Securing the Lending and Borrowing in Web3 Space

Read Time: 6 minutes

The Web3 space is about creating decentralized services and a transparent flow of information. Lending and borrowing, a crucial part of financial models worldwide, have been part of the web3 ecosystem for a while now.

Protocols like AAVE, Compound, and dYdX brought lending and borrowing to the web3 space, bypassing the procedures and limitations of traditional bank-based loans. These protocols are the pioneers of decentralized lending and borrowing.

As the Web3 community grew, lending and borrowing became very useful, which quickly pushed the TVL (total value locked) of these protocols past billions of dollars.

Imagine someone handed you $4 billion to hold, to be collected later. What would you not do to keep it safe? The matter of security is just as crucial for these protocols. It is as simple as this: there is no lending and borrowing protocol without security, and no financial model can sustain itself without such lending and borrowing services.

In an effort to serve the web3 community and explain the important checks such protocols must go through to earn the complete trust of their users, QuillAudits, as always, is here to help you understand the security checks that need to be taken care of before going public. Let’s start.

Tips to secure lending and borrowing

In this section, we will go through some of the important aspects and services of lending and borrowing protocols, build an understanding of each, and then share some tips on how they can be made secure. At the end, we will look at some common checks that need to be ensured. Let’s go.

1. Flash Loans

This is something really interesting. This mechanism has the power to make you a millionaire (just for a few seconds, though), and used correctly it is very helpful in many scenarios. But what is it?

Imagine this as a teenager. You ride your bike to a shop you have been visiting for a long time, and the shopkeeper knows you. You tell the shopkeeper, “Listen, I have a plan. I need some money. I promise to return it to you before going home; I just have to make a few transactions.” The shopkeeper still wants some assurance that he will get it back, so he listens to your plan: “Give me $10. I will buy apples in market A, where the price is $5 per apple, and sell them in market B, where the price is $7.” Now assured that the amount will be returned, the shopkeeper gives you the money. That’s it: you do it, earn a handsome return of $4, return the $10 to the shopkeeper and go home happy!

This is what a flash loan is, just with more security added. A flash loan lets you borrow a huge sum of money, in the millions, without any collateral, but with one condition: you must return all of it before the next block is added to the chain (a matter of seconds). Even within seconds, flash loans have huge applications. Flash loans were also used in some of the most damaging hacks executed on web3 protocols, and those hacks also involved the workings of an oracle. Let’s learn about oracles from a security point of view.

2. Oracle

The blockchain is a whole new world in itself, cut off from physical-world data, but with the help of oracles we can bridge the gap between blockchain data and physical-world data. Why is that necessary?

If you think about it, this plays a crucial part in the blockchain. Let’s say you create a protocol that gives insurance to farmers. You draft a contract saying that at every month-end the farmer will pay a premium of $100, and if the temperature stays above 100 Fahrenheit for five days straight, he is eligible for a claim of $1000 for the loss of his crops. A simple contract that insures farmers. But how would the blockchain know the temperature was over 100 Fahrenheit for five days? This is where oracles come into play.

2.1 Security

Oracles provide actual physical-world data for on-chain calculations and conditions, so our protocol depends on the correctness of the oracles. Computations are often based on conditions whose data is supplied by oracles; if that data is corrupted or the oracle is somehow compromised, the protocol itself is compromised. Protocols have suffered HUGE losses due to this fact alone.

For lending protocols to determine the price of an asset, a price oracle is used to fetch prices either on-chain or off-chain. On-chain oracles have suffered many problems that allow price manipulation, so these protocols rely on off-chain oracles, like Chainlink, for price reporting. This is more secure because prices are aggregated from various sources (e.g. exchanges) reported by trusted parties. It is always advised to choose an oracle that is well known in the web3 space, and its integration into the protocol should be handled with care.
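To make the oracle point concrete, here is an added example in Python (not code from this post, from Chainlink or from any lending protocol). It models a toy constant-product pool whose spot price is moved by one large trade inside a single block, a time-weighted average over the past hour that barely moves in the same situation, and the staleness and deviation checks a lending protocol should apply to whatever price feed it consumes before using the value for collateral or liquidation maths. The pool reserves, the price history, the 12-second block time and the thresholds are all constructed here.

```python
"""Toy model of how a lending protocol should consume a price feed.
Added example; the pool, the price history and the thresholds are constructed."""
from dataclasses import dataclass


class OracleError(Exception):
    """Stands in for reverting the transaction that tried to use a bad price."""


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool; the spot price of X is quoted in units of Y."""
    reserve_x: float
    reserve_y: float

    def spot_price(self) -> float:
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, amount_y: float) -> float:
        """Sell amount_y of Y into the pool; returns the X received."""
        k = self.reserve_x * self.reserve_y
        new_y = self.reserve_y + amount_y
        new_x = k / new_y
        received = self.reserve_x - new_x
        self.reserve_x, self.reserve_y = new_x, new_y
        return received


def twap(observations: list[tuple[int, float]], window: int, now: int) -> float:
    """Time-weighted average of (timestamp, price) samples over the last
    `window` seconds; each sample counts until the next one replaces it."""
    start = now - window
    weighted = total = 0.0
    for i, (ts, price) in enumerate(observations):
        next_ts = observations[i + 1][0] if i + 1 < len(observations) else now
        lo, hi = max(ts, start), min(next_ts, now)
        if hi > lo:
            weighted += price * (hi - lo)
            total += hi - lo
    if total == 0:
        raise OracleError("no price observations in window")
    return weighted / total


def validated_price(reported: float, reported_at: int, now: int, reference: float,
                    max_age: int = 3600, max_deviation: float = 0.05) -> float:
    """Sanity checks to apply to an oracle answer before it drives collateral
    or liquidation maths: positive, fresh, and close to an independent reference."""
    if reported <= 0:
        raise OracleError("non-positive price")
    if now - reported_at > max_age:
        raise OracleError("stale price")
    if abs(reported - reference) / reference > max_deviation:
        raise OracleError("price deviates too far from reference")
    return reported


def demo() -> dict:
    """Constructed walk-through; returns the values worth checking."""
    now = 86_400
    pool = ConstantProductPool(reserve_x=1_000.0, reserve_y=2_000_000.0)  # X trades at 2000 Y
    fair = pool.spot_price()
    # constructed history: one hour of per-minute samples at the fair price
    history = [(now - 3600 + 60 * i, fair) for i in range(60)]
    # one large swap inside the latest block; its price is current for ~12 s
    pool.swap_y_for_x(2_000_000.0)
    spot = pool.spot_price()
    history.append((now - 12, spot))
    avg = twap(history, window=3600, now=now)
    out = {"fair": fair, "spot_after_swap": spot, "twap": avg}
    try:
        validated_price(spot, reported_at=now, now=now, reference=avg)
    except OracleError as e:
        out["spot_rejected"] = str(e)
    out["accepted"] = validated_price(2010.0, reported_at=now - 30, now=now, reference=avg)
    try:
        validated_price(2010.0, reported_at=now - 7200, now=now, reference=avg)
    except OracleError as e:
        out["stale_rejected"] = str(e)
    return out
```

The same trade that quadruples the pool's spot price moves the hourly average by about one percent, which is why a protocol that must read on-chain prices should read a time-weighted one, and why even an off-chain feed's answer is worth checking against a second source and a freshness bound before it is trusted.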

3. NFT-based borrowing

In decentralised lending and borrowing, we can borrow tokens by putting up owned NFTs as collateral. One party keeps the owned NFT locked for a fixed amount of time and, in exchange, gets a loan of the agreed amount at the agreed-upon interest rate. If the party fails to repay the principal plus interest, the lender receives ownership of the NFT. This system is equivalent to pledging your land as collateral to borrow, which has existed in society for a very long time.

3.1 Security

As discussed above, the price oracles used should be reliable and non-compromisable. In the case of NFTs, the well-known price sources are OpenSea/LooksRare, so when working on this, it should be ensured that the price oracles draw from OpenSea/LooksRare.

Some protocols allow the loan/interest terms of a loan taken against an NFT to be changed while the loan is active. If you want to work on such a feature, you should formalize how the changes affect the loan/interest values and then incorporate them securely.

4. Common strategies

In the sections above, we learned about a few aspects not directly tied to the protocol code itself: design- and feature-based security aspects that play a major role in a protocol's security issues. Now we are going to focus on different protocol checks.

  1. CounterTokens: Whenever a user deposits some tokens, he receives aTokens in return, which can be redeemed for the underlying token or used as collateral. These aToken contracts should go through all the safety-related audits that ERC20 tokens go through.
  2. Mint/Burn: Whenever there is a deposit or borrow, aTokens are minted and burned. Make sure to implement the logic correctly.
  3. Slippage fee: Slippage is the price difference between when you submit a transaction and when the transaction is confirmed on the blockchain. We need to ensure the user cannot manipulate the slippage fee.
  4. Edge cases: Always test for edge cases in the testing phase of protocol development, like taking out a huge proportion of an asset from a liquidity pool and seeing how it behaves. To learn more about testing and formal verification, refer to
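The flash-loan condition from section 1 (the full amount plus fee must be back in the pool before the lending call returns, so the loan never outlives one transaction) and the aToken mint/burn, collateral and edge-case checks listed above can all be written down as explicit checks in a small model. The following Python is an added example, not AAVE's or any other protocol's code; the single-asset design, the 75% collateral factor and the 0.09% flash fee are assumptions, and the PoolError exception stands in for a reverted transaction.

```python
"""Toy single-asset lending pool making the aToken mint/burn accounting and the
flash-loan repayment check explicit. Added example; all parameters are assumptions."""


class PoolError(Exception):
    """Stands in for a reverted transaction."""


class LendingPool:
    COLLATERAL_FACTOR = 0.75   # assumption: borrow up to 75% of deposit value
    FLASH_FEE = 0.0009         # assumption: 0.09% flash-loan fee

    def __init__(self) -> None:
        self.cash = 0.0          # underlying tokens held by the pool
        self.borrows = 0.0       # underlying currently lent out
        self.a_supply = 0.0      # aTokens in circulation
        self.a_balance: dict[str, float] = {}
        self.debt: dict[str, float] = {}

    def exchange_rate(self) -> float:
        # underlying per aToken; fees and interest raise it over time
        if self.a_supply == 0:
            return 1.0
        return (self.cash + self.borrows) / self.a_supply

    def _check_invariants(self) -> None:
        # aTokens minted must equal the sum of user balances; nothing goes negative
        assert abs(sum(self.a_balance.values()) - self.a_supply) < 1e-9
        assert self.cash >= 0 and self.borrows >= 0

    def deposit(self, user: str, amount: float) -> float:
        """Mint aTokens at the current exchange rate; returns aTokens minted."""
        if amount <= 0:
            raise PoolError("deposit must be positive")
        minted = amount / self.exchange_rate()
        self.cash += amount
        self.a_supply += minted
        self.a_balance[user] = self.a_balance.get(user, 0.0) + minted
        self._check_invariants()
        return minted

    def borrow(self, user: str, amount: float) -> None:
        collateral = self.a_balance.get(user, 0.0) * self.exchange_rate()
        new_debt = self.debt.get(user, 0.0) + amount
        if new_debt > collateral * self.COLLATERAL_FACTOR:
            raise PoolError("borrow exceeds collateral limit")
        if amount > self.cash:
            raise PoolError("insufficient liquidity")
        self.cash -= amount
        self.borrows += amount
        self.debt[user] = new_debt
        self._check_invariants()

    def withdraw(self, user: str, a_amount: float) -> float:
        """Burn aTokens and pay out underlying; returns underlying paid."""
        held = self.a_balance.get(user, 0.0)
        if a_amount <= 0 or a_amount > held:
            raise PoolError("insufficient aTokens")
        rate = self.exchange_rate()
        amount = a_amount * rate
        if amount > self.cash:   # edge case: big withdrawal while funds are lent out
            raise PoolError("insufficient liquidity")
        if self.debt.get(user, 0.0) > (held - a_amount) * rate * self.COLLATERAL_FACTOR:
            raise PoolError("withdrawal would leave position undercollateralised")
        self.cash -= amount
        self.a_supply -= a_amount
        self.a_balance[user] = held - a_amount
        self._check_invariants()
        return amount

    def flash_loan(self, amount: float, callback) -> float:
        """Lend for the duration of callback; reverts unless amount + fee comes back."""
        if amount > self.cash:
            raise PoolError("insufficient liquidity")
        before = self.cash
        fee = amount * self.FLASH_FEE
        self.cash -= amount
        repaid = callback(amount)      # borrower's own logic runs here
        if repaid < amount + fee:
            self.cash = before         # revert
            raise PoolError("flash loan not repaid within the transaction")
        self.cash = before + fee       # fee accrues to depositors via the exchange rate
        self._check_invariants()
        return fee


def demo() -> dict:
    """Constructed walk-through; returns the values worth checking."""
    pool = LendingPool()
    out = {"minted": pool.deposit("alice", 1000.0)}
    pool.borrow("alice", 700.0)                 # within the 750 limit
    for a_amount, key in ((600.0, "big_withdraw"), (200.0, "undercollateralised")):
        try:
            pool.withdraw("alice", a_amount)
        except PoolError as e:
            out[key] = str(e)
    out["fee"] = pool.flash_loan(250.0, lambda amt: amt + amt * pool.FLASH_FEE)
    try:
        pool.flash_loan(250.0, lambda amt: amt)   # repays principal only
    except PoolError as e:
        out["flash_revert"] = str(e)
    out["rate"], out["cash"] = pool.exchange_rate(), pool.cash
    return out
```

The two failing withdrawals are the edge cases item 4 asks you to test: one asks for more underlying than the pool currently holds in cash, the other would leave the depositor's remaining collateral unable to back their debt. The flash loan that returns only the principal is rejected and the pool state restored, which is the whole guarantee behind lending without collateral.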


Lending and borrowing protocols have been part of the web3 ecosystem for some time; this area was the first to be explored in the web3 space, so it has seen a lot of attacks and hacks. It has become clear that there are continually new attacks which these protocols need to take care of, and the constant upgrading of such protocols also creates room for attacks.

Big protocols like AAVE also understand the need for security and have outsourced the security responsibility to auditors. QuillAudits has made its name in the web3 security space and, with notable audits, holds expertise in securing some of the most complex and interesting protocols. If you want an audit, visit our website and get your protocol audited today.

