiK Chain. Oracle Operators will be rewarded with the fees collected in CTK to appreciate their services for the operations of the oracle network.

For each oracle task submitted to CertiK Chain, the fee is determined by the task submitter and each Operator could choose to take the job or not.

A note from CertiK team...

The CertiK Security Oracle solution is built to solve security pain points by bridging the gap between on-chain transactions and real-time security checks via decentralized approaches. By adopting the CertiK Security Oracle, DeFi projects will be shielded with more security guarantees on every potential move to mitigate the risk factors. We believe that CertiK Chain with its Decentralized Security Oracles will become an indispensable component of the ever-growing blockchain and DeFi ecosystem