DeFi can be a wild place at times. Seemingly bulletproof protocols can crumble in an instant, or suffer exploits from which their token prices never recover.
In keeping with The Defiant's safety awareness mission, this article gives you some pointers on how to spot a potential disaster before it happens. DeFiSafety is an organization that assesses how projects conduct development and how they end up deploying their code. After evaluating over 200 protocols, we have gathered some insights for identifying bad development practices in DeFi.
Axie Infinity and Inverse Finance Exploits
Inverse Finance and Axie Infinity have recently suffered exploits resulting in significant loss of funds. Katana, the only decentralized exchange on Axie's Ronin chain, was developed by the same team (with the same development practices) and scored 5% in the DeFiSafety rating. Inverse performed much better, but still lags in some critical areas. Both were unaudited, had no bug bounty, and provided extremely limited testing evidence, if any. Katana was particularly opaque about how it worked. Even though these issues had been identified, the exploits still happened and users still lost their savings.
Here is a checklist, with some tips and tricks tailored to your risk profile, for navigating the DeFi minefield.
Note that none of these checks is a perfect solution that guarantees a completely safe DeFi experience. DeFi remains an incredibly risky place, and a protocol could pass every one of these checks and still be exploited. Treat this checklist as non-prescriptive and always perform your own due diligence before investing in digital assets.
Is the DeFi protocol open source?
Let's start with the most basic question you should ask yourself before interacting with any contract: can I find the GitHub repository used by the protocol?
For the uninitiated, GitHub is a website teams use to coordinate software development. You should be able to find a team's GitHub easily by searching for the name of the protocol followed by "GitHub".
The main question to ask here is whether the repository is public. Compare Bancor's GitHub repository with Grim Finance's, which was drained for $30M in December 2021. Look at how well-stocked Bancor's repository is: multiple folders, a README.md overview of the protocol, a visible list of contributors, 4000+ commits. Compare that with Grim Finance's: it's private. You have no idea what contracts you are interacting with.
It's especially important to note that private repositories undermine the value of an audit: if you cannot compare the source yourself, you can never be sure that the contracts the developers deployed are the same ones the auditors reviewed. Even with a public repository, check that the deployed contract's source is verified on a block explorer and corresponds to the commit the audit covers. Transparency is an important part of DeFi development: it leads to stronger code by allowing everyone to examine it. Private repositories prevent that transparency and undermine the open-source spirit of web3.
Is the protocol well documented? Is contract ownership identified?
The second step is to go through the protocol's documentation. It is usually linked from the main page of the website and written in GitBook or a similar tool. It should provide a high-level overview of how the protocol works, plus other relevant information, in plain language, so that you or I can understand what we are about to use.
A good example of this is PancakeSwap: look how cute it is, and how understandable the little wabbits are!
Good documentation indicates that the team knows its code inside out. Protocols can easily fork other protocols with little idea of how things work, which increases the likelihood of a crash. Relevant documentation usually means the team understands the code, because they are able to synthesize it into something more digestible.
A key area to be particularly vigilant about is whether the owners and permissions of the contracts you interact with are listed. Some contracts can be changed at will by their owner, which may expose your funds to new risks. Make sure you are comfortable with who is in control: just because other people trust a protocol doesn't mean it's safe. See how Tracer explicitly declares that its DAO owns its contracts. Where possible, confirm the claim on-chain: the contract's owner, or the admin of its proxy, should resolve to the multisig, timelock or DAO the documentation names, not to a single externally owned account.
Verify Blockchain Contract Addresses
You should also be vigilant about contract addresses. Check that the addresses listed in the documentation are the same ones you interact with on the protocol website. Gearbox explicitly lists them and links them to Etherscan so you can check them yourself. This simple action could have helped users avoid BadgerDAO's front-end attack, in which $120 million was taken.
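The two checks above (who controls the contract, and whether the listed address really runs the code that was reviewed) can be made concrete against on-chain data rather than taken from the docs on trust. The following is an added example, not code from The Defiant, DeFiSafety or any protocol named in this article. It assumes you have already fetched three raw values for the documented address over JSON-RPC: the result of `eth_getCode` (runtime bytecode), the result of an `eth_call` with data `0x8da5cb5b` (the selector of the common Ownable `owner()` getter), and `eth_getStorageAt` for the EIP-1967 implementation slot. Every hex string in the block is a short constructed stand-in, not real chain data.

```python
"""Verify documentation claims about ownership and deployed code on-chain.

Added example (not The Defiant's or DeFiSafety's code). All hex values are
constructed stand-ins; the raw RPC responses are assumed to be fetched
separately and pasted in.
"""

OWNER_SELECTOR = "0x8da5cb5b"  # keccak256("owner()")[:4], data for the eth_call
# keccak256("eip1967.proxy.implementation") - 1; a non-zero value here means
# the address is a proxy and the logic lives at the implementation address.
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ZERO_ADDRESS = "0x" + "00" * 20


def hex_to_bytes(h: str) -> bytes:
    """Accept '0x'-prefixed or bare hex. eth_getCode returns just '0x' for an EOA."""
    h = h[2:] if h[:2].lower() == "0x" else h
    return bytes.fromhex(h)


def same_address(a: str, b: str) -> bool:
    """Docs vs. website: compare case-insensitively, since checksummed and lowercase forms differ."""
    return a.lower() == b.lower()


def decode_address_word(word_hex: str) -> str:
    """ABI-decode one 32-byte word (eth_call result or storage slot) into a lowercase address."""
    word = hex_to_bytes(word_hex)
    if len(word) != 32 or any(word[:12]):
        raise ValueError("not a 32-byte ABI-encoded address")
    return "0x" + word[12:].hex()


def classify_controller(owner_word_hex: str, owner_code_hex: str) -> str:
    """Who can change the contract? 'EOA' means a single private key is enough: the red flag."""
    owner = decode_address_word(owner_word_hex)
    if owner == ZERO_ADDRESS:
        return "renounced"
    if hex_to_bytes(owner_code_hex) == b"":
        return "EOA"
    return "contract"  # multisig, timelock or DAO module; confirm which on the explorer


def is_proxy(impl_slot_word_hex: str) -> bool:
    """EIP-1967 proxy: repeat the audit and ownership checks against the implementation too."""
    return decode_address_word(impl_slot_word_hex) != ZERO_ADDRESS


def strip_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer that solc appends to runtime bytecode.

    The final two bytes give the trailer length. The trailer embeds a hash of the
    sources and the compiler version, so two builds of identical logic can differ
    there; it must be ignored when comparing against the audited build. Contracts
    with `immutable` variables also embed values at deploy time and may differ in
    the body; inspect such differences by hand.
    """
    if len(code) < 2:
        return code
    trailer_len = int.from_bytes(code[-2:], "big") + 2
    if trailer_len > len(code):
        return code  # no plausible trailer; fall back to raw comparison
    return code[:-trailer_len]


def compare_bytecode(deployed_hex: str, audited_hex: str) -> dict:
    """Compare eth_getCode output with bytecode compiled from the audited commit."""
    deployed, audited = hex_to_bytes(deployed_hex), hex_to_bytes(audited_hex)
    return {
        "raw_equal": deployed == audited,
        "logic_equal": strip_metadata(deployed) == strip_metadata(audited),
    }


# Constructed sample data (not real contracts): a 17-byte runtime prologue plus a
# 10-byte CBOR trailer {"solc": 0x000811} and its 2-byte length field.
_CORE = "6080604052348015600f57600080fd5b50"
DEPLOYED = "0x" + _CORE + "a164736f6c6343000811" + "000a"  # built with solc 0.8.17
AUDITED = "0x" + _CORE + "a164736f6c6343000813" + "000a"   # same logic, solc 0.8.19
TAMPERED = "0x" + _CORE[:-2] + "51" + "a164736f6c6343000811" + "000a"  # one opcode changed

OWNER_WORD_EOA = "0x" + "00" * 12 + "ab" * 20       # owner() pointing at a plain account
OWNER_WORD_TIMELOCK = "0x" + "00" * 12 + "cd" * 20  # owner() pointing at a contract
TIMELOCK_CODE = "0x6080604052"                      # eth_getCode at the timelock: non-empty
IMPL_SLOT_PROXY = "0x" + "00" * 12 + "ef" * 20
IMPL_SLOT_NOT_PROXY = "0x" + "00" * 32

if __name__ == "__main__":
    print("docs vs website address:", same_address("0x" + "AB" * 20, "0x" + "ab" * 20))
    print("controller:", classify_controller(OWNER_WORD_EOA, "0x"))
    print("proxy:", is_proxy(IMPL_SLOT_PROXY))
    print("deployed vs audited:", compare_bytecode(DEPLOYED, AUDITED))
```

The bytecode comparison is deliberately two-valued: `raw_equal` will usually be false even for an honest deployment because the metadata hash differs between builds, while `logic_equal` is what tells you the audited commit is what you are sending funds to. If `is_proxy` returns true, run both the controller and the bytecode checks again against the implementation address, and check the proxy's admin as well as the implementation's owner.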
Is the code audited?
A third check is whether the code has been audited. Auditing firms offer a fresh and valuable look at the code you want to use. The audit should be public, and the contracts (and ideally the commit) reviewed by the auditors should be listed. Check whether the audit found issues and whether they were fixed, as in the 0x protocol audit where a problem was identified and then fixed. Highlighted in red is a major issue that was identified, and in green that it was resolved. Major problems could result in the loss of user funds, so it is essential that a protocol like 0x has a second set of eyes on its code.
Other questions you might consider asking are:
- Is the audit detailed or a superficial inspection?
- How many people worked on the audit?
- How long did the audit take?
- Was the audit done before deploying the code?
- Is there a technical breakdown of the issues detected?
- Does the report name the exact commit or contract addresses reviewed, and do they match what is deployed?
Although audits are not foolproof, they provide an additional layer of security.
Does the DeFi protocol have bug bounties?
The second-to-last check is whether there is a bug bounty. Protocols often set aside funds so that hackers have a way to report exploits to the developers instead of using them. With such a program in place, armies of hackers are effectively tasked with testing the protocol. Larger bounties attract more attention, which leads to more testing and eventually better code. The amounts are often very large, to ensure that hackers prefer the program over the exploit.
As evidence of the effectiveness of these programs, see how armor.fi increased its bounty from $27,000 to $700,000. A day later, a bug that could potentially have crashed the protocol was identified and fixed. These programs go a long way toward making the code safer, which means your funds are safer too.
Is the development team public and proactively engaging with their community?
The final check concerns the development team itself. Some developers remain anonymous, while others reveal their identities. Public dev teams are reluctant to steal your funds, since their names would be tainted forever. Anonymous teams don't have the same deterrent. While some anonymous developers are among DeFi's most valuable contributors, you have to balance that against their ability to disappear. In short, public developers are held accountable through their public identities.
Good teams should also value communication and make it easy for you to reach them. It's an important release valve for grievances and suggestions, all of which strengthen a protocol. A community Discord or Telegram channel should be linked from the website so you can ask questions. Can you see anyone getting a response from a community manager or even a developer? Are they helpful and friendly? Do they dismiss people's concerns? These are all important considerations.
Using this guide, you should be able to run a few quick last-minute checks before approving your transactions, and hopefully be a little safer as a result.
Is all DeFi high risk?
River0x works for DeFiSafety (defisafety.com), which reviews DeFi protocols and measures their development practices. It does this by scoring them on a variety of quantitative data points, contacting the development team for clarification, and then releasing the report for free. Generally speaking, the higher the score, the less likely a protocol is to suffer some form of exploit.
DeFi lending doesn't have to be high risk, provided you use established and reputable protocols. Lower-TVL protocols on less established blockchains are riskier. Projects such as DeFiSafety rank DeFi lenders by risk.
The main risks in DeFi are your funds being taken by an exploiter, the loss of your private keys, governance failures, flawed token design, smart contract vulnerabilities, and blockchain failure.
DeFi cannot be easily regulated. Since DeFi is code deployed on an immutable blockchain with no physical location, the code itself is very hard to censor or regulate. DeFi can, however, be regulated at its endpoints, such as where the front-end website is hosted or how code gets deployed to the blockchain.