Since the launch of Uniswap in November 2018, Decentralized Finance (DeFi) protocols have been the dominant form of smart contract on Ethereum and in other blockchain ecosystems. More recently, Traditional Finance (TradFi) institutions have begun to embrace smart contract technology: first through the tokenization of Real World Assets (RWAs), then through increasingly complex Permissioned Capital Market (PCM) protocols that enable on-chain trading and settlement of tokenized RWAs within a regulated, compliant environment.
While DeFi protocols commonly publish their audit reports and vulnerability deep dives openly, TradFi audit reports are almost never made public, at the request of institutional clients who value discretion. This article showcases the categories of TradFi vulnerabilities uncovered during Cyfrin private audits while respecting and maintaining the confidentiality of our TradFi clients.
There are three major differences between TradFi and DeFi protocols: Permission To Participate, Capital Requirements, and Regulatory Compliance.
DeFi protocols are commonly permissionless, meaning anyone can create a wallet, fund an address, and freely interact with them. In “pure” DeFi protocols, once tokens or other resources are acquired, a user has “sovereignty” over those assets: they can’t be frozen or seized by protocol admins, and the user is free to transact without dependency upon, or liability to, a trusted third-party “administrator.”
This maximizes individual freedom, but it also makes DeFi the most hostile environment in which to deploy code. One consequence of allowing anyone to interact with DeFi protocols has been the many spectacular multi-million dollar hacks executed by completely permissionless and anonymous entities.
Around the height of the prior bull market, DeFi’s TVL peaked at $137 billion, yet a staggering $3.7 billion (2.7% of that peak) was stolen by hackers in 2022 alone.
In contrast to DeFi’s open and permissionless nature, TradFi PCM protocols allow only known, pre-approved participants to interact with the protocol who are typically subject to KYC/AML and can pass “qualified investor” checks.
While this limits participation, it also eliminates an entire class of attack vectors found in permissionless DeFi: when a PCM is correctly configured, an unapproved attacker cannot call any state-changing function and therefore has no entry point into the protocol.
A secondary aspect of PCM protocols is that trusted administrators typically have the power to freeze and seize tokenized RWAs from users. Users who have acquired RWAs don’t have full sovereignty over those assets and are dependent upon the continued permission of protocol admins for their ownership of those assets.
While this further restricts the freedom and ownership rights of individual users, it also greatly enhances the potential security response in the event of a hack. Fast-responding admins can seize a hacker’s stolen assets and return them to their rightful owners.
This exact scenario recently played out in the “pseudo DeFi” world of alt-L1 chains without a truly distributed validator set and L2 chains using centralized sequencers. Protocol teams censored hacker transactions, froze their funds [1, 2], and even used extraordinary powers to seize hacker assets.
The reality today is that while some pure DeFi protocols do exist, the majority of DeFi protocols, including major “decentralized” blockchains, are actually pseudo DeFi. They use decentralization for marketing while in reality are highly centralized, with effective power to restrict user freedom to transact and freeze/seize assets.
In this regard there’s little difference between PCM and pseudo DeFi protocols, except that PCM protocols:
Many DeFi protocols impose no capital requirements on users, or only requirements so small that almost anyone in the developed world can meet them.
In contrast, PCM protocols often impose high capital requirements and require transaction minimums in the many thousands or even millions of dollars.
While the philosophical debate over the freedom to transact and sovereignty over assets is interesting, the more practical reality of capital requirements means that the vast majority of humanity, even in the developed world, is financially unable to participate.
DeFi is effectively the wild west. New innovations compete side-by-side with meme coins, ponzi schemes and rug-pulls for user capital and attention. TradFi PCM protocols, on the other hand, operate within a highly regulated and compliant environment, even when operating on the same blockchains.
To satisfy regulatory and business compliance requirements, PCM protocols implement on-chain and off-chain infrastructure code to track multiple data points and enforce compliance rules on investors and products.
When users transact with DeFi smart contracts they are interacting with only that code, often with no clear legal entity or government-approved regulatory framework to oversee the interaction.
In contrast, when users interact with PCM smart contracts, they are interacting and transacting with known, regulated entities. Users have full legal recourse including the ability to appeal to government regulatory bodies that license and oversee regulated financial entities.
Over multiple Cyfrin private audits for TradFi institutional partners, we have uncovered the following range of PCM vulnerability classes:
To enforce regulatory and business compliance rules on-chain, PCM protocols:
A consistent class of high-impact vulnerabilities we have identified results in this tracking data becoming corrupted due to:
The most common impacts of tracking data corruption bugs are:
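To make the “tracking data” idea concrete, here is a constructed Solidity example written for this article (not code from any Cyfrin client or audit). It tracks one such data point, an on-chain holder count against a maximum number of investors, and shows a naive update routine beside a corrected one. The contract name, the `maxHolders` rule and the two update functions are assumptions used for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example for this article: compliance tracking data (a holder
/// count capped at `maxHolders`) that must stay in sync with token balances.
/// Not code from any audited protocol.
contract HolderTracking {
    mapping(address => uint256) public balanceOf;
    uint256 public holderCount;              // tracked compliance datum
    uint256 public immutable maxHolders;     // e.g. a product-level investor cap

    error MaxHoldersExceeded();

    constructor(uint256 maxHolders_) {
        maxHolders = maxHolders_;
    }

    function mint(address to, uint256 amount) external {
        _update(address(0), to, amount);
    }

    function transfer(address to, uint256 amount) external {
        _update(msg.sender, to, amount);
    }

    // BUGGY version, kept only for contrast and not wired to any entry point.
    // It keys the count on "balance is zero" without looking at the amount, so:
    //  * a zero-amount transfer to an empty address counts a phantom holder,
    //    and the next real deposit to that address counts it a second time;
    //  * a zero-amount transfer from an empty address decrements the count for
    //    an account that was never a holder (or reverts on underflow at zero).
    // Either way `holderCount` no longer reflects who actually holds tokens.
    function _updateBuggy(address from, address to, uint256 amount) internal {
        if (from != address(0)) {
            balanceOf[from] -= amount;
            if (balanceOf[from] == 0) holderCount -= 1;
        }
        if (balanceOf[to] == 0) holderCount += 1;
        balanceOf[to] += amount;
        if (holderCount > maxHolders) revert MaxHoldersExceeded();
    }

    // CORRECTED version: the count changes only on a real zero <-> non-zero
    // transition of each balance. Debiting `from` before crediting `to` also
    // keeps self-transfers (from == to) net-neutral.
    function _update(address from, address to, uint256 amount) internal {
        if (from != address(0)) {
            uint256 fromBefore = balanceOf[from];
            balanceOf[from] = fromBefore - amount;     // checked: reverts if insufficient
            if (fromBefore != 0 && balanceOf[from] == 0) holderCount -= 1;
        }
        if (to != address(0)) {
            uint256 toBefore = balanceOf[to];
            balanceOf[to] = toBefore + amount;
            if (toBefore == 0 && balanceOf[to] != 0) {
                holderCount += 1;
                if (holderCount > maxHolders) revert MaxHoldersExceeded();
            }
        }
    }
}
```

When reviewing tracking logic of this kind, walk every entry point (mint, burn, transfer, forced transfer, self-transfer, zero amount) through the update routine and confirm the tracked value equals what a fresh recount of balances would give; the buggy routine above fails that check on the very first zero-amount transfer.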
Larger, more complicated PCM protocols also have a range of admin actions designed to enforce regulatory or business compliance rules in specific scenarios.
Our audits frequently find bugs in complex admin function code that is rarely exercised yet must operate correctly over a large range of potential user and protocol states. Examples include:
PCM protocols must be carefully configured with fine-grained access controls and specific levels of privileged access for all users.
We have found a variety of bugs within the access control logic such as:
While front-running attacks and economic exploits are common in DeFi, the restricted and permissioned nature of TradFi PCM protocols reduces the impact of such attack vectors.
In our TradFi PCM audits to date we have found one way that front-running could be abused: a user could evade admin actions (for example, by causing a forced redemption to revert) by front-running the admin transaction and transferring their tokens to another address they control.
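The following constructed Solidity example, written for this article and not taken from any Cyfrin client or audit, ties together the permissioning and admin powers described earlier (allowlist-gated entry points, admin freeze and seizure) with the forced-redemption front-run just described. It shows the fixed-amount pattern that can be made to revert beside a hardened version. The single-admin model, the contract and function names, and the burn-on-redeem behaviour are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example for this article: a permissioned token where only
/// allowlisted accounts can interact and an admin can freeze and force-redeem.
/// Not code from any audited protocol.
contract PermissionedToken {
    address public immutable admin;                // compliance administrator (assumed single role)

    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public allowlisted;   // passed KYC/AML and investor checks
    mapping(address => bool) public frozen;        // compliance hold: may not send

    event Transfer(address indexed from, address indexed to, uint256 amount);
    event Frozen(address indexed account, bool status);
    event ForcedRedemption(address indexed account, uint256 amount);

    error NotAdmin();
    error NotAllowlisted(address account);
    error AccountFrozen(address account);
    error InsufficientBalance();

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    constructor() {
        admin = msg.sender;
    }

    /// Participation is granted only by the admin; there is no self-service path.
    function setAllowlisted(address account, bool status) external onlyAdmin {
        allowlisted[account] = status;
    }

    function mint(address to, uint256 amount) external onlyAdmin {
        if (!allowlisted[to]) revert NotAllowlisted(to);
        balanceOf[to] += amount;
        emit Transfer(address(0), to, amount);
    }

    /// Every state-changing entry point checks both counterparties, so an
    /// address outside the allowlist has nothing it can call successfully.
    function transfer(address to, uint256 amount) external returns (bool) {
        if (!allowlisted[msg.sender]) revert NotAllowlisted(msg.sender);
        if (!allowlisted[to]) revert NotAllowlisted(to);
        if (frozen[msg.sender]) revert AccountFrozen(msg.sender);
        uint256 bal = balanceOf[msg.sender];
        if (bal < amount) revert InsufficientBalance();
        balanceOf[msg.sender] = bal - amount;
        balanceOf[to] += amount;
        emit Transfer(msg.sender, to, amount);
        return true;
    }

    function setFrozen(address account, bool status) external onlyAdmin {
        frozen[account] = status;
        emit Frozen(account, status);
    }

    /// VULNERABLE pattern, kept for contrast (do not deploy): the admin names a
    /// fixed amount. The target sees the pending transaction, front-runs it with
    /// transfer() to another allowlisted address it controls, and this call then
    /// reverts with InsufficientBalance, so nothing is redeemed.
    function forceRedeemFixed(address account, uint256 amount) external onlyAdmin {
        uint256 bal = balanceOf[account];
        if (bal < amount) revert InsufficientBalance();
        balanceOf[account] = bal - amount;
        emit ForcedRedemption(account, amount);
        emit Transfer(account, address(0), amount);
    }

    /// Hardened pattern: freeze the account and redeem whatever it holds at
    /// execution time, in one transaction. A partial move by the target no
    /// longer makes the admin action fail, and the account cannot move the
    /// remainder afterwards. The freeze itself can still be front-run in a
    /// public mempool, so tokens moved to a second address must be chased with
    /// a second call; because that address must also be allowlisted, the admin
    /// can always reach it.
    function forceRedeem(address account) external onlyAdmin returns (uint256 redeemed) {
        frozen[account] = true;
        emit Frozen(account, true);
        redeemed = balanceOf[account];
        balanceOf[account] = 0;
        emit ForcedRedemption(account, redeemed);
        emit Transfer(account, address(0), redeemed);
    }
}
```

The design point is that a forced admin action should be written to succeed against whatever state it finds, rather than against the state the admin observed when signing; otherwise the target, who sees the transaction before it lands, gets to choose whether it succeeds.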
Similar to DeFi, TradFi protocols involve financial calculations and must be careful about input validation, rounding direction, slippage and precision loss. Rounding fees up against users, requiring slippage parameters, accounting for precision scaling between tokens of different decimals, and avoiding amounts that round down to zero: we have found all the same DeFi bugs in our TradFi audits, including:
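As a constructed illustration of the arithmetic checks just listed, written for this article rather than taken from any audited protocol, the library below shows fee rounding in the protocol’s favour, decimal scaling between tokens, a rounds-to-zero guard on redemptions, and a slippage check. The library name, the basis-point fee model and the `priceScale` convention are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed example for this article; not code from any audited protocol.
library PcmMath {
    uint256 internal constant BPS = 10_000;

    /// Fees round UP against the user. The naive `amount * feeBps / BPS` rounds
    /// down, so any amount with amount * feeBps < BPS pays zero fee and a large
    /// trade can be split into many fee-free pieces.
    function feeRoundUp(uint256 amount, uint256 feeBps) internal pure returns (uint256) {
        if (amount == 0 || feeBps == 0) return 0;
        return (amount * feeBps + BPS - 1) / BPS;
    }

    /// Scale an amount between token decimals, e.g. a 6-decimal stablecoin and
    /// an 18-decimal RWA token. Scaling down truncates: the caller must decide
    /// who absorbs the dust and must not silently assume both sides use 18.
    function scaleDecimals(uint256 amount, uint8 fromDecimals, uint8 toDecimals)
        internal
        pure
        returns (uint256)
    {
        if (fromDecimals == toDecimals) return amount;
        if (fromDecimals < toDecimals) {
            return amount * uint256(10) ** (toDecimals - fromDecimals);
        }
        return amount / uint256(10) ** (fromDecimals - toDecimals);
    }

    /// Price a redemption with an explicit price scale and refuse to round a
    /// non-zero redemption down to zero assets: a user who burns shares must
    /// never receive nothing in return.
    function sharesToAssets(uint256 shares, uint256 pricePerShare, uint256 priceScale)
        internal
        pure
        returns (uint256 assets)
    {
        assets = shares * pricePerShare / priceScale;
        require(shares == 0 || assets != 0, "rounds to zero");
    }

    /// `minOut` is supplied by the user at call time; never hard-code it to
    /// zero on their behalf, or the check is a no-op.
    function checkSlippage(uint256 received, uint256 minOut) internal pure {
        require(received >= minOut, "slippage");
    }
}
```

With `feeBps = 25` and `amount = 399`, the naive formula charges 0 while `feeRoundUp` charges 1; with a 6-to-18 decimal conversion, `scaleDecimals(1_000_000, 6, 18)` yields exactly 1e18, but the reverse direction drops anything below 1e12 wei, which is the dust a redemption path has to account for.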
Advanced PCM protocols operate cross-chain, allowing users to bridge both credentials and tokenized RWAs to other blockchains. When auditing cross-chain PCM functionality some vulnerabilities we have found include:
In Rust-based ZK and Solana audits for PCM protocols, we have identified a range of missing or under-constrained checks, such as:
TradFi smart contract protocols can be especially “heavy” due to the large amount of defensive armor and tracking/compliance checks required, in addition to the normal code.
For EVM-based protocols, the same gas optimization techniques [1, 2] apply including:
Despite PCM protocols generally not allowing audit reports to become public, there is a lot researchers and security professionals can learn from them.
Beyond the bugs TradFi shares with DeFi, the compliance and regulatory requirements of permissioned TradFi protocols introduce novel use cases and unique vulnerabilities of their own.
Understanding the multitude of potential attack surfaces is essential to better security and a stronger blockchain industry. By generalizing these findings, we hope to extend industry knowledge enabling researchers to better hone their craft.
If you are building an institutional RWA or PCM (TradFi) application, or a DeFi protocol, and want to strengthen its security, Cyfrin Audits can help. Contact us today!