Defender is a software suite that provides teams with alerts when an exploit is taking place, as well as automated scripts to respond to that exploit in real time.
Since cropping up last summer, yield farming applications and other DeFi markets have populated the Ethereum blockchain and attracted billions in capital. These pools of capital have also become lucrative honeypots for cyberattacks.
Perhaps the most common is the flash loan exploit, wherein an attacker borrows tokens from several lending pools at once and uses each loan to pay down the others, all the while using the excess to extract value from other markets. To ensure the attack goes through quickly, the attacker(s) pay a much-higher-than-average transaction fee.
From Yearn to Compound to Cream, decentralized financial platforms have collectively lost nearly $150 million from these exploits since 2020.
Defender suite, OpenZeppelin CTO Jonathan Alexander told CoinDesk, is meant to mitigate the effects of these attacks and give teams automated tools to respond to them as they are happening – something that could help reduce losses in the future.
"If you detect something you can notify the team, but you can also automate actions. You can call an admin function to pause the smart contract or move tokens from one place to another. Monitoring is great practice ... but now you can also respond with automated action."
How does Defender work?
The key to Defender ensuring a proper response time to an exploit, Alexander said, is that it monitors and alters teams to exploits and offers them ready-to-deploy code to respond to the attack. These pre-coded scripts can do things like pause or upgrade a smart contract, or they can perform more menial, quotidien automated tasks, like transaction relays.
Two of the more important features, Defender Sentinel and Defender Admin, could help put a stopper in the flash loan attacks that have swindled hundreds of million in tokens in the past year.
In one $11 million exploit, Yearn attackers manipulated the exchange rate of DAI in Yearn vaults by taking out flash loans on Aave for USDT and USDC; these were then deposited into Curve Finance pools to fudge the exchange rate involving USDT, USDC and DAI, which affected the price of DAI in Yearn vaults causing liquidations and losses.
Defender would pinpoint these attacks as they are happening by scanning blocks for high transaction fees. If there’s an irregularity, the team receives a notification (on Slack, for example) and they can choose from one of Defender’s automated scripts to respond to the attack. One of these could halt all operations on chain, for instance, or blacklist addresses.
Right now, Defender can’t stop an exploit before it happens, but it could be used to stop it in its tracks before the exploiter takes off with a bunch of coins. In the future, OpenZeppelin hopes to release a version that can track malicious transactions in Ethereum’s mempool (a virtual holding tank for transactions), though this will take time.
"We're monitoring block by block. Right as a block is mined, the Sentinels will run and fire autotasks, so we're talking about seconds reaction time. That still is after the fact," Alexander said, "but quick reaction in past exploits could have saved millions of dollars."
Whereas before response coordination to these attacks has relied on social media and message platforms, fixes took anywhere from minutes to hours. If Defender works as described, the minutes and seconds edge it gives teams in the race against the blockchain clock could add up to millions in saved funds.
In a demo shown to CoinDesk using a historical state of the Ethereum blockchain, OpenZeppelin replayed an old DeFi exploit to demonstrate Defender’s reaction and response. Alexander said that any team can replay their old exploits using the software to see how things could have gone differently.
A potential 'game changer' for flash loan mitigation
OpenZeppelin is already working with players like Yearn, dYdX, Synthetic and others to get their solution working in the wild.
“We are especially excited about being able to implement automation knowing that security best practices are built in. Above all, Defender has helped us tackle the unknown-unknowns of security so we can keep building,” said Aparna Krishnan, co-founder of Opyn, a DeFi options platform, calling the new tool a "game changer."
Brendan Asselstine, the CTO of prize pool DeFi protocol PoolTogether, said his platform uses Defender “to automate several aspects of our protocol” and “rely on it as a key part of our infrastructure."
Give the rate of flash loan attacks on the DeFi ecosystem, now that Defender is launched, it may not be long before we see its capabilities in action.
CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk offers all employees above a certain salary threshold, including journalists, stock options in the Bullish group as part of their compensation.