DApps: Security Issues, Hacks, and Preventive Measures 

DApps: Security Issues, Hacks, and Preventive Measures 

DApps: Security Issues, Hacks, and Preventive Measures 

DApps: Security Issues, Hacks, and Preventive Measures 

DApps: Security Issues, Hacks, and Preventive Measures 

Read Time: 4 minutes

Decentralization in every walk of life is the new code of the upcoming era. DApps are here to revolutionize how we operate apps, merging data privacy and ownership qualities. 

Let’s get into the depth of the blog.

What are DApps?

DApps are decentralized applications that use blockchain to process data through a distributed network and execute transactions. Unlike centralized apps, DApps are operated by peer-to-peer networks. 

Once the developer releases the codebase for the DApp, several apps can be built on top of it. There is no single authority, and hence no single point of failure as the P2P network runs them. 

DApp helps create numerous applications such as web applications, games & entertainment, social media apps, etc.       

Significant Characteristics Of DApp

Here are a few pointers on the key attributes of DApp

  • They are open-source code and are user-controlled. This means any changes or new additions are voted on and implemented. 
  • Decentralization is the core aspect through which all the details are held in the publicly distributed ledger.
  • DApps employ tokens native to the platform to reward users for participating or mining them.

News on DApps’ usage

According to the reports by DAppRadar, the number of users engaging in decentralized applications is growing by 396% every year, with now 2.4 million. 

Among which gaming DApps account for over 50% of the user activity in Q1 of 2022, and NFTs made a huge collection of about $12 billion. 

DApp Coding Security Issues

Having known about the overall idea of DApp, let us now explore some of the common technical errors associated with them.

Signature check: The use of check format “case_=> true” in the @verifier function of DApp coding prohibits the transfer transaction while allowing other transaction types.

{-# STDLIB_VERSION 3 #-}
{-# CONTENT_TYPE EXPRESSION #-}
{-# SCRIPT_TYPE ACCOUNT #-}

match (tx) {
	case t:TransferTransaction => false
	case _ => true # NEVER DO THIS!
}

But using this type of code, any user can perform transactions except transfer transactions. By entering the public key in the “senderPublicKey” field without adding signatures, it gives access to any users to run a transaction. 

{-# STDLIB_VERSION 3 #-}
{-# CONTENT_TYPE EXPRESSION #-}
{-# SCRIPT_TYPE ACCOUNT #-}

match (tx) {
	case t:TransferTransaction => false
	case _ => sigVerify(tx.bodyBytes, tx.proofs[0], tx.senderPublikey)
}

Therefore, it is crucial to ensure the presence of a signature check in the DApp coding to be devoid of the mentioned vulnerability.

Entering keys: The operations in the DApp involve the key-value storage. The common mistake is that a developer would write to one key and read that from another. So, care should be taken while writing keys. 

let NONE = "NONE"

func keyVoteByAddress(votingId: Int, address: String) = "voting_" + votingId + "_vote_" + address


@Callable(i)
func vote(id: Int) => {
	let voteKey = keyVoteByAddress(id, i.caller.toBase58String())
	let vote = getString(this, voteKey).valueOrElse(NONE)

	# alternative option

	let vote = match getString(this, voteKey){
    	case s: String => s
    	case _ => NONE
	}

	if (vote == NONE) then ...
	else ...
}

Another mistake is that instead of giving default values, attempting to read values from the variables such as value() or extract() is not suggestible.

Controlled transactions: DApp operations involves several interdependent operations to run in sequence. In such cases, it is safe to have the function “waitForTxWithNConfirmations” to receive confirmations once after the first transaction is added to the block.

Generic Issues Concerned With DApps

Low liquidity level of DApps: Low liquidity levels on decentralized applications make it difficult to buy or sell tokens at the expected price, causing slippage. Slippage is the difference between the expected and executed prices, which may lead to a loss in funds.

Users can track the liquidity of the assets based on their trading volumes and make smart decisions before buying or selling a token

Security breach or failure:  DApps function through smart contracts and those with bugs in their coding are ideal targets for hackers. Under extreme market conditions or due to code exploits, the devaluation or loss of funds in DApps becomes inevitable.

Auditing the code by third-party firms does greater good in overcoming this issue. 

Phishing DApp: If there is a compromise in the coding of the DApp, phishing links are circulated on their official sites. On clicking them unknowingly, they drain off all the funds from the user wallets. 

Therefore, double-check URLs before adding the funds from your wallets or entering the wallet information. 

Status Of DApp Hacks And Scams In 2022

The downside of DApps is the fact that they are vulnerable to hacks. From the data published by DAppRadar, the DApp scams alone accounted for a $1.2 billion loss. 

Highlights of the major hack events include,

Ronin bridge hack: Gaining access to the validator nodes, the hacker was able to forge fake transactions in Axie Infinity’s Ronin bridge network that led to a loss of $600 million. 

Wormhole protocol: The hacker exploited a security flaw in the Wormhole protocol code, resulting in a $325 million loss. 

Here’s How To Stay Secure And Preventive Methods To Adopt For DApp Security

Overcoming security flaws solves the major part of the problem for DApps. There are a few ways to sort it out. 

  1. Take up auditing services: A thorough coding analysis by an auditing firm like QuillAudits eliminates the bugs from the ground level. 
  2. Penetration testing: Penetration testing gains the upper hand in finding hidden/node vulnerabilities, testing APIs and discovering new attack paths. 

General Preventive Measures For DApp Security

  1. Maintain the secrecy of the private seed phrase to access the funds from the wallet
  2. Verifying the authenticity and legitimacy of the DApp website
  3. Be wary of links or texts with grammatical errors.
8,216 Views

Blockchain for dog nose wrinkles' Ponzi makes off ~$127M🐶

Project promised up to 150% returns on investment in 100 days, raising about 166.4 billion South Korean won — or about $127 million — from 22,000 people.

Latest blogs for this week

Understanding Fuzzing and Fuzz Testing: A Vital Tool in Web3 Security

Read Time: 5 minutes When it comes to smart contracts, ensuring the robustness and security of code is paramount. Many techniques are employed to safeguard these contracts against vulnerabilities
Read More

How EigenLayer’s Restaking Enhances Security and Rewards in DeFi

Read Time: 7 minutes Decentralized finance (DeFi) relies on Ethereum staking to secure the blockchain and maintain consensus. Restaking allows liquid staking tokens to be staked with validators in
Read More

ERC 404 Standard: Everything You Need to Know

Read Time: 7 minutes Introduction Ethereum has significantly shaped the crypto world with its introduction of smart contracts and decentralized applications (DApps). This has led to innovative developments in
Read More

DNS Attacks:  Cascading Effects and Mitigation Strategies

Read Time: 8 minutes Introduction DNS security is vital for a safe online space. DNS translates domain names to IP addresses, crucial for internet functionality. DNS ensures unique name-value
Read More

EIP-4844 Explained: The Key to Ethereum’s Scalability with Protodanksharding

Read Time: 7 minutes Introduction  Ethereum, the driving force behind dApps, has struggled with scalability. High fees and slow processing have limited its potential. They have kept it from
Read More

QuillAudits Powers Supermoon at ETH Denver!

Read Time: 4 minutes Calling all the brightest minds and leaders in the crypto world! Are you ready to build, connect, and innovate at the hottest event during ETH
Read More

Decoding the Role of Artificial Intelligence in Metaverse and Web3

Read Time: 7 minutes Introduction  Experts predict a transformative shift in global software, driven by AI and ML, marking the dawn of a new era. PwC predicts AI will
Read More

Transforming Assets: Unlocking Real-World Asset Tokenization

Read Time: 7 minutes In the blockchain, real-world assets (RWAs) are digital tokens that stand for tangible and conventional financial assets, including money, raw materials, stocks, and bonds. As
Read More
Scroll to Top

Become a Quiffiliate!
Join our mission to safeguard web3

Sounds Interesting, Right? All you have to do is:

1

Refer QuillAudits to Web3 projects for audits.

2

Earn rewards as we conclude the audits.

3

Thereby help us Secure web3 ecosystem.

Total Rewards Shared Out: $200K+