AAVE itself has touched $60B in deposits, but it's still SCARY to use DeFi -- did you know a while ago SAFE, the standard for managing billions of dollars in crypto, had its front-end hacked? front-end hacks have stolen billions of dollars in crypto. why? and how to improve?
a front-end of a dapp itself is a lot of moving pieces and variables, each touching many different parts of a transaction lifecycle originating from the user. a front-end of a dapp has many possible attack vectors, from the domain registrar itself to its team pushing a bad commit
i think it should be very important and a standard security practice for each app to do disclosures around how they manage the domain itself: which registrar? has the domain provider ever been hacked before? and if they do get hacked, what are the failsafes against it?
after proper domain maintenance hygiene is done, the dapp developer should then disclose, or should have clear rules about, commit, merge and review. i think maybe the SEAL team should also publish best practices around that. and always, always, ask your devs to never download anything on the work laptop
it's better if you can give work laptops which are pre-loaded with all the restrictions, like how corporates do this. ik it sounds weird, but it's important to set proper firewalls against scenarios like the SAFE hack, where one dev downloaded malware unknowingly and that injected malware into the front-end itself
i mean even if you do all that, and someone's wallet itself got hacked also due to a front-end hack, you are still at risk. imagine someone took over a tier-2 extension wallet and attempted to get the private keys themselves, or just the password; then also you're f*cked
what should we do then? i think every dapp, to the best of their extent, should try to focus on and create a front-end that is super secure against these kinds of attacks. there's no perfect way. you just have to be paranoid all the time, thinking anything that can go wrong will go wrong, and be fast in detecting and responding to any such kind of issue -- forget that you have a life if you're building in defi
on top, always do kyc of your employees, do good domain hygiene, good git access control hygiene, work-laptop hygiene, and block by default any wallets that you think are shady. limit access to wallets that follow the best standards only
or introduce a yolo mode and a safe mode for your users. in yolo mode, every wallet is allowed and things are yolo, but in safe mode you're really, really focused purely on the safety, which means you're even completely hosted over ipfs and only the necessary things are accessible for analytics; users can see in yolo mode
to conclude, i just want to make it clear that building in defi has many attack vectors, and it takes more than textbook reading to really serve your users in the best way possible. we at @SuperlendHQ take this very seriously for what we are building -- a unified interface for onchain finance
btw, this was only about front-end attack vectors. i am sure there might be more scenarios as well, which we are constantly debating and working on, but there's a whole pandora's box when we talk about the economic security of defi protocols itself. more on that soon, about how we handle all aspects of security at @SuperlendHQ while building the best ux
@SuperlendHQ interface* excuse the typos