Staying safe in defi and how to not get rekt
What’s a crypto samurai to do to stay SAFU?
It’s been a rough couple of weeks for Binance Smart Chain, and crypto in general, with large projects getting rugged, exploited or accidentally losing users’ funds left, right and center, all in the middle of one of the biggest market corrections in history.
In times like these, what’s a crypto samurai to do to stay SAFU?
Here’s a bit of what I’ve learned.
HODL. Don’t trade. Don’t leverage.
Trading is the fastest way to get rekt.
I run arbitrage/market making/liquidation/etc bots, both on-chain and on CEXs. Humans have no chance against bots. They react in milliseconds. They will front-run you, sandwich-attack your transactions… even when you think you are winning, they are taking a big chunk of your profits. You just have no idea. Then the market moves and you get liquidated.
Humans also have a huge tendency to buy high and sell low. We are emotional creatures driven by fear and greed. Who wins? Bots, exchanges, brokers, banks...
If you believe in a token/project/company, just buy and HODL. Sell when you no longer believe.
Bias towards large caps and liquidity
When evaluating risk and return, I value large capitalization and liquidity across the board. The larger the capitalization and liquidity, the lesser the potential for manipulation, and the more accurate the market’s pricing will be — I can be more confident taking on positions with lower levels of research and due diligence.
Avoid low caps/exotics/derivatives. Whether tradfi or defi. Unless you really know what you’re doing and have done extreme DYOR. If you don’t know what you’re doing, improper DYOR will likely hurt more than help you.
Diversify. Manage your risk.
Don’t hold everything in crypto. Hold tradfi — shares, property, a bit of cash. Buy large cap growth/tech equities. Balance it with some (large cap, as always) value/income stocks. Maybe a touch of art, wine, watches, cars...
Again, avoid low caps/exotics/derivatives. Unless you are a bank/salesperson/broker, you are almost guaranteed to be on the wrong side of that trade.
Chains, projects, CEXs (centralized exchanges)
Hold the megacaps — BTC, ETH, BNB. Spread it out over multiple chains and projects. Hold less in CEXs, and spread them out if you can. Again, always favour the large caps.
Don’t hold everything in 1 wallet.
Use hardware wallets. Keep backup hardware wallets.
If possible, use devices exclusively for crypto. That is, use phones, tablets, computers that are only used for crypto and nothing else. Split wallets/keys between the devices and don’t mix/share them.
Do your own research.
But be realistic about how much you really know.
DYOR will only get you so far. Again, if you don’t know what you’re doing, this tends to hurt you more than help you. Take your time to really understand how things work. Then take a breath and DYOR some more.
“Verify, don’t trust” is kind of rubbish. I write code for a living, do I perform a comprehensive smart contract review/audit of the projects I invest in? Am I qualified to? Probably not. Some of the most well-audited projects have been exploited and hacked. These are audits done by large teams of seasoned security experts. What chance do I have of catching something they missed? What chance do you?
You need to trust the devs.
The biggest vulnerability for most projects I feel is not even in the smart contracts, but in the UI/dapps. Many projects tend to have poor opsec around their websites and UI, and there are so many attack vectors to secure. I’m surprised these have not been more widely exploited. All it takes is for an exploiter to change the approval address on the website and they can take all your tokens.
PancakeSwap and C.R.E.A.M. got their sites taken over by hackers in March. This could have been so much worse if the attackers had been more sophisticated and more subtle about the changes they made. How many users actually check and verify the address they are approving tokens to? Do this if you can, and use tools like unrekt to help. I believe there will be a wave of these type of attacks coming soon, resulting in much bigger losses to users.
When you see 4+ digit APYs on the newest hyped projects, ask yourself — where does the yield come from? Is it sustainable? What value is being created by this project? Is there any longevity? When there is no clear answer then the project is likely a pure-farm/ponzi/degen play.
Yes, some people make money from them. But it’s a zero sum game. So unless you’re a master manipulator/pump and dumper with a strong following on Telegram and Twitter… There’s better ways to make money.
Who can you trust then?
Again, favour large capitalization and liquidity. How long have they been around? Who are they affiliated with? Have they been exploited/hacked before? Have they accidentally lost users’ funds before?
If they are owned by Binance, chances are they will be able to do things like inject 2,000 BTC and 2,000 ETH of their own funds into their protocol within an hour of an exploit happening to contain the damage, and do it again when the same thing happens a few months later.
If they are properly affiliated/listed with Binance and/or other large reputable exchanges/companies/projects this would already indicate some level of due diligence having been done.
Does not mean things can’t still go wrong though.
Flash loans, exploits, and ACryptoS
We are now being asked countless times on our Telegram: “Is ACryptoS vulnerable to flash loan attacks? With all these attacks happening, what preventative measures are you taking so you don’t get exploited?”
We haven’t done anything.
There have been so many flash loan attacks from way before BSC even existed. They all essentially use a flash loan to manipulate some sort of pricing that a protocol incorrectly uses — it could be to calculate a reward or to price a deposit/withdrawal, etc. We have always been cognizant of this and have taken special care from the start not to rely on any external pricing in our smart contracts. The only place we may possibly be exposed is when we harvest the Vaults and sell the harvested tokens — but the exposure is minimal, limited only to the amounts harvested.
Does this mean we are invulnerable to flash loan attacks? Can we guarantee we won’t get exploited? It would be foolhardy of me to say yes.
However, I can say the ACryptoS approach has always been a bit different, with a prevailing focus on safety and sustainable tokenomics. As always, DYOR and proceed with caution.