Cloud Outages Expose Vulnerabilities in DeFi dApps

On October 20, a minor disruption in Amazon's US-EAST-1 region triggered a significant chain reaction throughout the cryptocurrency landscape. Coinbase experienced service degradation, while Infura and Alchemy issued incident notes linked to AWS, and numerous wallets and rollups began to timeout.

The root of these failures did not lie within the blockchains themselves, as consensus mechanisms remained intact. Instead, the issues originated from the surrounding infrastructure: cloud databases, RPC gateways, DNS, indexers, and key-management systems that are essential for transforming a blockchain into a functional application.

This incident served as a stark reminder that a significant portion of Web3 still heavily relies on Web2 technologies. When one AWS region faltered, it caused a ripple effect that impacted about a quarter of the crypto ecosystem's user interface.

Beneath the surface of decentralization rhetoric exists a dependency framework that is alarmingly centralized. A conventional decentralized application (dApp) typically begins with a frontend hosted on services like S3 or Cloudflare Pages, distributed through a CDN such as Fastly, and resolved via Route 53 or Cloudflare DNS.

Underneath this frontend layer are read and write RPCs, usually provided by Infura, Alchemy, or QuickNode, most of which are hosted on AWS or one of the other major cloud providers. Further down the stack are indexers like The Graph or Covalent, sequencing services on rollups, and custody or key-management solutions such as Fireblocks. Each layer introduces potential points of failure.

When AWS's DynamoDB and DNS services experienced issues, several layers were affected at once. Coinbase's API slowed down, Infura and Alchemy communicated upstream AWS challenges, and multiple rollups encountered stalled sequencers, necessitating manual intervention. Notably, The Graph’s indexer for zkSync had already displayed similar vulnerabilities just weeks prior.

The illusion of redundancy also collapsed under pressure. Two separate RPC service providers may guarantee "four-nines" uptime, yet if they both rely on the same cloud region, their failures are interconnected. Statistically, this interdependence can lead to a high effective correlation, reaching as much as 0.9 among AWS-centric stacks.

This concentration of dependency is not limited to the crypto sector. AWS commands approximately 30-32% of the global cloud market share, Azure holds around 20%, and Google Cloud captures about 13%. A six-hour disruption in a major region can have cascading effects on DNS, object storage, and database services utilized by thousands of companies.

For decentralized applications, this means that anywhere from 10% to 30% of Ethereum Virtual Machine (EVM)-based frontends or read functions may become degraded during such an outage. Furthermore, writes and transactions that depend on sequencers or custodial signing pathways can be entirely halted.

It's crucial to distinguish between on-chain resilience and application resilience. Blockchains like Ethereum or Solana maintain consensus through a network of global nodes; however, the tools that users depend on frequently rely on centralized intermediaries. For instance, Solana experienced a five-hour halt in February 2024 due to an on-chain issue, while the AWS outage was an off-chain problem—a situation far more prevalent.

Each layer of the infrastructure adds its own vulnerabilities:

These vulnerabilities expose the fragility of the current decentralized finance (DeFi) ecosystem, highlighting how much it still depends on centralized cloud services. While blockchain technology is often touted for its resilience, the reality for many decentralized applications shows that they remain susceptible to the same weaknesses that affect traditional web services.