
SlowMist: Fundamental Security Risk Analysis of Popular DeFi Projects
TechFlow Selected TechFlow Selected

SlowMist: Fundamental Security Risk Analysis of Popular DeFi Projects
This article aims to evaluate and analyze the foundational security risks of DeFi projects on the DefiLlama leaderboard.
Authors: Shanker, Mr.A, SlowMist Security Team
Background
In recent years, DeFi projects have experienced rapid growth, leading a revolution in financial innovation. DeFi leverages blockchain technology to offer decentralized financial services such as lending, trading, and asset management, enabling users to interact directly without relying on traditional financial intermediaries.
However, due to their significant capital scale and user base, DeFi projects have become attractive targets for hackers. Many project teams mistakenly believe that DeFi security solely refers to smart contract security—an incorrect perception, as DeFi also involves infrastructure such as domains and servers.
Given this context, various phishing and scam groups have emerged. Notably, the Angel Drainer group uses social engineering attacks. Over the past year, this phishing group has targeted DeFi projects including Balancer, Galxe, Frax Finance, VelodromeFi, and Aerodrome.Finance. Angel Drainer hijacks project domains by taking over their DNS configurations, injects malicious JavaScript code into frontends, tricks users into signing unauthorized transactions, and ultimately steals user assets.
Against this backdrop, this article aims to assess and analyze the foundational security risks of DeFi projects listed on the DefiLlama leaderboard. As a platform providing data and rankings for DeFi projects, DefiLlama’s leaderboard represents the most watched and widely used DeFi services in the market.
Test Scope and Methodology
We categorized projects based on their rankings on DefiLlama—Top 50, Top 100, Top 200, Top 500, and Top 3000—for statistical analysis. We collected and analyzed DNSSEC settings, domain WHOIS information, CDN usage, and source IP exposure for each project's domain.

DNSSEC Security Issues
DNSSEC (Domain Name System Security Extensions) is a technical extension designed to enhance the security of the Domain Name System (DNS). It ensures the integrity, authenticity, and validation of DNS query responses. Key benefits of DNSSEC include:
1. Data Integrity: DNSSEC uses digital signatures to sign DNS data, ensuring it hasn’t been tampered with during transmission. This prevents attackers from altering DNS responses to redirect users to malicious websites or hijack traffic.
2. Data Authenticity and Validation: DNSSEC verifies that DNS responses originate from legitimate authoritative DNS servers, not from spoofed or malicious sources, helping prevent DNS spoofing attacks.
3. Protection Against Cache Poisoning: DNSSEC prevents cache poisoning attacks, where false DNS records are injected into DNS caches. Digital signature verification allows DNSSEC to detect and reject forged records.
4. Enhanced DNS Security: As DNS is a critical internet infrastructure, securing it improves overall network safety. DNSSEC reduces the success rate of malicious attacks and strengthens cybersecurity for users and organizations.
In summary, DNSSEC enhances DNS security through digital signatures and cryptographic validation, ensuring response integrity and authenticity. Once enabled, DNSSEC allows verification of authoritative DNS servers, reducing the risk of domain hijacking and DNS fraud, thereby improving the trustworthiness of the internet.
In our tests, we used scripts and third-party tools like https://domsignal.com/ to analyze DNSSEC configurations, checking whether DNSKEYs were correctly set and RRSIGs valid. Example below:

Domain Registrar Security Issues
Domain registrars manage domain registration and renewal. Their security measures include protecting user accounts from unauthorized access, preventing domain transfers or modifications, and safeguarding domain registration data. A secure registrar typically offers two-factor authentication (2FA), regular security audits, and strong privacy protections.
Using an insecure domain registrar can lead to several DNS-related security issues:
1. DNS Hijacking: Insecure registrars may be vulnerable to DNS hijacking, allowing attackers to modify DNS responses and redirect users to malicious sites—potentially leading to phishing, malware infections, or other threats.
2. DNS Cache Poisoning: Attackers can feed fake DNS records to poorly secured registrars, polluting DNS caches and affecting large numbers of users by directing them to malicious websites.
3. Data Tampering: Weak registrars may be susceptible to man-in-the-middle attacks, where attackers alter DNS query data in transit, resulting in users receiving fraudulent responses and connecting to rogue servers.
4. Service Disruption: If an insecure registrar suffers from DDoS or other network attacks, its DNS servers may go offline, making websites and online services inaccessible.
5. Lack of DNSSEC Support: Some registrars do not support DNSSEC, increasing vulnerability to DNS spoofing and related attacks.
In short, using an insecure domain registrar exposes users and organizations to numerous cyber threats. Therefore, selecting a trusted registrar with robust security features—including DNSSEC support—is crucial. DeFi teams should carefully evaluate registrars to ensure reliability and security.
Our testing involved querying WHOIS data via services like https://www.godaddy.com/whois to collect domain registrar and nameserver information. Sample shown below:

CDN and Traffic Protection Security Issues
Content Delivery Networks (CDNs) improve website performance and security by distributing content across global nodes, reducing latency and accelerating access. Security features include DDoS protection, web application firewalls (WAF), and HTTPS encryption to secure data transmission.
An insecure CDN provider may introduce multiple risks:
1. Data Leakage: Inadequate data protection by a CDN could expose sensitive information such as user credentials or private documents, which attackers might steal via vulnerabilities.
2. Man-in-the-Middle Attacks: Attackers may intercept or manipulate traffic between the CDN and end users, stealing data or injecting malicious content.
3. Service Unavailability: If a CDN is hit by a DDoS attack, service disruption can render websites or apps unreachable, severely impacting availability and performance.
4. Malicious Content Distribution: Without proper content vetting, bad actors may abuse CDNs to distribute malware, malicious scripts, or harmful payloads.
5. Lack of Encryption: CDNs without strong TLS/SSL support leave data transmissions vulnerable to eavesdropping and interception.
6. Exploitation of Vulnerabilities: Attackers can exploit flaws in insecure CDNs to gain access to backend systems or control network resources.
7. Legal and Compliance Risks: CDNs operating in certain jurisdictions may raise data privacy and regulatory compliance concerns.
To mitigate these risks, DeFi teams must thoroughly assess a CDN provider’s security posture, privacy policies, and compliance standards. Choosing a reputable CDN with a proven security track record and dedicated security team is essential for protecting data and infrastructure.
In our study, we resolved domain IPs to identify usage of major CDNs such as Akamai, Azure CDN, Cloudflare, CloudFront, Fastly, Google Cloud CDN, and MaxCDN. Example below:

Source IP Exposure Security Issues
Source IP exposure occurs when an attacker discovers the real IP address of a website’s backend server, bypassing CDN protection and firewall rules to launch direct attacks. Exposed source IPs can lead to:
1. Direct Attacks: The exposed IP becomes a direct target for DDoS attacks, potentially taking the site offline.
2. Exploitation of Server Vulnerabilities: If the server runs software with known vulnerabilities, attackers can exploit them to gain unauthorized access.
3. Risk of Data Breach: Attackers may access sensitive internal data via the exposed IP, leading to data leaks.
4. Phishing and Impersonation: Hackers may spoof the server identity to conduct phishing campaigns or defraud users.
Therefore, protecting the source IP of web servers is a critical component of cybersecurity. Measures such as reverse proxy setups, secure DNS configurations, and hardened entry points help conceal the real IP and reduce the risk of direct attacks on origin servers.
In our test, we attempted to bypass CDNs using third-party tools to determine if a project’s origin IP was exposed. Example below:

Based on the above tests, we now present the results.
Results Summary
DNSSEC Security Findings
Sample results:

DNSSEC statistics:

(Quantity distribution)

(Percentage distribution)

Domain Registrar Security Findings
Sample results:

Registrar statistics:



CDN and Traffic Protection Findings
Sample results:

CDN usage statistics:


Notably, Akamai—the world’s leading secure CDN provider—has nearly zero adoption within the DeFi industry, highlighting how much work remains to improve foundational security awareness.
Source IP Exposure Findings
Sample results:

Exposure statistics:



The security implications of source IP exposure cannot be ignored. On December 7, the well-known gaming project @XAI_GAMES suffered a DDoS attack that rendered its official website inaccessible. Simultaneously, attackers posted a fake website link in the project’s Discord community, tricking users into visiting a phishing site and stealing approximately 400+ ETH. Therefore, DeFi teams must prioritize protecting their origin server IPs to minimize the risk of direct attacks.
Conclusion
From the comprehensive statistics above, it is evident that foundational security risks in current DeFi projects are severe. A large number of DeFi projects have insecure configurations, leaving them vulnerable to attacks.
This article illustrates that DeFi security extends beyond smart contracts—it is a holistic concern. The SlowMist Security Team has released the Web3 Project Security Practice Requirements (https://github.com/slowmist/Web3-Project-Security-Practice-Requirements) and the Web3 Industry Supply Chain Security Guide, both aimed at guiding and reminding Web3 project teams to implement comprehensive security measures. Additionally, the MistEye security monitoring system deployed by SlowMist covers contract monitoring, frontend/backend surveillance, and vulnerability detection alerts, offering end-to-end security oversight before, during, and after incidents. We encourage project teams to adopt the MistEye system to manage risks and enhance project security.
Acknowledgments: @DefiLlama @censysio
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News










