What are the risks of DEFI?
What you'll learn
- What does DEFI stand for in crypto?
- What is DEFI and how does it work?
- What are the types of DEFI risks?
- Are the risks worth it?
DEFI gives anyone with an internet connection and a supported cryptocurrency wallet access to financial services previously off-limits or restricted by KYC. Centralised intermediaries have been replaced by decentralised and permissionless services automated by Smart Contracts. Though removing the middleman democratises financial services, it doesn’t remove the risk, which is instead transferred wholly to the user. So what are the risks of DEFI?
What does DEFI stand for in cryptocurrency?
DEFI stands for decentralised finance and is a catch-all for a range of blockchain-based financial services automated by Smart Contracts and delivered through digital applications (dApps) that users can connect directly to without any formal vetting process.
According to DefiLlama, over $200bn of cryptocurrency is currently locked in DEFI applications, with over half of that accounted for by the Ethereum blockchain.
What is DEFI and how does it work?
DEFI is only possible because of the Turing Complete nature of the Ethereum blockchain. Being Turing Complete simply means that Ethereum is capable of executing any instruction that can be reduced to mathematics. Those mathematical instructions are programmed using a purpose-written language called Solidity to craft Smart Contracts, which automate financial services.
That Smart Contract logic is then delivered through digital applications - dApps - on desktop and mobile devices where end-users can simply connect an Ethereum wallet to access the service.
Ethereum’s brain, known as the EVM - Ethereum Virtual Machine - processes these Smart Contract instructions for a fee. That fee is paid to its network of validators to ensure the validity of transactions without needing any central intermediary like a bank or payment service.
Ethereum’s architecture builds in a set of standards for creating and transferring value in the form of new cryptocurrencies and tokens, which, when combined with Smart Contracts, provided the foundation for an entirely new permissionless digital economy we now know as DEFI.
Though it uses a new operating model, DEFI offers familiar financial services:
Saving & Loans - Protocols like Compound use Smart Contracts to algorithmically offer interest on deposits and lend out funds against collateral. Compound alone has over $10bn in Ethereum-based assets earning interest.
Decentralised Exchanges - Smart Contracts enable Automated Market Making - automatically providing liquid pools of tradable asset pairs without any central process or oversight. A DEX will incentivise users to provide liquidity (LPs) and then use algorithms to provide constant pricing and balanced liquidity pools.
DEXs can also offer the same kind of complex derivatives trading offered by centralised exchanges but with much greater freedom, control and access to liquidity. dYdX and Uniswap are two of the most popular decentralised exchanges.
Yield Aggregation - Given the explosive growth in opportunities to generate a return from DEFI protocols, Smart Contract-based services will find the best strategies to optimise return, also known as Yield Farming.
What are the types of DEFI Risks?
The huge attraction of DEFI is that it empowers cryptocurrency holders to consume financial services typically only available to accredited investors while allowing them to retain control over their funds. The flipside of this autonomy is that users assume the risks usually borne by traditional intermediaries such as banks.
We can group the different types of DEFI risks into four main categories, which we’ll explore in detail below:
- Technical risk
- Asset risk
- Procedural risk
- Financial risk
Technical risks of DEFI
DEFI is programmable finance, so it is only as safe as the code that powers it. Unfortunately, Smart Contracts have proven to present a significant risk to end-users through poorly written and poorly considered code.
Because Smart Contracts are automated, bad actors are constantly on the lookout for bugs in Smart Contract code that they can exploit. Poorly written code can often mean funds are drained from DEFI protocols in minutes with nothing the user can do.
DEFI recently suffered its biggest-ever hack when a bridge between the Ronin network - which supports Axie Infinity, a play-to-earn game - and Ethereum was exploited for the loss of over $600 million.
Reputable DEFI services will engage Smart Contract auditors to check their code before it is committed but numerous hacks have still occurred despite the contracts being vetted in advance.
Even when the Smart Contracts function as intended, that logic can have unexpected consequences that put users' funds at risk. The most traumatic event in Ethereum’s history - the DAO Hack back in 2016 - resulted in the blockchain forking into two separate chains, Ethereum and Ethereum Classic, because there was disagreement about how to deal with a hacker taking advantage of vulnerabilities in The DAO's construction.
On that occasion, the exploit was a reentrancy bug, just one of many techniques that can turn Smart Contract logic against itself.
The problems of Smart Contract bugs and vulnerabilities are compounded by the fact that DEFI is open source, leading to the common practice of wholesale copying of Smart Contracts that creates an information cascade of in-built errors.
DEFI risks from dApps
Smart Contracts can be thought of as the backend of DEFI, while dApps are the frontend, the actual websites and apps that allow users to interact with the Smart Contract through a User Interface. dApps are equally at risk from malicious actors looking to inject viruses or manipulate code to siphon off funds.
The hack of Badger DAO in August 2021 is an example of this. The frontend application was exploited, enabling hackers to change the permissions that users granted when interacting through their crypto wallets, resulting in the loss of $150 million.
Wallets represent another technical risk vector within DEFI that falls squarely under the user's responsibility. Firstly, there is the risk of granting dApps broad permissions to access funds, as in the Badger example above.
Then there is the general security risk associated with using a hot wallet - hot meaning being online by default. The most commonly used hot wallet in DEFI is MetaMask, which is non-custodial, meaning that the user is fully responsible for protecting funds through a recovery Seed.
Hackers will use all means to access the Seed, either by injecting the user’s wallet with a virus or using social engineering to trick them into sharing it. To mitigate the wallet-specific risks of DEFI, users should employ thorough infosec practices:
- Automatically updating browser & OS software
- Using virus scanning software
- Never clicking on unsolicited links or attachments
- Using strong passwords & email addresses specific to crypto
The most robust mitigation against the risks associated with Hot Wallets is to use them in conjunction with a Cold Wallet, keeping funds offline up to the point where a connection with a DEFI dApp is required via MetaMask.
“According to Chainalysis, 97% of all cryptocurrency stolen in the first three months of 2022 was from DEFI”
Asset-based risks with DEFI
One of the most popular DEFI services is the Decentralised Exchange (DEX), allowing users to swap crypto-pairs while completely controlling their funds and identity. A DEX creates markets automatically, with users adding liquidity into pools of asset pairs, earning trading fees in return.
Given the volatility of assets and varying amounts of liquidity, swapping two coins using a DEX exposes you to the risk of slippage. Slippage is the difference between a quoted price and the actual transaction price resulting from changes in liquidity.
Those providing liquidity are also exposed to another explicit DEFI risk that stems directly from the volatility of the assets, known by the euphemism impermanent loss.
Impermanent Loss is the unrealised loss in the value of funds added to a liquidity pool due to the impact of price change on your share of the pool. It's a factor of the automated nature of DEFI and the volatility of the price of asset pairs.
It’s impermanent because it is only realised when withdrawing funds. Users can claim the proportion of assets added to a lending pool rather than the equivalent amount of value they added to the pool. Impermanent loss can positively and negatively impact liquidity providers depending on market conditions.
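The slippage and impermanent loss described above can be worked through on a constant-product pool (reserves satisfying x * y = k, the pricing rule popularised by Uniswap). This is an added example, not code from the original article or from any protocol; the pool sizes, prices, function names and 0.3% fee are assumed sample values.

```python
# Added illustration: a two-asset constant-product pool (x * y = k).
# Reserves, trade sizes and the 0.3% fee are constructed sample values.
from math import sqrt

def swap_out(reserve_in, reserve_out, amount_in, fee=0.003):
    """Amount received for amount_in while keeping reserve_in * reserve_out = k."""
    effective_in = amount_in * (1 - fee)
    return reserve_out * effective_in / (reserve_in + effective_in)

def slippage(reserve_in, reserve_out, amount_in):
    """Fraction lost versus the quoted spot price, before fees.

    Grows with trade size relative to the pool:
    amount_in / (reserve_in + amount_in).
    """
    quoted = amount_in * reserve_out / reserve_in
    executed = swap_out(reserve_in, reserve_out, amount_in, fee=0.0)
    return 1 - executed / quoted

def min_amount_out(reserve_in, reserve_out, amount_in, tolerance, fee=0.003):
    """Lowest output to accept; a swap that would fill below it should be rejected."""
    return swap_out(reserve_in, reserve_out, amount_in, fee) * (1 - tolerance)

def impermanent_loss(eth_reserve, usd_reserve, new_price):
    """Value of the pooled position relative to simply holding the same assets.

    Arbitrage rebalances the pool until usd/eth equals new_price with k fixed.
    Trading fees earned by the liquidity provider are ignored here.
    """
    k = eth_reserve * usd_reserve
    eth_after = sqrt(k / new_price)
    usd_after = sqrt(k * new_price)
    pool_value = eth_after * new_price + usd_after
    hold_value = eth_reserve * new_price + usd_reserve
    return pool_value / hold_value - 1

if __name__ == "__main__":
    # Constructed pool: 100 ETH and 200,000 USD stablecoin (spot price 2,000).
    for size in (1, 10, 50):
        print(f"swap {size:>2} ETH: slippage {slippage(100, 200_000, size):.2%}")
    for price in (1_000, 2_000, 4_000, 8_000):
        loss = impermanent_loss(100, 200_000, price)
        print(f"ETH at {price}: pooled vs held {loss:+.2%}")
```

The loss depends only on how far the price has moved from the deposit price, not on the direction, and returns to zero if the price comes back.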
Though impermanent loss might sound confusing, it is just the tip of the iceberg regarding the complexity and risk of DEFI. Flash loans are the clearest example of how deep the DEFI rabbit hole can go.
A flash loan is a way to borrow crypto funds from a lending pool without collateral, provided the liquidity is returned within the space of one block confirmation.
If the funds are not returned within one block, all the associated actions are reversed as if they never happened.
However, if funds are returned within the space of one block, the lending pool the funds were borrowed from doesn’t lose out because the funds are returned. The person who took out the Flash Loan then gets to keep whatever value they were able to generate across a complex series of transactions, net of the transaction costs associated with each step in the chain.
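The all-or-nothing behaviour described above, as an added example that is not part of the original article or any real protocol's code: a toy ledger snapshots its balances, lends, runs the borrower's steps, and rolls everything back unless the pool is repaid. Account names, amounts and the flat fee are assumptions made for the illustration.

```python
# Added illustration of flash-loan atomicity; not the code of any real protocol.
# Account names, amounts and the flat fee are constructed for the example.
import copy

class Reverted(Exception):
    """Signals that the whole operation must be undone."""

class Ledger:
    """Toy token ledger mapping account name -> balance."""
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} cannot send {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount

def flash_loan(ledger, pool, borrower, amount, fee, callback):
    """Lend without collateral; commit only if the pool is made whole plus fee.

    Returns True if the state changes were kept, False if they were rolled back.
    """
    snapshot = copy.deepcopy(ledger.balances)
    required = ledger.balances[pool] + fee
    try:
        ledger.transfer(pool, borrower, amount)
        callback(ledger, borrower, amount + fee)   # borrower's own steps
        if ledger.balances[pool] < required:
            raise Reverted("loan not repaid")
    except Reverted:
        ledger.balances = snapshot                 # as if it never happened
        return False
    return True

def repays(ledger, borrower, owed):
    """Borrower callback that returns principal plus fee."""
    ledger.transfer(borrower, "pool", owed)

def keeps_funds(ledger, borrower, owed):
    """Borrower callback that moves the funds away and never repays."""
    ledger.transfer(borrower, "elsewhere", owed - 1)

if __name__ == "__main__":
    ledger = Ledger({"pool": 1000, "borrower": 5})
    print(flash_loan(ledger, "pool", "borrower", 900, 1, repays), ledger.balances)
    print(flash_loan(ledger, "pool", "borrower", 900, 1, keeps_funds), ledger.balances)
```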
Flash Loans use custom-written Smart Contracts to exploit arbitrage within the DEFI ecosystem - market inefficiencies across tokens and lending pools. Arbitrage is a natural part of how financial markets mature. Still, Flash Loans are also being used to manipulate and distort crypto asset prices and generate massive returns for those with the skills to understand the dark side of DEFI.
Chainalysis reported that $364 million was stolen via Flash Loan attacks on DEFI protocols in 2021.
Procedural Risks of DEFI
Some of the risks within DEFI relate specifically to the processes and procedures required to access dApps, or to their absence.
Given that DEFI requires no KYC or account creation when you hit the ‘Connect’ button, you should carefully review what privileges you are granting the service concerning your crypto wallet.
The same is true for when you confirm transactions. Understand what privileges you grant in terms of access to your wallet, and make sure that you remove any access rights when you stop using the service. Make it part of your routine to review your wallet connections regularly.
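One way to carry out the review described above is to decode what a dApp is asking the wallet to sign. This added example (not from the original article) classifies calldata for the standard ERC-20 approve and NFT setApprovalForAll calls; the function names, spender address and amounts are constructed for illustration.

```python
# Added illustration: classify token-permission calldata before signing it.
# Selectors are the standard ERC-20 approve and ERC-721/1155 setApprovalForAll;
# the spender address and amounts used in the demo are constructed values.
APPROVE = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool)
MAX_UINT256 = 2**256 - 1

def encode_call(selector, address, value):
    """Build sample calldata: 4-byte selector followed by two 32-byte words."""
    return "0x" + selector + address[2:].lower().rjust(64, "0") + format(value, "064x")

def review_permission(calldata, wallet_balance=None):
    """Return (kind, grantee, verdict) for a permission-granting call."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return ("other", None, "not a permission grant")
    # An address occupies the low 20 bytes of its word; the top 12 must be zero.
    if len(args) != 128 or int(args[:24], 16) != 0:
        return ("malformed", None, "reject: unexpected argument encoding")
    grantee = "0x" + args[24:64]
    value = int(args[64:], 16)
    if selector == SET_APPROVAL_FOR_ALL:
        verdict = "operator over all tokens in the collection" if value else "revokes operator"
        return ("setApprovalForAll", grantee, verdict)
    if value == 0:
        verdict = "revokes allowance"
    elif value == MAX_UINT256:
        verdict = "unlimited allowance"
    elif wallet_balance is not None and value > wallet_balance:
        verdict = "allowance exceeds current balance"
    else:
        verdict = "bounded allowance"
    return ("approve", grantee, verdict)

if __name__ == "__main__":
    spender = "0x" + "ab" * 20     # constructed placeholder address
    for amount in (MAX_UINT256, 250, 0):
        print(review_permission(encode_call(APPROVE, spender, amount), wallet_balance=1_000))
    print(review_permission(encode_call(SET_APPROVAL_FOR_ALL, spender, 1)))
```

Signing an approve call with a value of zero for the same spender is how an allowance granted earlier is removed.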
You should also become familiar with the charges for interacting with DEFI applications, paid in something called GAS, as separate from the cost of simply sending cryptocurrency. There is a real risk that the returns you make through DEFI are net negative once you factor in all the associated GAS and the opportunity cost.
Certain DEFI services may require you to commit your funds for a minimum period (bonding) and apply restrictions when you want to withdraw (unbonding). Bonding and unbonding are commonly misunderstood aspects of DEFI, carrying the risk of your funds being tied up when you may desperately need access to them.
There are no specific regulations that govern how DEFI services work, so you should be constantly vigilant, but there is a real risk that the ongoing nature of DEFI scams and hacks will push regulators to act.
Financial Risks of DEFI
DEFI’s unique selling point, the absence of intermediaries and ease of access, is also the source of risk. One of the main justifications for how traditional finance restricts access to financial services is to protect users from danger, whether that is explicit from bad actors or implicit from not being equipped to understand the risk.
DEFI has no such protection. There is no guarantee against the loss of funds and there are no tests to establish whether you understand the risks involved in DEFI. The only way to mitigate the risk of getting involved in something you don’t understand is to do your own research (DYOR). This is one of the central mantras of crypto and should extend to:
- researching the promises that DEFI services make in terms of crazy returns
- understanding the fees charged by DEFI services
- being aware of the dangers of rug pulls
The non-existent returns within traditional finance push people to explore other means of generating wealth. DEFI represents a huge range of opportunities across a risk spectrum, from modest and low-risk returns on Stablecoins to triple-digit APYs for farming meme coins. And though DEFI is a new world, some of the fundamental rules of analogue finance still apply - if something seems too good to be true, it probably is.
Before diving into high-yielding DEFI practices, learn about tokenomics, as this will give you the tools to understand whether high yields can be justified.
Given the structural nature of DEFI, your research needs to extend to the teams behind projects and their track record. The absence of regulation encourages a particular type of crypto scam known as a Rug Pull.
A Rug Pull is a DEFI service that may appear legitimate but is created to con users out of their funds. When the time is right, the service is shut down without warning, with the creators disappearing with all the funds.
Chainalysis estimated that rug pulls accounted for 37% of all crypto scam revenue in 2021, at a value of $2.8bn.
Are DEFI’s risks worth it?
DEFI only emerged a few years ago yet has already grown to manage over $200bn in crypto funds. There is clearly a huge demand for services that enable crypto investors to generate active returns from their funds rather than just hodling.
However, DEFI’s immaturity, decentralised nature and allure of financial opportunity have generated significant risks that make it feel a bit like the Wild West with no Sheriff. Those risks will gradually be addressed, whether through innovation or regulation, but right now, anyone thinking about committing their crypto to DEFI applications should do so with a clear understanding of the risks involved.