The decentralized finance (DeFi) space has grown exponentially over the last year, going from $540 million in total value locked in March of last year to over $43.6 billion at the time of writing.
Its growth has brought new opportunities to users, developers, and the industry in general, but has also brought new risks that investors may not be aware of but must endure nonetheless.
Most DeFi protocols are built on top of the Ethereum blockchain. Ethereum is the number two cryptocurrency by market capitalization, second only to Bitcoin itself, and has allowed blockchain projects to become more programmable through the use of Turing-complete smart contracts.
Smart contracts are essentially self-executing contracts. The code written within these contracts allows for pre-defined transactions and agreements to be carried out automatically among pseudonymous parties within the defined parameters and without any counterparty risk.
These self-executing contracts were first proposed in 1994 by Nick Szabo, the creator of Bitcoin’s predecessor “Bit Gold,” and allowed for the creation of numerous decentralized applications that brought new opportunities for cryptocurrency users. It’s now possible to mint algorithmic stablecoins, lend out funds and take out crypto-backed loans, just to name a few.
Decentralized exchanges with decentralized governance models were made possible by these smart contracts on Ethereum, creating a new digital land of opportunity which has now expanded into many other smart contract platforms like Binance Smart Chain, Polkadot, and Avalanche.
Protocols like Aave, Compound, Uniswap, and 1Inch.exchange allow users to earn interest on their funds and trade crypto assets and even complex instruments like decentralized derivatives.
All of these new and exciting products have generated the aforementioned sector known as DeFi, which is taking the financial world by storm and giving traditional finance a run for its money.
This new land of opportunity is, as mentioned, governed by lines of code written by smart contract developers. While most are open-source and even peer-reviewed and audited, others are not. Oftentimes, even audited code contains vulnerabilities that open up unknown attack vectors, leading to massive losses for companies and users.
Ethereum smart contract vulnerabilities can have disastrous consequences. While protocols like Aave are run by professionals and regularly audited, security vulnerabilities could still see hackers steal millions worth of crypto assets and undermine investors’ confidence in the protocol, leading to permanent losses for users or the company and to price volatility.
These vulnerabilities derive from the complexity of Ethereum’s native smart contract language and its account-based system which, in contrast to Bitcoin’s UTXO system, is much more flexible and, as such, prone to additional vulnerabilities and attack vectors.
Since Solidity and other smart contract languages are novel and extremely complex, developers can’t always be blamed for these vulnerabilities.
There are over 80 DeFi platforms built on top of Ethereum, with new ones being launched every week. The smart contracts they rely on are bound to have vulnerabilities, especially if they are not properly written and audited.
An investigation conducted by CyberNews found that nearly 3,800 Ethereum smart contracts had vulnerabilities that would allow bad actors to steal at least $1 million in crypto assets. The investigation also showed that there were a total of 13 different vulnerability types, with four high-severity ones ready to be exploited by malicious hackers.
A popular smart contract platform, Avalanche, saw a vulnerability exploited earlier this year. High traffic due to the launch of a new decentralized exchange, Pangolin, triggered an error that led to an invalid mint, which in turn led to widespread panic.
Other high-profile platforms including Solana, Flow, Zilliqa, and Fantom have also been found to have errors within their contracts, as detailed by Messari founder Ryan Selkis via Twitter.
The first and most disastrous smart contract bug occurred in 2016. The Decentralized Autonomous Organization (DAO) ran on smart contracts and raised over $150 million at the time.
An unknown attacker managed to drain the ether collected from its crowdfunding, stealing over $150 million worth of ETH at the time.
In total, 3.6 million ETH were drained from The DAO’s wallets. Those tokens are now worth over $6.4 billion. The hack led to a contentious hard fork that split the network in two: Ethereum and Ethereum Classic.
While some agreed it was best to mitigate the damage and move the funds to addresses that their original owners could access, others argued the immutability of the blockchain could not be interfered with, leading to a technological and ideological split within the community.
The original Ethereum blockchain, now known as Ethereum Classic, left the tokens stolen from the DAO in the hands of the hacker, choosing immutability, while Ethereum allowed the community to vote and returned the funds to their original owners, putting the consensus of the blockchain first.
Ethereum smart contracts can be vulnerable; this has been shown over and over again. The risk in the DeFi sector is, however, heightened by composability. DeFi, as CryptoCompare defines it, can be seen as “lego money.” dApps can be combined with other dApps to build new applications greater than the sum of their parts because every app is public, open-sourced, and can be forked and developed on top of.
When we factor in composability, smart contract risk becomes worse as one application may leverage several others. If a vulnerability is exploited in one, the effects could be felt across the space. Flash loans are an example of how composability may affect every protocol.
While the complexity of the DeFi space can, at times, feel overwhelming, solutions are currently being worked on. One of these solutions is decentralized insurance, allowing investors to insure their funds invested in DeFi protocols.
These include Cover Protocol and Nexus Mutual, the latter of which has even had one of its team members hacked (which is somewhat ironic).
Another solution is completely re-thinking the way smart contracts work. A great example of this is the Radix Engine development environment, which uses finite state machines that are specifically designed to produce predictable results on the blockchain.
Finite state machines completely change the programming environment and execution environment, allowing developers to achieve more, and to do so more safely, than with Turing-complete smart contracts. They help avoid unexpected outcomes by more closely modeling real-world expectations for financial applications and tokens.
Components allow users to define what the contracts do via “Actions”, which make smart contract behavior easier to reason about, design and analyze.
These Actions allow for the creators of transactions to use Components in order to define predictable outcomes and create guard rails that ensure smart contract vulnerabilities or composability are not a problem. Users would, essentially, be able to define what is possible with a transaction.
Composability using Components would see each application work as a gear in a gearbox. If all gears work to turn together, a transaction is successful. If not, a transaction would fail and users’ funds would not leave the users’ hands.
For example, imagine a user transacting in a Component with Actions defining a swap with another user. If the swap were instead presented with a different user, the guard rail would kick in, as this was not defined in the transaction’s Actions.
When a hacker tried to move funds out of a protocol, not all gears would connect and the funds would stay where they are.
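The guard-rail idea described above can be sketched as a toy model; this is an added example, not Radix Engine code or its API. All names here (`Transfer`, `swap`, `execute`, `try_execute`) and the sample ledger are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    sender: str
    receiver: str
    asset: str
    amount: int

class GuardRailViolation(Exception):
    pass

def swap(a, asset_a, amt_a, b, asset_b, amt_b):
    """The Actions a user declares for a two-party swap (both legs)."""
    return [Transfer(a, b, asset_a, amt_a), Transfer(b, a, asset_b, amt_b)]

def execute(ledger, declared, proposed):
    """Apply `proposed` atomically, only if it matches the declared Actions.

    ledger:   {(owner, asset): balance}
    declared: transfers the transaction creator defined up front
    proposed: transfers the invoked components actually attempt
    """
    allowed = list(declared)
    staged = dict(ledger)  # work on a copy: a failure changes nothing
    for t in proposed:
        if t not in allowed:
            raise GuardRailViolation(f"undeclared transfer: {t}")
        allowed.remove(t)  # each declared Action may be used once
        if t.amount <= 0 or staged.get((t.sender, t.asset), 0) < t.amount:
            raise GuardRailViolation(f"insufficient funds: {t}")
        staged[(t.sender, t.asset)] -= t.amount
        key = (t.receiver, t.asset)
        staged[key] = staged.get(key, 0) + t.amount
    if allowed:  # every gear must turn, or the transaction fails
        raise GuardRailViolation(f"declared Actions not performed: {allowed}")
    return staged

def try_execute(ledger, declared, proposed):
    """Return (ok, ledger); on any violation the original ledger is returned."""
    try:
        return True, execute(ledger, declared, proposed)
    except GuardRailViolation:
        return False, ledger

# Constructed sample data: alice swaps 1 ETH for 2000 DAI with bob.
LEDGER = {("alice", "ETH"): 10, ("bob", "DAI"): 5000}
DECLARED = swap("alice", "ETH", 1, "bob", "DAI", 2000)
# A faulty component tries to send alice's ETH to a different user.
REDIRECTED = [Transfer("alice", "mallory", "ETH", 1), DECLARED[1]]
```

Running `try_execute(LEDGER, DECLARED, REDIRECTED)` reports failure and returns the ledger unchanged, while the declared swap settles both legs together.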
As we’ve seen, there are many ways to bring security and transparency to DeFi. To ensure users are safeguarded, the community must ensure education is accurate and widespread.