The Risks in DeFi Stack

HACKERNOON. Published on 2022-10-17. Last updated on 2022-10-17.


Decentralized Finance or DeFi is a form of blockchain-based finance that offers financial services without any central intermediaries. What used to be a niche ecosystem with a TVL of less than $100 Million in the year 2017 grew to over $200 Billion at the peak of the last bull run in 2022.

TVL or Total Value Locked is the value of the crypto assets locked in a DeFi smart contract. - Source

The flip side of the tremendous growth is that it has become a honeypot for some of the most sophisticated hackers across the world. Billions of dollars have been lost to security vulnerabilities and economic failures.

If you are a crypto believer, you can’t ignore the movement of Decentralized Finance. While the ecosystem is too nascent for us to identify all potential risks, a look at the DeFi stack can help us understand the different ways things can break and thus inform how we can go about participating in the ecosystem.

None of what follows is financial advice. Nor do I claim this to be an exhaustive list of risks in DeFi. Treat it more as a starting point and a framework for identifying different risks that may exist in a DeFi Investment Approach.

The DeFi Stack

We can look at the DeFi ecosystem as a combination of the following five layers.

Blockchain Networks - All DeFi protocols are deployed on a blockchain network. The blockchain network provides the computational platform for the execution of the smart contracts that power the DeFi service.

Crypto Tokens - The tokens are the underlying assets that are used by the protocol to deliver a service. A Lending Protocol might enable the lending and borrowing of a particular crypto token to be used by traders as a form of leverage. A Decentralized Exchange might have a pool that allows users to swap one token for another.

Protocol - DeFi Protocols are open-source computer programs that run on blockchain networks and provide financial services.

dApp Interface - These are the web interfaces that users use to interact with the DeFi Protocols. Some wallets such as Argent, Coinbase, and Brew Money also offer in-wallet integrations with protocols, directly from mobile.

Wallets - Cryptocurrency wallets hold the private keys that allow users to make payments, deploy and withdraw funds from DeFi protocols, and more.

Risks in Blockchain Network Layer

Contrary to popular perception, blockchains are not infallible. Security vulnerabilities can allow malicious actors to siphon off funds or take control of the network.

The 51% Attack

A 51% Attack on a Blockchain Network is a scenario where a single entity or group controls over 50% of the network hash rate. Such a group can censor transactions, and reorder and rewrite blocks, leading to double spending, where a network participant spends the same asset multiple times.

"Hashrate" refers to the total combined computational power that is being used to mine and process transactions on a Proof-of-Work blockchain, such as Bitcoin. - Source

A 51% attack, while complex and expensive to pull off, is a risk that even mature blockchain networks such as Bitcoin have had to face at some point in time.

Bitcoin’s reckoning with 51% Attack

In 2014, ghash.io, a popular bitcoin mining pool, held over 51% of Bitcoin’s hash rate for a brief period of 24-48 hours. While GHash didn’t show any signs of malicious intent, the episode raised debates on how bitcoin can avoid a pool or entity taking over 51% of the network’s hash rate. In this particular case, miners from the pool volunteered to move away from ghash. Moreover, ghash publicly vowed to limit its hash rate to 40% of the network’s hash rate.

A mining pool is the pooling of resources by miners, who share their processing power over a network, to split the reward equally, according to the amount of work they contributed to the probability of finding a block. - Source

Bitcoin hash rate is more widely distributed today. For instance, the last days of data for blocks mined look like the following. The largest mining pool makes up for 19% of the network’s hashrate.

51% Attacks on Ethereum Classic

Ethereum Classic blockchain came into being after the infamous The DAO Hack. It has a market cap of over $4 Billion. In August 2020 Ethereum Classic was attacked three times and over $5 Million were siphoned off from the network through double-spending.

Vulnerabilities in Blockchain Network

Ultimately, blockchain networks are powered by code, and code can be buggy. In August 2010 an anonymous hacker was able to exploit a bug to create 184 Billion Bitcoin. Bitcoin supply is supposed to be capped at 21 Million. The anomaly was soon detected by the Bitcoin community. Satoshi Nakamoto coded up a fix for the issue and rolled it out within 5 hours, soft forking the network to its state before the faulty block was mined.

In blockchain technology, a soft fork is a change to the software protocol where only previously valid transaction blocks are made invalid. Because old nodes will recognize the new blocks as valid, a soft fork is backwards-compatible. This kind of fork requires only a majority of the miners upgrading to enforce the new rules. - Source

In the recent past, Polygon, one of the leading scaling solutions for Ethereum and a sidechain, lost over 800K Matic worth $2 million to a hack. Two white hat hackers reported the vulnerability and Polygon rolled out a fix within 48 hours. Polygon Foundation covered the money lost and paid out a sum of $3.5 Million in bounty to the two white hat hackers.

The Volatility in Crypto Assets

Every asset class has inherent volatility. Crypto Assets more so. In stock markets, a 1% dip makes headlines and is reported as a crash. In crypto markets, it is fairly common to see such fluctuations in prices multiple times in a month.

Bitcoin 30-Day Volatility Trend

The above graph shows the trend of Bitcoin price volatility over time. While volatility seems to have reduced a bit over the years, 5% up and down swings are still not that uncommon.

Volatility refers to the amount of uncertainty or risk related to the size of changes in a security's value. - Investopedia

30-Day Rolling Volatility = Standard Deviation of the last 30 percentage changes in Total Return Price * Square-root of number of trading days

Token prices are a function of market perception. The perception can be based on how the specific project is doing or it can be more macro as in where the overall market is headed.

For instance, the crypto market still has a very high correlation with bitcoin price. Whenever bitcoin price dips, we see people liquidating their other crypto assets, bringing down the overall market. This is understandable considering that even now bitcoin makes up almost 40% of the total crypto market.

Earlier this year, in May 2022, a bank run on US Terra Stablecoin wiped $40 Billion off the market. Anchor Protocol was one of the most popular lending protocols on Luna that offered ~20% APY on US Terra Stablecoin deposits. While the protocol itself worked as it was supposed to, a known economic weakness in the Luna ecosystem led to US Terra losing its peg to the US Dollar.

1 US Terra = 3 cents as of now

The Fault in the Protocols

Security breaches, code exploits, and flash loan attacks have led to the loss of billions of dollars in DeFi. As per Chainalysis, over $1.3 Billion were stolen in the first 3 months of 2022.

Security Breaches are instances when a hacker gains control of the private key or keys of wallets that have admin controls over the protocol. [The Ronin Hack](https://medium.com/uno-re/biggest-crypto-hack-of-all-time-a-breakdown-of-the-ronin-network-hack-ef8d9e25ba6b) is one of the largest hacks in DeFi, where allegedly a North Korean Hacking Group stole over $600 Million worth of crypto tokens.

Ronin is an Ethereum Sidechain developed and operated by Sky Mavis to support their popular play-2-earn game, Axie Infinity.

Ronin Network has nine validators to process the transactions, and as long as the majority of them approve a transaction it goes through. The catch was that the nine keys were controlled by just two entities. Sky Mavis had 4 keys and Axie DAO 5. However, Axie DAO had earlier provided Sky Mavis with access to sign transactions on its behalf for a short-term period. The access was never revoked. This oversight allowed hackers to gain access to the majority of the keys and process the transactions.
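The custody arrangement described above can be audited mechanically. The following is an added example, not code from the original article or from Ronin: it uses the key counts stated above, while the validator ids, the single-hop delegation model and the `operator-N` layout are constructed assumptions. It reports the fewest entities that would have to be compromised to reach a signing majority.

```python
from itertools import combinations


def effective_keys(custody, delegations):
    """Keys each entity can sign with: its own plus any delegated to it.

    custody:     {entity: [validator key ids it holds]}
    delegations: [(grantor, grantee)] meaning grantee may sign with all of
                 grantor's keys. Single hop only; chains are not followed.
    """
    power = {entity: set(keys) for entity, keys in custody.items()}
    for grantor, grantee in delegations:
        power.setdefault(grantee, set()).update(custody.get(grantor, ()))
    return power


def audit(custody, delegations):
    """Find the fewest entities whose compromise yields a signing majority."""
    all_keys = set().union(*custody.values())
    threshold = len(all_keys) // 2 + 1  # simple majority of validators
    power = effective_keys(custody, delegations)
    entities = sorted(power)
    for size in range(1, len(entities) + 1):
        groups = [
            group for group in combinations(entities, size)
            if len(set().union(*(power[e] for e in group))) >= threshold
        ]
        if groups:
            return {"threshold": threshold, "min_entities": size, "groups": groups}
    return {"threshold": threshold, "min_entities": None, "groups": []}


# Constructed validator ids; only the 4 / 5 split comes from the article.
KEYS = [f"validator-{i}" for i in range(1, 10)]
AS_DESCRIBED = {"Sky Mavis": KEYS[:4], "Axie DAO": KEYS[4:]}
STALE_DELEGATION = [("Axie DAO", "Sky Mavis")]  # access that was never revoked
# Constructed contrast: one independent custodian per validator key.
SPREAD = {f"operator-{i}": [key] for i, key in enumerate(KEYS, 1)}

if __name__ == "__main__":
    scenarios = [
        ("two custodians, stale delegation", AS_DESCRIBED, STALE_DELEGATION),
        ("two custodians, delegation revoked", AS_DESCRIBED, []),
        ("nine independent custodians", SPREAD, []),
    ]
    for label, custody, delegations in scenarios:
        result = audit(custody, delegations)
        print(f"{label}: need {result['threshold']} keys, "
              f"{result['min_entities']} entity/entities suffice, "
              f"{len(result['groups'])} minimal group(s)")
```

With nine keys split between two custodians, one of them always holds a majority, so revoking the delegation reduces the single points of failure from two to one but does not remove them.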

Code Exploits are faults in smart contracts that allow a hacker to siphon off funds. The Polynetwork hack, where $610 Million worth of crypto assets were hacked (and later returned), is one of the largest hacks that happened due to code exploits.

Polynetwork is a protocol that enables cross-chain assets transfer.

In this particular case, the hacker was able to figure out a way to invoke a restricted smart contract that enabled them to take control of the wallets that held assets managed by Polynetwork and transfer them to a wallet they controlled.

Frontend and DNS Exploits

Users interact with DeFi protocols by connecting their wallet to a protocol through a web interface. In May 2022 a hacker was able to leverage a vulnerability in the DNS to inject a malicious smart contract on the web interface for mm.finance, a leading DeFi protocol on Cronos chain, and diverted over $2 Million to their wallet.

The domain name system (i.e., “DNS”) is responsible for translating domain names into a specific IP address so that the initiating client can load the requested Internet resources. The domain name system works much like a phone book where users can search for a requested person and retrieve their phone number. - [Learn more](https://www.infoblox.com/glossary/domain-name-system-dns/)

Losing Private keys or Seed Phrase

Cryptocurrency Wallets store the public key and the private key. The private key is used to access the funds and transfer them. The public key is your address. The private keys are held either directly or, more popularly, as a seed phrase: a 12 - 24 word phrase that is used to generate the private keys.

If a hacker is able to access your seed phrase or your wallet’s private keys, they can take over your assets. Malicious software on your computer or mobile, or phishing attacks that trick you into sharing your seed phrase on a website, are some of the common ways in which hackers gain access to a seed phrase and steal the assets in a wallet.

In April 2022 an iPhone user lost crypto and NFTs in his wallet when a hacker pretending to be an Apple representative tricked the user into sharing a secure code that was sent to the user’s number and used it to hack into their iCloud Account. From there on, they were able to access the user’s wallet seed phrase.

Navigating DeFi Safely

It is essential to practice caution when navigating DeFi considering the different risks that exist in the stack. As you delve into the DeFi Ecosystem, choosing the right platforms and ecosystems for your risk tolerance is a critical step. A few things to look for:

Track record

How long has the blockchain or protocols been in existence? How have they performed in volatile market conditions?

What has been the TVL's growth over time?

What is the caliber of the core team working on the protocol or chain?

Independent Audits

Has it gone through independent security audits?

How robust are their processes? Here processes can range from their development activities and security practices to taking key decisions with community participation.

Liquidity

How much liquidity does the asset or the protocol have? This is especially critical in selecting an asset or protocol. Low liquidity can translate to higher risks.

How much AUM does the DAO’s or community’s treasury have?

A lot of products have emerged that help with such research. A few of them are DeFiLlama, DeFi Safety, and Exponential Finance. Beyond this, there are a few things you can do as a user to help ensure the safety of your funds:

Maintain Wallet Hygiene

Don’t hold all your assets in a single wallet. Use a Hardware Wallet.

Never share your seed phrase or private key online or offline

Maintain multiple backups of your seed phrase

Ensure the safety of the devices where your wallets reside: desktop, mobile, or browser.

Be cautious about the dApps you’re interacting with and the kind of permissions you are allowing. Do a regular audit of the funds.

Stay Informed - You can do all of this and still end up losing your funds if the dApp or protocol you interact with is hacked. Stay aware of the happenings in the chain, assets, and protocols you use. You can use Twitter for that.

Despite these risks, DeFi presents multiple opportunities for early adopters to not only grow their crypto assets but also get familiar with an emerging phenomenon that will reimagine how financial services are delivered in the coming years.
