Part 1. Teaser
by Dona Mara
Launching any DeFi product is similar to launching a rocket: after the rocket takes off, you have a minimal toolset to influence its flight. You can send commands or even update the software. However, any unforeseen event could lead to a disaster, and you have no way of influencing it any further. You become a passive observer.
DeFi is similar to this in many ways. You create code, conduct a security audit, launch your smart contract into space (blockchain) and start praying that everything goes according to plan.
HAPI, a new product that enters Hacken Foundation, a leading security consulting company specialised in blockchain security, is a special module for these ‘rockets,’ allowing you to fix vulnerabilities on the fly. It provides an opportunity to deploy a rescue team and patch the hole in the rocket.
How do cybersecurity risks occur at DeFi?
Before we introduce HAPI, let’s have a look on how most DeFi projects work and what kind of security issues might arise.
- Blockchain:
A Blockchain is a database stored on multiple computers at once. And all of these computers are verifying that no one deceives one another and all of the records within this database are correct. A smart contract is a program that can be run within this database.
Example #1: 0x1111 is Alex’s wallet. We can write a smart contract crediting 10 HAI tokens to Alex if he has 10 ETH in his wallet. Every time Alex runs this contract, 10 HAI tokens will be sent to his wallet (as long as there are enough tokens on the smart contract). In this case, the program will verify whether there are 10 ETH on Alex’s wallet every time.
Example #2: 0x1111 is Alex’s wallet. We can write a smart contract crediting 10 HAI tokens to Alex if the price of gold on stock exchange is higher than $2000.
However, where can the smart contract get the price of gold from?
This is one of the big challenges in building smart contracts — we can use only the on-chain data in smart contracts’ implementation (only those that are already in our distributed database).
So, how can we record this data into the blockchain?
2. Oracles:
This is how Oracles have appeared — servers recording our necessary data onto the blockchain. Smart contract defines what kind of data it needs in blockchain. Oracles monitor these requests by taking the information from the outside world (usually via API) and recording it onto the blockchain.
However, this is where security issues might arise. Smart contracts are not aware of where the information is coming from and how reliable it is.
3. API or Application Programming Interface:
An API is an interface we can use to interact with programs, apps or devices. You can login into the bank’s client app and it will show you your balance by connecting to the Bank’s server via an API. You can also launch Coingecko’s mobile app and use the API to show you cryptocurrencies. In this case, the request is sent in a very precise form (if you want to receive the required information — learn to ask the right questions).
This is what we get — the user launches a smart contract, it contacts the Oracle’s smart contract and requests data. Oracles (servers) contact the required place (bank, exchange) via API, receive the necessary information and record it into the blockchain.
Introducing HAPI: An onchain cybersecurity protocol to create trustless Oracles
HAPI is a set of cross chain smart contracts that are embedded into DeFI products that allow them to reach a new security level. Also, HAPI's Oraclizing and DAO system delivers SaaS in the DeFi environment that prevents hack attempts.
How does HAPI work?
Who is a Data Provider?
The main Data Provider is selected by the voting process in HAPI. It analyzes and marks all of the suspicious addresses. This data provider becomes the main provider of information to the blockchain. Upon request from exchanges (via API), service records all of the suspicious addresses into the blockchain and their ban period varies from 12 hours to a permanent ban.
HAPI example usecase: blocking the movement of stolen coins between DeFi and exchanges
Let’s say a hacker breaks into an exchange’s hot wallet and begins to transfer funds out of the exchange.
The exchange sends the address and coin details immediately to HAPI.
Every exchange connected to HAPI receives this information almost instantly and can block these transactions and funds until the situation is resolved. DEXs use smart contracts, allowing them to reject requests from suspicious addresses using HAPI. The momentum of the attack is slowed, and a portion of the funds is blocked.
Key points
- Will be built for most popular blockchains (Ethereum, Vechain, Polkadot etc.)
- All DeFi projects will substantially increase their security, if add HAPI module
- HAPI is to become a security standard for DEXs, lending protocols, derivatives protocols and other DeFi classes
- The data provider is voted via a DAO
- The cost of reputational loss to a Data Provider is significantly higher than the potential damage caused by false data
- The data would be onchain. Publically available
- Request to change or add additional data will have a fee
- HAPI is created by Dona Mara
- Hacken Foundation will act HAPI BD
- Prepare your HAI
Conclusion
After analyzing a lot of different smart contracts and hacker attacks and by using the best financial world practices, we prepared a list of those methods and data, which are required by the DeFi at its current stage. We are building a protocol that will improve the security of decentralized apps (and centralized ones as well) using only the required data, analyzed in advance
This is the way.
