What are the types of DEFI Risks?

The huge attraction of DEFI is that it empowers cryptocurrency holders to consume financial services typically only available to accredited investors while allowing them to retain control over their funds. The flipside of this autonomy is that users assume the risks usually borne by traditional intermediaries such as banks.

We can group the different types of DEFI risks into four main categories, which we’ll explore in detail below:

  • Technical risk
  • Asset risk
  • Procedural risk
  • Financial risk

Technical risks of DEFI

DEFI is programmable finance, so it is only as safe as the code that powers it. Unfortunately, Smart Contracts have proven to present a significant risk to end-users through poorly written and poorly considered code.

Because Smart Contracts execute automatically, cannot easily be paused or patched once deployed, and have public code, bad actors study them constantly for bugs they can exploit. A flaw in poorly written code can mean funds are drained from a DEFI protocol in minutes, with nothing the user can do.

DEFI recently suffered its biggest ever hack when, in March 2022, a bridge between the Ronin network – which supports Axie Infinity, a play-to-earn game – and Ethereum was exploited for the loss of over $600 million. Notably, that attack did not rely on a bug in the bridge contracts: the attacker obtained the private keys of five of the nine bridge validators, enough to authorise withdrawals. Key management and trust assumptions are as much a technical risk as the code itself.

Reputable DEFI services will engage Smart Contract auditors to check their code before it is deployed, but numerous hacks have still occurred despite the contracts being vetted in advance. An audit reduces risk; it does not eliminate it.

Even when the Smart Contracts function as intended, that logic can have unexpected consequences that put users’ funds at risk. The most traumatic event in Ethereum’s history – the DAO Hack back in 2016 – resulted in the blockchain forking into two separate chains, Ethereum and Ethereum Classic, because there was disagreement about how to deal with a hacker taking advantage of vulnerabilities in The DAO’s code.

On that occasion, the exploit was a reentrancy bug: the contract sent funds to the caller before recording that the balance had been paid out, so the recipient’s code could call back into the contract and withdraw again and again. It is just one of many ways a contract’s own logic can be turned against it.
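The reentrancy pattern described above, as an added example that is not part of the original article: a Python model of the EVM call flow, with a vulnerable vault that pays out before updating the caller’s balance, an attacker whose receive hook re-enters withdraw(), and a hardened vault that applies the checks-effects-interactions order plus a reentrancy lock. The amounts and actors are constructed for illustration.

```python
"""Reentrancy, modelled in Python (added example; not code from the article or The DAO).

The 'vault' plays the role of the contract, 'receive' plays the role of the recipient's
fallback code that the EVM runs when ether arrives, and Revert models a failed
transaction whose state changes are discarded."""


class Revert(Exception):
    """Models an EVM revert: the transaction fails and its state changes are undone."""


class VulnerableVault:
    """Interaction before effect: sends funds, then zeroes the balance."""

    def __init__(self):
        self.balances = {}  # depositor object -> credited amount
        self.ether = 0      # total ether the contract holds

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.ether += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise Revert("nothing to withdraw")
        # BUG: the external call happens while balances[who] is still non-zero,
        # so the recipient's code can call withdraw() again from inside receive().
        self.ether -= amount
        who.receive(self, amount)
        self.balances[who] = 0


class SafeVault(VulnerableVault):
    """Checks-effects-interactions plus a mutex, the post-DAO Solidity practice."""

    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who):
        if self._locked:
            raise Revert("reentrant call")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                raise Revert("nothing to withdraw")
            self.balances[who] = 0      # effect first ...
            self.ether -= amount
            who.receive(self, amount)   # ... external interaction last
        finally:
            self._locked = False


class HonestUser:
    def __init__(self):
        self.wallet = 0

    def receive(self, vault, amount):
        self.wallet += amount


class Attacker(HonestUser):
    """Receive hook re-enters withdraw() until the vault cannot pay another round."""

    def receive(self, vault, amount):
        self.wallet += amount
        if vault.ether >= amount:
            vault.withdraw(self)


def run_withdraw(vault_cls, user):
    """One transaction: a bystander holds 10 ether in the vault, `user` deposits 1 and
    withdraws. Returns (user_wallet, vault_ether, reverted). A revert restores the
    pre-transaction state, as the EVM does."""
    vault = vault_cls()
    bystander = HonestUser()
    vault.deposit(bystander, 10)
    vault.deposit(user, 1)
    snapshot = (dict(vault.balances), vault.ether, user.wallet)
    try:
        vault.withdraw(user)
        return user.wallet, vault.ether, False
    except Revert:
        vault.balances, vault.ether, user.wallet = dict(snapshot[0]), snapshot[1], snapshot[2]
        return user.wallet, vault.ether, True


if __name__ == "__main__":
    print("vulnerable vault, attacker:", run_withdraw(VulnerableVault, Attacker()))  # drained
    print("safe vault, attacker:     ", run_withdraw(SafeVault, Attacker()))        # reverted
    print("safe vault, honest user:  ", run_withdraw(SafeVault, HonestUser()))      # normal
```

Against the vulnerable vault the attacker deposits 1 ether and walks away with all 11; against the hardened vault the re-entrant call trips the lock, the whole transaction reverts and the bystander’s 10 ether stay put, while an honest withdrawal still succeeds.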

The problems of Smart Contract bugs and vulnerabilities are compounded by the fact that DEFI is open source, leading to the common practice of wholesale copying of Smart Contracts. A bug in a widely forked contract is inherited by every copy, so one flaw can surface across many protocols.

DEFI risks from dApps

Smart Contracts can be thought of as the backend of DEFI, while dApps are the frontend, the actual websites and apps that allow users to interact with the Smart Contract through a User Interface. dApps are equally at risk from malicious actors looking to inject malicious scripts or tamper with frontend code to siphon off funds, because a compromised frontend can present users with transactions that are not what they think they are signing.

The hack of Badger DAO in December 2021 is an example of this. The frontend application was compromised with injected code that prompted users to approve token allowances to an attacker-controlled address when interacting through their crypto wallets, resulting in losses of around $120 million. The Smart Contracts themselves were not exploited; users signed the transactions that drained them.

Wallets represent another technical risk vector within DEFI that falls squarely under the user’s responsibility. Firstly, there is the risk of granting dApps broad permissions to access funds, as in the Badger example above. 

Then there is the general security risk associated with using a hot wallet – hot meaning that its keys live on an internet-connected device. The most commonly used hot wallet in DEFI is MetaMask, which is non-custodial, meaning that the user is fully responsible for protecting funds through a recovery Seed (the seed phrase from which every key in the wallet is derived).

Hackers will use all means to access the Seed, either by planting malware on the user’s device or by using social engineering to trick them into sharing it. No legitimate dApp or support desk ever needs your Seed. To mitigate the wallet-specific risks of DEFI, users should employ thorough infosec practices:

  • Automatically updating browser & OS software
  • Using virus scanning software
  • Never clicking on unsolicited links or attachments
  • Using strong, unique passwords & email addresses specific to crypto

The most robust mitigation against the risks associated with Hot Wallets is to use them in conjunction with a Cold Wallet, such as a hardware wallet: the private keys stay on the device and never touch the browser, with MetaMask acting only as the interface that passes transactions to the device for signing when a connection to a DEFI dApp is required.

According to Chainalysis, 97% of all cryptocurrency stolen in the first three months of 2022 was taken from DEFI protocols.

Asset-based risks with DEFI

One of the most popular DEFI services is the Decentralised Exchange (DEX), allowing users to swap crypto-pairs while completely controlling their funds and identity. Most DEXs are automated market makers: prices are set by a formula over the pool’s reserves rather than by an order book, with users adding liquidity into pools of asset pairs and earning trading fees in return.

Given the volatility of assets and varying amounts of liquidity, swapping two coins using a DEX exposes you to the risk of slippage. Slippage is the difference between the quoted price and the price you actually get. It comes from two sources: your own trade moves the pool’s price (the larger the trade relative to the pool, the worse the price), and other transactions can execute ahead of yours and change the reserves before it lands. Most DEX interfaces let you set a maximum slippage tolerance, and setting it generously makes you an easy target for front-running.

Those providing liquidity are also exposed to another DEFI risk that stems directly from asset volatility, described by the euphemism impermanent loss.

Impermanent Loss is the shortfall between the value of funds added to a liquidity pool and what the same tokens would be worth had you simply held them, caused by the pool rebalancing your share as prices move. It is a consequence of the automated pricing formula and of the volatility of the asset pair.

It’s impermanent because it is only realised when withdrawing funds, and it shrinks again if prices return to where they were when you deposited. On withdrawal you receive your proportional share of whatever the pool now holds, not the quantities you originally deposited, so after a price move you get back more of the asset that fell and less of the one that rose. Relative to holding, impermanent loss is always a loss, whichever direction prices move; the trading fees earned are what can offset it, and the position can still be up in absolute terms if prices rose overall.
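The slippage and impermanent-loss points above, worked through in code. This is an added example, not material from the article: it models a constant-product pool (x · y = k, the Uniswap v2 design) with a 0.3% swap fee, quotes a swap against the spot price to measure slippage, and computes what a liquidity provider gets back after a price move compared with simply holding. The ETH/USDC reserves and trade sizes are constructed for illustration.

```python
"""Constant-product AMM model: slippage and impermanent loss (added example).

Assumptions: a pool of asset A priced in asset B, reserves x and y with x * y = k held
constant across swaps, and a 0.3% fee taken on the input side as in Uniswap v2."""

FEE = 0.003  # 0.3% swap fee (assumption for the example)


class ConstantProductPool:
    def __init__(self, reserve_a, reserve_b):
        self.a = float(reserve_a)
        self.b = float(reserve_b)

    def spot_price(self):
        """Quoted price of one A in units of B before any trade moves the reserves."""
        return self.b / self.a

    def quote_swap_a_for_b(self, amount_a):
        """B received for selling amount_a, keeping a * b constant after the fee."""
        a_in = amount_a * (1 - FEE)
        return self.b - (self.a * self.b) / (self.a + a_in)

    def swap_a_for_b(self, amount_a):
        out = self.quote_swap_a_for_b(amount_a)
        self.a += amount_a
        self.b -= out
        return out


def slippage(pool, amount_a):
    """Fraction by which the executed price falls short of the quoted spot price.
    Includes the fee and the trade's own price impact (not other users' trades)."""
    executed_price = pool.quote_swap_a_for_b(amount_a) / amount_a
    return 1 - executed_price / pool.spot_price()


def impermanent_loss(price_ratio):
    """LP value relative to holding when the A/B price moves by price_ratio
    (2.0 = doubled, 0.5 = halved). Zero at 1.0, negative everywhere else."""
    r = price_ratio
    return 2 * r ** 0.5 / (1 + r) - 1


def lp_position_after_move(reserve_a, reserve_b, price_ratio, share):
    """Tokens an LP holding `share` of the pool receives after arbitrage moves the pool
    to the new price. Returns (a_out, b_out, hold_value_in_b, lp_value_in_b)."""
    k = reserve_a * reserve_b
    new_price = (reserve_b / reserve_a) * price_ratio
    new_a = (k / new_price) ** 0.5          # arbitrage restores a * b = k at the new price
    new_b = k / new_a
    a_out, b_out = share * new_a, share * new_b
    hold_value = share * (reserve_a * new_price + reserve_b)
    lp_value = a_out * new_price + b_out
    return a_out, b_out, hold_value, lp_value


if __name__ == "__main__":
    # Constructed pool: 100 ETH against 200,000 USDC, spot price 2,000.
    pool = ConstantProductPool(100, 200_000)
    for size in (0.1, 10):
        print(f"sell {size} ETH: slippage {slippage(pool, size):.2%}")
    # An LP with 10% of the pool after ETH doubles to 4,000.
    a_out, b_out, hold, lp = lp_position_after_move(100, 200_000, 2.0, 0.10)
    print(f"LP gets {a_out:.2f} ETH + {b_out:.0f} USDC = {lp:.0f} vs holding {hold:.0f}")
    print(f"impermanent loss at 2x: {impermanent_loss(2.0):.2%}")
```

Selling 0.1 ETH into this pool costs well under 1% in slippage; selling 10 ETH, a tenth of the reserves, costs over 9%. The same move that doubles ETH leaves the LP holding fewer ETH and more USDC than they deposited, worth about 5.7% less than if they had held, which is exactly what the closed-form impermanent_loss(2.0) returns.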

Though impermanent loss might sound confusing, it is just the tip of the iceberg regarding the complexity and risk of DEFI. Flash loans are the clearest example of how deep the DEFI rabbit hole can go.

A flash loan is a way to borrow crypto funds from a lending pool without collateral, provided the borrowed amount plus a fee is returned within the same transaction.

If the funds are not returned by the end of that transaction, the whole transaction reverts and every action inside it is undone as if it never happened. The borrower still pays the gas for the failed attempt.

If the funds are returned, the lending pool the funds were borrowed from doesn’t lose out, because repayment is enforced atomically before the transaction can complete. The person who took out the Flash Loan then gets to keep whatever value they were able to generate across a complex series of transactions, net of the loan fee and the transaction costs associated with each step in the chain.

Flash Loans use custom-written Smart Contracts to capture arbitrage within the DEFI ecosystem – price differences across tokens, exchanges and lending pools. Arbitrage is a natural part of how financial markets mature. Still, Flash Loans are also being used to manipulate and distort crypto asset prices: a single transaction can move the price in a thinly traded pool for as long as it lasts, which becomes an attack when another protocol reads that pool as its price oracle. This generates massive returns for those with the skills to understand the dark side of DEFI.
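The flash loan mechanics described above, as an added example that is not part of the original article: a Python model of a lending pool that hands out funds, runs the borrower’s strategy, and enforces repayment plus fee inside the same transaction, reverting everything if the check fails. The 0.09% fee, the two venue prices and the gas figure are constructed for illustration, and gas is charged whether or not the transaction succeeds.

```python
"""Flash loan atomicity, modelled in Python (added example; not code from the article
or any lending protocol).

The lending pool, the borrower's strategy and the repayment check all run inside one
transaction; a failed check reverts the pool to its pre-transaction state."""

FLASH_FEE = 0.0009  # 0.09% flash loan fee (assumption for the example)


class Revert(Exception):
    """Models a transaction revert: all state changes are discarded."""


class LendingPool:
    def __init__(self, liquidity):
        self.liquidity = float(liquidity)

    def flash_loan(self, amount, strategy):
        """Lend `amount`, run `strategy(amount)`, which returns what the borrower holds
        afterwards, then take back principal plus fee. Returns the borrower's surplus."""
        if amount > self.liquidity:
            raise Revert("insufficient liquidity")
        owed = amount * (1 + FLASH_FEE)
        self.liquidity -= amount
        proceeds = strategy(amount)          # the borrower's trades happen here
        if proceeds < owed:
            raise Revert(f"repaid {proceeds:.2f} < owed {owed:.2f}")
        self.liquidity += owed               # pool is whole again, plus the fee
        return proceeds - owed


def execute_transaction(pool, amount, strategy, gas_cost):
    """Run the flash loan as one atomic transaction.
    Returns (borrower_net_profit, pool_liquidity, reverted)."""
    snapshot = pool.liquidity
    try:
        profit = pool.flash_loan(amount, strategy)
        return profit - gas_cost, pool.liquidity, False
    except Revert:
        pool.liquidity = snapshot            # every state change is undone ...
        return -gas_cost, pool.liquidity, True  # ... but the gas is still spent


def make_arbitrage(buy_price, sell_price):
    """Strategy: buy ETH with the borrowed USDC at one venue, sell it at another.
    Fixed venue prices are a simplification; a real trade would move them."""
    def strategy(borrowed_usdc):
        eth = borrowed_usdc / buy_price
        return eth * sell_price
    return strategy


if __name__ == "__main__":
    pool = LendingPool(1_000_000)
    # Constructed prices: ETH at 1,990 on one venue and 2,010 on another.
    print(execute_transaction(pool, 1_000_000, make_arbitrage(1990, 2010), gas_cost=50))
    # Spread too thin to cover the fee: the loan reverts and the pool is untouched.
    print(execute_transaction(pool, 1_000_000, make_arbitrage(2000, 2000.5), gas_cost=50))
```

With a 1% spread the borrower nets about 9,100 USDC on a million-dollar loan they never owned, and the pool ends up 900 USDC richer. With a 0.025% spread the proceeds fall short of principal plus fee, the transaction reverts, the pool’s liquidity is exactly what it was, and the borrower is out only the gas.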

Chainalysis reported that $364million was stolen via Flash Loan attacks on DEFI protocols in 2021.

Procedural Risks of DEFI

Some of the risks within DEFI relate specifically to the processes and procedures required to access dApps or their absence. 

Given that DEFI requires no KYC or account creation, the only gate between you and a service is what you sign. Hitting ‘Connect’ merely lets the dApp see your address; the transactions it then asks you to confirm are what grant it power over your funds, so review each one before approving.

Pay particular attention to token approvals. An ERC-20 ‘approve’ grants a contract the right to spend your tokens up to a limit, and dApps commonly request an unlimited allowance for convenience. Every such allowance is a standing permission that survives until you revoke it, which is exactly what the Badger frontend attack abused. Approve only what a transaction needs, remove any access rights when you stop using a service, and make it part of your routine to review your wallet connections and outstanding approvals regularly.
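The approval check described above, as an added example that is not part of the original article: a small decoder for the raw transaction data a wallet shows before you sign. It recognises the standard ERC-20 approve and increaseAllowance selectors (the latter is the call the Badger frontend injected), plus transfer and the ERC-721/1155 setApprovalForAll, extracts the spender and amount, and flags unlimited allowances. The spender address and amounts in the sample calldata are constructed; the four selectors are the real ones for those standard function signatures.

```python
"""Decode ERC-20 / ERC-721 approval calldata before signing it (added example).

Calldata layout: a 4-byte function selector (first 4 bytes of keccak256 of the canonical
signature) followed by 32-byte ABI-encoded arguments. Addresses occupy the low 20 bytes
of their word; uint256 amounts are big-endian in the full word."""

UINT256_MAX = 2 ** 256 - 1

# Standard selectors for the standard signatures (these values are well known).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}


def decode_calldata(calldata_hex):
    """Return a dict describing the call, or raise ValueError on malformed input."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    if len(data) < 8 or (len(data) - 8) % 64 != 0:
        raise ValueError("malformed calldata: selector plus whole 32-byte words expected")
    selector, words = data[:8], data[8:]
    args = [words[i:i + 64] for i in range(0, len(words), 64)]
    signature = SELECTORS.get(selector)
    if signature is None:
        return {"function": f"unknown selector 0x{selector}", "args": args}
    if len(args) != 2:
        raise ValueError(f"{signature} expects 2 arguments, got {len(args)}")
    if args[0][:24] != "0" * 24:
        raise ValueError("address word has non-zero padding")
    target = "0x" + args[0][24:]
    if signature.startswith("setApprovalForAll"):
        approved = int(args[1], 16) == 1
        # Operator approval covers every token in the collection: treat as unlimited.
        return {"function": signature, "spender": target, "approved": approved,
                "unlimited": approved}
    amount = int(args[1], 16)
    return {"function": signature, "spender": target, "amount": amount,
            "unlimited": amount == UINT256_MAX}


def assess(decoded, decimals=18):
    """One-line verdict a user can act on before clicking Confirm."""
    fn = decoded["function"]
    if fn.startswith("unknown"):
        return "UNKNOWN call: do not sign unless you can verify the contract's ABI"
    if fn.startswith("transfer"):
        return f"transfers {decoded['amount'] / 10 ** decimals:g} tokens to {decoded['spender']}"
    if decoded["unlimited"]:
        return (f"UNLIMITED allowance for {decoded['spender']}: it can move your entire "
                f"balance at any time until revoked")
    return f"allows {decoded['spender']} to spend up to {decoded['amount'] / 10 ** decimals:g} tokens"


def encode_two_word_call(selector, address_hex, value):
    """Build sample calldata (used only to construct test inputs)."""
    addr = address_hex.lower().replace("0x", "").rjust(64, "0")
    return "0x" + selector + addr + format(value, "064x")


# Constructed samples: a hypothetical spender address, not a real contract.
SPENDER = "0x" + "11" * 20
SAMPLE_UNLIMITED_APPROVE = encode_two_word_call("095ea7b3", SPENDER, UINT256_MAX)
SAMPLE_INCREASE_1000 = encode_two_word_call("39509351", SPENDER, 1000 * 10 ** 18)

if __name__ == "__main__":
    for sample in (SAMPLE_UNLIMITED_APPROVE, SAMPLE_INCREASE_1000):
        print(assess(decode_calldata(sample)))
```

Paste the data field from the wallet’s confirmation dialog into decode_calldata and read the verdict: an allowance of 2^256 - 1 means the spender never needs to ask again.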

You should also become familiar with the charges for interacting with DEFI applications, paid in something called gas, which is separate from the cost of simply sending cryptocurrency. Each approval, deposit, claim and withdrawal is its own transaction with its own fee, and a failed transaction still costs gas. There is a real risk that the returns you make through DEFI are net negative once you factor in all the associated gas and the opportunity cost.

Certain DEFI services may require you to commit your funds for a minimum period (bonding) and apply restrictions when you want to withdraw (unbonding). Bonding and unbonding are commonly misunderstood aspects of DEFI, carrying the risk of your funds being tied up when you may desperately need access to them.

There are no specific regulations that govern how DEFI services work, so you should be constantly vigilant, but there is a real risk that the ongoing nature of DEFI scams and hacks will push regulators to act. 

Financial Risks of DEFI

DEFI’s unique selling point, the absence of intermediaries and ease of access, is also the source of risk. One of the main justifications for how traditional finance restricts access to financial services is to protect users from danger, whether that is explicit from bad actors or implicit from not being equipped to understand the risk.

DEFI has no such protection. There is no guarantee against the loss of funds and there are no tests to establish whether you understand the risks involved in DEFI. The only way to mitigate the risk of getting involved in something you don’t understand is to do your own research (DYOR). This is one of the central mantras of crypto and should extend to: 

  • researching the promises that DEFI services make in terms of outsized returns
  • understanding the fees charged by DEFI services
  • being aware of the dangers of rug pulls

The non-existent returns within traditional finance push people to explore other means of generating wealth. DEFI represents a huge range of opportunities across a risk spectrum, from modest and low-risk returns on Stablecoins to triple-digit APYs for farming meme coins. And though DEFI is a new world, some of the fundamental rules of analogue finance still apply – if something seems too good to be true, it probably is. 

Before diving into high-yielding DEFI practices, learn about tokenomics, as this will give you the tools to understand whether high-yields can be justified.

Given how little recourse DEFI offers once funds are gone, your research needs to extend to the teams behind projects and their track record. The absence of regulation encourages a particular type of crypto scam known as a Rug Pull.

A Rug Pull is a DEFI service that may appear legitimate but is created to con users out of their funds. When the time is right, the service is shut down without warning, with the creators disappearing with all the funds.

Chainalysis estimated that rug pulls accounted for 37% of all crypto scam revenue in 2021, at a value of $2.8bn.
