Security First in BSC & DeFi: Is Binance Smart Chain Safe?

By June 1, 2021 No Comments

Recently there have been multiple instances of scams and extensive attacks within the BSC ecosystem. Due to the decentralized permissionless nature of the BSC blockchain, this is an issue that can’t be resolved as easily. There are several major challenges in the BSC now:

  1. As the BSC ecosystem grows at rocket speed, it’s becoming a special target of hackers. These hackers are well-organized and keep trying to identify the potential issues in different protocols, and may own more zero-day vulnerabilities now.
  2. Some projects within the ecosystem lack experience in secure software development and have no risk control experts. There’s also a lack of code audits, penetration testing, and collaboration with security professionals

This is a very challenging issue, as for any blockchain to succeed, it has to be secure. With Binance Smart Chain, security must be the top priority. The security first principle is ingrained in everything we do, and in this article, we’ll introduce you to the basic threats and answer your burning questions about BSC’s security.

What are the threats?

The threats you might be facing on BSC are no different from the majority of crypto-related threats. In some sense, BSC might remind some of the 2017 ETH craze where hundreds of projects with millions of users flooded the blockchain and became a target of hackers and scammers.

The community faced basic social scams, hacking, personal data thefts, and many fake projects and Ponzi schemes. Since then, the attackers gained years of experience, but otherwise not much has changed in the way they operate.

There are two categories of threats:

  1. External – These are all the threats coming outside of the project. External attackers usually exploit technical or operational vulnerabilities, infiltrate internal systems via hacks or social engineering, and attempt to steal the funds, valuable information, or just simply take the project down.
  2. Internal – Internal threats are the well-known rug pulls, exit scams, and insider leaks. They are much harder to prevent and usually more complicated to investigate. In most cases, there are individual team members who felt an opportunity and abused their power, but there are also rare cases of organized groups and teams executing these attacks.

Is Binance Smart Chain safe?

The question of whether BSC or any other blockchain, as a matter of fact, is safe, could be answered in different ways. One element is the security of the code, the nodes, and the blockchain itself, the second element is the security of the ecosystem. The BSC ecosystem consists of multiple parts and participants where each comes with a different set of threats. There’s code and the algorithm, validators and their hardware, projects building on BSC, and also the individuals using it.

The decentralized BSC blockchain is running on an open-source code accessible for third parties and the public for auditing. With open-source code, anyone (with required technical knowledge) has the ability to review the code line by line and assess the possible weakness and threats. The PoSA algorithm built around 21 elected validators prevents individual validators from gaining too much control over the network and going rogue.

The BSC network and the algorithm it operates on are indeed very safe. The track record of BSC clean of incidents or hacks shows that there are no known vulnerabilities or attack vectors that could be abused on the blockchain itself. Security teams and projects incentivized by the bounty program rigorously test every element of BSC’s security on a regular basis, ensuring that even the slightest issues get resolved immediately.

Are dApps on BSC safe?

While with BSC network and code, we can verify and audit almost everything, with individual projects it’s a bit more difficult. Not every project on BSC is open-source, and even then, being open-source doesn’t automatically mean secure. Then there’s the security of smart contracts and no zero-defect codes and as each project is developed by an independent team, there’s always a chance of defects.

Due to the decentralized nature of BSC, basically, anyone can build on the network and attempt to list a token on one of the many decentralized exchanges. There’s no reviewal process or centralized governance that would prevent malicious projects from launching on BSC, as such censorship would damage the decentralization and it’s not technically or logistically possible.

There are multiple BSC security companies like Peckshield and Certik that audit and verify different BSC tokens and dApps. Delicate security audits look for potential vulnerabilities in the code, business model, and other aspects. They also often verify the core team members, review their previous experience, or audit the project’s finance. However, these audits are not mandatory and they rarely cover new or emerging dApps. When looking for a genuine project, it’s recommended to avoid uncertified projects and always prefer projects with multiple audits from different companies.

Can BSC bridges stop or revert hacks?

Simply put, no. Bridges can’t stop or revert hacks or suspicious transactions. Bridges are often used by attackers to transfer the stolen assets to a different chain and decrease the chances of being caught. Currently, there are more than 10 bridges between BSC and other blockchains (like Ethereum, Bitcoin, Tron, and others) processing thousands of transactions every minute. Even for bridge operators, it’s very difficult to identify and stop suspicious transactions. Out of the recent incidents, there were 7 hacks that used the Anyswap bridge to move the stolen assets outside of the BSC blockchain.

It’s also important to note that not all the bridges introduced anti-fraud mechanisms (AML, blacklists, etc.) and many to this day don’t partner with any professional chain analytics or security companies to minimize the risks.

Is there a way to report scams?

Thanks to PeckShield, one of the major security partners within the BSC ecosystem, there’s now an easy way to report scams or suspicious projects.
Simply visit https://forms.coinholmes.com/ and enter as much information as you can.

Building a better blockchain security

There are many ongoing community-driven efforts aiming to increase the security of the BSC ecosystem and protect the users and their funds and data. Security Companies like PeckShield, CertiK, and others help the BSC ecosystem with auditing,  threat intelligence, and security ops, and there are also individual security teams within the projects.

BSC Core team will keep working with industry-leading security companies to introduce better infrastructures and services:

  1. Introduce multiple new partners on Bounty Program to provide more proactive penetration testing to identify issues earlier.
  2. Identify new professional partners to provide BSC SAFU Funds or insurance protocol.

Due to the intensity of the recent incidents, we want to call for community action.

If you are a BSC user:

  1. Grow your knowledge, participate in community education and awareness hosted by the different BSC communities, and spread the word.
  2. Always do your own research (DYOR) and avoid speculative projects.  Learn how to spot scams in DeFi from Binance Academy and regularly refresh your knowledge.
  3. Gather extra info from trusted sources like Certik Security Dashboard  https://www.certik.org/boards/bsc, which provides insights into the BSC projects from different angles.

If you are a developer or a project, you should aim to improve your reputation, security and build trust with your audiences by :

  1. Learning about best practices from Security First in BSC sessions:
    How do projects respond to risks, and how can general users protect themselves?
    Incident response process during and after hacks and exploits
    Understanding the security risks of blockchain
  2. Going through at least 2 audits (the more, the better) and proactively working with security companies with a solid reputation to keep analyzing potential vulnerabilities.
  3. Introduce your own bounty program or leverage 3rd party platforms like Immunefi., which can attract community testers to identify issues earlier.
  4. Dedicate a portion of your funds to SAFU-like insurance to protect your users and their funds.
  5. Provide better transparency, clearly communicate all major updates and roadmap, and organize community sharings for both developers and users.

The last 9 months exposed that some of the critical infrastructure and services need to be rebuilt to cater to the rocket growth of users and network activity. As a community-driven and decentralized ecosystem, BSC can survive and thrive only if all the ecosystem members come together and coordinate as a community.

The BSC ecosystem will face many challenges over the upcoming months, but building a decentralized, scalable, and secure blockchain is not easy. We’re asking for your support during these times and we welcome all your suggestions.

Our ongoing security workshops with some of the best BSC projects are a great way to learn more about security of decentralized permissionless environments. Join us!

Session 1: Understand the security risks of blockchain – by Certik Team

  • A quick introduction to solidity, smart contract development, and applications in the DeFi environment.
  • Case study on ten recent exploits and hacks; grouped into four categories.
  • How to prepare your project and get the most out of a security audit.

Watch the playback here

Session 2: Incident response process during and after hacks

  • Identifying affected addresses
  • Tracking and monitoring fund movements
  • Notifying recipient entity
  • Due diligence reports on entities built on BSC

Watch the playback here

Session 3: Project Panel – How projects respond to risks and how general users can protect themself?

Guests: CreamdForceAutofarmOgle

  • Evaluating and mitigating collateral risks
  • Isolating risk of multiple protocol interactions
  • Risks of flash loans and liquidity pools
  • What are some common things to look out for in a contract that indicate it be risky? [Mint unlimited tokens, migrate liquidity pools or staked assets, changes to fee percentages without a timelock]
  • What are some practical measures a user can take on a day to day basis to keep themselves safe in a Defi environment?
  • And more…

Watch the playback here