Spool DeFi Insights — Understanding and Avoiding DeFi Scams
Since its inception, crypto and DeFi have proven a popular arena for scammers. From token rug pulls such as “Squid Game”, whose token was built so that only the founders could sell it, to complex phishing attacks targeting high-net-worth investors, billions of dollars worth of crypto have been stolen. Unfortunately, this has also somewhat tainted the image of DeFi: the minority of projects that are deliberate scams, and the users who fall foul of them, make for highly clickable news stories.
What is often glossed over, however, is the comparison with fraud in traditional banking. In 2021 in the UK alone, almost 900,000 reports of banking fraud were made to UK agencies, 298 of which related to losses over £100,000 (source: Seon.io). While scams may seem common in DeFi, they are definitely not exclusive to it!
Why is DeFi a popular target for scams?
In essence, it comes down to two main factors.
The first is that the technology is new and often has not been “field-tested”. While decentralised money has been around since the launch of Bitcoin in 2009, with the advent of Ethereum and “programmable money” in 2015 new and more complex solutions have been evolving at a rapid pace. DeFi projects are now highly complex stacks of technology, touching multiple new and existing services while pulling in data from various sources. This, combined with the potentially massive financial gain of a first-mover advantage in the space, has led to some projects launching with poorly tested code. As a result, bugs may be found once the platforms go live and, with the rapid pace of user adoption, these platforms may find they hold millions of dollars of user assets that can be stolen.
The second is the classic “PICNIC” error, which is far from new and affects all technological products. This is a fault code often used by IT support teams and stands for “Problem In Chair Not In Computer”. It refers to human error in using a computer system or software, rather than a technical bug in the code or a fault with the technology. In DeFi protocols, the level of technical knowledge and skill required to understand their code and function is very high. This naturally reduces the number of users who are able to fully understand it and, in particular, the significance of certain actions they may be asked to take. Even for those who do have the ability, the complexity of the projects means it may be impractical to analyse a project in detail, so users can more easily be targeted.
In turn, these factors make it easier for scammers who identify weaknesses either to convince users to take actions that give the scammer access to their information and funds, or to gain that access directly through the protocol, without users having to interact at all.
Rug pulls are the most common way for scammers to take advantage of DeFi investors using the above principles. In AnubisDAO, for example, $60 million was raised in a short period of time from investors who were given the native ANKH token in exchange. The wETH investors sent should have gone into a liquidity pool; however, 20 hours after the sale started, the address with control of the liquidity pool contract withdrew almost all the wETH and ANKH from the pool. Shortly afterwards their Twitter page went offline, and the value of ANKH dropped to zero.
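The AnubisDAO pattern above (a pool fills with investor wETH, then the controlling address drains it shortly after launch) can be watched for by replaying liquidity-pool events. The following is an added monitoring example written for this article, not code from Spool or from any protocol; the event model and the sample events are constructed, and the controller address, window and threshold are assumed parameters.

```python
from dataclasses import dataclass

@dataclass
class PoolEvent:
    hours: float   # hours since the liquidity pool was created
    actor: str     # address that sent the transaction
    kind: str      # "mint" = liquidity added, "burn" = liquidity removed
    weth: float    # amount of wETH moved into (mint) or out of (burn) the pool

def flag_rug_pull(events, controller, window_hours=48.0, threshold=0.8):
    """Replay pool events in time order while tracking the wETH reserve.
    Raise an alert when the pool-controlling address burns liquidity that
    removes at least `threshold` of the current reserve within
    `window_hours` of pool creation. Returns a list of (hours, fraction).
    Tracking only the wETH side is a simplification; the ANKH side could
    be tracked the same way and the larger fraction used."""
    reserve = 0.0
    alerts = []
    for ev in sorted(events, key=lambda e: e.hours):
        if ev.kind == "mint":
            reserve += ev.weth
        elif ev.kind == "burn" and reserve > 0:
            fraction = ev.weth / reserve  # share of reserve leaving the pool
            early = ev.hours <= window_hours
            if ev.actor == controller and early and fraction >= threshold:
                alerts.append((ev.hours, round(fraction, 3)))
            reserve -= ev.weth
    return alerts

# Constructed sample timeline (not real chain data): three investors add
# wETH, one takes a small amount back, then the controller drains the pool.
CONTROLLER = "0xCONTROLLER_PLACEHOLDER"
SAMPLE_EVENTS = [
    PoolEvent(0.5, "0xINVESTOR_A", "mint", 5000.0),
    PoolEvent(2.0, "0xINVESTOR_B", "mint", 4000.0),
    PoolEvent(6.0, "0xINVESTOR_C", "mint", 4500.0),
    PoolEvent(10.0, "0xINVESTOR_B", "burn", 500.0),     # ordinary exit, ~4%
    PoolEvent(20.0, CONTROLLER, "burn", 12800.0),       # ~98% of reserve
    PoolEvent(500.0, CONTROLLER, "burn", 50.0),         # late and small
]

if __name__ == "__main__":
    for hours, fraction in flag_rug_pull(SAMPLE_EVENTS, CONTROLLER):
        print(f"ALERT: controller removed {fraction:.1%} of wETH at {hours}h")
```

In practice the events would come from the pool contract's Mint/Burn logs and the controller from the pool's owner or deployer; the heuristic only highlights candidates for review, since a legitimate team can also rebalance liquidity.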
How do you identify reliable DeFi projects, while avoiding the scams which target them?
To be clear, the rate of successful scams, and in particular the length of time scams are able to stay active within the DeFi space, is constantly decreasing. As the space matures, projects are proving themselves over time and new projects are adhering to stricter standards of quality and security.
However, there are still actions that individuals can take to decrease the likelihood of becoming a victim of a scam.
The first is to gain a core understanding of the essential aspects of crypto: the importance of maintaining control of your private keys, being wary of which services you connect a wallet to, and the risks of custodial services. These don’t require a detailed technical understanding at a code level, and they give you a baseline of where and what you need to be paying attention to when you see a new project or are contacted by someone offering you something relating to one.
The next thing to do is look at the individual DeFi protocol you are considering investing in. Assuming you don’t have the detailed knowledge to read and analyse the code, there are still a number of factors you can look at to help reduce your risk. To begin with, look at how long the protocol has been live and how many people have safely used it. The longer a protocol has been live and public, the more likely it is that bugs which scammers could take advantage of have been identified and resolved. Linked to this, a code audit is something to look for in a reputable project: the developers pass their code to a third party, who analyse it to identify any potential issues.
Unfortunately, in the rapidly developing DeFi world, where projects are constantly pushing the boundaries of what the technology can do, a code audit is by no means a guarantee of safety. However, audits are likely to pick up major flaws and validate that the code has been written to industry standards. An audit also shows that the team has invested time and effort into the security and quality of their codebase, as quality audits are neither quick nor cheap.
Ideally, before the code is pushed into a live environment, you also want to check if bug bounties have been offered, and continue to be offered even once the project is live. These represent an opportunity for developers in the wider DeFi community to test a new protocol and be rewarded if they find a flaw and report it, as opposed to taking advantage of it once it goes live.
The final area to look at is the team behind a project. Are they an established team, with verifiable social profiles linked to the project, who have a range of experience in various fields? Or, are they an anonymous team with little more than a Twitter account as a form of identity, while holding a large percentage of tokens themselves? In turn, this research can also help you identify if you are being contacted by a genuine member of a team, or an imposter as is often the case.
Mitigation matters and user safety is always increasing.
Unfortunately, scams have existed as long as some people have had something other people wanted. Any new form of technology is particularly prone to them, in particular when it is in the early adopter stages such as those we are currently seeing in DeFi. There is no single guaranteed way to prevent being the target of a successful scam, even taking all of the above into account. However, the more you apply and are aware of, the less likely you are to fall for one. The key is mitigation and using as many methods as possible, or at least plausible, to keep yourself protected.
We are also seeing the advantages of decentralised technology, and of the public nature of the ledgers it operates on, for dealing with DeFi scams. Users and investigators are more easily able to trace where the funds have moved and what has happened to them, particularly when compared to traditional physical cash. As a result, scammers often find they have stolen crypto which they are unable to use or move back into fiat money. As legislation catches up, legal action can then more easily be taken against the people behind the scams. In September 2021, for example, the CFTC filed charges against 14 scams claiming to offer compliant crypto derivative trading services (1). In addition, just this week we saw an arrest warrant issued by a South Korean court for 6 people including Do Kwon, relating to the collapse of Luna and TUSD.
At Spool, we are also leading the way in creating solutions, such as our Spool Smart Vaults for users to more easily see and understand the risk of their DeFi investments. For example, we are developing risk models driven by factors open for anyone to see and help improve on. To find out more about this please use this link.
The DeFi space is young, but it is maturing quickly. As it continues to mature we have already seen improvements across the board not only in scam prevention but in methods of identifying stolen funds and the scammers themselves. That will only continue and, as it does so, the ecosystem will continue to become safer for new individuals and organizations to enter.
Sources
(1) https://www.cftc.gov/PressRoom/PressReleases/8434-21
______________________
Spool is a permissionless DeFi platform that connects Capital Aggregators with DeFi Yield Generators. Funds are dynamically and efficiently allocated to ensure optimized yields, for custom strategies, managed by DAO-curated Risk Models.
Spool was established as a DAO, with a selection of founding contributors representing a diverse cross-section of the blockchain community.