The Biggest Risks In DeFi & How Can Users Avoid Them

Bringing the CEX UX to DeFi

The decentralized finance market is one of the fastest-growing segments of the cryptocurrency economy, with more than $82 billion worth of value locked up in various smart contracts, up from just over $55 billion a year ago.

The growth of DeFi is extraordinary, but not all that surprising to adherents given the numerous lucrative opportunities for investors in the sector. There are hundreds of different ways to earn money in DeFi, through lending and trading, providing liquidity to asset pools, staking to secure networks, yield farming, and more. These opportunities are real, but as with any fast-growing and lucrative new sector, the risks are just as great as the rewards. DeFi is nothing new in that regard, attracting a whole host of scammers looking to seize the funds of honest investors using an assortment of nefarious tricks and techniques.  

In case you’ve been hiding in a cave, DeFi refers to the growing number of blockchain-based crypto financial services that allow users to partake in lending and borrowing, provide and obtain insurance, deposit tokens into yield-bearing accounts, invest in new crypto projects and more. 

DeFi is like traditional finance in many ways, with the biggest difference being its reliance on smart contracts as opposed to an intermediary such as a bank. Smart contracts are the computer code that underpins agreements in DeFi. They’re really just self-executing algorithms that enforce contractual agreements between parties, doing so automatically as and when the agreed conditions are met. 

Smart contracts power everything in DeFi, from lending protocols to decentralized cryptocurrency exchanges. But as essential as they are, it’s important not to have blind faith in smart contracts. In fact, many of them contain bugs and vulnerabilities that attackers can exploit to drain the wallets of users. 

What’s worse is that smart contract bugs are just one of a number of risks in the world of DeFi. Because the space is entirely decentralized, the onus falls squarely on the shoulders of the user to be aware of these risks. Not only that, they must know how to mitigate them too, because it’s highly unlikely that any victim of a scam will ever be able to recover their tokens. 

Smart Contract Risks

One of the main dangers of DeFi lies in the smart contracts themselves. Smart contracts are written using open-source code that anyone can inspect for the purpose of transparency. However, that means technically-savvy attackers are also free to inspect the code, and if they happen across any vulnerabilities there’s nothing to stop them from taking advantage to steal funds from other users. 

Indeed, that’s exactly what happens, all too often. Last year, attackers made off with more than $1.3 billion worth of funds stolen by exploiting vulnerabilities in smart contract code, according to a report by blockchain security firm CertiK. 

Smart contracts have other risks too. For instance, if a user makes a sloppy decision and sends funds to the wrong address or uses the wrong network, those tokens are likely to be irretrievable. There is no centralized intermediary such as a bank that’s able to reverse the transaction and help users to recover their funds. 

A third risk inherent in smart contracts relates to their use of oracles. Oracles are required by many smart contracts that need access to external, third-party data. They provide information such as price feeds from various exchanges, for example. If those oracles falter or become compromised through malicious activity, this creates a risk that smart contracts will execute in a way that was not intended. 
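A defensive illustration of the oracle problem described above, added here as an example and not taken from any project mentioned on this page: a consumer that aggregates several price feeds instead of trusting one, discards stale readings, takes the median so a single compromised feed is outvoted, and halts when the median jumps too far from the last accepted price. The feed names, prices, timestamps and thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class FeedReading:
    source: str     # hypothetical feed name
    price: float    # quoted price, e.g. ETH/USD
    timestamp: int  # unix seconds of the feed's last update

MAX_AGE = 300          # ignore readings older than 5 minutes (constructed threshold)
MAX_DEVIATION = 0.10   # halt if the median moves more than 10% from the last accepted price
MIN_SOURCES = 3        # refuse to act on fewer than three fresh feeds

def aggregate_price(readings, now, last_accepted):
    """Return (price, reason); price is None when the consumer should halt."""
    fresh = [r for r in readings if now - r.timestamp <= MAX_AGE and r.price > 0]
    if len(fresh) < MIN_SOURCES:
        return None, "too few fresh sources"
    med = median(r.price for r in fresh)
    if last_accepted is not None:
        deviation = abs(med - last_accepted) / last_accepted
        if deviation > MAX_DEVIATION:
            return None, f"median moved {deviation:.0%} from last price, circuit breaker tripped"
    return med, "ok"

# Constructed sample readings at NOW; feed D is manipulated, feed E is stale.
NOW = 1000
FEEDS_ONE_BAD = [
    FeedReading("A", 1800.0, 950),
    FeedReading("B", 1810.0, 990),
    FeedReading("C", 1790.0, 980),
    FeedReading("D", 900.0, 995),   # compromised: half the real price
    FeedReading("E", 1805.0, 500),  # stale, dropped by the age check
]
# Same set but with two feeds manipulated: the median itself is now poisoned.
FEEDS_TWO_BAD = [FeedReading("C", 900.0, 980) if r.source == "C" else r for r in FEEDS_ONE_BAD]

if __name__ == "__main__":
    print(aggregate_price(FEEDS_ONE_BAD, NOW, 1800.0))   # single outlier is outvoted
    print(aggregate_price(FEEDS_TWO_BAD, NOW, 1800.0))   # breaker halts the contract
```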

Smart contracts can be abused in other ways too, for example if the developers are sloppy and leave loopholes that sophisticated attackers can take advantage of. A recent example of this happened earlier this month, when one user made a profit of more than 300 ETH ($820,000) from ApeCoin’s latest token airdrop by exploiting a flash loan service that allows users to create liquid markets for illiquid NFTs. 

To eliminate the risks inherent in smart contracts, a lot of DeFi services commission companies such as Hacken or PeckShield to audit their code, allowing them to fix any issues that arise. Another way DeFi projects try to mitigate the risk is to offer bounties to white-hat hackers via platforms such as Immunefi, offering rewards to anyone who is able to discover and inform them of bugs in their code. The idea is that the good guys will discover any problems before the attackers can. 

The most trustworthy DeFi projects will advertise these audits and bounty programs on their websites, so it’s a good idea to look out for them before considering investing in a project. Even so, users should beware that no audit is foolproof and that a number of projects that went through the highest level of scrutiny have since fallen victim to exploits.

The good news is that there are strong companies aiming to do something about security. Nym Technologies, for example, is aiming to boost privacy through its innovative use of mixnets to obscure transaction data. With its mixnet, Nym can obscure all blockchain transaction metadata, meaning it’s impossible for messages to be traced or tracked even when using advanced analytics software to try and do so. 

Nym’s mixnet relies on proxy servers that mix metadata packets with one another before emitting them in a random order, helping to hide the origin and destination of transactions. The thinking is that by hiding your DeFi transactions, it’ll be much more difficult for hackers to target individual users.

DeFi users can also attempt to check the reliability of smart contract code themselves using free tools such as Token Sniffer on Ethereum and PooCoin on Binance Chain. 

Complexity of DeFi Protocols

One of the major risks of DeFi that’s rarely spoken of is the incredible complexity of some of the services on offer. The user experience in DeFi is notoriously tricky, requiring knowledge of not only the protocols but also concepts such as staking, liquidity provision, yield farming and more. 

Along with the multitude of tools offered by popular DeFi protocols such as Aave, Curve and Compound come the incredibly high annual percentage yields they claim to offer, ranging from 5% to as much as 50%. These are jaw-dropping returns, but the danger is that many users don’t understand the complexity of the protocols they’re using, or how easily they could see their entire deposit wiped out in the blink of an eye if the market moves in the wrong direction. 

To counter the complexity of DeFi, new traders can opt for a service such as HyperDEX. It’s a service that greatly simplifies DeFi by bundling complex financial products as easy-to-understand “cubes” that spell out the level of risk versus reward. Cautious investors who can’t afford to lose will appreciate the benefits of HyperDEX’s Fixed Income Cube, which takes away the complexity of staking and guarantees a fixed return over a specific time frame simply for depositing some tokens. HyperDEX also has cubes that simplify the concepts of algorithmic trading and asset speculation, with those products offering variable returns if investors can tolerate the substantial risk that they might lose their assets if they make the wrong guess.

DeFi Rug Pulls

The old-fashioned “rug pull”, in which a scammer creates a fake project then pulls the rug out from under the feet of its investors, is another common scam in DeFi.

Rug pulls in DeFi are exit scams where predators create a new crypto token and a liquidity pool to enable that token to be traded. In the liquidity pool, the new token will be paired with a base token such as ETH or a stablecoin like USD Coin, in order to fulfill trades between the two on decentralized exchanges. 

As part of the scam, the creator of the fake coin will retain a significant amount of the total supply after the token launches. Assuming they have been successful in their efforts to market the new token, lots of people will snap them up in order to add liquidity to the pool, incentivized by the prospect of earning transaction fees. However, when liquidity reaches what the scammer deems to be a desirable level, they will dump all of their tokens into the pool and withdraw all of the ETH or USDC or whatever token it’s paired with. That sends the value of the new token to zero, while the scammer quickly sells or hides the assets he or she removed from the pool. 

Spotting rug pulls in DeFi isn’t always easy. A good indication a project might be a scam is if just a few wallets control around half of the circulating supply. It’s possible to check token distribution on a blockchain explorer service such as Etherscan for ERC20 tokens. 
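The holder-concentration check described above can be automated from the token’s ERC-20 Transfer events rather than read off an explorer by hand. The following is an added example, not code from Etherscan or any project on this page: it rebuilds balances from a constructed event list (mints come from the zero address, burns go to it), excludes addresses that are not wallets (the liquidity pool here), and flags the token when the top few wallets hold at least half of the circulating supply. All addresses, amounts and the 50% threshold are constructed placeholders.

```python
from collections import defaultdict

ZERO = "0x0000000000000000000000000000000000000000"

# Constructed ERC-20 Transfer events as (from, to, amount). Addresses are placeholders.
EVENTS = [
    (ZERO, "0xdeployer", 1_000_000),            # mint of total supply to the deployer
    ("0xdeployer", "0xlp_pool", 300_000),        # seed the liquidity pool
    ("0xdeployer", "0xinsider1", 250_000),
    ("0xdeployer", "0xinsider2", 200_000),
    ("0xlp_pool", "0xbuyer1", 40_000),           # genuine buyers trade against the pool
    ("0xlp_pool", "0xbuyer2", 10_000),
    ("0xdeployer", ZERO, 100_000),               # burn
]
NOT_WALLETS = frozenset({"0xlp_pool"})           # contracts to leave out of the holder ranking

def balances_from_transfers(events):
    """Replay Transfer events into per-address balances; burned tokens leave circulation."""
    bal = defaultdict(int)
    for src, dst, amt in events:
        if src != ZERO:
            bal[src] -= amt
        if dst != ZERO:
            bal[dst] += amt
    return {addr: b for addr, b in bal.items() if b > 0}

def top_holder_share(balances, exclude, top_n):
    """Fraction of circulating supply held by the top_n wallets outside `exclude`."""
    circulating = sum(balances.values())
    if circulating == 0:
        return 0.0
    wallets = sorted((b for a, b in balances.items() if a not in exclude), reverse=True)
    return sum(wallets[:top_n]) / circulating

def rug_pull_warning(events, exclude=NOT_WALLETS, top_n=3, threshold=0.5):
    """Return (share, flagged): flagged when a handful of wallets control >= threshold."""
    share = top_holder_share(balances_from_transfers(events), exclude, top_n)
    return share, share >= threshold

if __name__ == "__main__":
    share, flagged = rug_pull_warning(EVENTS)
    print(f"top 3 wallets hold {share:.1%} of supply; warning={flagged}")
```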

The danger of rug pulls is not exaggerated. A study from November 2021 found that almost half of all token listings on Uniswap, one of the most popular DEXs, were likely to be scams. 

Phishing Attacks

DeFi users also have to stay on their toes and beware of so-called “phishing attacks”. Phishing is an older technique that has been ported over from the world of traditional finance. 

Phishing refers to attempts by hackers to steal the login credentials of users’ crypto and DeFi wallets, and they will do so using some very clever methods. The most common way is to send an email or a message containing a link that appears to direct the user to a legitimate DeFi website or portal. The user will be prompted to enter their login credentials to the fake site. Doing so is a big no-no as the login credentials will immediately be sent to hackers, who may even use malicious bots to instantly drain the user’s wallet of their funds, even if they realize their error straight away. 

The number of phishing scams going on in DeFi is unreal. Twitter is one of the favorite vehicles for crypto phishers, home to swarms of bots that will direct users to a Google form asking them to share a wallet seed phrase or other sensitive info. Others will pose as famous celebrities and crypto influencers, sending messages to Twitter users and appearing to make some kind of offer of assistance or a promotion, before asking them to share sensitive information. 

Scammers often scour the blockchain and social media for promising phishing targets. Unfortunately, it’s all too easy for determined hackers to link social media users to their crypto wallets using the blockchain, meaning they can identify some tempting targets and make repeated phishing attempts through multiple emails and messages. 

With any luck, things will soon get much harder for phishing scammers, thanks to a number of promising projects aiming to anonymize blockchain transactions. Manta Network for instance, which is a privacy project stemming from the Polkadot ecosystem, has come up with a way to obfuscate wallet addresses using a layer-1 system that relies on zkSnarks. For the uninitiated, zkSnarks are a cryptographic technique that enables two entities to verify information without sharing the underlying data. 

Using the Manta Pay service, DeFi users can mask their portfolio activity and hide their wealth away from prying eyes, which is the surest way to avoid the crosshairs of phishing attacks.