Understanding the Risks of DeFi
DeFi for Beginners | Part 2 of a 2-part series
Despite rapid growth in the DeFi space and its open-source ecosystem with the potential to democratise banking and finance, there are significant risks for participants to be aware of. Several projects have been vulnerable to hacks and theft of funds, which has led to safety questions about using DeFi products. Hacks in the DeFi space accounted for nearly 76% of all major hacks worldwide in 2021 so far, according to a report by security firm AtlasVPN. Analysts think that hackers will target DeFi more aggressively to exploit security lapses in new projects and inexperienced users.
This article discusses five risks that DeFi users would commonly face and how to navigate this evolving technology safely.
1. Smart Contract Risks
Smart contracts are coded agreements that are tamper-resistant and self-executing on a blockchain network. One of its benefits is reducing (or entirely mitigating) counterparty risk. But since the terms of a transaction in the smart contracts are written to minimise the risk of compensating for fraudulent claims by the financial institution, the transaction is irrevocable if you transfer funds to the wrong address or across the wrong network by mistake.
Another technology risk for smart contracts is oracles. Oracles are necessary to execute many smart contracts that rely on external data, providing information such as price feeds. But when those oracles falter or are compromised through malicious activity, it risks the intended execution of a smart contract.
2. Exploits and Vulnerabilities
Composability is one of the core features of DeFi. As mentioned in our previous article, the open-source code of DeFi works like Lego blocks that allow high interoperability for structuring contracts and assets. That means you can interact with protocols in creative combinations, stacking your activities on top of one another like building blocks. However, allowing interaction among protocols also increases the complexity and risk of creating a vulnerability.
Smart contracts can have bugs. As DeFi runs on pieces of code visible to everyone, technically-savvy people can observe bugs in the code and exploit them. While some bugs are revealed unintentionally, others result from deliberate attacks.
Extensive testing and best practice code audit, bug bounties, regular testings, and maintenance in the dApps should be conducted to mitigate the inevitable technology risk. Although these programs reduce the chances of exploits, they do not eliminate the risks. Nevertheless, whenever you are engaging in the DeFi ecosystem, you must be aware of the potential technology risks.
3. Market Risks
The crypto-asset market is volatile, and exposure to the underlying currency risk and derivative assets, such as protocols built on top of blockchains, comes with significant risk. Cryptocurrencies can crash overnight due to panic selling. Crypto asset hodlers can also suddenly wake up to a green market.
Regulators’ views and reactions to DeFi are also evolving rapidly. Long term, there remains significant uncertainty about the impact of regulation on DeFi as governments seek to find the right balance between the opportunities created by the technology and the potential risks they pose to the financial system.
4. Scams — Rug Pull
“Getting rugged” is a common phrase in the crypto space. A November 2021 study found that 50% of all token listings on Uniswap are scams. Hence, it is important to understand and know the projects you are looking to invest in.
A rug pull is an exit scam in which developers create a crypto project with malicious intent. They launched a new token, built a liquidity pool and paired the token with a stablecoin, say ETH or DAI. Then they marketed it to the broader crypto community so that investors would begin adding liquidity to the pool to earn a portion of transaction fees charged to traders who use it. They dump their tokens into the pool, withdraw all the stablecoin, syphoning off the investors’ money from the liquidity pool and then abandon the project. This action sends the newly created token price to near-zero, leaving investors holding worthless coins while the rug pullers walk away with a profit.
It is a massive red flag when just a few wallets control nearly half the circulating supply of a token. You can check the token distribution on a blockchain explorer — Etherscan for Ethereum — by clicking on a token contract’s “Holders” tab.
5. Impermanent Loss
Impermanent Loss (IL) is one of the common risks for liquidity providers in DeFi. Impermanent loss is when a liquidity provider has a temporary loss of funds because of volatility in a trading pair, which results in an unbalanced market and significantly lesser gain if you compare it to just holding your assets. Here is an excellent article by the Binance team explaining further about impermanent loss.
Since stablecoins have price stability, liquidity pools that utilise stablecoins can be less exposed to impermanent loss. Akropolis launched Vortex to help users generate sustainable yields while remaining market-neutral with a single asset USDC or BUSD as impermanent loss happens no matter which direction the price changes. Vortex fixes this by removing the directional price risk from the short position while maintaining the Funding Rate advantage, enabling users to generate market-neutral yields.
The DeFi space is not immune to theft and fraud. Hacks are an ever-present technology risk for DeFi users. Hackers can steal crypto assets under your nose, and crypto scams are not uncommon. It would help if you did your due diligence before participating in a DeFi application or protocol.
- You can start by looking into a project or token’s website, where it’s available to buy, its white paper or documentation, and its listed developers or founders. Vet the applications you’re exploring to ensure they are secure and audited. When assessing an application, you should check if the code is being shared publicly and peruse online forums to see if other people have raised security concerns.
- Your private keys — the string of letters and numbers similar to a password used to unlock access to cryptocurrency must remain undisclosed to the public. Many wallet options are available to store and secure your investments and private keys. With a non-custodial, or self-custody, wallet, you are in control of your private keys, and you own your cryptocurrency holdings. Though there are still risks, cold wallets or hardware wallets are widely considered the safest option to store private keys.
- Join their community group chat like Telegram or Discord. The team’s admin should be responsive within 24 hours (consider that the admin may be in a different timezone). It is important to remain sceptical when receiving irrelevant messages regarding your crypto wallet or technical support. Be aware of fake accounts claiming to be crypto influencers, celebrities or the team’s admin. The team’s admin or community managers will never message you first in most project community group chats.
Akropolis provides decentralised finance products that give users access to efficient and sustainable passive yield generation on multiple chains. As part of the Yearn ecosystem, Akropolis offers a range of optimised vaults, focusing on innovative products and strategies that don’t predominantly rely on inflationary emissions as the primary yield source and generate returns regardless of the market conditions.