Participating in decentralized finance (DeFi) requires doing a lot of due diligence (DD). Security is one of the most important issues you shouldn't slack on when it comes to doing your DD, and in this article, we'll enumerate some things to check before clicking the "deposit" button on a DeFi platform.
In our previous article on DeFi security best practices, we detailed a few things you can do to reduce the risk of being personally exploited. In this article, we'll cover some things you can do to check if the DeFi protocol you trust your funds with is taking security seriously.
Context: How Smart Contracts are Like Vending Machines
First, DeFi platforms operate on smart contracts, which are lines of code that facilitate transactions instead of humans. One useful analogy for understanding smart contracts is the soda vending machine, which is essentially a smart contract everyone has encountered IRL: you put in enough money, press a button, and a can is dispensed.
Soda machines are programmed to work by themselves, as are smart contracts, but just about everyone who has rendered the services of vending machines for a while knows that things can go wrong. For example, the machine can eat your money, or it could spit out a can of Pepsi instead of Coke.
There are also all sorts of tricks a bad actor can play on a vending machine, like using fake coins or pressing certain combinations of buttons, to rob it of goods or money. Bad actors who take advantage of a vending machine's glitches or security failures are exploiting the way the machine was programmed for their enrichment, and unfortunately, this can happen with DeFi smart contracts as well.
What is an Exploit and How Some Devs Can Rug Pull
If a hacker notices a flaw or bug in the way a smart contract was written, they can force the contract to behave in unintended ways, like an infinite mint. To simplify things, a smart contract exploit can be like someone figuring out how to get a free soda from a vending machine, but they manage to steal for more valuable assets than fizzy sugar water.
Billions of dollars worth of tokens have been stolen from various exploits over the last few years. There are numerous ways hackers have exploited DeFi smart contracts, but the good news is that developers are quickly learning what to avoid and how to take precautions against these kinds of attacks.
Now, if a person who owns a vending machine programs it so that the machine keeps your money but doesn't give you a soda, then this could be described as a rug pull. There are several ways developers can set up a rug pull and con users out of their funds.
Some rug pulls involve coding a "back door" into the smart contract that allows developers to sneakily withdraw deposits. Another kind of rug pull involves selling off the project's token after users take an interest, effectively driving the price to zero and draining decentralized exchanges of the stablecoins these now worthless tokens are paired with.
Find Projects with Multiple and Regular Security Audits
A smart contract audit is one of the prime ways to avoid exploits and back doors. When a third-party security firm examines a smart contract's code, they can advise teams about ways to improve their smart contracts, so they can be less likely to fall prey to an exploit.
It's usually a good idea to avoid projects that have not undergone an audit. Additionally, if a DeFi protocol has been certified by a trustworthy auditor, it's also incredibly unlikely that they have added any malicious code to a smart contract that has passed a security audit.
The rekt.news exploit leaderboard is full of unaudited DeFi projects, so taking audits for granted seems like a really bad idea by now. Projects that continuously audit their smart contracts, especially after making any changes to the code, are much further ahead in the game than unaudited projects.
Some major names in smart contract auditing services include Kudelski Security, OtterSec, Sec3 (formerly Soteria), Halborn, and CertiK. Remember, just because a project has undergone an audit does not mean that its code is 100% safe, and some security firms are more thorough than others when it comes to their auditing practices.
What to Check to Avoid Becoming the Victim of a Rug Pull
What about the projects that have audited their code but dump tokens in a cash grab? Researching the project's background can save you a lot of grief in this department.
Find out as much as possible about the project's team, and read the project's white paper, especially the tokenomics. If something about the project's vision doesn't make sense, it's probably not built to succeed, and if the tokenomics show that a disproportionate amount of tokens are allocated to the team, then this is a bad sign.
Public teams that have been doxxed are much less likely to rug pull than anonymous teams. If you can, try and find out as much as possible about the team behind a DeFi project, and join the project's social media channels to get an inside look at what's going on and who is involved.
There have been instances where DeFi projects that started off with good intentions "hit the eject button" and sold all of their tokens for a quick profit, but this is exceedingly rare. The team's reputation has been so tarnished that they can only work anonymously in the future.
Do Your Due Diligence Thoroughly and Grow with DeFi
The DeFi ecosystem is improving year over year. It can be said that the users who do their DD and participate with caution can reap the benefits of this growth, despite some growing pains.
If you're using a hardware wallet and taking other pains to ensure your funds remain safe while you participate in DeFi, the next step is to make sure the protocols you deploy these funds with are taking security measures as well.
In the end, DeFi is a peer-to-peer financial system, and it can only get stronger with a more informed and security-minded community of peers.
Keep in Touch