Defi

“We do believe that if we can create more tokenization of assets and securities – that’s what bitcoin is – it could revolutionise finance” “Instead of investing in gold as a hedge against inflation, a hedge against the onerous problems of any one country, or the devaluation of your currency whatever country you’re in – let’s be clear, bitcoin is an international asset, it’s not based on any one currency and so it can represent an asset that people can play as an alternative.”
June 2023
Larry Fink
BlackRock CEO

Definitions

Decentralised finance” or DeFi refers to crypto-asset services akin to traditional financial offerings but operate without intermediaries. By leveraging blockchain technology, DeFi aims to democratise finance, enabling global access to a broader range of financial services. It extends the concept of technical decentralisation pioneered by blockchain technologies, emerging from advancements in crypto-assets, particularly through the widespread use of smart contracts and the advent of stablecoins, known as “stablecoins”.

Several criteria characterise DeFi, though no single one fully defines a use case, and many DeFi services don’t meet all these criteria:

An architecture on public blockchains signifies decentralisation, eliminating the need for authoritative or trusted intermediaries. This openness ensures transparency and equal participation opportunities.Private blockchains, however, are controlled by an authority that sets participation rules.

Protocols rely on smart contracts—computer programs executed automatically when conditions are met. These contracts execute transactions based on predefined rules, reducing the potential for errors and manipulation

Decentralised governance depends on community-based management, often through a “decentralised autonomous organisation” (DAO), without a central authority or dominant user group controlling the protocol—though this is rarely achieved in practice.

Non-custodial: In a decentralised setup, users must manage their crypto assets directly, meaning they hold the private keys needed for blockchain access, bypassing intermediaries. This arrangement empowers users by giving them complete control over their digital assets.

Use cases (definitions provided by ACPR)

There are various DeFi applications, given below by relative order of importance (considering the impact on the market, their innovative value, the security and risk management, the user adoption and potential growth). 

These applications not only offer alternatives to traditional financial systems but also introduce levels of efficiency, accessibility, and transparency that are unprecedented.

The primary activity in DeFi, this mirrors traditional finance’s repurchase agreements (repos), where loans are secured by collateral that hedges against crypto-asset volatility and default risk. If the collateral value drops below a certain threshold, it is automatically liquidated. This system is foundational in managing risk and facilitating stable, secure lending transactions in the volatile crypto market.

Occurring on decentralised exchanges (DEXs), these have evolved from traditional order book systems to Automated Market Makers (AMMs), which enable trading against a pool of tokens deposited by users rather than individual counterparties. This innovation significantly enhances liquidity and trading efficiency by allowing transactions without direct reciprocal orders.

Linked to transaction validation on Proof of Stake (PoS) blockchains, these protocols involve validators who secure the network by staking governance tokens as a validation guarantee. The evolution towards liquid staking allows users to stake tokens within a liquidity pool, receiving a liquid token in return, which can be further utilised within the ecosystem, enhancing flexibility and liquidity for stakeholders.

Users lock crypto assets into a smart contract in return for yields, supporting the functioning of decentralised services. This process parallels staking but is applicable across a broader array of tokens, providing critical liquidity to the DeFi ecosystem.

Cover DeFi-specific risks and real-world assets, offering a bridge between digital and physical value systems. These tools expand the utility and reach of DeFi into conventional financial markets and risk management.

Include traditional setups like futures and options with a crypto-asset as the underlying asset, and unique structures like perpetual futures which are an equivalent to contracts for difference (CFDs) in traditional finance.

These uncollateralized loans must be repaid within a single transaction and are used for exploiting arbitrage opportunities across exchanges. This innovative financial product leverages advanced IT to enable profit from short-term price differentials, enhancing market efficiency.

These innovations contribute significantly to the democratisation of finance, allowing individuals and small entities the same opportunities as large corporations to access financial services and grow wealth. Moreover, the integration of advanced security protocols in these applications addresses significant risks associated with traditional financial systems, increasing trust and adoption among a broader user base. Lastly, the continuous evolution and adaptation of these platforms promise to keep pace with technological advancements, ensuring that DeFi remains at the cutting edge of the financial sector.

Risks

Since DeFi is built on complex software layers, most risks are in fact related to the code. They cover both: 

  • Intrinsic code risks, embedded within the smart contract or blockchain software itself. They include bugs, vulnerabilities, or design flaws that can lead directly to malfunctions, exploits, or failures in execution. 
  • Derivative code risks – Risks that emerge as a consequence of how the code is utilised or governed. This includes issues arising from the governance structures, such as how decisions are made (e.g., through DAOs) and who makes them. 

Together, these risk categories highlight the critical need for robust software development practices, thorough testing, and continuous monitoring to maintain the security and reliability of DeFi platforms. 

Ensuring that both intrinsic and derivative risks are managed effectively is essential for the long-term sustainability and success of decentralised finance.

  1. Smart Contract Vulnerabilities: Smart contracts, the fundamental nature of DeFi,  are self-executing contracts with terms directly written into code. If this code contains bugs or logical errors, it can lead to catastrophic effects.
    For example, the DAO (Decentralised Autonomous Organization) hack which occurred in June 2016 was one of the most significant security breaches in the cryptocurrency space at that time. The hack exploited vulnerabilities in the smart contract code of the DAO , leading to the theft of approximately 3.6 million Ether, which was valued at around $50 million USD at the time.
  2. Blockchain risks: Issues with the underlying blockchain can affect the reliability and functionality of DeFi applications, including risks of transaction delays or failures.
  3. Oracles Failure: Oracles are third-party services that feed external data to smart contracts. If this data is incorrect or delayed, it can lead to inappropriate contract executions. An example is a synthetic asset pegged to a real-world commodity mispriced due to delayed price feed updates.
  4. User Interface Risks: Poorly designed user interfaces can lead to user errors, potentially causing unintended transactions or security breaches.
  5. Bridge Risks: Bridges facilitate the transfer of assets across blockchains but can be vulnerable to attacks, leading to significant asset losses.
  6. MEV risks: MEV (Miner Extracted Value) risk arises when participants in a blockchain network exploit their position to manipulate transaction order for profit. This includes front-running (placing their transaction ahead of a known future transaction to capitalize on price changes) or sandwich attacks (manipulating prices by placing orders around a large transaction). These actions can distort market prices and undermine trust in the fairness and security of the DeFi ecosystem.
  7. Composability Risks: DeFi protocols are designed to work together; however, dependencies between these protocols can lead to systemic risks. For example, a malfunction in one protocol could cause cascading failures across others that rely on it, similar to a “domino effect”.
  8. Interoperability Challenges: DeFi protocols often struggle to interact seamlessly due to different standards or technologies. This lack of interoperability can limit the systems’ efficiency and users’ ability to move assets across platforms smoothly. 

Scalability and Network Congestion: As DeFi platforms grow, they may face challenges in handling increased transactions, leading to slower confirmations and higher fees. The Ethereum network has experienced congestion during high usage periods, affecting all applications running on i

Pertain to how decisions affecting the protocol are made, who has the power to make those decisions, and the potential impacts of these decisions on users and the protocol’s integrity.

  • Custodial risk: This involves scenarios where a central authority or a small group of actors has significant control over the assets or operations of a DeFi protocol. If these actors act maliciously or incompetently, they can endanger the assets under their control, leading to potential loss for users and stakeholders. Examples include the risk of these custodians engaging in unauthorised transactions, freezing assets, or even absconding with funds.
  • Tokenomics risk: These risks arise from the economic models and incentive structures built into the DeFi protocols through their tokens. Poorly designed tokenomics can lead to issues such as over-concentration of voting power, token price manipulation, or unsustainable rewards systems that might prioritize short-term gains over long-term viability. This can result in rapid token value depreciation, unfair practices, or economic attacks such as “rug pulls” where developers abruptly withdraw support and abscond with investors’ funds. 

 

  • Operational Risks: These include risks from human error, system failures, or procedural flaws. An operational failure example could be the loss of private keys needed to access funds stored on a blockchain.
  • Regulatory Uncertainty: Unclear or evolving regulations can pose significant compliance challenges, potentially leading to operational restrictions or penalties.

These risks arise when a DeFi protocol or related technology fails to adhere to established industry standards or technical specifications, potentially leading to interoperability issues, security vulnerabilities, or non-compliance with regulatory requirements.

  • Accounting conformance risks: These involve the potential for financial reporting issues when DeFi transactions do not align with traditional accounting standards such as GAAP (Generally Accepted Accounting Principles) or IFRS (International Financial Reporting Standards). This misalignment can lead to inaccuracies in financial statements and difficulties in audits.
  • Operational accounting risks: These risks stem from inaccuracies or failures in the operational aspects of accounting within DeFi protocols. They include mismanagement of funds, mismatches between reported and actual positions, or inadequate internal controls, which can lead to financial losses or misrepresentation of a protocol’s financial health.

These risks refers to the potential for loss that lenders face when borrowers fail to fulfil their debt obligations. This can occur if the collateral securing a loan is insufficient to cover the loan amount during liquidation events, or if there is insufficient demand from liquidators to cover the outstanding debt fully. 

 

These arise when one party fails to fulfil their part of the deal. For instance, if a custodian of a wallet’s private keys is compromised, users could lose access to their assets.

 DeFi markets are susceptible to manipulations 

  • Pump-and-dump schemes: This risk arise, where prices are artificially inflated and then rapidly sold off by insiders. This can leave regular investors with significant losses.
  • Liquidity Risks: This risk occurs when there isn’t enough liquidity on a platform to support user transactions without large price impacts. For instance, if a large withdrawal causes a liquidity pool’s value to plummet, remaining users may find their assets significantly devalued. 

 

As our CEO and founder say 

“Web3 will someday be renamed WallStreet3”

Famous hacks

The history of digital currencies is punctuated by a series of high-profile hacks that have exposed vulnerabilities across various platforms and technologies. Here we chronicle these significant security breaches, which highlight the ongoing battle between advancing cryptographic techniques and the ingenuity of cybercriminals. 

Smart Contract code is publicly visible when the contract is deployed on the blockchain. This allows hackers to look for bugs or configuration errors that they can exploit to attack the DeFi system and steal or destroy value

These incidents collectively illustrate the diverse array of security challenges that the cryptocurrency industry faces, ranging from smart contract vulnerabilities and infrastructure weaknesses to sophisticated cyber-attacks on governance structures.

In 2016 a Smart Contract-based investment fund called The DAO was hacked, resulting in the theft of approximately $50 million worth of Ether. The hack was made possible by a flaw in the DAO’s code, which allowed the attacker to drain funds from the fund’s account. 

BitForex, an online cryptocurrency exchange, vanished after withdrawing nearly $57 million from its hot wallets on February 23, 2024. Users were subsequently blocked from accessing their accounts, highlighting Hong Kong’s ongoing struggle with suspicious crypto entities.In July 2023, a reentrancy weakness in certain versions of the compiler for Vyper (the second most common language used to write Smart Contracts for EVMs, at about 15%), enabled attacks on various Liquidity Pools. Approximately USD 50M was stolen by malicious actors, while attempts to take a further 20M were stopped or reversed by white-hat hackers. 

The Ronin Bridge was targeted in March 2022, with hackers stealing an estimated $624 million from its contract. This incident underscores the heightened Liquidity Risk associated with bridges that necessitate market-driven liquidity for asset transfers.

On February 9 and February 12, 2024, the crypto gaming and NFT platform PlayDapp experienced exploits, resulting in the minting of 1.79 billion PLA tokens valued at over $290 million. According to blockchain analytics firm Elliptic, the hacker began laundering the funds following the exploits.

In April 2022, Beanstalk Farms, an Ethereum-based stablecoin protocol, was exploited for $182 million. The attacker took out a flash loan on lending platform Aave, which was used to amass a large amount of Beanstalk’s native governance token, STALK. With the voting power granted by these STALK tokens, the attacker was able to quickly pass a malicious governance proposal that drained all protocol funds into a private Ethereum wallet. 

Mt. Gox was a Bitcoin exchange that at one point handled more than 70% of all Bitcoin transactions. In 2014, the exchange filed for bankruptcy after it was revealed that it had lost 850,000 Bitcoins, worth approximately $450 million at the time, due to a hack that exploited a weakness in the exchange’s security system

On January 30, 2024, Abracadabra Finance, which issues the Magic Internet Money (MIM) stablecoin, was hacked, resulting in a $6.5 million loss. This incident caused MIM to deviate from its pegged value. According to CoinMarketCap, MIM’s market capitalization dropped sharply from $100 million to just $0.76 before recovering, thanks to prompt intervention by the project’s team. The cause was a smart contract vulnerability linked to a « precision loss » from a rounding error.

Mitigation (Dowsers)

We leverage our extensive experience in formal methods and the application of the 50128 standard to complex software systems comprising hundreds of thousands of lines of code, including those where human safety is paramount. Given that smart contracts are computer programs, our analysis comprehensively assesses the behavior of smart contract code and ensures risk-free execution with the data received.

The exceptional mathematical rigor of formal methods allows us to analyze smart contract code with precision and accurately assess its security level.

Initially, we retrieve the code and on-chain and bring it to our off-chain platform to analyze it thoroughly in various simulated environments.

We classify code functions according to their risk level using internally developed safety indicators inspired by SIL levels from the 50128 standard. These indicators guide our choice of the most appropriate method to verify that the function meets our security properties. This ranges from interface code testing to formal proof for the most critical functions.

These properties are crafted by our experts using the FMEA (Failure Modes and Effects Analysis) method. For the most sensitive cases, formal proof provides assurance by covering all possible scenarios to mathematically demonstrate the absence of bugs, while tests can only prove their presence.

  1. Smart Contract Vulnerabilities : these risks  are covered by our analysis through the verification of our security properties. 
  2. Blockchain Risks : These risks are addressed in our analysis through the verification of our security properties. 
  3. Oracles Failure : These risks are addressed in our analysis through the verification of our security properties. 
  4. User Interface Risks : These risks are addressed in our analysis through the verification of our security properties.
  5. Bridge Risks : Bridges, as a type of smart contract, can be analysed using the same methodologies applied to all smart contracts. 
  6. MEV Risks :These risks are addressed in our analysis through the verification of our security properties.
  7. Composability Risks : These risks are addressed in our analysis through the verification of our security properties.
  8. Interoperability Challenges : These risks are addressed in our analysis through the verification of our security properties.
  9. Scalability and Network Congestion : these risks  are these risks  are covered by our analysis through the verification of our security properties
  1. Custodial risk: this risk  is covered by our analysis through the verification of our security properties.
  2. Tokenomics risk:  this risk  is covered by our analysis through the verification of our security properties.
  1. Operational Risks: These risks are addressed in our analysis through the verification of our security properties, with the exception of human error, which is unrelated to any malfunction in the code.
  2. Regulatory Uncertainty: These risks are addressed in our analysis through the verification of our security properties.
  1. Accounting conformance risks: These risks can be addressed in our analysis through the verification of our security properties
  2. Operational accounting risks: These risks are addressed in our analysis through the verification of our security properties.

 

 These risks are addressed in our analysis through the verification of our security properties.

 These arise when one party fails to fulfil their part of the deal. For instance, if a custodian of a wallet’s private keys is compromised, users could lose access to their assets.

  1. Pump-and-dump schemes: These risks are addressed in our analysis through the verification of our security properties.
  2. Liquidity Risks: These risks are addressed in our analysis through the verification of our security properties.

 Hacks in DeFi cost digital asset investor a staggering $2 billion per year and erode trust in builders and their protocols.

Avoid hacks