Hi, good morning everyone. I hope you're well and enjoying your virtual conference. My name is Ryan Rubin and today I'm going to be talking about decentralized finance: is it ready for prime time? I'm really sorry not to be in Vegas today with all of you, but all I can say is that here in the UK it feels pretty hot and it's almost like we are in the desert. First, the usual disclaimer. I'd like to confirm that the views expressed in this talk are my own and are not representative of any views from my employer. Of course no animals were hurt, other than potential unicorns, in this research. So today I'm going to give a quick introduction, give you a 101 on what decentralized finance is all about, talk a little bit about the attack landscape and how people might target this particular protocol, and then I'll also talk about a methodology that we've introduced which effectively looks at key indicators of vulnerabilities and how we might be able to assess DeFi projects in the future. I'll present the results and wrap up with some conclusions. So a little bit about myself. My name is once again Ryan Rubin. I've been in the security industry for the last 23 years covering a whole range of different topics. The last couple of years I've had a big interest in blockchain security as well as cyber insurance, and I'm looking forward to sharing some insights here today. I actually start this talk where I kind of left off last year when I presented a talk in the Blockchain Village on a cryptocurrency heist. And what I found quite interesting during that investigation was that as the attackers started to move their money and funds around the Ethereum blockchain, they started to put some of their funds into a DeFi platform and actually converted quite a lot into something called the DAI coin, which I'd actually never heard of before. And after doing a bit of research I got quite interested in the whole DeFi protocol and kind of the alternative finance options that it has.
What startled me was that the attackers of this particular heist were obviously ahead of the game and realised that they needed to put their cryptocurrency somewhere in order to ensure that the pricing did not fluctuate and the value or the proceeds of their crime did not reduce as the price of Ethereum drops. But this talk is not just about hackers and fraudsters that might be leveraging various platforms to realise their investments in the blockchain world. It's actually more generally about many of us that may be looking at alternative ways of financing and investing in the future. So I came up with this research hypothesis, which states firstly that DeFi is becoming really popular, and I'll talk a little bit about that as the show goes on, but as their popularity grows, can they withstand the various types of attacks that are going to be attracted by that popularity? Also, is there a way that we can measure the security posture of DeFi projects and do so in a way that's non-invasive? Of course the assumption we have is that they must have good opsec in order to be in this business, right? So why carry out this research? Well, unfortunately people are still getting hacked. There are several stories in the news, and quite a few that I'll discuss as the talk unfolds, indicating that there are still compromises out there. People are still making money out of this and therefore it's really important to raise awareness of security related issues not only to those in the security community, like many of you that are attending the talks today, but also those outside that community, including a lot of blockchain developers who, I understand, frequent the BCS Village. I also wanted to use this research to try and build upon some of the work that others are doing in this space and try and move the industry forward in a positive direction.
And finally I think this research could also be helpful for both consumers, those in the insurance space, investors and also owners of DeFi projects, because the last thing you want to be doing after spending weekends, hours, days, months and years building up your DeFi project is to find that it all goes down the drain because of some silly security issue that we've got to close. So DeFi 101. So what is decentralized finance? Well, if we look at traditional finance products that you might buy from your bank today, or some of the financial products that investment bankers are using, you can see that there are common trends around loans, derivatives, asset swaps and even insurance that can be provided to each of us through a traditional banking environment. One of the issues and challenges with that is the centralized aspect of it, and what decentralized finance aims to do is to introduce a new way of establishing financial products that's both decentralized, not controlled in any way, and is trustless and transparent. So if we look at the DeFi set of protocols and applications, you can see that there's a whole range of different services that are being offered in the space. There's distributed exchanges, which remove some of the concerns that many people have around working with traditional centralized exchanges. There's a variety of different loan products that are out there where you can take your cryptocurrency, pass it on to a platform and earn some interest on it instead of leaving that money to, let's say, decay over time. There's also the concept of stablecoins, where you can basically take your cryptocurrency and convert it into a stablecoin, which is pegged against the US dollar or some other fiat currency. And that's another way of ensuring that your hard-earned cryptocurrency coins do not necessarily fluctuate in value as the market continues to be volatile. And, of course, all the other things like the asset swaps and derivatives that are also there.
So how big is this market? Well, I found this quite fascinating, but earlier on in the year, the total value that was locked up in the various DeFi protocols and projects was around $1 billion. And over the last couple of months, it's actually shot up to just over $4 billion in value locked in. So what we can see here is there's this tremendous amount of growth that's taking place, and this may continue in the future as long as there aren't any big hacks that come up and the confidence in these products doesn't start to fail. In terms of distribution, you can see that from the lending side that that's one of the more popular platforms and products. I'm assuming that's because it's actually quite easy to understand. We're talking effectively about either borrowing money or loaning money into the system and then getting some profit out of that through some additional interest, or being able to leverage the loans in order to invest in other products in the system. Distributed exchanges are gaining some value. Derivatives and payments are still early days, but again the facilities are there, and there's some very interesting ways in which these protocols can be configured which cannot actually be set up in the real world. So I suspect the investment bankers out there will be looking at DeFi as it continues to mature and seeing how they can exploit some of the value that it can provide. So how can you earn passive income, crypto style? Well, if you have a look on the left-hand side of the slide, you can see a number of different DeFi projects that are out there providing the various services that I mentioned: lending, derivatives, distributed exchanges, assets or stablecoins, and you've got a whole pick there of different types of companies and platforms that you can go to.
On the right-hand side, you can also see that as part of these platforms, there are also a variety of different interest rates associated with the different types of coins and tokens that you might want to invest in. So if you look at NEXO, for example, you can get an 8% return if you invest in one of their products and perhaps buy some DAI and look to get some value from that. If you go down the list, you owe 13.68%. So when you're looking at these numbers, of course, you're not going to earn this type of return from a bank today. But of course, there's obviously a lot more risk involved in this and that's why these prices tend to fluctuate a lot. So before we go any further, I thought I'd just talk a little bit about some terminology. Firstly, crypto wallets. So many of you will be familiar with crypto wallets. This is the place where you have your private keys and you hold your cryptocurrency, and it's of course an area that you need to protect really well. In the context of distributed finance, the wallet is also used and can be the key towards holding source code or smart contracts, and that becomes quite important as we look at the security of these platforms. So when we look at platforms such as Ethereum, for example, it not only has a cryptocurrency, which is the ether, but it has a whole distributed system available which is based on executing distributed code in the form of smart contracts. And once again, the control of those contracts when they're uploaded, what the contents of them are, etc. is all linked into the crypto wallets that are associated with those projects. In order to unlock those, we talk about admin keys, and these are kind of like the keys to the kingdom. Almost similar to the domain administrator accounts in the Windows world, for those of you that are joining from the security community today. And effectively, if you get hold of these keys, you can do a whole lot of bad stuff, including potentially uploading or changing smart contracts.
Now, why would that be important? Well, inside the wallet, you've got a whole lot of cash, and smart contracts define a way in which transactions can communicate and can take place over the blockchain. So if we have a wallet that has a lot of cash in it and we have an ability to influence the logic by which that cash gets used, then it obviously can be very detrimental to the DeFi platform. There's also a concept of a time lock, and this hasn't got anything to do with going back in time. But what it is is a method that owners of the DeFi platform can use to effectively slow down the transactions that are taking place on the blockchain. And this is very useful because it allows the owners, or those that are governing the DeFi project, to potentially have a look at any unusual transactions. And normally there's a time window, either it's four hours, 72 hours, 48 hours, in which the owners of that platform or those that govern the platform can actually monitor the transactions and potentially reverse any transactions that have been introduced into the system by an unauthorized hacker or potentially even just by mistake. So that's something that's really key to look into. There's a big debate around decentralization and centralization, right? So we spoke at the beginning, the whole purpose of distributed finance is to have decentralized systems and finance that is not under anyone's control. And by putting in the time lock, we're effectively giving a level of that control back to the owners and those that run the project in order to better control it in the case of things going horribly wrong. But I think for most of us that are still, let's say, dabbling in this particular world, it's better to have some level of governance in place to protect the assets and the information and of course the currencies that are in there.
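The time lock just described is easiest to understand as a queue of privileged actions with an earliest execution time. The following Python simulation is an added example written for this transcript, not code from the talk or from any DeFi project: the delay, the action names and the "watcher" that cancels a suspicious action are all constructed assumptions, and timestamps are plain integers so it runs offline. It shows the three outcomes the speaker describes: an action that is blocked because the window has not expired, an action cancelled during the window, and a legitimate action that runs once the delay has passed.

```python
"""Simulation of a DeFi-style admin timelock (added example, not from the talk).

Every privileged action (for instance swapping a smart contract implementation)
is queued with an earliest execution time (eta).  It can only run once the delay
has passed, and anyone watching the queue can cancel it in the meantime.
"""
import hashlib
from dataclasses import dataclass

DELAY_SECONDS = 48 * 3600   # assumed default delay; the talk mentions 4h/48h/72h windows


class TimelockError(Exception):
    """Raised when an action cannot be executed (unknown, cancelled or too early)."""


@dataclass
class QueuedAction:
    target: str        # contract the call is aimed at (constructed label)
    call: str          # human-readable description of the call (constructed label)
    eta: int           # earliest execution timestamp, in seconds
    cancelled: bool = False


class Timelock:
    def __init__(self, delay: int = DELAY_SECONDS):
        self.delay = delay
        self.queue: dict[str, QueuedAction] = {}

    @staticmethod
    def action_id(target: str, call: str, eta: int) -> str:
        # Stable identifier derived from the action's contents, so two
        # identical queued actions collapse to one entry.
        return hashlib.sha256(f"{target}|{call}|{eta}".encode()).hexdigest()[:16]

    def queue_action(self, target: str, call: str, now: int) -> str:
        eta = now + self.delay
        aid = self.action_id(target, call, eta)
        self.queue[aid] = QueuedAction(target, call, eta)
        return aid

    def cancel(self, aid: str) -> None:
        # A governance watcher reviewing the queue can stop an action before it runs.
        self.queue[aid].cancelled = True

    def execute(self, aid: str, now: int):
        action = self.queue.get(aid)
        if action is None:
            raise TimelockError("unknown action")
        if action.cancelled:
            raise TimelockError("action was cancelled")
        if now < action.eta:
            raise TimelockError(f"timelock not expired, {action.eta - now}s remaining")
        del self.queue[aid]
        return (action.target, action.call)

    def pending(self, now: int):
        """What a watcher would review: live actions and seconds until each can run."""
        return [(aid, a.eta - now) for aid, a in self.queue.items() if not a.cancelled]


def demo():
    """Walk through the three outcomes the talk describes: too early, cancelled, executed."""
    tl = Timelock(delay=10)
    legit = tl.queue_action("Vault", "upgradeTo(0xNEWIMPL)", now=100)   # constructed action
    rogue = tl.queue_action("Vault", "setOwner(0xUNKNOWN)", now=100)    # constructed suspicious action
    try:
        tl.execute(legit, now=105)
        blocked_early = False
    except TimelockError:
        blocked_early = True
    # The watcher spots the unexpected owner change inside the window and cancels it.
    tl.cancel(rogue)
    try:
        tl.execute(rogue, now=120)
        rogue_ran = True
    except TimelockError:
        rogue_ran = False
    executed = tl.execute(legit, now=110)
    return {"blocked_early": blocked_early, "rogue_ran": rogue_ran, "executed": executed}


if __name__ == "__main__":
    print(demo())
```

The `pending()` view is the piece worth monitoring in practice: a governance process only helps if someone (or some automation) actually reads the queue during the window and has the authority to call `cancel()`.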
We also have the concept of an oracle, and this can either be a system that's inside the decentralized ecosystem of the DeFi platform or it's something that the DeFi platform uses as a source of information in order to make decisions. So an oracle could, for example, be publishing prices for various types of coins, like I showed you earlier, that are coming from various exchanges and pumping that information back into the DeFi protocol and application so that it can use them in order to make decisions. Now, again, there's pros and cons on whether this oracle concept is a good idea or not. If we're looking to peg, for example, a currency against the dollar, then we do need an oracle that can tell us what the price of the dollar is and provide an accurate reflection of what's happening in the real world. So there are some benefits to it, but of course, if we're able to influence or compromise the oracle, that can have devastating effects on the DeFi project. And finally, we talk about DApps or smart contracts, and once again, this is the source code that's being run on the blockchain. It's source code that is immutable. It runs forever on the blockchain. It's been signed. It's available to be reviewed and seen by those that transact with it, and it forms the heart of the logic behind the DeFi platform. Okay, so how does this work in practice? So I'll just give you a quick example. Let's take a cryptocurrency investor, and she decides she's got some Bitcoin. She's really worried about the fluctuation of the Bitcoin, which I believe is about $11,000 today. If we went back a couple of months, it was a lot less than that. But if we went back maybe two or three years, we had obviously a real spike in the prices. So with her hard-earned Bitcoin, she's got a choice either to keep that in Bitcoin or to potentially loan it out to a DeFi platform and gain some interest or gain some potential value from that. So she deposits some Bitcoin into the DeFi platform.
There'll be a smart contract within the DeFi platform that will effectively receive that Bitcoin. It might wrap it up or transfer it into a token. And in my case, I'm going to use the DAI token as an example. And that basically allows our investor to take these DAI tokens and potentially push them into other DeFi products in order to earn interest, or potentially just to peg the value of their Bitcoin against the dollar one-to-one. Because, as I mentioned, DAI coin is a stablecoin which is linked to the dollar. So she can then take that DAI coin and actually push it into potentially another platform, which might actually go ahead and invest that DAI coin into other products, which then could actually generate some level of return for her. At some point, she might then decide there's been some growth, or perhaps there's been some stability in the DAI coin, but it's time to cash out and she wants her Bitcoins back. So she can go back to the platform, and effectively the platform might again do some checks against the oracle to see the current price between the DAI and the Bitcoin and then push that Bitcoin back to her. Now, of course, this is what would happen in theory, but sometimes that money might disappear. Why might it disappear? Well, potentially the DeFi platform which is holding these Bitcoins may not still have the Bitcoins that were provided by her and by other cryptocurrency investors. It is also possible, and we talk about liquidity, that there simply isn't enough cryptocurrency inside the DeFi platform to be able to pay out all the people that have loaned it money, and that could also potentially be a problem. Or, of course, maybe somebody might intercept or influence the logic within the DeFi platform and basically change the smart contract to maybe push the money somewhere else rather than to the person that had requested it. So let's talk a little bit about the attacks on the blockchain and, yes, smashing stacks, breaking blocks or loosening the chains for profit.
So once again, the high-level scenario of our investor or person that has some cryptocurrency looking to engage with the DeFi ecosystem in order to get some value from their currency. You've got the oracle and the exchanges on the right-hand side that this particular DeFi application or platform is relying on. Of course, we might have a corporate entity that is owning and running and governing the DeFi platform. So let's look at some of the potential attacks that could occur throughout this lifecycle. Firstly, from the user's perspective, users can be phished. Their passwords and keys could potentially be stolen. As you've seen in the case of the Twitter attack that happened just over a month ago, social engineering scams are possible too. So hackers might not necessarily get in and steal the keys. But if they can convince the person to transfer some money across, then they can lose that way. And of course, there are potential vulnerabilities in the software that the user has downloaded or is using, which might intercept communications and potentially steal the keys. If we move into the distributed environments, and again, a good example of this is Ethereum, which leverages the ERC-20 tokens, there are still vulnerabilities in smart contracts, and we'll talk a little bit more about those. There is the possibility of key compromises. There are DDoS attacks and potential man-in-the-middle attacks. These often occur because there is often an interface between these DApps, a web interface or an API, and, again, its users. And so again, depending on where the keys are and the way things get handled, there is some possibility to perform some attacks there. From a protocol perspective, again, all of these distributed apps, Ethereum itself, it's still relatively new, and there may still be some underlying vulnerabilities in the way that the distributed system is working, and I guess time will still tell whether some of those get out there in the wild or not.
The oracles themselves. So again, the whole purpose for having the blockchain and these cryptocurrencies is that they are inherently secure and built with all the wonderful cryptography and so on that's inside them. But when they start relying on third parties, for example the oracles and the exchanges, that's potentially when things can go wrong. So once again, the oracle might be manipulated to provide the wrong interest rates, for example, or an exchange might make a mistake and publish the wrong rates, which could then lead to people taking advantage of that. One thing that we've looked at in our research is the corporate entity itself, and this is really important because these apps are run by people and by a company, often a startup, maybe it's a small organization to begin with that grows, but there are people inside that organization that communicate with customers and with individuals and those that have invested in the tokens and the cryptocurrencies. Some of those people also might operate and have access to the keys and the wallets. Some of them might have to update the smart contracts from time to time. And so the corporate entity itself needs to have a level of security that we would expect of a bank or another financial institution. But of course, because a lot of these organizations are still growing, they may not necessarily have matured yet to provide all the right opsec that we would expect. So another route into this environment could potentially be through the entity or the organization that is running the platform, targeting either the employees or some of their resources, their email, their social media, et cetera. So if we look just in the last couple of months, there have been quite a few hacks that have taken place in the DeFi world.
Most notably the bZx hack, which I'll talk about a little bit later, but literally within a couple of days they lost around a million dollars in a very sophisticated attack which impressed a lot of folks that have looked into this. Maker itself had a price crash. It wasn't specifically a deliberate attack, but there was a drop in ether that happened for a few seconds, and this ended up causing a lot of mayhem, and Maker actually had some liquidity challenges, which actually forced a lot of the users on the platform to have their loans effectively canceled in order for Maker to ensure that it had the right level of liquidity. And there's a big class action suit going on right now for those individuals that have lost money by loaning money into Maker and not being able to get it out again. Again, later in the year, we had imBTC being hacked by an ERC-777 reentrancy attack. Now, for those of you that know about the DAO attack that happened a few years ago on the Ethereum platform, this is a very similar type of attack. And interestingly, a day later, there was another platform, Lendf.Me, that lost 25 million, because they were using the same source code in their smart contract as another organization. So again, these things kind of can happen in various different ways. Talking a little bit about the bZx hacks, and I don't want to spend too much time in this area, but when we think about hacks and exploits, the ninjas of the security community are running machine code and machine-level assembly to smash the stacks and do buffer overflows and all sorts of things. And what we see here is a different type of hack. We see that somebody with a lot of knowledge was able to leverage the different protocols, leverage the different DeFi protocols out there: dYdX, which was allowing loaning, Compound, which was allowing interest, the Kyber network and the Uniswap network, which were allowing people to swap coins.
And they exploited basically a situation where an exchange was providing a very favorable rate of interest, we call it interest or pricing, for a particular coin combination. And they realized this. They took advantage of something called the flash loan, which is a very interesting concept in the DeFi world that allows people to borrow money without providing any collateral. As long as they borrow the money, carry out a transaction and pay the money back very quickly, the platform is happy to support that. And that's exactly what happened in this particular instance. So they borrowed some money from the dYdX loan platform, $10,000 each. They then did some fancy transactions and manipulations. They took advantage of the price hedge, if you like, that they found in the markets. And then they were able to then pay back that loan and profit around $300,000 for that particular transaction. Literally a few days later, they did the same thing and managed to earn another $600,000. So in response to this, bZx actually made some really dramatic statements which I'd like to read out. "This attack was one of the most sophisticated we've ever seen, possible only with an extremely in-depth knowledge of every DeFi protocol and its tools. This space is evolving quickly. The security is becoming increasingly more dire as the barriers to entry for executing an exploit drop to zero. There is no analog for this in the traditional finance system and we're now in uncharted territories." So if that doesn't give you a huge amount of confidence, then you might want to think twice about using these particular platforms. But as with anything that's happened on the internet and e-commerce many moons ago, eventually the maturity of the industry gets there and it becomes harder to do these types of things. So again, if you're looking to put some money into one of these platforms, how do you assess whether they're good, they're safe, they're bad, et cetera? So that's where our research comes in.
And the first thing we did, which again I find quite interesting, you know, you think you've got a good idea and you do some Googling and then you find out actually quite a lot of other people have come up with the same idea. So as part of the early research, we found that there is an open source group, or groups, there's DeFi Score as well as DeFi Watch and the Codefi project as well, that essentially are starting to build out an index of various features on the DeFi platforms that give us some indication of how risky they may be. So some of the types of things that the DeFi Score provides, for example, is looking at, you know, has this particular platform carried out any smart contract audits, how many audits? Do they use a time lock or do they not? Have they implemented some form of multi-signature for protecting those very special admin keys that I spoke about earlier? They also then look into some additional factors which are more linked to the financial viability of the platform, and that includes the liquidity index, the centralization index and the utilization index. But all of these things come together to form a score out of ten which is there to try and help and guide those that want to potentially put money in. You might get all excited about that 13% rate you're going to get, but then, you know, you might want to check to see whether that particular platform has scored very well on a DeFi Score or on some other score. So with that in mind, we thought we would build upon this platform, and one thing that we did notice is that, again, the communities that developed this actually form part of the crypto community. So the focus of this scoring was very much based on some of the things in the crypto world. And so we, coming from, let's say, a wider cybersecurity perspective, started to think about some of the other OSINT that we might be able to find about those companies. So we took a traditional approach.
We looked at IP addresses, DNS records. We looked at the email platform that these particular providers were using. We looked at a couple of open sources connected to the internet, mail servers, web servers, et cetera. We looked on LinkedIn to see what kind of social media presence they have. We did some threat intel to see whether there's any chatter involving these particular projects. We also assessed the bug bounty and how ready or how mature they are in using the hacking community to find vulnerabilities and publish those. And also, you know, whether they were open source or closed source and whether there was any breach history. Finally, we also looked at privacy and cookies just to kind of get a perspective on whether, from a regulatory perspective, these guys are starting to think about some of those really important things that regulators look out for when you're dealing with individuals and consumers, especially those, for example, in Europe and under the GDPR. On the crypto OSINT side, again, we kind of thought through the various indexes that the DeFi Score had already provided. And then we thought about a few other things like, you know, general audits, publication of whether they've been assessed by third parties. You know, we wanted to look into cryptocurrency transactions and whether there were any links between fraudulent transactions and the platforms, the financial backing, and also whether there's any mention of KYC, know-your-client procedures. Once again, going back to the beginning of my talk, you know, if any of these platforms start to receive cryptocurrency funds as a result of a fraud or an attack, then they shouldn't be accepting them, or potentially, if they have accepted them, maybe there's something we can do to seize those assets before they go back to those that have stolen them. So I guess just to caveat, in terms of the limitations of our research, we sampled 17 projects, a mix of large, medium, and small DeFi projects.
And we did this over a period of seven days. Because of the type of testing that we performed, which is very non-intrusive, obviously we don't have any permission to do any testing. So we could only look at open source information. And as a result of that, some of the findings might be false positives. And of course there are certain things that are very hard for us to gather from open source. But also there are quite a few important things that we definitely were not able to look at. Things like incident response planning, being able to deal very quickly with a breach scenario where perhaps the keys have been stolen or there is a smart contract vulnerability. Key generation and storage: people talk about the fact that they're using multi-sigs, but are they really, you know, has that been audited? Have they done all the right things? The oracles and exchanges, we didn't look too much into that world. And of course some of these smart contracts themselves might be linked to other smart contracts. And I mentioned that protocol fuzzing and security is something that we didn't get into either. In terms of the scope and the way that we carried out the testing and the scoring, we did a subjective scoring, a fairly simple, crude approach where we allocated a score of one if the practices are very poor, a two for medium or a three for high. We also took the view that we wouldn't necessarily skew any of the findings and weights in a particular category. It's recognized that certain types of tests are going to have more of an impact than others. But also that might depend on the type of attack that we're worried about. So, you know, if we're worried about phishing attacks, then certain types of dimensions will actually carry more weight than others. If we're more worried about, for example, the smart contracts having poor code, then, you know, we would have a higher weight on some of the categories that link into smart contracts.
So without further ado, I'll talk about some of the results. And as you can see on the left-hand side, we've basically segmented the vendors into large, medium, and small. The reds, again, are those organizations that have been marked as having very low security, in our opinion. Those in the middle with the yellow, and those that are doing pretty well in the green. And as you can see, you know, if we start with multi-sig, we have quite a lot of small and mid-sized companies that haven't gone with this multi-sig approach. And that's, I guess, a bit disappointing in a way, because, you know, a lot of these projects are small, but they can grow very big very quickly. And if they haven't done the basics of setting up their wallets and their key administration the right way in the early days, then it can be quite difficult to retrofit that as the project kind of goes from zero to hero. Also interestingly, you know, in the large category, there was one that wasn't using multi-sig, which again was quite a surprise. And these kinds of multi-sigs also range from kind of two-of-two all the way to, you know, three-of-five or three-of-eight. So there were, you know, quite a few that are starting to adopt what I call very good practices around having potentially, you know, quite a few signatures, multi-signatories on having access to the keys, often distributed across different organizations as well to really make it effective. But one of the issues here again is that it's very hard to tell exactly how this was implemented. You can have multi-signatures, but, you know, you could have three signatures. Maybe they're paper-based, but they're all in the same place.
And therefore the kind of opsec on the key management is something that is very hard to distill. There also weren't many, if any, talking about audits that these companies had done on their key generation process, which I think is fundamental and something that happens a lot in the traditional finance industry today. Time locks. So once again, you know, I mentioned this earlier, I think it's a pretty good idea to do this. It gives some confidence to those that are using the platform that if something goes wrong by mistake or potentially, again, because somebody's done something bad, there is a way to roll back. There's a way to monitor and get ahead of the transactions and do something about it. And once again, you can see a mixture of large, medium and small companies that actually haven't implemented this. Moving on, the other thing of interest on the time lock side was, again, you know, some projects are using 48 hours, some are using four hours, others 72. Again, I kind of, as a more conservative individual, would rather go with a slightly longer period. It might mean that certain transactions take a little bit longer to take place, but at least I know that if I put my Bitcoin into that platform and something goes wrong, you know, I've got a chance of keeping it, rather than the purest approach of decentralization where effectively the transactions happen and there's nothing you can do about it. From an oracle perspective, again, some interesting results on those that are using oracles, external oracles, versus those that are using their own. And we found some interesting concentration risk in this space where quite a few organizations are using the same external oracle. So that might potentially ring some alarm bells if those particular oracles are not set up in the right way. Something that was really disappointing was no real discussion around KYC.
And again, you know, I think this is really important in the longer term if you want to have a legitimate business that's going to deal with the kind of wider markets, the wider finance markets. And this is something that for whatever reason these players are not necessarily too focused on today. I suspect that as the industry matures and some of the platforms do want to, you know, become more regulated, this will have to change. On the smart contract side, again, kind of a mix. For this particular dimension, we looked at whether the smart contracts were being reused by others and other organizations. And we found quite a few of those. A couple of smart contracts that had been compiled with older versions of compilers, some of which are known to have security weaknesses in them. And then quite a few that actually were not very forthcoming with publishing certain information about their smart contracts. We did see some very positive signs on the side of smart contract audits. And here quite a few of the platforms are doing regular audits. It kind of ranged from two to 15. And that kind of got me thinking, well, maybe you need to audit these things a bit more frequently. But what was quite strange was that probably, you know, aligned to the whole open source methodology, the audit results were open sourced, as well as all of the audit reports. And this contains a wealth of information about what the testers did, you know, snippets of source code, and, you know, various types of vulnerabilities that they found, which, you know, personally I think might be a little bit unnecessary. You know, I think it's good that an audit has happened. It's good to understand that remediation has taken place. But, you know, really to show the full-blown audits every time might be giving a little bit away, especially if those testers didn't find all the holes. And, you know, perhaps there are a few extra things that aren't there.
Great news for the community at DEF CON that are involved in bug bounty programs and supporting them. You know, some good indications that the DeFi industry is taking this on board as well. And if you're interested, go and have a look. You know, programs vary from $10,000 all the way up to $250,000. So put down those laptops and get started. Interestingly enough, a few projects are actually not offering to pay you in real money, but, you know, to pay you in their own tokens, which again, you know, potentially could be very valuable or potentially not depending on the circumstances. If we have a look at the general OSINT. So, you know, one of the first things we did was we looked at whether, you know, these particular organizations had been hacked in the past. I decided to redact the findings in that section because it might kind of indicate some of the organizations involved in our study. So, you know, what I can say is that there was a mix, you know, of large, medium and small organizations that have been hit in the past. And, you know, again, is that an indicator that the company is bad or is it an indicator that because they've been hit, they've actually now put in a lot better controls? They've learned their lesson and they're improving their security. And often in my experience, those that have a breach do come out of it a lot better in the longer term if they're still around. So that's kind of one factor. We did look into credentials that are on the web and on the dark net that have been sold for, you know, particular platforms. And that was on average pretty good. As you can see, there was surprisingly a large organization that had quite a lot of data published. And this is something that we will need to take up with the vendor directly because I think it's something that they should be looking into. And, yeah, but otherwise, pretty good. And, you know, once again, this is the kind of thing that's a bit hit and miss.
But it was interesting that we did get two results coming through that particular dimension. Anti-spam protection. So, you know, obviously we discussed how important phishing is to either the users that could be targeted and also the individuals that are working for the platform. And here we did find that the maturity within the space, you know, was actually okay for protocols like SPF. But for DMARC, it was actually around 50%. And for DKIM, it was very low as well. So I think there is definitely some room for improvement for these companies to be setting up their DNS records and MX records so that they can better protect themselves and their customers from, you know, phishing-related attacks. I mentioned infrastructure and, you know, we took a very hands-off approach to this. So we looked in Shodan and pointed some of the project IP addresses to the Shodan platform. And we came up with a couple of interesting results, some unnecessary ports, some remote access facilities that perhaps shouldn't be there. But again, kind of a mix and something that you probably would find if you did a proper scan on a lot of organizations. But definitely something that needs improvement for the reasons that I've spoken about before. We looked into the darknet chatter and we had a look to see, you know, who was talking about particular projects. And again, we found some information, you know, nothing earth-shattering. But definitely some talk about targeting or, you know, weaknesses, vulnerabilities, et cetera. And again, this is something that probably the project owners should definitely be dialing into just to make sure there's nothing major that's being discussed and, you know, giving them a head start to try and fix any issues that arise. From a social media perspective, we just chose LinkedIn. We had a look at individuals that belonged to these projects. Interestingly, I was looking for some CISOs or kind of security managers and I didn't find many.
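The SPF, DMARC and DKIM checks the speaker describes can be scored in the same red/yellow/green banding as the rest of the assessment. The script below is an added example and not the speaker's tooling; the TXT records are constructed samples for hypothetical domains, served from an inline dict so it runs offline (the selector list and the scoring thresholds are assumptions).

```python
import re

# Constructed sample TXT records for three hypothetical projects (not real domains).
SAMPLE_TXT = {
    "good.example": {
        "@": ["v=spf1 include:_spf.example.net -all"],
        "_dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
        "sel1._domainkey": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq..."],
    },
    "soso.example": {
        "@": ["v=spf1 include:_spf.example.net ~all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@soso.example"],
    },
    "weak.example": {"@": ["v=spf1 a mx +all"]},
}

# DKIM selectors are not enumerable from DNS; this probe list is an assumption.
DKIM_SELECTORS = ("default", "sel1", "google", "k1")

def lookup_txt(domain, label):
    """Offline stand-in for a DNS TXT query; replace with a real resolver to use it live."""
    return SAMPLE_TXT.get(domain, {}).get(label, [])

def spf_score(domain):
    """0 = no SPF, 1 = permissive (+all/?all), 2 = softfail (~all), 3 = hardfail (-all)."""
    recs = [r for r in lookup_txt(domain, "@") if r.lower().startswith("v=spf1")]
    if not recs:
        return 0
    m = re.search(r"([-~+?])all\b", recs[0])
    return {"-": 3, "~": 2}.get(m.group(1), 1) if m else 1

def dmarc_score(domain):
    """0 = no DMARC, 1 = p=none (monitor only), 2 = quarantine, 3 = reject."""
    recs = [r for r in lookup_txt(domain, "_dmarc") if r.upper().startswith("V=DMARC1")]
    if not recs:
        return 0
    m = re.search(r"\bp=(none|quarantine|reject)", recs[0], re.I)
    return {"none": 1, "quarantine": 2, "reject": 3}[m.group(1).lower()] if m else 0

def dkim_score(domain):
    """2 if a DKIM public key is published under any probed selector, else 0."""
    for sel in DKIM_SELECTORS:
        if any("v=dkim1" in r.lower() for r in lookup_txt(domain, f"{sel}._domainkey")):
            return 2
    return 0

def assess(domain):
    """Combine the three checks (max 8) into the talk's red/yellow/green banding."""
    parts = {"spf": spf_score(domain), "dmarc": dmarc_score(domain), "dkim": dkim_score(domain)}
    total = sum(parts.values())
    band = "green" if total >= 7 else "yellow" if total >= 3 else "red"
    return {**parts, "score": total, "band": band}

if __name__ == "__main__":
    for d in SAMPLE_TXT:
        print(d, assess(d))
```

A `p=none` DMARC policy only reports and blocks nothing, which is why it scores barely above having no record at all.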
So either those involved are pretty good with their own OSINT. Or perhaps, and I think this is more likely, there aren't too many people in these organizations that have the title of CISO or security manager. We saw a lot of CEOs. We saw a lot of COOs. But, you know, not that many people with a security title. And that again, you know, is just something to be wary of. You know, if you don't have anyone focused and dedicated in the space, then you might fall short. And that's kind of why you need to take these things a little bit more seriously. Quite a few people in the IT department are publishing information about themselves. And again, you know, that could be potentially used as a target. Kind of very old OSINT around WHOIS, you know, most people did this very well. We did come across one company that was allegedly in stealth mode, but, you know, had leaked some of the details in the WHOIS information. But, you know, pretty good on that side. And then, you know, data privacy policies as well as cookies. We did a quick check on whether these particular aspects would be taken care of on the websites. We found that most were not compliant with GDPR. And actually, some of the privacy policies fell short of some of the requirements that are expected. So once again, you know, these organizations dealing with consumers might need to dial into this vector as well because it could come back to bite them. On the hosting side, as well as on the e-mail platform side, we saw some concentration risk on, you know, particular vendors being chosen to host websites, to support DDoS platforms and also to support the e-mail platform as well. So I guess some of the highlights again: smart contracts, 64% were being audited, but the full results were published. 64% of the smart contracts required some kind of improvement, either because of reuse or old compilers being used.
You know, some vendor concentration in the use of external oracles. Timelocks, again, 58% not using them. That's a bit disappointing. Almost 50% not using multi-signatures and, you know, missing audits in the key management space as well as poor KYC and privacy activities. Right, on the hosting side, great registration of the IP, mixed DNS results as I mentioned, some chatter going on, credentials being dumped, poor cookie and privacy policy management, and so on. So with the scoring, we basically put together our score and allocated out the various companies against the score. And you kind of see kind of a mix. It's not a huge differential. Some of that differentiation was coming in two very particular dimensions that we assessed. Interestingly, looking at the DeFi Score itself, we actually found that of the companies we looked at, 50% of them had the same kind of ranking as our scoring, but actually 33% were worse and 70% were slightly better. And therefore, you know, our conclusion in this is definitely that, you know, we need a combination of both, you know, crypto and open OSINT in order to tackle this thing correctly. You know, about breaking it up into large, medium and small, some of the results that can be seen there do indicate, as expected, the larger projects, you know, probably are ahead in certain areas. But, you know, definitely there is some room for improvement. And similarly, when we look at the OSINT, we can see there that there are a couple of large projects that actually fall behind the mark compared to some of the medium and small businesses, but often the smaller and medium ones are the ones that actually do need to improve. Okay, so wrapping up, our conclusion is that, you know, DeFi needs to do even more to maintain trust and stay out of the headlines.
Whilst we're encouraged that there are some community-driven activities to provide transparency and raise the bar, not everybody is covered in these community-driven activities, and there are a few extra dimensions around security and OSINT that we think need to be added. A lot of goodness out there, but not really full consistency. And as I described, there are a few of the larger players that are mature, but there are some that actually are not fully there and are missing the mark. We did find some isolated, highly vulnerable indicators of potential issues. We do see some high potential for phishing attacks given the concentration of usage of certain email platforms that the industry is relying on. And also some smart contracts, improvements on the management of those contracts that need to be done, especially around reuse and looking into the compilers that are compiling the code. Once again, I think I mentioned this a few times, but just wanted to repeat it again. Lack of transparency on the key OPSEC. So, you know, again, if those keys get stolen, there is a chance of the smart contracts being rewritten and changed. But, you know, we don't know how well that's been done. And I think the industry and stakeholders would be keenly interested to see how that happens in practice. And as we move towards a more regulated environment, data privacy and KYC are also extremely important. So, some final recommendations. Lock down your G Suite and Office 365 environments. Train your staff to minimise public information leaks and phishing attacks. Dip into the world of threat intelligence and look into stolen credentials and chatter just to make sure that you're not on the list. Check out and make sure that your dependency on vendors is appropriate and that there's not too much concentration risk associated with certain suppliers, vendors, oracles, etc. Make sure that you're using the right level of security on your email domains.
On the crypto side, again, tuning into the threat intelligence is important. Regular code reviews that don't necessarily publish everything. Provide greater assurance over the OPSEC. Ensure that those oracles are protected and can be really trusted. For those of you that are not implementing bug bounty programs, have a look at them. I think there's a lot of value in them. And, you know, make sure the keys are adequately protected. Whilst I know there's a strong move towards decentralisation, I do think an element of governance for centralisation is the way to go. And I see that as the kind of future stable way in which DeFi projects will succeed. From a research perspective, I think that there's still quite a lot to do here. It would be great to have an automated scoring process very similar to what DeFi Score has for the crypto controls. I think we can expand out into the general OSINT, as I mentioned before. It would be great to have some better tools and visibility on smart contract code that's automated, that can be published and is available to the community. I think further adoption of transaction analysis for KYC and fraud is going to be really important to make DeFi kind of hit the prime time in the future. And, of course, doing protocol stress testing and further digging into the key management is also really important. With that, I'd like to give a very special thanks to some folks that helped me through this presentation. Specifically, Danny Howard, who was responsible for the illustrious slides that have been put together, and Nick and Faray, who helped out with some of the research. This particular piece of work also couldn't have been done without leveraging a lot of valuable resources from the DeFi Score project, the DeFi Watch project, the Codifier project, and also DeFi Prime. So I encourage you to read up, link out and reach out to these particular sites if you want to learn more. And then I think I might have a little bit of time for questions.
So I am listening in on the presentation that's happening right now, so feel free to reach out with any questions that I can answer. And appreciate it and hope to see you next year in Vegas for another chat. Goodbye and stay safe.