The DeFi risks everyone should know about
This is a comprehensive but easy-to-understand guide to all the risks associated with DeFi
There is a very high chance that the first thing that lured you into learning about DeFi was a 200x return on investment within a month or a 100% APY yield farm. You’ve probably seen random people on Twitter, YouTube, TikTok, and Instagram boast about the millions they’ve made through DeFi, or seen people close to you make it through DeFi. While all of this is true, we also need to focus on the parts of DeFi that are overshadowed by the unreal gains: the endless number of risks that come with this space. These risks come in many forms, and almost everyone who has made millions in DeFi has probably been a victim of at least one of them.
#1 Rug Pull
Let’s begin with the most popular one of all, the classic rug pull. If you’ve heard the phrase “I’ve been rugged”, it’s probably referring to this. So, let’s run through what a rug pull is. It usually takes place on a decentralised exchange (DEX) such as Uniswap, PancakeSwap, or SushiSwap. A developer can make a token with a random name and list it on the exchange paired with popular tokens such as ETH, USDT, or USDC. After this, the developer can take multiple routes to get people to invest in their token: they can get influencers to shill it on Twitter, promote it with fake promises of being a legitimate project, use buzzwords like “deflationary token”, or promote it in Telegram and Discord groups. The target audience is usually newcomers to the space who have been sold the dream of making a quick buck. Once enough people have been fooled into buying the token, the developers immediately dump every token they hold for the ETH, USDT, or USDC in the pool. What happens here is that the newcomers are essentially buying all the tokens the developers own, which is the majority of the supply. This sends the price to $0, and the people who invested are left hurt and helpless because the developers are likely anonymous and have spread the tokens across multiple wallets.
Rug Pulls happen almost every week in DeFi because it’s an easy & safe way to make money for the scammers, and they will always have just enough people who they can fool into believing that they will become filthy rich if they invest.
#2 Liquidity Provider (LP) risks
As the name suggests, a liquidity provider is someone who funds a pool of assets such as ETH/DAI or SUSHI/USDT and gets rewarded in tokens for providing that liquidity. The most common risk of being an LP is impermanent loss, which stems from the volatile nature of the space. Impermanent loss occurs when the price of the assets in a pool changes: the total value of the tokens the LP deposited may decrease, and they would have been better off simply holding the tokens rather than depositing them. The loss is called impermanent because the funds are still in the pool while the price moves, so the loss can keep accumulating as the price changes; once the LP withdraws the funds, the loss becomes permanent.
Let’s look at a simple example: the pool is ETH/USDC, and you have provided liquidity in the form of $1k of ETH and $1k of USDC. If the price of ETH doubles, you should theoretically have $2k of ETH and $1k of USDC and walk away with $3k. But, with the way most DEXs work, the pool has to rebalance to maintain its equilibrium. Hence it rebalances to $1.5k ETH and $1.5k USDC, and in the process you have lost out on 50% more profit which you could have gotten by just holding ETH instead of using it to provide liquidity. Similarly, if ETH drops 50% in price you have $500 ETH and $1k USDC, which will rebalance to $750 each, and the further the price drops the further the losses compound, with each dip making the pain much worse than the previous one.
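As an added worked example (not code from the article), the following Python computes the same ETH/USDC scenario using the constant-product invariant x*y=k that Uniswap v2-style pools use. It assumes a starting ETH price of $2,000 and that the LP owns the whole pool with no trading fees or other depositors; the exact figures it produces differ a little from the rounded illustration above, but the conclusion is the same: the LP always ends up with less than a holder whenever the price moves away from the entry price, in either direction.

```python
from math import sqrt


def lp_position_after_move(eth_deposited: float, usdc_deposited: float,
                           end_price: float) -> tuple[float, float]:
    """Return the (eth, usdc) the LP holds after the pool rebalances.

    Constant-product model (x * y = k). Assumes the LP owns the whole pool,
    so there are no fees and no other depositors (constructed assumption).
    """
    k = eth_deposited * usdc_deposited
    # Arbitrageurs trade against the pool until its internal price equals the
    # market price, which for x * y = k means eth = sqrt(k / p), usdc = sqrt(k * p).
    eth = sqrt(k / end_price)
    usdc = sqrt(k * end_price)
    return eth, usdc


def impermanent_loss(price_ratio: float) -> float:
    """Fraction of value lost versus holding when price moves by price_ratio.

    Closed form for a 50/50 constant-product pool: 2*sqrt(r)/(1+r) - 1.
    It is never positive and is exactly 0 only when r == 1 (price unchanged),
    which is why the loss is 'impermanent' until the LP withdraws.
    """
    return 2 * sqrt(price_ratio) / (1 + price_ratio) - 1


def compare_lp_vs_hold(usd_per_side: float, start_price: float,
                       end_price: float) -> dict:
    """Dollar value of the LP position vs simply holding the same deposit."""
    eth_in = usd_per_side / start_price
    usdc_in = usd_per_side
    eth_out, usdc_out = lp_position_after_move(eth_in, usdc_in, end_price)
    lp_value = eth_out * end_price + usdc_out
    hold_value = eth_in * end_price + usdc_in
    return {
        "lp_value": round(lp_value, 2),
        "hold_value": round(hold_value, 2),
        "impermanent_loss_pct": round(100 * (lp_value / hold_value - 1), 2),
    }


if __name__ == "__main__":
    # Constructed scenario matching the article: $1k ETH + $1k USDC deposited
    # with ETH at an assumed $2,000; then ETH doubles, halves, or returns.
    for end in (4000.0, 1000.0, 2000.0):
        print(f"ETH -> ${end:,.0f}: {compare_lp_vs_hold(1000.0, 2000.0, end)}")
```

Running it shows that a doubling and a halving produce the same 5.72% shortfall against holding, and that a round trip back to the entry price leaves the LP whole, which is the sense in which the loss is impermanent.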
#3 Smart Contract bugs
As discussed in previous articles, smart contracts are one of the foundational pillars of DeFi, crucial to almost every transaction that takes place in the system. While smart contracts have made money programmable and more efficient, the code can often have bugs. Bugs can arise from rushed coding work, poor auditing or no auditing at all, or no prior testing of the code. When malicious actors spot these bugs, they ruthlessly exploit the smart contract for all they can. It is estimated that on the Ethereum blockchain 1 in every 20 smart contracts is at risk of being hacked, and from 2017 until today an estimated $2 billion of funds has been stolen. That number is absolutely outrageous, but it also means that over time smart contract code will continue to improve in its resiliency to hacks.
Using a buggy smart contract is a situation where you as a user will be left helpless as you watch your funds being stolen. To avoid this, you need to learn the basics of how to audit code, because most protocols have their code open-sourced so you can check for risks yourself. Also, check whether any renowned hackers, auditors, or developers have previously audited the code you are looking at and whether they think it is safe.
#4 Decentralised Exchanges (DEXs) & Automated Market Maker (AMM) shitcoins
This is the darker side of decentralising finance. On a DEX anybody can make a coin and list it, because there are no barriers to using them. Hence, some people take advantage of this to swindle millions of dollars by developing and promoting shitcoins. A quick browse through Uniswap or PancakeSwap and you’ll notice that there is no shortage of them. The names usually share common characteristics: something related to cute pets with “safe”, “poly”, or “moon” in the name, sometimes something related to sex, and sometimes a random internet meme. The tokenomics are also always the same: it’s “deflationary”, has 5-10 decimal points, and tokens will be “redistributed” to hodlers. The promotion usually includes “going to the moon” and “imagine when it hits $1”. The recent trend (July 2021) has been “charity tokens”, which is even worse than before because now people are being scammed while under the impression that they are donating to a good cause.
I’ve seen tons of people get annihilated on these scam coins, and it’s usually the newbies chasing a quick pump. Chasing a quick pump isn’t a bad thing, everyone has that urge, but it’s imperative to make sure that you aren’t throwing away money for no reason. One way to identify a scam coin is in the code: when you look at it there will be an “ensure” modifier that basically allows people to only buy and not sell, so the developer has ample time to rug the token. Another way, which is much easier, is to look at the wallets of the token holders. If a significant amount of the tokens is concentrated in one or two wallets then it’s very likely that the token will be rugged. Usually around 80% of the supply is concentrated in a few wallets, and that’s commonly a red flag. Basically, be careful. I understand that it’s tempting to jump into these Ponzis for a quick 5x return, but you’ll be better off over the long run if you’re thorough with your research.
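Here is an added Python example, not from the article, that turns the holder-concentration heuristic above into a repeatable check. It assumes a holder list of the kind a block explorer exports (address, balance, and an optional label) and, as a refinement beyond the text, excludes the DEX pair contract and burn addresses, which legitimately hold large balances and would otherwise make almost every token look concentrated. All addresses and balances below are constructed.

```python
from dataclasses import dataclass

# 0x...dEaD and the zero address are the usual burn destinations on EVM chains.
BURN_ADDRESSES = {
    "0x000000000000000000000000000000000000dEaD",
    "0x0000000000000000000000000000000000000000",
}


@dataclass
class Holder:
    address: str
    balance: float
    label: str = ""  # "liquidity pool", "burn", or "" for an unknown wallet


def concentration_report(holders, top_n: int = 2, threshold: float = 0.80) -> dict:
    """Share of circulating supply held by the top_n unlabelled wallets.

    The pair contract and burn addresses are removed before ranking: tokens
    sitting in the pool or burned are not in anyone's hands to dump.
    """
    circulating = [
        h for h in holders
        if h.label not in ("liquidity pool", "burn") and h.address not in BURN_ADDRESSES
    ]
    supply = sum(h.balance for h in circulating)
    ranked = sorted(circulating, key=lambda h: h.balance, reverse=True)
    top = ranked[:top_n]
    top_share = sum(h.balance for h in top) / supply if supply else 0.0
    return {
        "top_share": round(top_share, 4),
        "top_wallets": [h.address for h in top],
        "red_flag": top_share >= threshold,
    }


# Constructed sample: the pool and a burn address hold 70% of supply, but of
# what is left, two developer wallets control 85%.
RUGGY_HOLDERS = [
    Holder("0xpair_contract", 400_000, "liquidity pool"),
    Holder("0x000000000000000000000000000000000000dEaD", 300_000),
    Holder("0xdev_wallet_a", 210_000),
    Holder("0xdev_wallet_b", 45_000),
] + [Holder(f"0xretail_{i}", 5_000) for i in range(9)]

# Constructed sample of a widely distributed token for comparison.
HEALTHY_HOLDERS = [Holder("0xpair_contract", 400_000, "liquidity pool")] + [
    Holder(f"0xholder_{i}", 10_000) for i in range(60)
]

if __name__ == "__main__":
    print("suspicious:", concentration_report(RUGGY_HOLDERS))
    print("healthy:   ", concentration_report(HEALTHY_HOLDERS))
```

Note that without the exclusion step the same suspicious token would report only 25.5% in the top two wallets, because the pool and burn balances dilute the figure; the 80% figure from the text only makes sense once you ask who can actually sell.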
#5 Stablecoin Risks
Stablecoins are possibly the most important hurdle for the DeFi space to overcome in order to achieve global adoption. Stablecoins are coins pegged 1:1 to a fiat currency such as USD, or to other stable assets like gold. The purpose is to combat the volatility of cryptocurrencies in general: if you want to invest in a coin, or use DeFi for daily payments and wages, then using BTC or ETH is not feasible because of how volatile they are. Many stablecoins have been made, but all of them can be classed as the most successful disaster in the space right now. They’re successful because they have seen widespread use across the ecosystem, with billions of dollars worth of stablecoins minted every week, but they are a disaster because almost every stablecoin has massive flaws.
The obvious issue across all stablecoins is that they frequently lose their peg to the underlying asset, which in turn leads to a huge loss of value. Looking at specific stablecoins, they all have their individual issues. USDC is the Coinbase stablecoin, backed 1:1 by the US dollar, but it is heavily centralised in its control, which isn’t the right way forward for DeFi. USDT is made by Tether and has the same 1:1 peg as USDC. While it is more decentralised than USDC, Tether has not provided transparency about its reserves. One investigation suggested that Tether’s reserves can only back 75% of the stablecoins minted, which is very concerning because without transparency they can mint as many new coins as they want and we as users simply have to take their word for it.
Another category is really its own sector: algorithmic stablecoins, or algo-stables. Algo-stables aim to maintain their peg purely through software and rules, without the need to hold any assets in a bank or reserve. Many have tried and many have failed, the most notable being the death spiral of Titan, where the algo-stable lost its peg and spiraled to $0. There is no doubt that a truly decentralised algo-stable is an important way forward for the DeFi space, because if any project succeeds then it can scale infinitely and really bolster the space. An algo-stable that deserves a shoutout is UST on the Terra ecosystem. They have slowly built it up, and so far it has not lost its peg and fallen into the death spiral. The mechanism it uses is that if you want to mint $1 worth of UST, then $1 worth of LUNA (the native cryptocurrency of the Terra ecosystem) is burned. So far UST has been successful, but its success depends on utility: if demand for UST suddenly declines for whatever reason, it could face a similar death spiral to Titan. Therefore, stablecoins should be appreciated and continuously improved, but in their current state there is a fair amount of risk involved with them.
#6 Scamming and Phishing
The beautiful thing about DeFi is the community. Projects have Discord groups where you can openly communicate with founders and developers, there are Telegram groups where people discuss DeFi topics and investments, and you can openly talk to the most prominent and smartest figures in the DeFi space on Twitter. This accessibility is not seen in any other industry, but as you would expect there are a lot of malicious actors who take advantage of it, making fake Twitter accounts, fake Discord channels, and fake Telegram groups in order to scam unsuspecting people into sending funds to the wrong addresses or giving up their seed phrase or keys. While this type of scam may sound overly simplistic, it has proven to be very effective because, as I mentioned earlier, there will always be a handful of newbies who can be swindled by these scammers, and it’s something that is very unlikely to stop. So, be careful when using these apps.
The second part of this is phishing scams, which are closely related to the scam I mentioned in the previous paragraph. With this scam they simply copy the website of a project; when people visit the copy, the scammers can get access to your private data, and if you connect your wallet then they also get access to your wallet and will repeatedly drain your funds. As time passes the scams get more sophisticated, and because of the anonymity in the DeFi space the scammers often get away with it and repeat it. So when using any DeFi protocol please be alert for these scams. Most importantly, NEVER EVER GIVE OUT YOUR PRIVATE KEYS OR SEED PHRASES.
#7 Oracle failures
You may be wondering: what the hell are oracles? Oracles, in the simplest definition, are third-party services that feed real-time data from outside the blockchain into smart contracts. The most popular use of oracles is for prices on exchanges. As you can imagine, they are very vulnerable to attack. All through 2020 many DeFi protocols were exploited for millions of dollars through oracle failures. The most common attack was to use multiple flash loans to buy and sell an asset, which manipulated its price for a few minutes and created an arbitrage opportunity. For example, let’s say the asset being manipulated is ETH, and on the attacked application the price of ETH becomes $1000 after the flash loans, while every other application is selling ETH for $100. The attackers sell ETH at $1000, go to another exchange to buy back more ETH at $100, and can repeat this process for as long as the oracle failure isn’t fixed.
A major reason for this is that currently most DeFi applications depend on centralised oracle services, because there is no decentralised oracle service which is truly secure. While many projects are now working on better decentralised oracles, the centralised oracles were easily manipulated, which allowed millions of dollars to be exploited.
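To make the defensive side concrete, here is an added Python example (not code from the article or from any named oracle project) showing two standard ways a protocol can avoid trusting a single spot price. The first aggregates quotes from several independent sources with a median, reports any source that deviates too far, and refuses to return a price when too few sources agree. The second is a time-weighted average price (TWAP) over a window of spot samples, which shows why a spike that lasts a few minutes barely moves a 24-hour window but still moves a 1-hour one. The source names, prices and timestamps are constructed, using the $100 vs $1000 figures from the text.

```python
from statistics import median


def robust_price(quotes: dict, max_deviation: float = 0.10, min_sources: int = 3):
    """Combine spot quotes from independent sources into one price.

    quotes maps source name -> price. Sources more than max_deviation from the
    median are returned as outliers and cannot move the result. If fewer than
    min_sources remain in agreement, returns (None, outliers): the consuming
    contract should treat that as "do not trade" rather than fall back to any
    single source.
    """
    if len(quotes) < min_sources:
        return None, sorted(quotes)
    mid = median(quotes.values())
    outliers = sorted(
        src for src, price in quotes.items() if abs(price - mid) / mid > max_deviation
    )
    if len(quotes) - len(outliers) < min_sources:
        return None, outliers
    return mid, outliers


def twap(samples, window_start: int, window_end: int) -> float:
    """Time-weighted average of a step function given by (timestamp, price).

    samples must be sorted by timestamp; each price holds until the next sample
    (the last one holds until window_end). Timestamps are in seconds.
    """
    total = 0.0
    for i, (ts, price) in enumerate(samples):
        next_ts = samples[i + 1][0] if i + 1 < len(samples) else window_end
        start = max(ts, window_start)
        end = min(next_ts, window_end)
        if end > start:
            total += price * (end - start)
    return total / (window_end - window_start)


# Constructed quotes: four honest venues near $100 and one manipulated venue.
QUOTES = {"dex_a": 99.0, "dex_b": 100.0, "dex_c": 100.0, "cex_d": 101.0, "attacked_dex": 1000.0}

# Constructed 24-hour price history: $100 all day except a 3-minute spike to
# $1000 starting at the 12-hour mark (43200 s), the flash-loan pattern above.
SPOT_SAMPLES = [(0, 100.0), (43200, 1000.0), (43380, 100.0)]

if __name__ == "__main__":
    print("median across venues:", robust_price(QUOTES))
    print("only two venues:     ", robust_price({"attacked_dex": 1000.0, "dex_b": 100.0}))
    print("24h TWAP:", twap(SPOT_SAMPLES, 0, 86400))
    print("1h TWAP around spike:", twap(SPOT_SAMPLES, 43000, 46600))
```

With five venues the manipulated quote is simply discarded; with only two there is no majority, so the function declines to answer, which is the safer failure mode. The TWAP numbers (about $101.88 over 24 hours but $145 over one hour) show that a window length has to be chosen with the cost of sustaining a manipulation in mind.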
#8 Knowing where you get your information from
As I’ve mentioned multiple times through this article the DeFi space is still very young. With this immaturity comes a lot of froth especially from the point of view of price speculation. This creates a situation where most of the information out there on DeFi will always have some bias or just be incorrect altogether because people want to squeeze every drop of profit out of this space and then leave. It’s imperative that when you’re reading an article by someone or taking people’s advice on twitter that you check their track record. It may be extremely annoying and boring but it is worth it if you want genuinely beneficial information because many people have a vested interest in misleading newcomers (I’m speaking from experience).
You have to do a deep dive on the people you follow for information. Check the calls they’ve made in the past, what protocols they have worked on and what they contributed to the team, what other people in the space think about them, whether they have previously misled their followers, whether they always do paid shills of dogshit coins, and how long they have been in the space; if you manage to find their wallets, do a quick scan to see if you notice anything suspicious. I have noticed that as a newcomer to the space you get two types of information. One type is the very easy-to-understand information that reassures you that you know what’s happening and makes you think you can 15x your money; the other type is the very high-level information where you don’t understand most of it even though the information is valuable. Hence, be careful with where you get your information from and be absolutely certain that it’s reliable, or you are very likely to get burned.
Conclusion
I hope this article has given you an introduction to the most prominent risks in DeFi. The information provided in this article is barely scratching the surface of the risks. I would recommend that you look into each risk mentioned in this article in greater detail depending on what you aim to get out of your DeFi journey.
Thank you for reading,
If you enjoyed then please consider subscribing to the DeFining substack.