Building a DEX? Don’t bother starting without a security plan

Opinion by: Eric Waisanen, founder and CEO of Astrovault. 

It’s fair to say that nobody loves two-factor authentication (2FA).

Depending on the platform, it can be a massive hassle that adds time to a potentially urgent task. 2FA is now, however, a fundamental security step that ensures the safety of our valuable data. Despite the momentary inconvenience, the benefits of maintaining data integrity outweigh the minor headaches. 

Relying solely on 2FA or additional security measures is insufficient. Security is more than a checkbox or periodic review — it’s an ongoing commitment to staying ahead of threats as they evolve with new technology. That is particularly true for decentralized exchanges (DEXs), where the absence of central oversight and high asset values raise the stakes.

In this context, prioritizing security has been more urgent than ever to prevent losses and establish a framework upholding trust and reliability. If security isn’t your top priority as DEX developers, it could be time to reassess your role. 

The DEX security landscape 

One of the most attractive aspects of a DEX is its level of anonymity. A DEX grants users total control of their assets by removing the need for personal identification and verification. This level of control means users can manage their private keys and execute transactions without intermediaries while always retaining ownership of their funds. 

Compared to their centralized counterparts, DEXs still operate with limited regulatory oversight, meaning they’re free to innovate and implement features without the constraints of traditional financial regulations. With no central authorities in DEXs, which benefits privacy and control, their absence is a double-edged sword for security.

DEXs have not been spared from high-profile attacks. The first quarter of 2024 alone saw over $336 million in digital assets stolen from decentralized finance (DeFi) platforms. 

In the wake of these security challenges, the intensity of DEX hacking has risen, too. In August, “jaredfromsubway,” a notorious maximal extractable value (MEX) bot, relaunched with new and improved hacking techniques like adding and removing liquidity from DEX pools as part of a “sandwich” attack. 

You might be wondering what a sandwich has to do with decentralized exchanges. In the context of DEXs, a sandwich attack is a market manipulation tactic that exploits the transparency and immutability of blockchain technology. The attacker inserts themselves between two transactions involving a target asset, often to execute trades that benefit them while exploiting others. 

The intricate attacks have enabled the bot to amass millions of dollars in Ether (ETH) — and highlight the evolving nature of vulnerabilities in decentralized exchanges.

Security audits have previously been the obvious way to safeguard exchanges and instill user confidence. Even so, security audits alone can’t guarantee a system’s safety, as high-profile breaches have occurred on previously considered secure platforms. 

Recent: Clipper DEX says recent $450K hack wasn’t caused by private key leak

It’s now been eight years since the first DEX was launched. While it’s natural to expect some hiccups along the way, the industry must strengthen its defenses against known and emerging threats if we want users to feel safe managing their assets.

Beefing up inadequate security

You’re a DEX developer who has poured countless time, energy, and resources into a new feature or sophisticated algorithm, only for a security vulnerability to undo it all right before your eyes. 

The thrill of using an innovative new product or tool can quickly turn into a nightmare if user investments are compromised and every new feature or update opens an entry point for malicious actors.

Some decentralized protocol issues stem directly from design flaws rather than technical bugs. The more simplified and user-friendly a DEX system appears to be, the more effort has been put into securing its back end. Evaluating a protocol’s technical and economic aspects is necessary to identify potential weaknesses and ensure the system is efficient and secure.

If developers aren’t fully committed to securing their platform beyond basic measures, they may need to reassess their overall approach.

One effective tool in a security plan is parameterizing everything from day zero, even aspects a developer might not find necessary at first. Yes, the reality is that complex coding elements can make future changes more difficult. You have facilitated a safer environment by transitioning elements into parameters, even if different developers are involved. That enables adjustments through configurable parameters rather than modifying the core code directly, enhancing flexibility and security.

A DEX failing to protect its users will find its dreams of success short-lived. Despite the nature of decentralization, promoting access and transparency, DEX platforms have an inherent responsibility to enforce security measures that protect users.

As these platforms continue to grow and attract more participants into the DeFi space, the tension between pioneering technologies and safeguarding users against vulnerabilities goes hand in hand.

Eric Waisanen is the founder and CEO of Astrovault and has worked in the Web3 space since 2017. 

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts, and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.