Smart contracts are the foundation of DeFi (decentralized finance) protocols - they allow for these applications to automatically run on their own, eliminating the middlemen and allowing for peer-to-peer trading on another level.
While they offer these amazing benefits and much more, there are inherent risks that one should be aware of before stepping into the realm of DeFi.
Hacks & Cyberattacks
Smart contracts are constantly exploited across the blockchain ecosystem, with hackers taking advantage of flaws in the code. More than $1.3 billion in funds was lost to DeFi hacks in 2021 alone, a nearly 100% increase from the year prior.
One way cyberattacks occur is when hackers gain control of private or admin keys, which allows them, among other things, to deplete all of the liquidity within the pools of certain projects.
Oracle & Flash Loan Vulnerability
Oracles are the mechanisms that feed and relay specific information to smart contracts on the blockchain. Many dApps (decentralized applications) used TWAP, or the time-weighted average price, of Uniswap V3 pools as a price oracle. Overall, these oracles greatly extend the utility and applicability of smart contracts, since they provide a continuous feed of reliable data from external sources.
However, if inaccurate data is provided, the contract may not function properly and become vulnerable to bad actors.
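To make the oracle point concrete, here is an added example (not code from Coinchange or Uniswap) that computes a Uniswap V3-style TWAP from a tick accumulator and shows how much a one-block price spike moves a short window versus a long one. It goes slightly beyond the text by including a consumer-side deviation check. The tick history, the 12-second block time, the window lengths and the 200 bps tolerance are all constructed assumptions.

```python
# Added illustration: all ticks, windows and thresholds below are constructed.
BLOCK_SECONDS = 12        # assumed block time
MAX_DEVIATION_BPS = 200   # hypothetical consumer-side tolerance (2%)

def cumulatives(ticks_per_block):
    """Accumulator at each block boundary: running sum of tick * seconds."""
    out = [0]
    for tick in ticks_per_block:
        out.append(out[-1] + tick * BLOCK_SECONDS)
    return out

def twap_tick(cum, window_blocks):
    """Arithmetic mean tick over the last `window_blocks` blocks.
    Floor division rounds toward negative infinity."""
    return (cum[-1] - cum[-1 - window_blocks]) // (window_blocks * BLOCK_SECONDS)

def deviation_bps(tick_a, tick_b):
    """Price gap between two ticks in basis points (price = 1.0001 ** tick)."""
    return abs(1.0001 ** (tick_a - tick_b) - 1) * 10_000

def spot_within_band(spot_tick, reference_tick, max_bps=MAX_DEVIATION_BPS):
    """Defensive check: refuse to act when spot has drifted from the TWAP."""
    return deviation_bps(spot_tick, reference_tick) <= max_bps

def report(ticks_per_block, baseline_tick):
    """Per window: (TWAP tick, TWAP drift from baseline in bps, spot accepted?)."""
    cum = cumulatives(ticks_per_block)
    spot = ticks_per_block[-1]
    rows = {}
    for label, blocks in (("1 min", 5), ("30 min", 150)):
        t = twap_tick(cum, blocks)
        rows[label] = (t, round(deviation_bps(t, baseline_tick), 1),
                       spot_within_band(spot, t))
    return rows

# Constructed history: 150 quiet blocks at tick 1000, then one block in which
# the pool's spot price roughly doubles (tick 8000).
SPIKED = [1000] * 150 + [8000]
QUIET = [1000] * 151

if __name__ == "__main__":
    for name, ticks in (("spiked", SPIKED), ("quiet", QUIET)):
        for window, (tick, bps, ok) in report(ticks, 1000).items():
            print(f"{name:6} {window:6} twap_tick={tick:5} "
                  f"off_baseline={bps:7.1f} bps spot_accepted={ok}")
```

With this constructed data the 30-minute average drifts by less than half a percent while the 1-minute average drifts by about 15%, which is why the averaging window and a spot-versus-TWAP sanity check are worth reviewing in any protocol that consumes such an oracle.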
Then come flash loan attacks, where cyberattackers tap into a protocol's smart contract by borrowing a large number of digital assets without needing to put down collateral. To successfully carry out the attack, they manipulate the price of a specific token on one exchange and resell it on a different one using arbitrage tactics, walking away with a handsome profit at the expense of user funds within the pool.
Sometimes, with projects or applications that have been forked (i.e., copied) from an existing one, the developers do not correctly patch an existing issue inherited from the parent protocol, which leaves the fork exploitable. This leaves that application's smart contract open to known hacks or vulnerabilities, and bad actors can easily take advantage of this.
That’s why it’s important to entrust your funds to a regularly monitored and audited protocol backed by a strong, reliable team.
Verifying smart contract ownership and the addresses that are able to update information is crucial. The ability to verify this information allows you to ensure that the smart contract you want to use is genuine and has been created by the protocol’s team. It’s also important to make sure that the core protocol smart contract can’t be updated by a single address but only through a multi-sig with a timelock - or, better, by the governance address - as this is key to safeguarding your assets against rug pulls or exit scams.
Most importantly, all of this information can be verified on the blockchain so you know the data is legitimate.
While this may seem overwhelming, we have good news: Coinchange works diligently to assess and mitigate Smart Contract risk as part of our yield strategy. We do this in two main phases:
As part of our risk assessment process, the Coinchange Research Team carefully evaluates any protocol we are looking to integrate into our strategy. This process includes a code security audit, verification of the protocol ownership and a bounty program.
If the protocol is a fork, we also look at code changes between the protocol and the parent protocol.
If any of these points has too high of a risk threshold, we stop any work toward integrating the protocol into our strategy.
DeFi Algorithm Mitigation:
Once a protocol is integrated, we have a number of ways we can continue to mitigate Smart Contract Risk. The most important is our strategy diversification, which ensures that our AUM is spread across multiple chains and protocols. In the event of a vulnerability, the assets we manage are safely spread across multiple strategies, minimizing the effect.