What Makes a Protocol Safe? Quick Tips for Deciphering Real dApps from Scams

With new DeFi applications coming out nearly every week, it’s important to understand when a project is a legitimate and safe investment. In this article, I will outline several tips to improve your research process when looking to find secure DeFi investments.

A basic rule of thumb for all of these tips: if any of this information is hard to find, be wary of investing in the application. If a project makes it difficult to find the information below, or omits it outright, that alone should cause concern.

Docs Pages

A sure-fire way to learn about a DeFi application is to read its docs pages, which are usually linked from the website's home page. Docs pages explain an application's purpose, token utility, tokenomics, and protocol design. Most DeFi applications worth their salt have a comprehensive docs page with enough granular detail to answer the majority of your research questions.

One important question you'll want to answer is: "What is the purpose of this DeFi application?" For example, if the application is a Decentralized Exchange (DEX), its smart contract functions and tokenomics will look much different than those of a derivatives application. And if it's not clear what the protocol does or how it uses user funds, that should raise a flag for a potential scam.

Ultimately, if you’re struggling to find information that clearly explains how the application works, this is a cause for concern.

For example, you can learn about all these same concepts for Solace on our docs page here.

The Core Team

Who's on the team building the application? Are they anonymous? It's not necessarily bad to have an anon team, but what does matter is reputation. Before his departure from DeFi, any protocol with Andre Cronje's name on it was swiftly considered legitimate because of the success of his past projects (e.g. Yearn, Fantom, etc.). A team's reputation, as well as that of its investors and advisors, gives you a sense of how reputable the project is and improves the chances that it's not a scam. If you're struggling to find information about the team, this is a cause for concern.

Discover all of Solace's core team members, investors, and advisors on our home page here.

The Smart Contracts

DeFi applications will often have explainers about their smart contract functions. For example, if you go to the Yearn docs, you’ll see a section named “Smart Contracts”.

Check out Yearn’s docs page here.

Smart contracts can tell us a great deal about the legitimacy of a protocol. Many docs pages explain how each function or contract event behaves, what parameters it requires, what it returns, and who is allowed to call it. This is especially important if you want to find out how funds are stored and transferred, and which parties (if any) have the capacity to move them. Keep in mind that docs describe intent; the verified source code on the block explorer is what actually runs, so compare the two rather than trusting the docs alone.

HINT: Many rug-pull scams have a backdoor function in their smart contract that only the contract owner can call, which drains the liquidity once the owner decides to take the money and run. Look at who the owner actually is, too: a single externally owned account is far riskier than a multisig or a timelock contract, because one private key can pull the trigger with no warning.
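To make the hint concrete, here is an added, constructed Solidity example (not code from Solace or from any real protocol). It shows a simple token pool, the owner-only backdoor that turns it into a rug pull, and a hardened variant with no code path by which anyone but a depositor can move a depositor's tokens. All contract names, function names and the 2-day delay are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Constructed illustration, not code from any real protocol. The minimal
// ERC-20 surface the pools need:
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Shared deposit/withdraw logic. On its own this is fine: tokens only
// leave the pool when the depositor who owns them asks.
abstract contract Pool {
    IERC20 public immutable token;
    address public owner;
    mapping(address => uint256) public deposits;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function deposit(uint256 amount) external {
        require(token.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        deposits[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        require(deposits[msg.sender] >= amount, "insufficient deposit");
        deposits[msg.sender] -= amount;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// THE RUG-PULL PATTERN from the hint above. One owner-only function moves
// the pool's entire token balance to a caller-chosen address: no delay,
// no cap, no event, and no relation to who deposited what. In the wild it
// is usually given a reassuring name ("emergencyWithdraw", "rescueTokens",
// "migrate"), so read the body, not the name.
contract BackdooredPool is Pool {
    constructor(IERC20 _token) Pool(_token) {}

    function emergencyWithdraw(address to) external onlyOwner {
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened variant. No function lets anyone other than a depositor move
// that depositor's pool tokens. The only admin power is recovering *other*
// tokens sent to the contract by mistake, and even that is announced
// on-chain and executable only after a fixed delay (assumed: 2 days), so
// users can see it coming and exit if they disagree.
contract SafePool is Pool {
    uint256 public constant RECOVERY_DELAY = 2 days;
    mapping(bytes32 => uint256) public recoveryReadyAt;

    event RecoveryQueued(address indexed otherToken, address indexed to, uint256 readyAt);
    event RecoveryExecuted(address indexed otherToken, address indexed to, uint256 amount);

    constructor(IERC20 _token) Pool(_token) {}

    function _recoveryId(IERC20 otherToken, address to) internal pure returns (bytes32) {
        return keccak256(abi.encode(address(otherToken), to));
    }

    // Step 1: announce. Refuses outright to queue anything for the pool token.
    function queueRecovery(IERC20 otherToken, address to) external onlyOwner {
        require(address(otherToken) != address(token), "cannot touch pool token");
        uint256 readyAt = block.timestamp + RECOVERY_DELAY;
        recoveryReadyAt[_recoveryId(otherToken, to)] = readyAt;
        emit RecoveryQueued(address(otherToken), to, readyAt);
    }

    // Step 2: execute, only for a (token, destination) pair queued long enough ago.
    function executeRecovery(IERC20 otherToken, address to) external onlyOwner {
        bytes32 id = _recoveryId(otherToken, to);
        uint256 readyAt = recoveryReadyAt[id];
        require(readyAt != 0 && block.timestamp >= readyAt, "recovery not ready");
        delete recoveryReadyAt[id];
        uint256 amount = otherToken.balanceOf(address(this));
        require(otherToken.transfer(to, amount), "transfer failed");
        emit RecoveryExecuted(address(otherToken), to, amount);
    }
}
```

When you open a verified contract on a block explorer, this is the shape to search for: any function gated on an owner or admin role that calls `transfer` or `transferFrom` on the pool's own token with a destination the caller chooses. If one exists, check the `owner` address in the explorer's Read Contract tab and whether it is a plain wallet, a multisig, or a timelock, because that determines how much warning users would get.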

Moreover, if you look up the smart contract address on Etherscan (or the block explorer for the relevant chain), you can find out how much value is locked in the contract, who created it, and how old it is.

If a smart contract is older than 6 months, has a history of transactions, and holds a fair amount of tokens, it is likely safer to invest in than a freshly deployed contract with few transactions. Age alone is not proof, though: an upgradeable proxy keeps the same old address while its implementation can be swapped out, so also check whether the contract is a proxy and who holds the power to upgrade it.

EXAMPLE (screenshots): the YFI token page, with the contract link highlighted in red; the YFI smart contract page, which shows it stores >$459K, with the contract creation transaction highlighted in red. That transaction shows the contract was deployed in July 2020, which in DeFi is quite old (and therefore safer by this heuristic).

You can check out all the information about Solace’s smart contracts on our Developer Docs pages here.

Audits & Code Reviews

DeFi applications that want to communicate the safety of their smart contracts will often hire audit teams or code review groups to do a deep dive into their smart contracts. While audit quality is still not consistent across firms, here are some names that are known for their audit quality:

  1. OpenZeppelin
  2. Consensys
  3. Trail of Bits
  4. Peckshield

Even so, one audit is better than none at all, and the more eyes that verify a smart contract's safety, the better. Solace, for example, has had two audits, by Hacken and by Quantstamp. Remember that an audit is a point-in-time review of a specific version of the code: read the report to see which contracts were in scope, whether the findings were fixed, and whether the audited version matches what is actually deployed.

Process quality review groups like DeFiSafety are also important resources that DeFi applications can take advantage of. Check out Solace's DeFiSafety Process Quality Review (PQR) here.

If a DeFi application has no audits or reviews, and does not intend to get audited, this should be a major cause for concern.

Staying Safe in DeFi

As DeFi continues to grow, we hope to see smart contracts improve their resistance and resilience to exploits. In the meantime, it’s important users understand how to stay safe.

One way to do that is by purchasing DeFi insurance. Solace makes this easy with Solace Wallet Coverage, a single-policy solution that protects your wallet's positions across over 180 DeFi applications on Ethereum and Polygon. Check out the video below to learn more:

Solace Wallet Coverage Explained — Dynamic Crypto Wallet Protection and Pricing

Another way is by learning how to personally protect yourself from getting rekt. Check out our previous article, The Ultimate Guide to DeFi Security, to learn more.

Head of Growth @ Solace | USC Grad Student | writing ✍️ | musician 🎸