More than $78 billion worth of digital assets has been lost to hacks, attacks, and exploits in web3, and a large part of that comes from protocols in decentralized finance (DeFi).
When analyzing DeFi as an investable universe, it’s important to be aware of the types of risks associated with it.
In this article, I summarize the most important DeFi risks, with examples and steps that can help you identify them.
The risks are grouped into 3 major categories:
This research is brought to you by One Click Crypto — Your Gateway to DeFi.
Smart contract risk is the most common DeFi risk, yet it is quite atypical of traditional finance.
DeFi relies on smart contracts, which are self-executing contracts with the terms of the agreement directly written into code. There is a risk that these contracts contain bugs or vulnerabilities that can be exploited, leading to loss of funds.
For instance, the hack on The DAO in 2016, which resulted in a loss of 3.6m ETH, occurred because of a vulnerability in its smart contract.
The standard way to prevent such hacks is through exhaustive and diligent technical audits performed by reputable, world-class auditing firms.
Questions to ask when analyzing smart contract risk:
This risk is related to the centralization of DeFi platforms. Although DeFi is meant to be decentralized, the primary platform (or network) on which a protocol operates (e.g., Ethereum, BNB Chain, Solana) can have systemic issues that negatively affect every DeFi protocol built on it. If the platform experiences a problem such as network congestion, high transaction fees, or security vulnerabilities, it can affect your interactions with the DeFi protocol.
For example, the Solana chain experienced a 7-hour outage in May 2022 as a result of a high volume of NFT activity that congested the network. All the protocols and dApps on Solana were unusable during that time.
Questions to ask when analyzing primary platform risk:
As the blockchain space grows, the interaction between different chains and protocols becomes more important. However, this interoperability can also bring risks. If one protocol is compromised, it may affect others due to their interconnectedness.
This is a risk where a major collapse could occur across the entire DeFi market due to a cascade of failures. This could be triggered by a black swan event, but it can also occur due to the interconnectedness of different protocols.
Example: In December 2022, the Ankr protocol suffered an internal exploit of its aBNBc token, which let the attacker mint an unlimited quantity of aBNBc. Another staking protocol, Helio, which supported the aBNBc asset in its borrowing pools, allowed the attacker to borrow against the newly minted tokens and steal ±$15M worth of assets.
Questions to ask when analyzing interoperability risk:
DeFi protocols often rely on oracles to provide off-chain data. If an oracle provides inaccurate information, or if an attacker manipulates it, it can cause significant issues. For example, an attacker could manipulate the price feed of a lending protocol to artificially inflate the value of their collateral, leading to an undercollateralized loan.
Example: In October 2022, Mango Markets (a decentralized perpetual trading exchange) was drained for more than $116m through an oracle manipulation attack.
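One standard mitigation for the oracle manipulation described above is to feed the lending protocol a time-weighted average price (TWAP) rather than the pool's latest spot quote. The following is an added example, not code from the original article or from any protocol: it models a Uniswap-v2-style cumulative price accumulator over a constructed series of per-block observations and compares how far a one-block spike moves a spot oracle versus a 30-block TWAP.

```python
"""Spot price vs. time-weighted average price (TWAP) as an oracle input.
Added example (not from the original article). The cumulative-price
accumulator mirrors the Uniswap-v2 oracle design; the observations below
are constructed, one spot price per block."""

def price_cumulative(prices):
    """cum[t] = sum of the spot price over every block before t (block
    duration taken as 1 unit), the series a v2-style TWAP oracle stores."""
    cum = [0.0]
    for p in prices:
        cum.append(cum[-1] + p)
    return cum

def spot_oracle(prices):
    """Naive oracle: whatever the pool quotes in the latest block."""
    return prices[-1]

def twap_oracle(prices, window):
    """TWAP over the last `window` blocks: (cum[end] - cum[start]) / elapsed."""
    if window < 1 or window > len(prices):
        raise ValueError("window must be between 1 and the number of observations")
    cum = price_cumulative(prices)
    end, start = len(prices), len(prices) - window
    return (cum[end] - cum[start]) / (end - start)

def oracle_deviation(prices, window):
    """Relative distance of each oracle reading from the pre-spike baseline
    (the first observation). A lending protocol can use a bound on this
    kind of one-block jump to reject a manipulated reading."""
    base = prices[0]
    return {
        "spot": spot_oracle(prices) / base - 1,
        "twap": twap_oracle(prices, window) / base - 1,
    }

# Constructed observations: 29 blocks at $10, then one block in which the
# pool quote has been pushed to $50 (a five-fold move in a single block).
SAMPLE_PRICES = [10.0] * 29 + [50.0]

if __name__ == "__main__":
    dev = oracle_deviation(SAMPLE_PRICES, window=30)
    print(f"spot oracle moved {dev['spot']:+.1%}, 30-block TWAP moved {dev['twap']:+.1%}")
```

With the sample series the spot oracle reads +400% while the 30-block TWAP reads about +13%, which is why a single-block manipulation is far less effective against a TWAP-fed protocol.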
Questions to ask when analyzing oracle risk:
Many DeFi projects have governance tokens that allow holders to vote on protocol changes. However, this can lead to issues if a small number of holders accumulate a large number of tokens, leading to centralization of decision-making power. There’s also the risk of malicious proposals being voted in. For example, if a proposal is approved that is beneficial to a small group but detrimental to the protocol as a whole, it could damage the protocol and its token’s value.
Examples:
In February 2022, an attacker gained access to BUILD Finance's contracts, treasury, and minting keys through a malicious governance proposal that was passed, which resulted in a loss of ±$1.6m.
In April 2022, Beanstalk, an Ethereum-based stablecoin protocol, was hacked for $76m due to a governance attack.
Another major case was the Ronin network, which powered the popular web3 game Axie Infinity and was exploited for more than $615m in March 2022. Through social engineering, the exploiter gained access to 5 of the 9 validator nodes in the network, which effectively gave them "god-level" control over the system.
Questions to ask when analyzing governance risk:
Rug pull refers to a type of scam where developers abandon a project and run away with users’ funds. The developers typically remove liquidity from the market, leading to the price of the tokens crashing down to zero.
In DeFi, rug pulls can often occur amongst new projects with anonymous teams.
Examples:
In October 2021, during the AnubisDAO pre-sale, $60m worth of funds were withdrawn from the contracts by the developers, and operations were then halted.
In 2023 in particular, memecoins became increasingly popular. Some exploiters capitalized on the trend; one of them stole $23m in a rug pull of the BALD token, deployed on the then-new Base chain.
Others even became "serial rug-pullers": another exploiter deployed 29 different memecoins on the Base chain and rugged every one of them, for ±$1m.
Questions to ask when analyzing rug pull risk:
Some DeFi protocols have admin keys that allow the developers to pause contracts, upgrade them, or change certain parameters. While these keys can be beneficial for managing the protocol, they can also be a central point of failure. If the keys are compromised, it could lead to loss of funds. Moreover, there’s also a risk of malicious intent by the team themselves.
For example, in April 2021, the lending protocol EasyFi's admin key was compromised, which resulted in a loss of $60m in funds. EasyFi's founder said that the hacker had gained remote access to the computer that held the admin key.
DeFi protocols often use upgradeable contracts to ensure that their smart contracts can be improved and bugs can be fixed over time. These contracts work by using a proxy contract that forwards calls to an implementation contract, which can be swapped out for a new version.
While this provides flexibility and maintains the integrity of the contract’s address and state, it also introduces risks:
For example, in 2020, the Akropolis project was exploited due to a re-entrancy attack related to its upgradeable contracts, leading to a loss of $2 million.
Another example is the attack on Safemoon's SFM token pool, which resulted in a loss of $8.9m. The attack was made possible by a recent contract update introduced by the team.
Questions to ask when analyzing admin key or upgradeable contract risk:
As DeFi grows, it’s likely to face increased scrutiny and regulation from governments. Changes in regulatory frameworks can significantly impact DeFi projects. For instance, the introduction of anti-money laundering (AML) rules could affect how DEXs operate.
For example, the notable Ethereum-based transaction mixer Tornado Cash has been blacklisted by the US Treasury Department and by other jurisdictions, which made it inaccessible in some parts of the world.
Questions to ask when analyzing regulatory risk:
Cryptocurrencies are known for their price volatility, meaning you can see ±10% ups and downs in your crypto portfolio on a daily basis.
The price of Bitcoin itself has dropped by more than 70% four times in its 14-year history, and other assets such as altcoins can be even more volatile.
These price fluctuations can result in a temporary or a permanent loss of funds.
Questions to ask when analyzing volatility risk:
Assets with small market capitalization are even more susceptible to volatility.
Cryptocurrencies with less than $1B in market cap are generally considered small. Markets below $50M in capitalization are considered micro-caps.
Questions to ask when analyzing small market cap risk:
For protocols that have a native token with a high inflation rate, token holders face the risk of their holdings being diluted. While this is more of an economic risk than a technical one, it’s still something users should be aware of.
For example, in the tokenomics model of CurveDAO, a total of 3.3B CRV tokens are unlocked and distributed gradually over a 6-year period.
As of October 23, 2023, 893,664,233 CRV tokens are in circulation, about 25% of the theoretical maximum supply.
Therefore, if you purchase CRV today and hold it until 2026, there will be at least 3 times more CRV in circulation. Assuming no change in CurveDAO's fundamentals and metrics, this essentially means that your CRV position will be diluted by 66% by the newly unlocked supply.
Of course, if during this time the project keeps growing and the fundamentals become stronger, the potential upside of holding CRV may be more profitable than the inflationary downside. But this question requires further detailed research and analysis.
While the notion of liquidity is often incorporated into other types of risk (like impermanent loss), it’s worth highlighting on its own. Liquidity risk refers to the possibility that an investor might not be able to buy or sell an investment as and when they wish because opportunities are limited. In the context of DeFi, it might be that a particular pool or pair lacks sufficient depth for an investor to exit their position without substantial slippage.
For example, early purchasers of the infamous PEPE memecoin couldn't liquidate their positions without dumping the price to oblivion.
"With 5.9 trillion PEPE tokens in their portfolio, it would take 46,200 years to liquidate these assets, assuming non-declining demand," said Grzegorz Drozdz, market analyst at Conotoxia Ltd. "An attempt to sell the wealth could lead to a collapse in their share price."
Another example is the MIDAS token of the Midas.Investment platform, which was shut down in December 2022. When the announcement of the platform's insolvency became public, investors rushed to sell their MIDAS tokens on Uniswap; however, almost all the liquidity had been drained from the pool. This is what happens when you trade in a low-liquidity pool:
A buyer purchased MIDAS at a price of $1.26 and, just 10 minutes later, another user sold at a price of $0.018. That's a pretty bad price to pay for a trade.
If the majority of the token supply is concentrated in the hands of a few, this could lead to significant volatility and price manipulation.
Several blockchain analytics platforms allow you to check holder distribution of a particular token. For example, De.Fi Scanner highlights such risks and displays holder distribution ratio.
Whenever the top-10 holders hold more than 50% of the supply, this can be considered dangerous. However, this also depends on, for example, whether the funds are locked in a liquidity pool or another smart contract. So you should always review each top-10 holder's address to determine whether it is a real holder or funds pooled together in a smart contract.
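The rule of thumb above (top-10 share over 50%, but with pooled or locked funds checked first) is easy to script. The following is an added example, not code from the original article or from any scanner: the balances and address labels are constructed, and which addresses are pool or lock contracts is an assumption that in practice you would verify on a block explorer.

```python
"""Top-10 holder concentration check with pooled/locked funds set aside.
Added example (not from the original article). Balances and labels are
constructed; KNOWN_CONTRACTS is an assumption standing in for addresses
you have verified to be a liquidity pool or a vesting lock."""

# Constructed balances: address label -> token balance. Total supply 10,000,000.
SAMPLE_BALANCES = {
    "0xPOOL_univ2":   4_000_000,  # assumed: DEX liquidity pool contract
    "0xLOCK_vesting": 1_500_000,  # assumed: team vesting lock contract
    "0xWHALE_1":      1_200_000,
    "0xWHALE_2":        900_000,
    "0xWHALE_3":        600_000,
}
SAMPLE_BALANCES.update({f"0xMID_{i}": 200_000 for i in range(5)})    # 1,000,000
SAMPLE_BALANCES.update({f"0xSMALL_{i}": 160_000 for i in range(5)})  # 800,000

# Addresses that are not "real holders": pooled or locked funds (assumed).
KNOWN_CONTRACTS = {"0xPOOL_univ2", "0xLOCK_vesting"}

def top_holder_share(balances, n=10, exclude=frozenset()):
    """Fraction of total supply held by the n largest holders after removing
    `exclude` from the ranking. Total supply still counts the excluded
    balances, so pooled tokens dilute the remaining holders' share."""
    total = sum(balances.values())
    ranked = sorted(((bal, addr) for addr, bal in balances.items()
                     if addr not in exclude), reverse=True)
    top = ranked[:n]
    return sum(bal for bal, _ in top) / total, [addr for _, addr in top]

def concentration_check(balances, exclude=frozenset(), threshold=0.5):
    """Apply the article's rule of thumb: a top-10 share above `threshold`
    (50% by default) is flagged as dangerous."""
    share, holders = top_holder_share(balances, exclude=exclude)
    return {"top10_share": round(share, 4), "flagged": share > threshold,
            "holders": holders}

if __name__ == "__main__":
    naive = concentration_check(SAMPLE_BALANCES)
    refined = concentration_check(SAMPLE_BALANCES, exclude=KNOWN_CONTRACTS)
    print("naive top-10 share:  ", naive["top10_share"], "flagged:", naive["flagged"])
    print("refined top-10 share:", refined["top10_share"], "flagged:", refined["flagged"])
```

On the sample data the naive check flags the token (92% in the top 10), while the same token drops to about 40% once the pool and the vesting lock are set aside, which is exactly why each top address needs a manual look before the number is trusted.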
Questions to ask when analyzing the concentration of supply risk:
Sometimes, malicious token creators add functions to smart contracts that allow them to mint a substantial or unlimited amount of new tokens.
Usually, these issues can be identified by smart contract scanners. However, if left unnoticed, all the token holders are likely to get rekt. The most likely scenario is that the token creator mints new tokens and sells them into a liquidity pool on a decentralized exchange, pocketing the profit.
Some examples and cases include YFFC and DARK DeFi.
Questions to ask when analyzing the uncapped supply / mintable risk:
A Honeypot is a type of ERC-20 token that appears to be tradable, but due to malicious code, can only be bought and not sold. Scammers set up these tokens along with a liquidity pool, usually paired with ETH, and allow users to buy the token. However, due to restrictions placed in the token’s code, only the creator or those whitelisted by the creator can sell the token back for ETH. To outsiders, the token seems legitimate and tradable until they attempt to sell it and find out they cannot. This results in the token buyers being stuck with a worthless asset, while the scammer can drain the ETH from the liquidity pool, making a profit from the scam.
Examples of such scams occur regularly on Uniswap. In one instance, a scammer created a fake project and paired it with around $300k of ETH in a liquidity pool. After several transactions, the total ETH in the pool was worth $343k, netting the scammer a profit of $43k when they withdrew the ETH from the pool, while the buyers of the honeypot token were unable to sell it.
To avoid honeypot risk, study the smart contract code or use audit scanners that will identify the malicious contracts.
Bridges are used to transfer assets between different blockchain networks. They carry risk in that if the bridge contract is buggy or exploited, users’ funds may be lost.
For example, suppose you bridged your ETH from the Ethereum network to Wrapped ETH (WETH) on a new, unknown network. Usually ETH and WETH have a 1:1 exchange ratio; however, if the bridge gets exploited, your WETH may become worthless.
One notable incident was the Wormhole bridge attack in February 2022, in which attackers siphoned 120,000 Wrapped Ether (WETH) tokens, valued at over $320 million at the time, from the Wormhole bridge. This was a significant exploit that affected the value of the bridged WETH tokens.
Another instance involved the Multichain bridge, which experienced unannounced token outflows that stripped the bridge of nearly all its holdings, including wBTC, USDC, USDT, and a variety of altcoins, with the assets valued at over $130 million. This would have rendered the bridged tokens on the Fantom bridge essentially worthless, as their backing assets were drained.
Some DeFi protocols rely heavily on bridged assets, which are inherent in their design. This poses a huge risk of the protocol going under if the bridged asset fails.
Questions to ask when analyzing the bridge risk:
This risk mainly relates to stablecoins. Stablecoins are designed to maintain a peg to another asset, usually a fiat currency like USD. If they lose this peg, it can cause losses.
Some notable depegs are UST in May 2022, due to a faulty algorithmic stabilization mechanism, and USDC/DAI in March 2023, as a result of problems with the USDC issuer Circle and its custodian bank SVB.
Investigate the mechanisms in place to maintain the peg. For algorithmic stablecoins, understand the underlying algorithms and the conditions that could lead to a depeg. Algorithmic stablecoins have a particularly nasty track record of depegs, with cases including UST, IRON, USDN, aUSD, and others. For asset-backed stablecoins, it makes sense to confirm the reliability and liquidity of the backing assets.
Questions to ask when analyzing depeg risk:
Regulatory risk in crypto token investing refers to the uncertainty and potential financial loss that arises due to changes in laws and regulations affecting the crypto industry. This risk is particularly volatile because the legal framework for cryptocurrencies can be ambiguous and varies greatly by jurisdiction. Regulatory actions can include the reclassification of tokens, enforcement actions against non-compliant entities, and outright bans on trading certain assets. These actions can lead to market instability, as they often prompt quick selloffs and can significantly impact the liquidity and value of crypto assets.
A recent prominent example is the June 2023 lawsuit filed by the SEC against Binance, alleging that tokens such as BNB, SOL, and MATIC were unregistered securities. This action led to a market selloff as these assets were deemed securities, causing their values to plummet.
Questions to ask when analyzing regulatory risk:
Yield in DeFi pools is derived from various sources like trading fees, farming rewards, or lending interests. The sustainability of this yield is crucial; it could be impacted by changing market conditions, the end of liquidity mining incentives, or shifts in user behavior.
For instance, Yearn.finance initially offered high yields through farming rewards which were subject to reduction as the protocol matured and the market adjusted. It’s also important to compare the yield with market averages and question its long-term stability, scalability, and the mechanisms in place to support it.
Also, some DeFi projects may offer exceptionally lucrative returns when in reality they are not backed by anything and are simply disguised pyramid schemes.
Ask yourself these questions:
A DeFi pool without a substantial track record poses higher risks due to the lack of historical data on performance and response to market conditions.
For example, a new pool might not have faced significant market downturns, and its stability during such times is unproven. SushiSwap, in its early days, lacked a long history which made its yield projections and reactions to market volatility uncertain.
Ask yourself these questions:
Leverage risk involves the potential for amplified losses due to borrowed funds used in a DeFi strategy.
For example, the Compound protocol allows for leveraged borrowing which can lead to liquidations if asset prices move unfavorably.
Ask yourself these questions:
Impermanent loss (IL) occurs when providing liquidity to Automated Market Makers (AMMs) and the price of the deposited assets changes compared to when they were deposited.
Pools like those in Uniswap can expose liquidity providers to IL, particularly in volatile asset pairs. To mitigate IL, some pools may offer active portfolio management or IL insurance.
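Both the thin-pool price impact described in the liquidity risk section (the MIDAS trade) and impermanent loss follow from the same constant-product rule, so one model covers both. The following is an added example, not code from the original article or from any DEX: the x*y=k invariant is the Uniswap-v2 rule, while the pool sizes and trades are constructed and the swap fee is ignored for clarity.

```python
"""Constant-product (x*y=k) AMM model for two risks in this article: price
impact when selling into a thin pool (liquidity risk) and impermanent loss
for a liquidity provider. Added example (not from the original article);
reserves and trades are constructed, swap fee ignored."""
from math import sqrt

class ConstantProductPool:
    """Pool holding `x` units of a token and `y` units of a quote asset (USD)."""
    def __init__(self, token_reserve, quote_reserve):
        self.x = float(token_reserve)
        self.y = float(quote_reserve)

    def spot_price(self):
        return self.y / self.x

    def sell_tokens(self, amount):
        """Sell `amount` tokens into the pool. Returns (quote_received,
        average_price). x*y stays constant, so a sell that is large relative
        to the reserve executes far below the quoted spot price."""
        k = self.x * self.y
        new_x = self.x + amount
        out = self.y - k / new_x
        self.x, self.y = new_x, self.y - out
        return out, out / amount

def impermanent_loss(price_ratio):
    """Closed form for a 50/50 constant-product LP: value relative to simply
    holding the deposited assets when price moves by `price_ratio`
    (new/old). Non-positive, e.g. -0.2 for a 4x move in either direction."""
    r = price_ratio
    return 2 * sqrt(r) / (1 + r) - 1

def lp_vs_hold(token_reserve, quote_reserve, price_ratio):
    """The same result step by step for an LP owning the whole pool: the
    external price moves, arbitrage rebalances the pool (x'*y' = k with
    y'/x' = new price), then LP value is compared with holding."""
    x, y = float(token_reserve), float(quote_reserve)
    k, p1 = x * y, (y / x) * price_ratio
    x_new, y_new = sqrt(k / p1), sqrt(k * p1)
    lp_value = x_new * p1 + y_new
    hold_value = x * p1 + y
    return lp_value, hold_value, lp_value / hold_value - 1

if __name__ == "__main__":
    # Thin pool quoting $1.26; a seller dumps 4x the pool's token reserve.
    pool = ConstantProductPool(100_000, 126_000)
    received, avg = pool.sell_tokens(400_000)
    print(f"avg fill ${avg:.3f} vs spot $1.26; spot after the sale ${pool.spot_price():.4f}")
    print("IL for a 4x price move:", round(impermanent_loss(4.0), 4))
```

In the constructed sale the seller receives an average of about $0.25 per token against a $1.26 quote and leaves the pool quoting about $0.05, the same mechanism behind the MIDAS trade above.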
Ask yourself these questions:
The risk of ruin in DeFi pools encompasses scenarios where total loss could occur, such as through smart contract failure or governance attacks. This was seen in the case of the Harvest Finance exploit where a smart contract vulnerability led to significant losses.
Ask yourself these questions:
There is a specific category of risks related to the usage of DeFi lending protocols.
Currency risk refers to the potential for losses due to movements in the exchange rate of two currencies. For example, if you’re lending or borrowing in a currency other than your native one, exchange rate fluctuations could affect your returns.
In DeFi, users can borrow assets using collateral. If the value of the collateral falls significantly, it can result in automatic liquidation of the collateral to repay the loan. If the market moves quickly and the value of the collateral falls below the borrowed amount before it can be liquidated, the protocol may suffer a loss. This loss is usually referred to as "bad debt".
A recent example of bad debt being incurred by a protocol is the attack by the well-known DeFi hacker Eisenberg on the AAVE protocol, carried out by manipulating the price of the CRV token. This attack left AAVE with $1.6m worth of bad debt.
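The difference between a liquidation that works and one that leaves bad debt is timing: whether the collateral is seized while it is still worth more than the debt. The following is an added example, not code from the original article or from any lending protocol: it walks a single position through two constructed price paths using a health-factor rule of the kind lending protocols use, with a liquidation threshold and bonus that are assumed values, not any protocol's real parameters.

```python
"""Collateralised loan under a falling price: timely liquidation vs. bad
debt. Added example (not from the original article). The 0.8 liquidation
threshold and 5% liquidator bonus are assumed illustrative values."""
from dataclasses import dataclass

@dataclass
class Position:
    collateral_amount: float   # units of the collateral token
    debt_usd: float            # borrowed stablecoin value, in USD

def health_factor(pos, price, liq_threshold):
    """collateral value * threshold / debt; below 1.0 the position is
    liquidatable (the usual lending-protocol convention)."""
    return pos.collateral_amount * price * liq_threshold / pos.debt_usd

def liquidate(pos, price, liq_bonus):
    """A liquidator repays the full debt and seizes collateral worth
    debt * (1 + bonus), capped at what the position actually holds.
    Returns (bad_debt_usd, seized_collateral). If the collateral is worth
    less than the debt, the shortfall is bad debt carried by the protocol."""
    collateral_value = pos.collateral_amount * price
    seized_value = min(collateral_value, pos.debt_usd * (1 + liq_bonus))
    bad_debt = max(0.0, pos.debt_usd - collateral_value)
    return bad_debt, seized_value / price

def run_price_path(pos, prices, liq_threshold=0.8, liq_bonus=0.05):
    """Walk one observed price per block (constructed). Liquidate at the
    first block where health < 1 and report any bad debt incurred."""
    for block, price in enumerate(prices):
        if health_factor(pos, price, liq_threshold) < 1.0:
            bad_debt, seized = liquidate(pos, price, liq_bonus)
            return {"liquidated_at_block": block, "price": price,
                    "seized_collateral": seized, "bad_debt_usd": bad_debt}
    return {"liquidated_at_block": None, "price": prices[-1],
            "seized_collateral": 0.0, "bad_debt_usd": 0.0}

# Constructed scenario: 100 units of collateral against $6,000 of debt.
POSITION = Position(collateral_amount=100.0, debt_usd=6_000.0)
GRADUAL_DROP = [100.0, 90.0, 80.0, 74.0, 70.0]   # liquidators keep up
SUDDEN_DROP = [100.0, 90.0, 50.0]                # price gaps past the threshold

if __name__ == "__main__":
    for name, path in (("gradual", GRADUAL_DROP), ("sudden", SUDDEN_DROP)):
        print(name, run_price_path(POSITION, path))
```

On the gradual path the position is liquidated at $74 with the collateral still worth $7,400 against $6,000 of debt, so the protocol is whole; on the sudden path the first liquidatable price is $50, the collateral is worth only $5,000, and the protocol books $1,000 of bad debt.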
Another niche category of risks is related to trading on decentralized exchanges (DEX).
Miner Extractable Value (MEV) is the profit a miner can make through their ability to include, exclude, or reorder transactions within the blocks they produce. MEV can result in frontrunning, where a miner can see a pending transaction and place their own first with a higher gas price. This can lead to losses for users, particularly in the context of high-value trades on a DEX.
Overall, MEV is a complex topic that deserves a separate article.
This risk is associated with the user themselves. Cryptocurrencies and DeFi are complex, and there is the risk that the user may make a mistake such as sending funds to the wrong address, not properly understanding how a protocol works leading to loss, or falling victim to phishing attempts.
As we’ve seen, the DeFi sector is full of opportunities but also riddled with risks, resulting in billions of lost funds. This guide has outlined the key dangers, from platform-related issues to asset volatility and strategy pitfalls. Moving forward, be well-informed and cautious in your DeFi endeavors and always degen responsibly.