DeFi Protocol Security: What to Check, Audits, and Exploits

In this article, we'll cover some things you can do to check if the DeFi protocol you trust your funds with is taking security seriously.

Note: This article is not financial advice. Hubble Protocol does not endorse any of the tokens or platforms mentioned in this article.

Key Takeaways

  • It's essential to research DeFi projects before trusting them with funds.
  • Avoid projects that do not regularly perform third-party security audits.

Participating in decentralized finance (DeFi) requires doing a lot of due diligence (DD). Security is one of the most important issues users shouldn't slack on when it comes to doing their DD, and in this article, Hubble will enumerate some things to check before clicking the "deposit" button on a DeFi platform.

In a previous article on DeFi security best practices, the protocol detailed a few things users can do to reduce the risk of being personally exploited. This article will cover some things every user can do to check if a DeFi protocol is taking security seriously.

Context: How Smart Contracts are Like Vending Machines

First, DeFi platforms operate on smart contracts, which are lines of code that facilitate transactions instead of humans. One useful analogy for understanding smart contracts is the soda vending machine, which is essentially a smart contract everyone has encountered IRL: put in enough money, press a button, and a can is dispensed.

Soda machines are programmed to work by themselves, as are smart contracts, but just about everyone who has used vending machines for a while knows that things can go wrong. For example, the machine can eat your money, or it could spit out a can of Pepsi instead of Coke.

There are also all sorts of tricks a bad actor can play on a vending machine, like using fake coins or pressing certain combinations of buttons, to rob it of goods or money. Bad actors who take advantage of a vending machine's glitches or security failures are exploiting the way the machine was programmed for their enrichment, and unfortunately, this can happen with DeFi smart contracts as well.

What is an Exploit and How Some Devs Can Rug Pull

If a hacker notices a flaw or bug in the way a smart contract was written, they can force the contract to behave in unintended ways, like an infinite mint. To simplify things, a smart contract exploit is like someone figuring out how to get a free soda from a vending machine, except that what they steal is far more valuable than fizzy sugar water.

Image caption: A recent massive exploit took advantage of unaudited code.

Billions of dollars worth of tokens have been stolen in exploits over the last few years. There are numerous ways hackers have exploited DeFi smart contracts, but the good news is that developers are quickly learning what to avoid and how to take precautions against these kinds of attacks.

Now, if a person who owns a vending machine programs it so that the machine keeps your money but doesn't give you a soda, then this could be described as a rug pull. There are several ways developers can set up a rug pull and con users out of their funds.

Some rug pulls involve coding a "back door" into the smart contract that allows developers to sneakily withdraw deposits. Another kind of rug pull involves selling off the project's token after users take an interest, effectively driving the price to zero and draining decentralized exchanges of the stablecoins these now worthless tokens are paired with.
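As an added illustration (not Hubble's code, and not taken from any real protocol), here is what such a back door can look like in a Solidity deposit vault, next to a hardened version of the same vault; the contract and function names are invented, and Solidity is used only because it is the most widely read smart contract language, the pattern itself is chain-agnostic:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed illustration: a shared deposit vault whose bookkeeping is
// honest. The only difference between the two subclasses below is the
// privileged function the owner keeps for itself.
abstract contract Vault {
    address public immutable owner;
    uint256 public totalDeposits;            // sum of all user balances
    mapping(address => uint256) public balanceOf;

    constructor() { owner = msg.sender; }

    function deposit() external payable {
        balanceOf[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        totalDeposits -= amount;
        _send(msg.sender, amount);
    }

    function _send(address to, uint256 amount) internal {
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// The back door: an innocuously named "rescue" function that ignores
// balanceOf entirely and lets the owner key drain every pooled deposit.
contract BackdoorVault is Vault {
    function rescue() external {
        require(msg.sender == owner, "not owner");
        _send(owner, address(this).balance);
    }
}

// Hardened form: the owner can only move ETH above what users are owed
// (for example ETH force-sent via selfdestruct), so deposits stay untouchable.
contract HardenedVault is Vault {
    function skimExcess() external {
        require(msg.sender == owner, "not owner");
        _send(owner, address(this).balance - totalDeposits);
    }
}
```

When reading a project's verified source, the thing to look for is any owner- or admin-only function that can move pooled funds without reference to user balances, and whether such functions sit behind a timelock or multisig rather than a single key.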

Find Projects with Multiple and Regular Security Audits

A smart contract audit is one of the prime ways to avoid exploits and back doors. When a third-party security firm examines a smart contract's code, they can advise teams about ways to improve their smart contracts, so they can be less likely to fall prey to an exploit.

It's usually a good idea to avoid projects that have not undergone an audit. Additionally, if a DeFi protocol's smart contract has passed an audit by a trustworthy firm, it's incredibly unlikely that the team has added any malicious code to it.

The rekt.news exploit leaderboard is full of unaudited DeFi projects, so treating audits as an afterthought seems like a really bad idea by now. Projects that continuously audit their smart contracts, especially after making any changes to the code, are much further ahead in the game than unaudited projects.

Some major names in smart contract auditing services include Kudelski Security, OtterSec, Sec3 (formerly Soteria), Halborn, and CertiK. Remember, just because a project has undergone an audit does not mean that its code is 100% safe, and some security firms are more thorough than others when it comes to their auditing practices.

What to Check to Avoid Becoming the Victim of a Rug Pull

What about the projects that have audited their code but dump tokens in a cash grab? Researching the project's background can save users a lot of grief in this department.

Find out as much as possible about the project's core contributors, and read the project's white paper, especially the tokenomics. If something about the project's vision doesn't make sense, it's probably not built to succeed, and if the tokenomics show that a disproportionate share of the tokens is allocated privately, then this is a bad sign.

Protocols with contributors that have been doxxed are much less likely to rug pull than anonymous teams. If you can, try and find out as much as possible about the community behind a DeFi project, and join the project's social media channels to get an inside look at what's going on and who is involved.

There have been instances where DeFi projects that started off with good intentions "hit the eject button" and dumped all of their tokens for a quick profit, but this is exceedingly rare. Reputations can be tarnished so badly that these offenders can only build anonymously in the future (and many do).

Do Your Due Diligence Thoroughly and Grow with DeFi

The DeFi ecosystem has seen a lot of growth since it first started. Users who do their DD and participate with caution can join this growth trajectory, despite some of DeFi's growing pains.

For any user plugging in a hardware wallet and taking other pains to ensure their funds remain safe while they participate in DeFi, the next step is to make sure protocols are taking security measures as well.

In the end, DeFi is a peer-to-peer financial system, and it can only get stronger with a more informed and security-minded community of peers. Still, this is DeFi, and anything can happen, so users should never participate in any protocol with more than they can afford to lose.
