The Risks in DeFi Stack

Decentralized Finance or DeFi is a form of blockchain-based finance that offers financial services without any central intermediaries. What used to be a niche ecosystem with a TVL of less than $100 Million in the year 2017 grew to over $200 Billion at the peak of the last bull run in 2022. TVL or Total Value Locked is the value of the crypto assets locked in a DeFi smart contract. - Source The flip side of the tremendous growth is that it has become a honeypot for some of the most sophisticated hackers across the world. Billions of dollars have been lost to security vulnerabilities and economic failures. If you are a crypto believer, you can’t ignore the movement of Decentralized Finance. While the ecosystem is too nascent for us to identify all potential risks, a look at the DeFi stack can help us understand the different ways things can break and thus inform how we can go about participating in the ecosystem. None of what follows is financial advice. Neither will I claim to be an exhaustive list of risks in DeFi. Treat it more as a starting point and a framework for identifying different risks that may exist in a DeFi Investment Approach. The DeFi Stack We can look at the DeFi ecosystem as a combination of the following five layers. All DeFi protocols are deployed on a blockchain network. The blockchain network provides the computational platform for the execution of the smart contracts that power the DeFi service. Blockchain Networks - The tokens are the underlying assets that are used by the protocol to deliver a service. A Lending Protocol might enable the lending and borrowing of a particular crypto token to be used by traders as a form of leverage. A Decentralized Exchange might have a pool that allows users to swap one token for another. Crypto Tokens - DeFi Protocols are open-source computer programs that run on blockchain networks and provide financial services. Protocol - These are the web interfaces that users use to interact with the DeFi Protocols. Some wallets such as , , and offer in wallet integrations with Protocols too directly from the mobile. dApp Interface - Argent Coinbase Brew Money Cryptocurrency wallets hold the private keys that allow users to make payments, deploy and withdraw funds from defi protocols, and more. Wallets - Risks in Blockchain Network Layer Unlike popular perception, blockchains are not infallible. Security vulnerabilities can allow malicious actors to siphon off funds or take over control of the network. The 51% Attack A 51% Attack on a Blockchain Network is a scenario where one single entity or group has control over 50% of the network hash rate. The implication of this is that the group can censor transactions, and reorder and rewrite blocks leading to where a network participant can spend/utilize the same asset multiple times. double spending "Hashrate" refers to the total combined computational power that is being used to mine and process transactions on a Proof-of-Work blockchain, such as . - Bitcoin Source A 51% attack while complex and expensive to pull off is a risk that even mature blockchain networks such as Bitcoin have had to face at some point in time. Bitcoin’s reckoning with 51% Attack In 2014, ghash.io, a popular bitcoin mining pool for a brief duration of 24-48 hours had over 51% of Bitcoin’s hash rate. While GHash didn’t demonstrate any signs of malicious intent, it did raise debates on how bitcoin can avoid such scenarios of a pool or entity taking over 51% of the network’s hash rate. In this particular case, miners from the pool volunteered to move away from ghash. Moreover, ghash publicly vowed to limit its hash rate to 40% of the network’s hash rate. A is the pooling of resources by miners, who share their over a network, to split the reward equally, according to the amount of work they contributed to the probability of finding a . - mining pool processing power block Source Bitcoin hash rate is more widely distributed today. For instance, the last days of data for blocks mined look like the following. The largest mining pool makes up for 19% of the network’s hashrate. Pools Blocks % Unknown 259 41% AntPool 117 19% F2Pool 104 17% ViaBTC 55 9% Poolin 53 8% SlushPool 29 5% SBI 7 1% Solo 1 0% 51% Attacks on Ethereum Classic Ethereum Classic blockchain came into being after the infamous . It has a market cap of over $4 Billion. In August 2020 Ethereum Classic was and over $5 Million were siphoned off from the network through double-spending. The DAO Hack attacked three times Vulnerabilities in Blockchain Network Eventually, blockchain networks are powered by code and code can be buggy. In August 2010 an anonymous hacker was able to exploit a bug to . Bitcoin supply is supposed to be capped at 21 Million. The anomaly was detected by the Bitcoin community soon. Satoshi Nakamoto coded up a fix for the issue and rolled it out within 5 hours that soft forked the network to state before the faulty block was mined. create 184 Billion Bitcoin In technology, a soft fork is a change to the software protocol where only previously valid transaction blocks are made invalid. Because old nodes will recognize the new blocks as valid, a soft fork is backwards-compatible. This kind of fork requires only a majority of the miners upgrading to enforce the new rules. - blockchain Source In the recent past, Polygon, one of the leading scaling solutions for Ethereum and a sidechain, worth $ 2 million to a hack. Two white hat hackers reported the vulnerability and Polygon rolled out a fix within 48 hours. Polygon Foundation covered the money lost and paid out a sum of $3.5 Million in bounty to the two white hat hackers. lost over 800K Matic The Volatility in Crypto Assets Every asset class has inherent volatility. Crypto Assets more so. In stock markets, a 1% dip makes headlines and is reported as a crash. In crypto markets, it is fairly common to see such fluctuations in prices multiple times in a month. The above graph shows the trend of Bitcoin price volatility over time. While it may seem that over the years, the volatility is reducing a bit, but still, 5% up and down swings are not that uncommon. Volatility refers to . - Investopedia the amount of uncertainty or risk related to the size of changes in a security's value = Standard Deviation of the last 30 percentage changes in Total Return Price * Square-root of number of trading days 30-Day Rolling Volatility Token prices are a function of market perception. The perception can be based on how the specific project is doing or it can be more macro as in where the overall market is headed. For instance, the crypto market still has a very high correlation with bitcoin price. Whenever bitcoin price dips, we see people liquidating their other crypto assets bringing down the overall market. This is understandable considering even now bitcoin makes up almost 40% of the total crypto market. Earlier this year, in May, 2022 a wiped off $ 40 Billion from the market. Anchor Protocol was one of the most popular lending protocols on Luna that offered ~20% APY on US Terra Stablecoin deposits. While the protocol itself worked as it was supposed to, a known economical weakness in Luna ecosystem led to US Terra losing its peg to US Dollar. bank run on US Terra Stablecoin 1 US Terra = 3 cents as of now The Fault in the Protocols Security breaches, code exploits, and flash loan attacks led to the loss of billions of dollars in DeFi. As per , over $ 1.3 Billion were stolen in the first 3 months of 2022. Chainanalysis Security Breaches are instances when a hacker gains control of the private key or keys of wallets that have admin controls over the protocol. [The Ronin Hack](https://medium.com/uno-re/biggest-crypto-hack-of-all-time-a-breakdown-of-the-ronin-network-hack-ef8d9e25ba6b#:\~:text=The attacker discovered a backdoor,them using the stolen keys.) is one of the largest hacks in DeFi where allegedly a North Korean Hacking Group stole over $ 600 Million worth crypto tokens. Ronin is an Ethereum Sidechain developed and operated by Sky Mavis to support their popular play-2-earn game, Axie Infinity. Ronin Network has nine validators to process the transactions and as long as the majority of them approve a transaction it goes through. The catch was that the nine keys were controlled by just two entities. Sky Mavis had 4 keys and Axie DAO 5. However, Axie DAO had earlier provided Sky Mavis with access to sign transactions on its behalf for a short-term period. The access was never revoked. This miss allowed hackers to gain access to the majority of the keys and process the transactions. Code Exploits are faults in smart contracts that allow a hacker to siphon off funds. The where $610 Million worth of crypto assets were hacked ( ) is one of the largest hacks that happened due to code exploits. Polynetwork hack and later returned Polynetwork is a protocol that enables cross-chain assets transfer. In this particular case, the hacker was able to figure out a way to invoke a restricted smart contract that enabled them to take control of the wallets that held assets managed by Polynetwork and transfer them to a wallet they controlled. Frontend and DNS Exploits Users interact with DeFi protocols by connecting their wallet to a protocol through a web interface. In May 2022 a hacker was able to leverage a vulnerability in the DNS to inject a malicious smart contract on the , a leading DeFi protocol on Cronos chain, and diverted over $2 Million to their wallet. web interface for mm.finance The (i.e., “DNS”) is responsible for translating domain names into a specific IP address so that the initiating client can load the requested Internet resources. The domain name system works much like a phone book where users can search for a requested person and retrieve their phone number. - [Learn more](https://www.infoblox.com/glossary/domain-name-system-dns/#:~:text=The%20domain%20name%20system%20(i.e.,and%20retrieve%20their%20phone%20number.) domain name system Losing Private keys or Seed Phrase Cryptocurrency Wallets store the public key and the private key. The private key is used to access the fund and transfer them. The public key is your address. Private Keys or the more popular seed phrase where a 12 - 24 words phrase is used to generate the private keys. If a hacker is able to access your seed phrase or your wallet’s private keys, they can take over your assets. Malicious software on your computer or mobile, or phishing attacks that trick users into sharing their seed phrase on a website are some of the common ways in which hackers gain access to their seed phrase and steal assets in your wallet. In April 2022 an iPhone in his wallet when a hacker pretending to be an Apple representative tricked the user to share a secure code that was sent to the user’s number and use that to hack into their iCloud Account. From there on, they were able to access the user’s wallet seed phrase user lost crypto and NFTs Navigating DeFi Safely It is essential to practice caution when navigating DeFi considering the different risks that exist in the stack. As you delve into the DeFi Ecosystem, choosing the right platforms and ecosystems for your risk tolerance is a critical step. A few things to look for Track record How long has the blockchain or protocols been in existence? How have they performed in volatile market conditions? What has been the TVL's growth over time? What is the caliber of the core team working on the protocol or chain? Independent Audits Has it gone through independent security audits? How robust are their processes? Here processes can range from their development activities, and security practices, to taking key decisions with community participation Liquidity How much liquidity the asset or the protocol has? This is especially critical in selecting an asset or protocol. Low liquidity can translate to higher risks. How much AUM does the DAOs’Community’s treasury have? A lot of products have emerged that help with such research. A few of them are , , and . Beyond this, there are a few things you can do as a user that can ensure the safety of your funds DeFiLllama DeFi Safety Exponential Finance Maintain Wallet Hygiene Don’t hold all your assets in a single wallet. Use a Hardware Wallet Never share your seed phrase or private key online or offline Maintain multiple backups of your seed phrase Ensure safety in the devices where your wallets reside, desktop, mobile, or browser. Be cautious about the dApps you’re interacting with and the kind of permissions you are allowing. Do a regular audit of the funds You can do all of these yet, if the dapp or protocol you interact with has been hacked, you can end up losing your funds. Stay aware of the happenings in the chain, assets, and protocols you use. You can use twitter for that. Stay Informed - Despite these risks, DeFi presents multiple opportunities for early adopters to not only grow their crypto assets but also get familiar with an emerging phenomenon that will reimagine how financial services are delivered in the coming years. I’m the co-founder of where our goal is to make Defi accessible for everyone. Brew Money is a Non-Custodial Polygon Wallet that makes it simple for non-power users to earn yield on their crypto through blue chip DeFi protocols with self-custody. Brew Money