Decentralized Finance or DeFi is a form of blockchain-based finance that offers financial services without any central intermediaries. What used to be a niche ecosystem with a TVL of less than $100 Million in the year 2017 grew to over $200 Billion at the peak of the last bull run in 2022.

The flip side of the tremendous growth is that it has become a honeypot for some of the most sophisticated hackers across the world. Billions of dollars have been lost to security vulnerabilities and economic failures.

If you are a crypto believer, you can’t ignore the movement of Decentralized Finance. While the ecosystem is too nascent for us to identify all potential risks, a look at the DeFi stack can help us understand the different ways things can break and thus inform how we can go about participating in the ecosystem.

The DeFi Stack

We can look at the DeFi ecosystem as a combination of the following five layers.

1. Blockchain Networks - All DeFi protocols are deployed on a blockchain network. The blockchain network provides the computational platform for the execution of the smart contracts that power the DeFi service.
2. Crypto Tokens - The tokens are the underlying assets that are used by the protocol to deliver a service. A Lending Protocol might enable the lending and borrowing of a particular crypto token to be used by traders as a form of leverage. A Decentralized Exchange might have a pool that allows users to swap one token for another.
3. Protocol - DeFi Protocols are open-source computer programs that run on blockchain networks and provide financial services.
4. dApp Interface - These are the web interfaces that users use to interact with the DeFi Protocols. Some wallets such as Argent, Coinbase, and Brew Money offer in wallet integrations with Protocols too directly from the mobile.
5. Wallets - Cryptocurrency wallets hold the private keys that allow users to make payments, deploy and withdraw funds from defi protocols, and more.

Risks in Blockchain Network Layer

Unlike popular perception, blockchains are not infallible. Security vulnerabilities can allow malicious actors to siphon off funds or take over control of the network.

The 51% Attack

A 51% Attack on a Blockchain Network is a scenario where one single entity or group has control over 50% of the network hash rate. The implication of this is that the group can censor transactions, and reorder and rewrite blocks leading to double spending where a network participant can spend/utilize the same asset multiple times.

A 51% attack while complex and expensive to pull off is a risk that even mature blockchain networks such as Bitcoin have had to face at some point in time.

Bitcoin’s reckoning with 51% Attack

In 2014, ghash.io, a popular bitcoin mining pool for a brief duration of 24-48 hours had over 51% of Bitcoin’s hash rate. While GHash didn’t demonstrate any signs of malicious intent, it did raise debates on how bitcoin can avoid such scenarios of a pool or entity taking over 51% of the network’s hash rate. In this particular case, miners from the pool volunteered to move away from ghash. Moreover, ghash publicly vowed to limit its hash rate to 40% of the network’s hash rate.

Bitcoin hash rate is more widely distributed today. For instance, the last days of data for blocks mined look like the following. The largest mining pool makes up for 19% of the network’s hashrate.

51% Attacks on Ethereum Classic

Ethereum Classic blockchain came into being after the infamous The DAO Hack. It has a market cap of over $4 Billion. In August 2020 Ethereum Classic was attacked three times and over $5 Million were siphoned off from the network through double-spending.

Vulnerabilities in Blockchain Network

Eventually, blockchain networks are powered by code and code can be buggy. In August 2010 an anonymous hacker was able to exploit a bug to create 184 Billion Bitcoin. Bitcoin supply is supposed to be capped at 21 Million. The anomaly was detected by the Bitcoin community soon. Satoshi Nakamoto coded up a fix for the issue and rolled it out within 5 hours that soft forked the network to state before the faulty block was mined.

In the recent past, Polygon, one of the leading scaling solutions for Ethereum and a sidechain, lost over 800K Matic worth $ 2 million to a hack. Two white hat hackers reported the vulnerability and Polygon rolled out a fix within 48 hours. Polygon Foundation covered the money lost and paid out a sum of $3.5 Million in bounty to the two white hat hackers.

The Volatility in Crypto Assets

Every asset class has inherent volatility. Crypto Assets more so. In stock markets, a 1% dip makes headlines and is reported as a crash. In crypto markets, it is fairly common to see such fluctuations in prices multiple times in a month.

The above graph shows the trend of Bitcoin price volatility over time. While it may seem that over the years, the volatility is reducing a bit, but still, 5% up and down swings are not that uncommon.

Token prices are a function of market perception. The perception can be based on how the specific project is doing or it can be more macro as in where the overall market is headed.

For instance, the crypto market still has a very high correlation with bitcoin price. Whenever bitcoin price dips, we see people liquidating their other crypto assets bringing down the overall market. This is understandable considering even now bitcoin makes up almost 40% of the total crypto market.

Earlier this year, in May, 2022 a bank run on US Terra Stablecoin wiped off $ 40 Billion from the market. Anchor Protocol was one of the most popular lending protocols on Luna that offered ~20% APY on US Terra Stablecoin deposits. While the protocol itself worked as it was supposed to, a known economical weakness in Luna ecosystem led to US Terra losing its peg to US Dollar.

The Fault in the Protocols

Security breaches, code exploits, and flash loan attacks led to the loss of billions of dollars in DeFi. As per Chainanalysis, over $ 1.3 Billion were stolen in the first 3 months of 2022.

Security Breaches are instances when a hacker gains control of the private key or keys of wallets that have admin controls over the protocol. [The Ronin Hack](https://medium.com/uno-re/biggest-crypto-hack-of-all-time-a-breakdown-of-the-ronin-network-hack-ef8d9e25ba6b#:\~:text=The attacker discovered a backdoor,them using the stolen keys.) is one of the largest hacks in DeFi where allegedly a North Korean Hacking Group stole over $ 600 Million worth crypto tokens.

Ronin Network has nine validators to process the transactions and as long as the majority of them approve a transaction it goes through. The catch was that the nine keys were controlled by just two entities. Sky Mavis had 4 keys and Axie DAO 5. However, Axie DAO had earlier provided Sky Mavis with access to sign transactions on its behalf for a short-term period. The access was never revoked. This miss allowed hackers to gain access to the majority of the keys and process the transactions.

Code Exploits are faults in smart contracts that allow a hacker to siphon off funds. The Polynetwork hack where $610 Million worth of crypto assets were hacked (and later returned) is one of the largest hacks that happened due to code exploits.

In this particular case, the hacker was able to figure out a way to invoke a restricted smart contract that enabled them to take control of the wallets that held assets managed by Polynetwork and transfer them to a wallet they controlled.

Frontend and DNS Exploits

Users interact with DeFi protocols by connecting their wallet to a protocol through a web interface. In May 2022 a hacker was able to leverage a vulnerability in the DNS to inject a malicious smart contract on the web interface for mm.finance, a leading DeFi protocol on Cronos chain, and diverted over $2 Million to their wallet.

Losing Private keys or Seed Phrase

Cryptocurrency Wallets store the public key and the private key. The private key is used to access the fund and transfer them. The public key is your address. Private Keys or the more popular seed phrase where a 12 - 24 words phrase is used to generate the private keys.

If a hacker is able to access your seed phrase or your wallet’s private keys, they can take over your assets. Malicious software on your computer or mobile, or phishing attacks that trick users into sharing their seed phrase on a website are some of the common ways in which hackers gain access to their seed phrase and steal assets in your wallet.

In April 2022 an iPhone user lost crypto and NFTs in his wallet when a hacker pretending to be an Apple representative tricked the user to share a secure code that was sent to the user’s number and use that to hack into their iCloud Account. From there on, they were able to access the user’s wallet seed phrase

Navigating DeFi Safely

It is essential to practice caution when navigating DeFi considering the different risks that exist in the stack. As you delve into the DeFi Ecosystem, choosing the right platforms and ecosystems for your risk tolerance is a critical step. A few things to look for

1. Track record

   1. How long has the blockchain or protocols been in existence? How have they performed in volatile market conditions?
   2. What has been the TVL's growth over time?
   3. What is the caliber of the core team working on the protocol or chain?

2. Independent Audits

   1. Has it gone through independent security audits?
   2. How robust are their processes? Here processes can range from their development activities, and security practices, to taking key decisions with community participation

3. Liquidity

   1. How much liquidity the asset or the protocol has? This is especially critical in selecting an asset or protocol. Low liquidity can translate to higher risks.
   2. How much AUM does the DAOs’Community’s treasury have?

A lot of products have emerged that help with such research. A few of them are DeFiLllama, DeFi Safety, and Exponential Finance. Beyond this, there are a few things you can do as a user that can ensure the safety of your funds

1. Maintain Wallet Hygiene

   1. Don’t hold all your assets in a single wallet. Use a Hardware Wallet
   2. Never share your seed phrase or private key online or offline
   3. Maintain multiple backups of your seed phrase
   4. Ensure safety in the devices where your wallets reside, desktop, mobile, or browser.
   5. Be cautious about the dApps you’re interacting with and the kind of permissions you are allowing. Do a regular audit of the funds

2. Stay Informed - You can do all of these yet, if the dapp or protocol you interact with has been hacked, you can end up losing your funds. Stay aware of the happenings in the chain, assets, and protocols you use. You can use twitter for that.

Despite these risks, DeFi presents multiple opportunities for early adopters to not only grow their crypto assets but also get familiar with an emerging phenomenon that will reimagine how financial services are delivered in the coming years.