DeFi: A Playground of Fire?
Over the past few months, DeFi (Decentralized Finance) has pretty much consumed my life. The innovation taking place, the speed at which it is occurring, and the implications of it, is really unparalleled elsewhere. Banking the unbanked, and true wealth sovereignty & fluidity, are just two promises the ecosystem is working towards. And making great progress, at that!
Of course, it isn’t just blue skies, the space is filled with risk everywhere you go. And it is very likely that you will get burnt, even with a disciplined approach. This is the cost of being early. But, if you manage your risk, you could come out way ahead than where you started.
Thus, after a few of my friends started asking me about DeFi, I thought I’d create a quick framework to think of the various risks associated with playing in this ecosystem. In fact, a lot of them are not restricted to DeFi, but are applicable to the broader crypto space as well. So, whether DeFi becomes your thing or not, it is prudent to create a mental model for all the risks you are exposing yourself to.
Lastly, before we get into the meat of the matter, it is important to remember that these are only my personal categorizations; if you delve into the details, not only will you find much overlap between categories, but also will you realize how much I am simplifying. Today, I shall sacrifice accuracy for comprehensibility. And, of course, this list is non-exhaustive. I don’t want to scare anyone away from DeFi, before they’ve had their first dopamine hit from experiencing a 1000%+ APY, in real time! ;))
With that, let’s begin.
Fat Finger Risk
Essentially, this is you being lazy. Not double checking the withdrawal address, not adding that memo when required, and sometimes even going through the motions without consciously paying attention to the various transactions you are approving.
If you’re new, I understand how keeping track of the basics can seem difficult. But the fact remains, this is the easiest risk to mitigate. Out of all the ways to lose money in DeFi, this isn’t one you want to fall victim to.
Remember, on a blockchain, there is no going back.
Like in the real world, anytime you lend, you are betting on the borrower to pay you back. The same applies for DeFi. Yes, borrowing/lending DeFi platforms (like AAVE) are over-collateralized, but a sudden drop in value of the collateral coupled with a panic across depositors could lead to you holding the bag… empty.
The entire crypto market collapses, chances are your holdings will too. Simple.
This is a deceptively difficult concept to grasp. Every time I feel like I’ve understood it, a new edge case pops up that makes me reevaluate my understanding. So, don’t worry if you can’t wrap your ahead around it on your first attempt.
To begin, we’ll first need a basic understanding of ‘liquidity pools’ — a key primitive underpinning the existence of DEXs (decentralized exchanges), and thus the entire DeFi ecosystem — analogous to the order book system used in centralized exchanges such as the NYSE. Without getting into the specifics, think of liquidity pools as a vault that has a large quantity and equal value of two tokens. Enabling people to trade between the two as they wish. So, if we have a pool of X and Y, I can provide Token X to get Token Y in return (and vice versa), for a fee that is. This fee then goes to the individuals who provided the tokens in the vault, so that the trade was possible in the first place.
Okay, now that we have firm footing on liquidity pools, let’s come back to impermanent loss. Essentially, it is the opportunity cost of providing liquidity to the pool, as opposed to simply holding the tokens individually. In other words, it is the difference between the gain/loss from providing liquidity versus not providing liquidity. What happens is, due to the mechanism with which most DEXs work, a drastic change in the price between the two pooled assets, causes your share of tokens to be worth less than if you simply held your tokens idle in your wallet. And it’s called impermanent, simply because if the price delta reduces as time goes on, the unrealizes loss goes away.
With newer projects, the volume the token is traded might not be sufficient for you to sell your holdings without it incurring significant “slippage”. This means that by the very act of you selling, the price falls, thereby making your realized gain to be less than your unrealized gain. This is especially true if you are trading larger quantities. In some cases, you might not be able to sell at all, making all your paper profits worthless.
This is common sense. If the project you’ve invested in doesn’t deliver on their promises, or if the consensus community belief is that they will underdeliver, the token price will tend to underperform the market. Doesn’t matter if you’re generating 1000x APY, if the value of the token being farmed keeps on falling in value.
Smart Contract Risk
All Dapps (Decentralized Applications) are built on the premise that the smart contract used to build the application actually works. This holds true for DeFi, as well. For whatever reason, if the smart contract fails, well, anything can happen really; software bugs are notorious for their unpredictability. However, if the smart contract itself is hacked, then I think we all know what will probably happen.
An Oracle is a key component of the Web3 tech stack. While blockchains are very good with maintaining security and verifiability of information “on-chain” (i.e. on the blockchain), we still require them to access information off-chain. Without which, they would seldom provide material real-world utility; for example, we wouldn’t be able to trade, on chain, synthetic securities of popular stocks like Amazon, Apple, etc. To enable blockchains to access this real-world data, we call on Oracles.
As you would guess, the risk comes in when the subject data is inaccurate or manipulated in some fashion, thereby compromising the reliability of the application using this data.
Another fundamental innovation that has allowed the entire crypto ecosystem to flourish, is the Stablecoin. These are tokens pegged to real life currencies; the most adopted ones being pegged to the US dollar. Now, there are multiple ways this peg is achieved: some do by a real world fiat reserve backing their token, while others utilize algorithms to maintain the peg. Both have their pros and cons, and both have the risk of losing peg. There have been cases where some collapse to zero altogether.
If this happens, the stablecoins you’ve parked on the sidelines, waiting for a good buy opportunity, might not be there when you need it the most.
These include some of the many methods scammers use to directly access your funds.
Rug Pull is so common nowadays, that “getting rugged” is seen as a rite of passage by some.
Remember liquidity pools? Well, in a rug pull, the scammers first create a new token (let’s call it XYZ), launch a liquidity pool for it paired with an established coin (like BTC). Which, after marketing, attracts people to add liquidity into the pool with hopes to earn yield via the transaction fees. Critically, unknown to the public, the project developers either retain a large chunk of XYZ, or simply mint (i.e create) a large quantity using a backdoor they embedded in the original source code. Then, once the pool value hits a certain critical mass, they dump their XYZ in the pool and withdraw all the BTC. Thus causing the price of XYZ to plummet, and investors holding bags of worthless coins.
Phishing is probably one of the most common internet scams we see today. Often the scammers pretend to be either a famous company or personality, in order to get you to reveal sensitive information such as your password or secret key. Social media, emails, or even phone calls are possible channels for a phishing attack.
A more sophisticated version of Phishing. There have been situations where people go through elaborate setups to gain someone’s trust, thereby allowing scammers to deceive the victim through any of the many attack vectors. Case in point.
When making a transaction on a decentralized application, you will be prompted to approve it on your wallet. Only by doing so will the application’s smart contract be able to execute whatever action you are trying to do. Before giving your approval, always go through the details! This is especially true for using newer, unestablished protocols. Because it is very possible that the approval the protocol is asking for, may not be the one it leads you to believe. End result is as you’d expect — a complete loss of you funds.
Let’s go through a quick example. You’ve just landed on YetAnotherSwap, a new DEX (decentralized exchange). You connect your wallet to the application, select the BTC-USDT pair, and the quantity you want to trade between. Now, before executing this trade, your wallet prompts you for “approval”, to allow YetAnotherSwap access the USDT in your wallet to purchase the BTC. You, having seen BTC pump 5x in 1 week, can’t wait any longer and hastily approve it. On an established platform, this is seldom anything to worry about. However, YetAnotherSwap is new, with no solid track record. And in your rush of FOMO, what you didn’t see is that the approval you gave for was not for the exact quantity of USDT to be traded, but for an unlimited amount. Congratulations, the scammer can now withdraw all your USDT.
Miner Extractable Value
On a blockchain, the network progresses with every new block (of transactions) added to the preceding one. To facilitate this process, miners are called upon to take the unconfirmed transactions and create the aforementioned subsequent block.
While other stakeholders (known as validators) must reach consensus (i.e. all validators must verify the block’s mathematical accuracy) before it is permanently appended to the chain, the block itself is created by one and only one miner. Giving this individual control over what order the transactions should be placed in within the block. Using this ability, miners can profit from various ways (such as front running) at the expense of the oblivious transacting users.
Be aware of your local regulations. Ideally, stay within all defined boundaries and don’t step into grey areas. But, being a DeFi explorer, if it must be done, stay within a reasonable limit of the original intent of the law.
Not Doing Your Own Research Risk
This is the granddaddy of all risks. Crypto being crypto, things move rapidly. Being unaware of the latest developments can be critical in your pursuit to use any application. As a rudimentary example, take Gas Fees (if you’re unaware, think of it as a transaction cost). Gas Fees are fundamental to how blockchains work, but the fact remains, making a simple transaction could be a net negative if you’re oblivious for the accounting adjustments made by such fees. For the slightly more savvy user, the same principal applies for when we have deposit/withdrawal/reward fees on farms.
Another implication of the rapid pace of innovation is that it’s inevitable for risks that aren’t present today, to emerge tomorrow. Be aware of the distinction between known and unknown risk. The best way to hedge against this is first principals thinking and common sense. An alternate route you may take is to go slow. Don’t do too much, too fast (I’ve been guilty of this as well). Understand what you’re getting yourself into, and only take bets you can afford to lose.
To build on risk management, similar to literally every other facets of the financial world, while there is no way to eliminate all risk, there are many ways to minimize it. How? Well, here’s a quick list of a few techniques I use.
1. Actually do your own research. I don’t care if it’s tiring or takes too much time. If not, you will get burnt.
2. Look for projects that have bug bounty programs, passed reputed audits, teams with a solid track records (if KYC’d, even better), an existent and active social media presence, and an accessible core team (via channels like Discord). Social proof is always a huge plus.
3. See what popular Risk Assessment communities have to say. Some popular ones include Rugdoc and Whatthefork. Of course, don’t forget Reddit.
4. Use a cold wallet wherever possible.
5. Traction traction traction! The larger the Total Value Locked in a protocol, the more likely people have vetted the tech and trust it with their hard earned money. Longevity, too, is reassuring.
6. Question their value creation model. Does the project actually have a use case? Is it just another fork of a successful project? Where are they generating their yields from? Is it sustainable?
Given what’s at stake here, I must reiterate, there is nothing more important than you actively searching out the relevant information needed to make your DeFi activities as safe and profitable as possible. If you’re reading this, you’re on the right path. What I have provided you here with is a high level overview of some of the major risks. Now, it is your responsibility to figure out how to minimize the downside, given your personal situation. Also, it’s entirely possible that I may be wrong in some areas. Hell, I’ve probably made a dozen mistakes since last night. I’m still learning, just like you. So…