DeFi can be a wild place. Seemingly bulletproof protocols can collapse in an instant or suffer exploits from which token prices never recover.
In keeping with The Defiant’s security awareness mission, I’m going to outline some tips on how to spot a potential disaster before it happens. I spend my days assessing how projects run their development and how they end up deploying their code. After evaluating over 200 protocols, we have collected some insights that help identify bad development practices in DeFi.
Inverse Finance and Axie Infinity have recently suffered exploits that resulted in significant fund losses. Katana, the only decentralized exchange on Axie’s Ronin chain, was developed by the same team (with the same development practices) and scored 5% in its assessment. Inverse scored much better, but still lagged behind in some critical areas. Both were unaudited, had no bug bounties, and provided extremely limited testing evidence or none at all. Katana was especially opaque about how it worked. Even though these issues had been identified, the exploits still happened and users still lost their life savings.
With this checklist, I want to arm you – the humble ape/farmer/degen – with some tips and tricks tailored to your risk profile as you navigate the DeFi minefield.
Please note that none of these checks is a perfect solution that can guarantee a completely secure DeFi experience. DeFi remains an incredibly risky place, and a protocol can easily pass all these checks and still be exploited. Treat this checklist as non-prescriptive, and be sure to always conduct your own due diligence before you ape in.
Can I find the GitHub repository? Is it well designed?
Let’s start with the most fundamental question you should ask yourself before interacting with any contract. Can I find the GitHub repository that the protocol uses?
For the uninitiated, GitHub is a site that teams use to coordinate software development. You should easily find a team’s GitHub by searching for the protocol name followed by “GitHub”.
The main question to ask here is whether it’s public. Compare the Bancor GitHub repository with the Grim Finance repository, which was hacked for $30 million in December 2021. See how well developed the Bancor repository is: multiple folders, a README.md overview of the protocol, public contributors, 4,000+ commits. Compare that to Grim Finance: it’s private. You have no idea which contracts you are interacting with.
What’s especially important to note is that private repositories make audits useless: if you can’t verify the source yourself, you can never be sure that the contracts the developers have deployed are the same ones the auditors reviewed. Transparency is an important part of DeFi development; it leads to stronger code because everyone can scrutinize it. Private repositories impede transparency and undermine the open source spirit of web3.
Is the protocol well documented? Is the ownership of the contract identified?
A second step is to browse the protocol documentation. This is usually linked from the main page of the site and can be written in GitBook or a similar tool. It should provide a high-level overview of how the protocol works, plus other relevant information, written in plain language so that you or I can understand what we are about to use.
A good example of this is PancakeSwap: see how cute and understandable the little wabbits are!
Good documentation is a sign that the team knows its code inside out. Teams can easily fork other protocols with little idea of how they work, which increases the likelihood of an incident. Relevant documentation usually means they understand it, since they can synthesize the information into something more digestible.
A key area to remain especially vigilant about is whether the owners and permissions of the contracts you are interacting with are listed. Some contracts can be changed at will, which can expose your funds to new risks. Make sure you feel comfortable with whoever is in control: just because you see other people trusting a protocol doesn’t mean it’s safe. See how Tracer explicitly states that the DAO is the owner of the contracts.
You should also pay attention to the contract addresses. Make sure the ones listed in the documentation are the same as the ones you are interacting with on the protocol website. Gearbox explicitly states them and links each one to Etherscan so you can verify them yourself. This simple action could have helped users avoid the BadgerDAO front-end attack in which $120 million was taken.
Is the code audited?
A third check is whether the code has been audited. Auditing firms provide a valuable fresh pair of eyes on the code you want to use. The audit must be public, and the contracts reviewed by the auditors must be listed. See whether the audit highlighted any issues and whether they were resolved, as in the 0x Protocol audit where an issue was identified and then corrected.
Highlighted in red is a major issue that was identified, and in green the fix. Major issues can result in user funds being lost, so it’s critical that 0x Protocol had a second set of eyes verify its code.
Other questions you might consider asking are:
- Is the audit detailed or a superficial inspection?
- How many people worked on the audit?
- How long did the audit take to complete?
- Was the audit performed prior to code deployment?
- Is there a technical breakdown of the problems encountered?
While audits are not foolproof, they do provide an additional layer of security.
Is there a Bug Bounty?
The penultimate check is whether there is a bug bounty. Protocols often set aside funds so that hackers have a way to report exploits to the developers instead of using them. These programs invite armies of white-hat hackers to test the protocols. Bigger rewards attract more attention, leading to more testing and, eventually, better code. The rewards are often eye-watering, to ensure that hackers choose the program over the exploit.
As evidence of the effectiveness of these programs, see how armor.fi increased its reward from $27,000 to $700,000. A day later, a bug that could have crashed the protocol was identified and fixed. These programs go a long way towards making the code more secure, which means that your funds are more secure too.
Is the development team public and proactively engaging with their community?
The final check you should do is on the development team itself. Some developers remain anonymous, while others reveal their identities. Public development teams will hesitate before stealing your funds, as their names would be tarnished forever. Anonymous teams don’t have the same disincentive. While it’s important to remember that some anonymous developers are among DeFi’s most valuable contributors, you have to balance this against their ability to disappear. In short, public developers are held accountable through their public identities.
Good teams also value communication and make it easy to contact them. It is an important outlet for complaints and suggestions, all of which strengthen the protocol. A Discord channel or community Telegram should be linked on the protocol’s website so you can ask questions. Can you see people reaching a community manager or even a developer? Are they helpful and friendly? Do they dismiss your worries? All of these are important considerations.
Using this guide, you will be able to complete some quick last minute checks before approving your transactions and hopefully be a little safer as a result.