One Click DeFi Risk Framework

More than $78 billion worth of digital assets had been lost as a result of various types of hacks, attacks, and exploits in web3. A big part of it comes from protocols in decentralized finance.

When analyzing DeFi as an investable universe, it’s important to be aware of the types of risks associated with it.

In this article, I aim to summarize all the most important DeFi risks with examples and steps on how to potentially identify them.

The risks are grouped into 3 major categories:

1. Protocol Risks — risks related to DeFi platforms with which you interact.
2. Asset Risks — risks related to assets in a portfolio.
3. Yield Pool / Strategy Risks — risks related to specific pools or strategies available on DeFi protocols.

This research is brought to you by One Click Crypto — Your Gateway to DeFi.

1. Protocol Risks

1.1 Smart Contract Risk

Smart contract risk is the most common DeFi risk, yet is quite atypical to traditional finance.

DeFi relies on smart contracts, which are self-executing contracts with the terms of the agreement directly written into code. There is a risk that these contracts contain bugs or vulnerabilities that can be exploited, leading to loss of funds.

For instance, the hack on The DAO in 2016, which resulted in a loss of 3.6m ETH, occurred because of a vulnerability in its smart contract.

The way to prevent hacks is through exhaustive and diligent technical audits performed by world-class reputable auditing firms.

Questions to ask when analyzing smart contract risk:

1. When was the last audit of the smart contract performed?
2. Who performed the audit and what were the findings?
3. Is there a bug bounty program in place and what’s its maximum payout?
4. Have there been any security incidents in the past? If so, how were they handled?

1.2 Primary Platform Risk

This risk is related to the centralization of DeFi platforms. Although DeFi is meant to be decentralized, the primary platform (or network) on which these protocols operate (e.g., Ethereum, BNB Chain, Solana) can have systemic issues that can negatively affect all associated DeFi protocols. If the platform experiences a problem like network congestion, high transaction fees, or security vulnerabilities, it can affect your interactions with the DeFi protocol.

For example, Solana chain experienced a 7-hour outage in May 2022, as a result of a high volume of NFT activity which congested the network. All the protocols and dApps on Solana were unusable during that time.

Questions to ask when analyzing primary platform risk:

1. On what blockchain platform does the protocol operate?
2. How secure is this platform? What is the history of attacks on this platform?
3. How is the platform maintained and upgraded?
4. Is there a risk of congestion or high fees affecting transactions?

1.3 Interoperability or Systemic Risk

As the blockchain space grows, the interaction between different chains and protocols becomes more important. However, this interoperability can also bring risks. If one protocol is compromised, it may affect others due to their interconnectedness.

This is a risk where a major collapse could occur across the entire DeFi market due to a cascade of failures. This could be triggered by a black swan event, but it can also occur due to the interconnectedness of different protocols.

Example: In Dec 2022, Ankr protocol suffered an internal exploit of its aBNBc token, which let the attacker mint an unlimited quantity of aBNBc. Another staking protocol, Helio, which supported aBNBc asset in its borrowing pools, allowed the attacker to borrow against the newly minted exploited tokens and steal ±$15M worth of assets.

Questions to ask when analyzing interoperability risk:

1. Does the protocol rely on other platforms or protocols for its operation?
2. How secure and reliable are these dependencies?
3. What happens if one of these dependencies fails or is attacked?

1.4 Oracle Risk

DeFi protocols often rely on oracles to provide off-chain data. If an oracle provides inaccurate information, or if an attacker manipulates it, it can cause significant issues. For example, an attacker could manipulate the price feed of a lending protocol to artificially inflate the value of their collateral, leading to an undercollateralized loan.

Example: In October 2022, Mango Markets (a decentralized perpetual trading exchange) was drained for more than $116m through an oracle manipulation attack.

Questions to ask when analyzing oracle risk:

1. What oracles does the protocol use for price feeds or other data?
2. How reliable are these oracles? Have they been manipulated or attacked in the past?
3. Are there any centralized points of failure in the oracle system?
4. Does the protocol use multiple oracles for redundancy?

1.5 Governance Risk

Many DeFi projects have governance tokens that allow holders to vote on protocol changes. However, this can lead to issues if a small number of holders accumulate a large number of tokens, leading to centralization of decision-making power. There’s also the risk of malicious proposals being voted in. For example, if a proposal is approved that is beneficial to a small group but detrimental to the protocol as a whole, it could damage the protocol and its token’s value.

Examples:

In February 2022, an attacker gained access to BUILD Finance contracts, treasury, and minting keys through a malicious governance proposal that was passed which resulted in a loss of ±$1.6m.

In April 2022, Beanstalk, an Ethereum-based stablecoin protocol, was hacked for $76m due to a governance attack.

Another major case was where the Ronin network, which powered a popular web3 game, Axie Infinity, was exploited for more than $615m in March 2022. Through social engineering, the exploiter gained access to 5 out of 9 validator nodes in the network, which effectively, gave him the “god-level” controls over the system.

Questions to ask when analyzing governance risk:

1. How are decisions made in the protocol?
2. Are voting rights fairly distributed, or are they concentrated in a few hands?
3. Is there a risk of malicious actions by governance token holders?

1.6 Rug Pull Risk

Rug pull refers to a type of scam where developers abandon a project and run away with users’ funds. The developers typically remove liquidity from the market, leading to the price of the tokens crashing down to zero.

In DeFi, rug pulls can often occur amongst new projects with anonymous teams.

Examples:

In October 2021, during the AnubisDAO pre-sale, $60m-worth of funds were withdrawn from the contracts by the developers, with operations then halted.

In 2023 in particular, memecoins became increasingly popular. Some exploiters capitalized on the trend, one of them stealing $23m in a BALD token rug pull that was deployed on a then-new Base chain.

Others even become “serial rug-pullers”, another exploiter deploying 29 different memecoins on the Base chain and rugging every one of them for ±$1m.

Questions to ask when analyzing rug pull risk:

1. Is the team behind the protocol anonymous or known and reputable?
2. Are the project’s financials transparent and auditable?
3. Are there mechanisms in place to prevent a “rug pull” or sudden withdrawal of liquidity?

1.7 Admin Key Risk

Some DeFi protocols have admin keys that allow the developers to pause contracts, upgrade them, or change certain parameters. While these keys can be beneficial for managing the protocol, they can also be a central point of failure. If the keys are compromised, it could lead to loss of funds. Moreover, there’s also a risk of malicious intent by the team themselves.

For example, in April 2021, the lending protocol EasyFi’s admin key was compromised, which resulted in a loss of $60m in funds. EasyFi’s founder said that the hacker gained access to the computer that held the admin key remotely.

1.8 Proxy or Upgradeable Contract Risk

DeFi protocols often use upgradeable contracts to ensure that their smart contracts can be improved and bugs can be fixed over time. These contracts work by using a proxy contract that forwards calls to an implementation contract, which can be swapped out for a new version.

While this provides flexibility and maintains the integrity of the contract’s address and state, it also introduces risks:

• If the protocol’s governance process allows for contract upgrades, it’s possible for a malicious upgrade to be implemented if the governance is compromised. This new contract could have functions that allow for unauthorized access or even the direct withdrawal of funds.
• If a single developer or small group of developers have control over the upgrade process, this becomes a central point of failure. If their keys are compromised, an attacker could upgrade the contract to a malicious version.
• Upgradeable contracts are more complex than standard smart contracts, which increases the potential for bugs and vulnerabilities. Each upgrade also needs to be thoroughly audited and tested, as it could introduce new vulnerabilities.

For example, in 2020, the Akropolis project was exploited due to a re-entrancy attack related to its upgradeable contracts, leading to a loss of $2 million.

Another example is an attack on Safemoon’s SFM token pool which resulted in a loss of $8.9m. The attack was made possible due to a recent contract update introduced by the team.

Questions to ask when analyzing admin key or upgradable contract risk:

1. Who has access to admin keys or upgradeable contracts?
2. What safeguards are in place to prevent misuse of these keys or contracts?
3. Has there been any past incidents related to admin key misuse or contract upgrades?

1.9 Regulatory Risk

As DeFi grows, it’s likely to face increased scrutiny and regulation from governments. Changes in regulatory frameworks can significantly impact DeFi projects. For instance, the introduction of anti-money laundering (AML) rules could affect how DEXs operate.

For example, the notable Ethereum-based transaction mixer Tornado Cash has been blacklisted by the US Treasury Department as well as other jurisdictions which made it inaccessible in some parts of the world.

Questions to ask when analyzing regulatory risk:

1. In which jurisdiction(s) does the protocol operate?
2. Are there any pending or potential regulatory changes in these jurisdictions that could affect the protocol?
3. Has the protocol received any legal or regulatory scrutiny in the past?

2. Asset Risks

2.1 Volatility Risk

Cryptocurrencies are known for their price volatility, meaning you can see ±10% ups and downs in your crypto portfolio on a daily basis.

The price of Bitcoin itself dropped by more than 70% four times in its 14-year history. And other assets like altcoins can be even more volatile.

These price fluctuations can result in a temporary or a permanent loss of funds.

Questions to ask when analyzing volatility risk:

1. How volatile has the asset’s price been in the past?
2. Are there factors that could cause significant price fluctuations in the future?
3. How does the asset’s volatility compare to other similar assets?

2.2 Small Market Cap Risk

Assets with small market capitalization are even more susceptible to volatility.

Cryptocurrencies with less than $1B in market cap are generally considered small. Markets below $50M in capitalization are considered micro-caps.

Questions to ask when analyzing small market cap risk:

1. What is the current market cap of the asset?
2. How does the asset’s market cap compare to other similar assets?
3. Are there factors that could lead to significant changes in the market cap?

2.3 Low Circulating Supply or Inflation Risk

For protocols that have a native token with a high inflation rate, token holders face the risk of their holdings being diluted. While this is more of an economic risk than a technical one, it’s still something users should be aware of.

For example, in the tokenomics model of CurveDAO, a total of 3.3B CRV tokens are unlocked and distributed gradually over the 6-year period.

As of October 23, 2023, only 893,664,233 CRV tokens are currently in circulation, about 25% of the theoretical maximum supply.

Therefore, if you decide to purchase CRV today and hold until 2026, there will be at least 3 times more CRV in circulation. Given no changes in CurveDAO fundamentals and metrics, it will essentially mean that your CRV position will get diluted by 66% with the newly unlocked supply.

Of course, if during this time the project keeps growing and the fundamentals become stronger, the potential upside of holding CRV may be more profitable than the inflationary downside. But this question requires further detailed research and analysis.

2.4 Liquidity Risk

While the notion of liquidity is often incorporated into other types of risk (like impermanent loss), it’s worth highlighting on its own. Liquidity risk refers to the possibility that an investor might not be able to buy or sell an investment as and when they wish because opportunities are limited. In the context of DeFi, it might be that a particular pool or pair lacks sufficient depth for an investor to exit their position without substantial slippage.

For example: Early purchasers of the infamous PEPE memecoin, couldn’t liquidate their positions without dumping the price to oblivion.

“With 5.9 trillion PEPE tokens in their portfolio, it would take 46,200 years to liquidate these assets, assuming non-declining demand,” Grzegorz Drozdz, market analyst at Conotoxia Ltd. “An attempt to sell the wealth could lead to a collapse in their share price.”

Another example is the MIDAS token of the Midas.Investment platform that was shut down in December 2022. When the announcement of platform insolvency became public, investors rushed on to sell their MIDAS tokens on Uniswap, however, almost all the liquidity was drained from the pool. This is what happens when you trade in a low-liquid pool:

A buyer purchased MIDAS at a price of $1.26 and in just 10 minutes, another user is selling at a price of $0.018. That’s a pretty bad price to pay for a trade.

2.5 Concentration of Supply Risk

If the majority of the token supply is concentrated in the hands of a few, this could lead to significant volatility and price manipulation.

Several blockchain analytics platforms allow you to check holder distribution of a particular token. For example, De.Fi Scanner highlights such risks and displays holder distribution ratio.

Whenever the top-10 holders hold more than 50% of the supply, this can be considered dangerous. However, this can also depend on, for example, if the funds are locked in a liquidity pool or another smart contract. So you might always review each top-10 owner’s address to determine if that’s a real holder or funds pooled together in a smart contract.

Questions to ask when analyzing the concentration of supply risk:

1. How is the supply of the asset distributed?
2. Are there entities that hold a large percentage of the total supply?
3. Are there safeguards in place to prevent manipulation by large holders?

2.6 Uncapped Supply / Mintable Risk

Sometimes, malicious token creators add functions to smart contracts that allow them to mint a substantial or unlimited amount of new tokens.

Usually, these issues can be identified by smart contract scanners. However, if left unnoticed, all the token holders are likely to get rekt. The most likely scenario for a token creator is to mint new tokens and sell them into a liquidity pool on a decentralized exchange pocketing a profit.

Some examples and cases include YFFC and DARK DeFi.  

Questions to ask when analyzing the uncapped supply / mintable risk:

1. Does the asset have a maximum supply limit?
2. If not, how is the supply managed to prevent devaluation?
3. Can the token creator mint new tokens?

2.7 Honeypot Risk

A Honeypot is a type of ERC-20 token that appears to be tradable, but due to malicious code, can only be bought and not sold. Scammers set up these tokens along with a liquidity pool, usually paired with ETH, and allow users to buy the token. However, due to restrictions placed in the token’s code, only the creator or those whitelisted by the creator can sell the token back for ETH. To outsiders, the token seems legitimate and tradable until they attempt to sell it and find out they cannot. This results in the token buyers being stuck with a worthless asset, while the scammer can drain the ETH from the liquidity pool, making a profit from the scam.

Examples of such scams occur regularly on Uniswap. One instance where a scammer created a fake project and paired it with around $300k of ETH in a liquidity pool. After several transactions, the total ETH pool was worth $343k, netting the scammer a profit of $43k as they were able to withdraw the ETH from the pool, while the buyers of the honeypot token were unable to sell it.

To avoid honeypot risk, study the smart contract code or use audit scanners that will identify the malicious contracts.

2.8 Bridged Asset Risk

Bridges are used to transfer assets between different blockchain networks. They carry risk in that if the bridge contract is buggy or exploited, users’ funds may be lost.

For example, you bridged your ETH from the Ethereum network to Wrapped ETH (WETH) on a new unknown network. Usually ETH and WETH have a 1:1 exchange ratio, however, if the bridge gets exploited, your WETH may become worthless.

One notable incident was the Wormhole bridge attack in February 2022, where attackers siphoned 120,000 Wrapped Ether (WETH) tokens, valued at over $320 million at the time, from the Wormhole bridge. This was a significant exploit that affected the value of the bridged wETH tokens​.

Another instance involved the Multichain bridge, which experienced unannounced token outflows that stripped the bridge of nearly all its holdings, including wBTC, USDC, USDT, and a variety of altcoins, with the assets valued at over $130 million. This would have rendered the bridged tokens on the Fantom bridge essentially worthless as their backing assets were drained​.

Some DeFi protocols heavily rely on the usage of bridge assets and they are inherent in their design. This poses huge risks of protocol going under if the bridged asset goes down.

Questions to ask when analyzing the bridge risk:

1. Is the token a bridged asset?
2. If so, what is the reputation and track record of a bridge in question?
3. How decentralized is the bridge?
4. Is there an insurance fund or a mitigation plan in case of an exploit?

2.9 Depeg Risk

This risk mainly relates to stablecoins. Stablecoins are designed to maintain a peg to another asset, usually a fiat currency like USD. If they lose this peg, it can cause losses.

Some notable depegs are UST in May 2022 due to faulty algorithmic stabilization mechanism, and USDC/DAI in March 2023 as a result of problems with USDC issuer Circle and its custodian bank SVB.

Investigate mechanisms in place to maintain the peg. For algorithmic stablecoins, understand the underlying algorithms and the conditions that could lead to a depeg. Algorithmic stablecoins have a specifically nasty track record of depegs, cases including UST, IRON, USDN, aUSD, and others. For asset-backed stablecoins, it would make sense to confirm the reliability and liquidity of the backing assets.

Questions to ask when analyzing depeg risk:

1. What is the stablecoin backed by?
2. How transparent is the stablecoin issuer with their reserves?
3. What is the issuer’s track record?
4. How does the stablecoin maintain its peg?

2.10 Regulatory Risk

Regulatory risk in crypto token investing refers to the uncertainty and potential financial loss that arises due to changes in laws and regulations affecting the crypto industry. This risk is particularly volatile because the legal framework for cryptocurrencies can be ambiguous and varies greatly by jurisdiction. Regulatory actions can include the reclassification of tokens, enforcement actions against non-compliant entities, and outright bans on trading certain assets. These actions can lead to market instability, as they often prompt quick selloffs and can significantly impact the liquidity and value of crypto assets.

A recent prominent example is the June 2023 lawsuit filed by the SEC against Binance, alleging that tokens such as BNB, SOL, and MATIC were unregistered securities. This action led to a market selloff as these assets were deemed securities, causing their values to plummet.

Questions to ask when analyzing regulatory risk:

1. Is the crypto asset or platform I’m investing in compliant with current regulatory standards in my jurisdiction?
2. How could potential or pending regulatory changes affect my investment?
3. Is the issuer of the crypto asset prepared to adapt to regulatory changes?
4. Does the asset have the potential to be classified as a security, and what would be the implications?

3. Pool / Yield Strategy Risks

3.1 Yield Source & Long-term Sustainability

Yield in DeFi pools is derived from various sources like trading fees, farming rewards, or lending interests. The sustainability of this yield is crucial; it could be impacted by changing market conditions, the end of liquidity mining incentives, or shifts in user behavior.

For instance, Yearn.finance initially offered high yields through farming rewards which were subject to reduction as the protocol matured and the market adjusted. It’s also important to compare the yield with market averages and question its long-term stability, scalability, and the mechanisms in place to support it.

Also, some DeFi projects may offer exceptionally lucrative returns when in reality they might not backed by anything and are simply masked pyramid schemes.

Ask yourself these questions:

1. What is the source of the yield (e.g., trading fees, farming rewards)?
2. Is the yield generated sustainable in the long term or does it rely on factors that may disappear (e.g., temporary liquidity mining incentives)?
3. How does the yield compare with the average market yield for similar risk profiles?
4. Are there any mechanisms in place to ensure yield stability?
5. How scalable is the strategy?
6. Can yield get lower/diminished?
7. How sustainable the current yield and how long can be maintained?

3.2 Lack of Track Record

A DeFi pool without a substantial track record poses higher risks due to the lack of historical data on performance and response to market conditions.

For example, a new pool might not have faced significant market downturns, and its stability during such times is unproven. SushiSwap, in its early days, lacked a long history which made its yield projections and reactions to market volatility uncertain.

Ask yourself these questions:

1. How long has the DeFi pool been operating?
2. Has the pool experienced any significant losses in the past? If so, what were the causes and how were they addressed?
3. Have the projected yields been stable, or have they varied significantly?
4. How has the pool reacted to market volatility in the past?
5. TVL / history of returns

3.3 Leverage Risk

Leverage risk involves the potential for amplified losses due to borrowed funds used in a DeFi strategy.

For example, the Compound protocol allows for leveraged borrowing which can lead to liquidations if asset prices move unfavorably.

Ask yourself these questions:

1. Does the pool or strategy involve leverage? If so, how much?
2. What mechanisms are in place to prevent excessive leverage or deleveraging spirals?
3. How does the pool’s leverage level compare with industry standards?
4. What would be the impact of a significant price movement on the pool’s leveraged position?

3.4 Impermanent Loss Risk

Impermanent loss (IL) occurs when providing liquidity to Automated Market Makers (AMMs) and the price of the deposited assets changes compared to when they were deposited.

Pools like those in Uniswap can expose liquidity providers to IL, particularly in volatile asset pairs. To mitigate IL, some pools may offer active portfolio management or IL insurance.

Ask yourself these questions:

1. Does the pool involve liquidity provision to an AMM that could lead to impermanent loss (IL)?
2. How significant is the potential for IL given the pair of assets in the pool?
3. What mechanisms, if any, are in place to mitigate IL (e.g., active portfolio management, IL insurance)?
4. How have similar pools managed IL in the past?

3.5 Risk of Ruin

The risk of ruin in DeFi pools encompasses scenarios where total loss could occur, such as through smart contract failure or governance attacks. This was seen in the case of the Harvest Finance exploit where a smart contract vulnerability led to significant losses.

Ask yourself these questions:

1. What are the main risks that could lead to a total loss in the pool (e.g., smart contract failure, governance attack)?
2. Are there mechanisms in place to mitigate these risks (e.g., insurance, bug bounties)?
3. What is the worst-case scenario for the pool in terms of potential loss?
4. How likely is this worst-case scenario based on the current market conditions and the pool’s risk mitigation measures?
5. Can the strategy result in a complete loss of funds?

4. Borrowing/lending Risks

There is a specific category of risks related to the usage of DeFi lending protocols.

4.1 Currency Risk

Currency risk refers to the potential for losses due to movements in the exchange rate of two currencies. For example, if you’re lending or borrowing in a currency other than your native one, exchange rate fluctuations could affect your returns.

4.2 Default Risk / Credit Risk

In DeFi, users can borrow assets using collateral. If the value of the collateral falls significantly, it can result in automatic liquidation of the collateral to repay the loan. If the market moves quickly and the value of the collateral falls below the borrowed amount before it can be liquidated, the protocol may suffer a loss. This loss usually is referred to as “bad debt”.

A recent example of a bad debt being incurred by the protocol is the attack of a famous DeFi hacker Eisenberg on AAVE protocol by manipulating the price of CRV token. This attack had left AAVE with $1.6m worth of bad debt.

5. DEX trading/swapping risk

Another niche category of risks is related to trading on decentralized exchanges (DEX).

5.1 MEV Risk or Sandwich Attack

Miner Extractable Value (MEV) is the profit a miner can make through their ability to include, exclude, or reorder transactions within the blocks they produce. MEV can result in frontrunning, where a miner can see a pending transaction and place their own first with a higher gas price. This can lead to losses for users, particularly in the context of high-value trades on a DEX.

Overall, MEV is a complex topic and can be discussed separately in another article.

6. User Error Risk

This risk is associated with the user themselves. Cryptocurrencies and DeFi are complex, and there is the risk that the user may make a mistake such as sending funds to the wrong address, not properly understanding how a protocol works leading to loss, or falling victim to phishing attempts.

Conclusion

As we’ve seen, the DeFi sector is full of opportunities but also riddled with risks, resulting in billions of lost funds. This guide has outlined the key dangers, from platform-related issues to asset volatility and strategy pitfalls. Moving forward, be well-informed and cautious in your DeFi endeavors and always degen responsibly.

This research is brought to you by One Click Crypto — Your Gateway to DeFi.

‍