DeFi Security Philosophy can be concluded as three principles for DeFi financial security of layer defense concept.
1.Protect the platform from attack and invasion
2.Protect the assets once the platform is invaded
3.Minimize the loss when the assets are no longer secure
The DeFi financial security system is a comprehensive multi-layersystem. Decentralization is the core and the foundation, but it is not the only and everything. A secure and reliable open finance application with good scalability, capacity to serve tens of millions of users in the future, and complete risk control ability, is impossible to buildby merely relyingon decentralized infrastructure.
GEL refersto Global Emergency Lockdown.
In the DeFi system, all smart contract interfaces that involve asset changes have a GEL switch. Once a problem occurs to the contract, the switch can be manually or automatically triggered and all incoming and outgoing transaction interfaces will be banned, to protect the assets locked in the contract.
CALM refers to Cooperative Automatic Lockdown Mechanism.
CALM is anoff-chain risk control mechanism. It adopts finance-level risk control standards, utilizes an independent high availability master-slave cluster with a hot standby configuration, and runs 24/7.CALM checks the contract state once every 5 seconds and conducts strict bookkeeping and reconciliation for all financial assets in the contract. Once a potential asset risk is discovered, the GEL will be immediately and automatically triggered to stop all interfaces related to the involved assets, to minimize asset loss. Meanwhile, it will notify administrators and the operation team to react quickly and introduce human intervention and investigation.
MAK refers to Multisig Admin Keys.
DeFi adopts the admin keymechanism, where the administrator can use the key to set various permissions, likecontract router updatepermission, oracle price feed permission, global lock flag setting permission,etc. The administrator key can add, delete and update subordinate permissions. When the subordinate permission key is leaked, itcan be replaced quickly.
In order to avoid the loss of the admin key, we have adopted a multi-signature mechanism. Currently we use 3-2 multi-signature, and with the volume increase of locked assets on the platform, we will gradually upgrade to 5-3 or even 7-5 mechanism.
Taking 3-2 multi-signature as an example, three admin keys are stored in the contract. When performing actions with the highest security level, such as replacing the admin key, at least two admin keys must be used to perform multi-signature at the same time, to make the action happen.
The multi-signature mechanism of the admin key guarantees that
If an admin key is stolen, the attacker cannot use the key to complete high-level permissions. And the platform administrator can use the multi-signature mechanism to delete the leaked key andmake it invalid.
If an admin key is lost, the remaining admin keys can be used to add a new admin key and delete the lostone.
The adminkey multi-signature mechanism makes every high-level authority operation depend on collective decision-making and execution, which has effectively prevented internal control risks and further protectedthe assets.