
The 8 Dangers of DEFI

Built on open-source software, in a transparent degen-ridden environment where activity is irreversible and without legal recourse, DEFI is a honeypot of massive value that is laden with risk.

Existing at the intersection of finance and technology, DEFI has been heralded as the frontier of innovation and the solution to the woes of the traditional financial system.

Over the last few years, a tsunami of protocols and applications has come to market, harping on this promise, all claiming to provide some kind of unique value proposition that will enrich the lives of their users and protect them from the evils of legacy finance…

Assuming that these projects did have good intentions (which most of them don’t), the moat of informational asymmetry due to the complexities of the technology itself creates an enormous spread between truth, security, and reality. Moreover, DEFI inherits the underlying primitive of sovereignty from crypto, where the responsibility of asset ownership and management is entirely in the hands of the users, a level of responsibility that consumers have never been faced with.

While this noble, utopian mission has attracted the attention of people from around the world and drawn in hundreds of billions of dollars in TVL, it has not been able to express the full scope of potential implications during its development.

Even though all of the experimentation that has been taking place has flooded networks with more value, the level of security in the industry has not changed at all (arguably, with Ethereum moving to POS, it might have even degraded).

Therefore the only genuine way to protect yourself and your assets from the whirlwind of fuckery that is monitoring your wallets and trying to steal your money is by equipping yourself with knowledge.

Sure, it may not sound sexy. But if you can understand the fundamental touchpoints that can cause financial ruin, you will be far more emotionally prepared and most likely much wealthier.

So without further ado, let's put into focus how genuinely broad and varied the surface area of risk in DEFI really is.

MEV (Maximum Extractable Value)

Ah, the good ole art of on-chain extortion.

MEV is a contentious topic in the world of crypto. Perhaps nowhere more so than in the DEFI sector.

Simply put, MEV is a botnet that is looking to front-run your transaction and squeeze out any potential excess value that should trickle back to you. Imagine paying for a $17 shirt with a $20 bill and the clerk at the register telling you there is no change because of the physical entropy he has to exert in order to manually organize the bills…

In DEFI, every single function from lending to trading is subject to MEV. These pretentious bots can reorganize/sandwich/delay your transactions, prioritize their own, and force you to miss opportunities. The best way to engage in on-chain finance is minimally; try to reduce the number of interactions that must be done.

Oracle Manipulation

Given that DEFI protocols exist in blockchain environments that are not aware of information that exists outside of themselves, they need a method by which to get their data from somewhere.

This is done through oracles.

Oracles are the connective tissues between on-chain and off-chain data. They are pipelines that funnel information from the real world into the digital economy.

Whenever you go to an exchange like Uniswap and see the price of Ethereum, what is happening behind the scenes is that Uniswap is asking an Oracle network (Chainlink) to quote you a price from trusted sources. That Oracle then scans/queries other venues that provide the requested data point (Binance, KuCoin, 1inch, etc.) and provides a spot price to trade at.

In this process of receiving a request, going to find the request, and fulfilling the request, subversion exists in two general ways:

1) Origin of Data is corrupted.
The sources from which oracles get information collude to produce fake information or their servers are hacked and the data is spoofed. Chainlink might trust Binance for ETH price, but what happens if the information on Binance does something egregious (wicks the price 10x)?

2) Oracles themselves are corrupted.
Given how valuable the information that oracles provide is, it is not outside the realm of consideration that the oracles could be provoked through incentives by external forces to provide incorrect information.
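
One defensive pattern against corrupted source data, shown here as an added example that is not from the original post: take quotes from several venues, use the median, drop outliers, and refuse to publish when too few venues agree or the price jumps too far in one update. The venue names, thresholds and function names are assumptions chosen for illustration.

```python
from statistics import median

MAX_DEVIATION = 0.05  # assumed: drop quotes more than 5% away from the median
MIN_SOURCES = 3       # assumed: quorum of agreeing venues needed to publish
MAX_STEP = 0.20       # assumed: largest move allowed versus the last accepted price

# Constructed sample data: one venue wicks 10x, then three venues agree on a bad price.
ONE_WICK = {"venue_a": 2001.0, "venue_b": 20000.0, "venue_c": 1999.0, "venue_d": 2003.0}
COLLUSION = {"venue_a": 20000.0, "venue_b": 20010.0, "venue_c": 19990.0, "venue_d": 2001.0}


class OracleRejected(Exception):
    """No trustworthy price could be produced; the caller keeps the last value."""


def aggregate_price(quotes, last_price=None):
    """Return (price, dropped_venues) or raise OracleRejected."""
    valid = {v: p for v, p in quotes.items() if p is not None and p > 0}
    if len(valid) < MIN_SOURCES:
        raise OracleRejected("not enough venues reporting")
    mid = median(valid.values())
    kept = {v: p for v, p in valid.items() if abs(p - mid) / mid <= MAX_DEVIATION}
    if len(kept) < MIN_SOURCES:
        raise OracleRejected("venues disagree; quorum lost after outlier filter")
    price = median(kept.values())
    # Circuit breaker: a majority of bad sources survives the median, so bound the step.
    if last_price is not None and abs(price - last_price) / last_price > MAX_STEP:
        raise OracleRejected("price jumped too far in one update")
    return price, sorted(set(quotes) - set(kept))


if __name__ == "__main__":
    print(aggregate_price(ONE_WICK, last_price=2000.0))
    try:
        aggregate_price(COLLUSION, last_price=2000.0)
    except OracleRejected as err:
        print("rejected:", err)
```

A single wicked venue is filtered out by the median, while a colluding majority is only caught by the step limit against the last accepted price.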

Smart Contract Bugs

The most fundamental form of risk that exists in DEFI.

Smart contracts may be mathematically sound, but when their hard-coded structures are met by extremely savvy hackers that can identify logical loopholes and find exploits to drain protocol liquidity, cause mass token minting, or manipulate protocol functions, it is the end user that ends up paying the ultimate price.

Besides being subverted by malicious entities, poorly coded contracts might just result in internal systemic failures. A function that is accidentally defined incorrectly can result in an error that locks liquidity permanently, or a single line of code that does not map the relationship between token owners and their rights to send the token can freeze assets in wallets with no ability to ever move them.

Logic that might hold up in a closed alpha on a testnet somewhere will not be the same as the logic in a public mainnet.

The ultimate combination of the two smart contract failures can be seen with the painful example of Terra/Luna (r.i.p. billions of dollars).

Price Volatility

You might have heard this one before: crypto assets are volatile... very volatile.

Where traditional financial instruments, such as stocks, might swing +/- 3% in a day, it is totally normal for a crypto asset to swing upwards of +/- 15% in that same day.

When it comes to DEFI, we're not talking about the price risk you have regarding just holding an asset, we are talking about how the price movement can impact the more exotic forms of portfolio exposure. There are two general classes of this exposure:

1) providing liquidity (impermanent loss)

When tokens are provided to an AMM and the price deviates from the exact rate at the moment of deposit, impermanent loss takes place. If ETH is at $2,000 and somebody provides liquidity to an ETH/USDC pool, they would supply an equal amount of 1 ETH + $2,000 USDC. Doing so would obviously incur basic transaction costs, already putting them in the hole, but then if the price of ETH rises to $2,200, the user will only be entitled to claim 1.1 ETH + $1,800 USDT. Considering there would be another basic transactional cost incurred, the user would have to be exposed to an unknown duration of providing liquidity to cover those base costs from the generated yield. Moreover, the user would now have to go through more intermediaries in order to balance out their position proportionally (selling the 0.1 ETH for USDT).

This is called impermanent loss: whenever price fluctuations leave you with less than the returns that could have been had by simply holding the asset. Think about it: the person who provided liquidity provided $4,000 worth (1 ETH @ $2,000 + $2,000). When they withdrew, they got $4,000 worth (minus fees). If instead of providing the liquidity they had just held the same assets, they would have $4,200 (1 ETH @ $2,200 + $2,000).

2) lending/borrowing (liquidations)

Imagine ETH is trading at $2,000. Say you want to borrow $2,000 USDT. In order to do this, you must provide excess collateral in ETH to take the loan. So you lock up 2 ETH ($4,000) and take out the loan. Next week, ETH plummets to $1,000. Now the collateral you posted is worth $2,000, a level that is algorithmically considered risky (if you only have $2,000 worth of collateral for a $2,000 loan, you are not incentivized to pay it back). To protect the lender, your assets get market sold (likely at $1,100 each) and you're stuck with $1,000 instead of your original 2 ETH.

Underlying Blockchain Mishaps

Even if a protocol is designed properly and everything seems to be working fine, there is a not-so-subtle dependency of that protocol on the network to which it is deployed.

Validators behaving out of line, consensus mechanisms proving to be inadequate, and sudden outages, among other things, can trickle up the stack and result in damaging effects to the DEFI users.

Governance Issues

As a decentralized entity, a DEFI project must have some form of governance in place to steer the project’s development and oversee its operational specifications.

A sudden revolt from the governing committee that results in some radical parameter adjustment holds the DEFI user in a perpetual limbo of uncertainty. While most of the time the governing body will be aligned with a vision of progression, that vision is highly subjective to interpretation.

Not to mention that flash loan attacks have taken place where proposals are forcefully pushed by entities that acquire large enough token amounts on the open markets just to vote on their own proposals.
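
A common mitigation for this kind of vote buying, shown as an added example that is not from the original post: count voting weight from a balance snapshot taken before the proposal existed, so tokens acquired in the same block as the proposal carry no weight. The token model, holder names and block numbers below are constructed assumptions.

```python
from bisect import bisect_right


class CheckpointedToken:
    """Toy governance token that records (block, balance) checkpoints per holder."""

    def __init__(self):
        self.checkpoints = {}  # holder -> list of (block, balance), ascending by block

    def set_balance(self, holder, block, balance):
        history = self.checkpoints.setdefault(holder, [])
        if history and history[-1][0] == block:
            history[-1] = (block, balance)  # same block: overwrite the checkpoint
        else:
            history.append((block, balance))

    def balance_at(self, holder, block):
        """Balance recorded at the latest checkpoint at or before `block`."""
        history = self.checkpoints.get(holder, [])
        idx = bisect_right(history, (block, float("inf")))
        return history[idx - 1][1] if idx else 0


def live_weight(token, holder, current_block):
    """Weak rule: whatever the holder has at the moment of voting."""
    return token.balance_at(holder, current_block)


def snapshot_weight(token, holder, proposal_block):
    """Stronger rule: balance as of the block before the proposal was created."""
    return token.balance_at(holder, proposal_block - 1)


def demo():
    token = CheckpointedToken()
    token.set_balance("long_term_holder", 10, 40_000)  # constructed history
    token.set_balance("borrower", 100, 1_000_000)      # tokens borrowed in block 100
    proposal_block = 100                               # proposal created in the same block
    return {
        "live": live_weight(token, "borrower", 100),
        "snapshot": snapshot_weight(token, "borrower", proposal_block),
        "holder_snapshot": snapshot_weight(token, "long_term_holder", proposal_block),
    }
```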

Social Engineering

Wicked, evil, and disgusting.

There are no heroes in this industry. Everybody is fighting for themselves. The insane majority of projects simply do not give a sh*t about you.

Scammers will create the most elaborate systems to subvert your conscious mind. They will pretend to be representatives from a project or exchange you are involved with. They will call you, text you, email you and do anything else possible to trick you into doing some kind of action.

The most common forms of social engineering are:
1. Pretending to offer you free tokens.
2. Pretending they are official reps from other projects.
3. Asking you for help through a DM and offering a reward.
4. Telling you they can help you make money.
5. Sending you a link to click… (this is financial suicide).

If anybody contacts you about anything remotely related to the above, IGNORE them. If you feel worried about anything, opt to go directly through the official interfaces (website/app) that you use and reach out to the projects. Official moderators/admins will not initiate contact with you directly without your prompting.

Misrepresentation (Rugpulls)

Still in its infancy, this sector lacks any standard framework of definitions. So many idiotic projects throw around buzzwords in an attempt to sound convincing and tempt unknowing users.

One of the most painful to watch is when a Memecoin starts offering people a DEFI ecosystem for NFT financialization that can help solve the interoperability problem between blockchains.

If the last message made sense to you, beware, you will be taken advantage of. If you caught on to the stupidity of it, kudos, you are protected.

The misrepresentation of intentions is called a Rug Pull. As the name might hint, people put money into a project and then the rug gets pulled right out from under them. Shadowy super coders create fake contracts to collect money and then at some point just “poof” and disappear with the funds.

As a general rule of thumb, if a project’s slogan/mission statement is chock full of buzzwords, stay TF away.

There are many more complex security vectors that arise whenever interchain operations are introduced and advanced multi-lingual social engineering tactics are considered.

All that matters at the end of the day for your safety is the understanding that risk does not get removed with blockchain architecture, it is merely transformed into a new type of risk.

DEFI’s siren call is the displacement of human infrastructure with automated smart contract infrastructure. Trading off human error with mathematical logic. Even though intuition might guide us into believing that mathematics is more reliable than humans, the truth of the matter is that humans have room to correct errors, mathematics does not know the difference. Therefore, the risk profile of this transition of trust is nearly impossible to quantify.

Just don't forget that there is no such thing as a safe investment in crypto.

May your journey through Decentralized finance be fruitful and may your bags always be protected.

Stay safe out there!

Subscribe to Andrey Didovskiy and never miss a post.