179
DeFi started making its mark on the world, from being mentioned in the mainstream media, to attracting traditional investors as well as being seen as a serious contender in reshaping financial industry services. Most importantly, DeFi is slowly gaining broader adoption. More and more users are intrigued to experiment with the different applications and tools that have sprung in this incredible ecosystem.
We’re witnessing more growth in the number of DeFi users and ETH locked in smart contracts than ever before, though the changed market sentiment has slowed this quite a bit. It seems users are leaving CeFi for DeFi at an unprecedented rate. Ether supply is officially at the all-time low on exchanges, not seen since 2018. Though it delights us to see this, this kind of growth always brings alongside scammers and fraudsters in their hunt for the uneducated. Since there was crypto, there were scammers. The decentralized and self-custodial nature of DeFi doesn’t make all this any easier.
With great power comes great responsibility, goes the Peter Parker principle. As a user in DeFi, you are both in control and in charge of your actions and assets to a vastly higher degree than is the case in CeFi or traditional finance. While in CeFi there is always someone else sharing the potential risks, in DeFi there are not only more risks involved but you are the only one taking them on, with nobody else to blame.
As developers though, we have a great responsibility too. DeFi is still young and everything is still evolving, and rapidly. A lot of tools that surging numbers of users are using are still far from the UI and UX we’re accustomed to in our everyday lives. Nothing is even close to being just a few clicks away, and though security is taken seriously by established projects in the space, hacks happen, scams happen and people lose their hard-earned money. As we keep polishing and working to remove the unnecessary friction still inherently present in those young solutions, there are a lot of things you as a user could do to stay vigilant as you journey through DeFi.
Fraudulent, phishing attempts via messaging on Telegram and Discord have been a regular occurrence in crypto since the early days, but more recently there has also been a growing number of fake sites, imitating popular DeFi apps, that ask users for their secret seed phrase. In the last several weeks, at DeFi Saver we witnessed many attempts like this. We’re always on the lookout for potential scammers and community members really help us out with that as well. At the same time, we’re trying to put some security practices in place and educate users on the importance of staying safe in this innovative space. Some of our users reported losing sizable amounts, themselves acknowledging this occurred due to some rookie mistakes. Every user should be aware of the common risks generally present in DeFi or crypto space which are up to us, as developers, to mitigate, as time goes by.
What are then some of those general risks and some safety practices that every user engaging with protocols, applications, and tools in DeFi should be aware of? Let’s dive in.
General DeFi Risks
Below are some of the general risks to consider when engaging with DeFi applications:
Smart Contract
Smart contract risk should always be considered as potentially present and most abused in DeFi by malicious actors. All DeFi applications are based on smart contracts. Smart contracts are immutable scripts that exist on the blockchain and serve a particular function, but they are still pieces of code written by humans. They can be written poorly or quite well. Simply put, like every other piece of code they are prone to bugs, hacking, and errors. Instead of centralized institutions in traditional finance and CeFi, instead, you now put your trust in smart contracts, so you should try to make sure they don’t have vulnerabilities prior to interacting with them. Most users, however, don’t have the time or the expertise to really dive in and check everything themselves, nor should they. Issues with smart contracts are omitted by the team and even sometimes even experts from the community.
One of the most famous smart contract hacks in fact was that of The DAO back in 2016, which is sort of the inception of the whole DeFi movement. Using an exploit, an attacker managed to drain $3.6M of ETH from The DAO smart contracts, leading to the famous fork of the Ethereum that also resulted in the Ethereum Classic spinoff. There were also many examples of exploits involving smart contracts since the beginning of 2020. Yet, with every hack and exploit, teams, projects, and the ecosystem are all maturing and reducing the space for them to occur.
Nowadays, most trustworthy teams hire professional, external auditing teams to inspect and review their code. In terms of DeFi Saver, both our new overall architecture and current Automation have been audited by Dedaub and Consensys Diligence teams, and we will continue running regular audits for any new integrations.
Other than audits, there are also bug bounties. Try to find out whether a team has an open bug bounty at a reasonable ratio to its TVL. Most reputable teams have them in place. Recently, Yearn project awarded a bounty of $200k to a security researcher that caught a vulnerability in their code, leading to a quick fix and no loss of funds. At DeFi Saver we also have a live bug bounty on the leading bug bounty platform Immunefi.
Always check whether the DeFi project you intend to use or invest in, in whatever way, has been audited regularly and if there is a live bug bounty.
Governance
Some DeFi protocols have decentralized, community governance in place. Using governance tokens, token holders propose and vote on key decisions to be implemented about the specific platform. A notable example is the most famous DeFi protocol - Maker DAO which as the name suggests acts as a Decentralized Autonomous Organization. MKR token has an important function in the functioning of the organization and the protocol itself, serving as an incentive mechanism for holders to act in the best interest of the protocol, its users, and therefore themselves.
Some of the debated issues with governance are the potential passing of bad choices, whale attacks, or even whale apathy, where inactivity of some gives more room for collusion to others. It comes as intuitive that holders of large positions wouldn’t pass a vote on a decision that would hurt the community or risk a project where they have funds.
DeFi Saver is a dedicated team and not a DAO, which is why we don’t have any governance in place. Additionally, we don’t have a token and provide a discrete functionality, which for the time being doesn’t require governance. For projects that do have it, especially in which you are also invested, it’s advisable to keep track of changes, particularly major ones, and see how they affect you or your positions.
Admin keys
Most DeFi protocols have some level of admin control that can usually be exercised through a multisig, with needed signers being either team or community members. These are usually multisig accounts that make modifications to the protocol or an application and are used for introducing updates for example. However, they can also be used for changing the rules or modifying smart contracts that power the protocol in a way that favors some particular interest. You should always be aware of the level and necessity of control that a team behind a project has.
Usually, protocol updates are secured with two mechanisms: multisig and timelock. Established teams and DAO’s have both of these in place, the first one requiring the approval of a certain number of private key holders before being able to introduce a change, and the second one providing a fixed delay before introduced changes take effect, creating additional room to react in case of any wrongdoing.
In the case of our app, there is a varying degree of admin controls depending on the features. For a user's smart wallet or dsproxy, we have no access or admin control whatsoever, making it solely owned and controlled by you. Smart contracts DeFi Saver app users interact with can be regularly updated by our team, but these changes are not something that could affect any user in particular. Lastly, and most importantly, our primary feature Automation, which trustlessly manages user funds, Lastly, but probably most importantly, the smart contracts of our flagship feature, Automation, that contain logic for handling user position adjustments can be upgraded, but these upgrades are behind a 24h timelock and require multiple multisigs as described here.
Composability
Although this characteristic enables some incredible and unique use-cases to flourish in DeFi space, it also brings some additional risk. Composability is enabled by the open-source nature of Ethereum and contributes greatly to faster innovation. We love it and in fact, it is what enables us to provide nearly all of our features to users.
However, each and every application and protocol has a different design, potential trade-offs, and potential bugs that are all also introduced upon integration. Additionally, as integrations multiply, this creates room for new and unintended potential exploits.
We often get questions and requests regarding the addition of new protocols and projects that could work well and integrate with our signature Boost and Repay functions or would perhaps benefit from Automation. Some of the previously mentioned risks and this one in particular highlight why we go through a thorough due diligence process making sure that all risks are mitigated.
Oracle manipulation
In DeFi, oracles are usually third-party services that fetch, and provide smart contracts with, external off-chain price data and are one of the essential middle layers. Without going into too many technical details, they solve the essential problem of having an accurate source of potentially off-chain information, including prices, that isn’t dependent on any single party.
The risk to be considered is the fact that Oracle could feed a smart contract with incorrect off-chain price data or an Oracle doesn’t update the smart contract fast enough, creating room for an exploit. This is for example, why Maker relies on multiple external price feeds through its median oracle to mitigate this type of risk as much as possible. The additional solution Maker has adopted is a 1-hour oracle update delay, which effectively only updates the price of assets once every hour, creating a window to react in case of a potential attempt at oracle manipulation.
Various other protocols as well have started relying on a similar mechanism provided by the leading decentralized oracle network provider Chainlink with other options such as Tellor also gaining traction. Their work becomes fundamental for the DeFi ecosystem as it solves the above problem by aggregating prices from multiple external sources.
Tread carefully in DeFi, and try to determine how a project you’re getting involved with has addressed this issue. DeFi Saver mitigates this type of risk by only integrating time-tested protocols and DEX’es for all of our features.
Rug pull
There are several ways this type of scam is executed. A rug pull is a special type of scam that you need to pay attention to. Targets of this type of scam are often new and inexperienced users that recently got into crypto, but many, even the experienced have fallen prey to it. Typically, rug pull refers to a situation where malicious developers launch a project, try to attract investors, and collect their funds, afterward taking those funds, shutting down the project, and running away. They usually delete all traces and activity on social media relating to it.
While it was possible to execute this type of maneuver in various ways, one has become dominant in DeFi. With the rise of decentralized exchanges which enable simple creation and adding of new tokens, rug pulls became more prevalent. New tokens are listed and usually paired with ETH to create a liquidity pool pair and promise unrealistic APY’s. After investors swap their ETH for tokens and enough funds have been collected, developers can easily drain the liquidity pool, leaving investors with tokens that are worthless or rapidly losing value.
To avoid getting rug pulled, always research projects you intend to invest in, in detail. High APY does not always mean that a project is a scam, but ridiculously high returns should ring everyone’s bells. Use Etherscan to check the number of token holders as a low number should raise an alarm.
Not your keys, not your coins
Now, our focus in this post was on DeFi risks and safety practices. Still, plenty of our users rely on centralized exchanges nonetheless. The famous ‘not your keys, not your coins’ phrase used by hardcore crypto fans in the past has become the norm, especially with DeFi gaining its momentum and growing popularity. In short, it refers to the fact that in order to be truly in control of your digital assets you need to own the private key for the wallet associated with those assets. This means that if you keep them on a centralized exchange, you are putting your trust in a third party. We can imagine a scenario in which an exchange decides to lock the users out of their assets, as this has happened in the past. This is also the reason, as mentioned in the intro, why we consider it a good thing that many users seem to be moving their funds, especially ether, away from exchanges to the wallets they themselves control.
Do you still keep your funds on some centralized exchange? Consider transferring your funds to a non-custodial wallet. Although it depends on the balance of security, responsibility, and convenience you want to achieve, it’s definitely better to be the sole custodian of your funds. Only then are those coins truly yours.
Some safety practices to keep in mind
Check the URL - Bookmark your DeFi Sites
Our website was a target of this type of scam several times. This is one of the reasons why you see a banned the first time you visit it. To this day it’s one of the most frequent scams, being the easiest one to set up. Scammers do their best to create a nearly identical visual copy of our website trying to trick you into providing your account details. Accustomed and educated users usually see through this immediately, but even they sometimes visit these by accident. This usually occurs due to users using search engines to visit our website and application. Scammers abuse search engines to direct users to these “copies” and fake versions of our website. In the case of our app always make sure that the URL you are visiting to interact with our app is defisaver.com and app.defisaver.com.
The easiest and simplest way to mitigate the risk of opening a fraudulent, fake site is to always bookmark the URL and open any DeFi app that you use through that bookmark. Don’t type addresses by hand or search them using search engines.
Beware of Ads and phishing scams
This one goes hand in hand with the previous. Some DeFi apps or websites might be promoting their products using search engines Ads. While we may promote DeFi Saver using search engine ads in the future, this is currently not the case and not in our plans.
Search engine ads are unfortunately often the way that scammers try to direct users to a fake site where they will try to drive users into giving away their private key or secret words (seed phrase). This is most often done using URLs that resemble the original one. In the case of our app, for example, we’ve identified deflsaver.com and defsaver.com. As you can see the difference is small but important. Phishing scams can also happen via e-mail in which links are compromised.
If you ever notice anyone impersonating our app, please report this to us via Twitter, Discord, or the in-app chat widget. You can also report phishing scams yourself using any and all of the following links:
- Netcraft - https://report.netcraft.com/report
- Google - https://safebrowsing.google.com/safebrowsing/report_phish/
- Cryptoscam - https://cryptoscamdb.org/report
Use a hardware wallet
Get yourself a hardware wallet immediately, if you don’t have one. Due to the nature of the Ethereum platform and the way smart contracts are executed, we highly recommend this. In fact, this is considered essential for protecting your funds. It’s one of the safest and easiest ways to secure your ETH, BTC, and token assets. We suggest getting Trezor or Ledger. Both are very good, they cost less than $100 and it’s just a matter of preference. The great thing about having a hardware wallet is that not only is it an added layer of security, they also require you to sign or confirm each transaction you initiate which is like 2FA. DeFi Saver supports both of these wallets both through software wallets like METAMASK as well as directly using our interface integration.
It’s important to note that once you rely on a hardware wallet for securing your assets and signing transactions, nobody, not even our team members can interact with your address or perform actions without it, only you can. That’s why it’s important to both keep it safe as well as to have it on you when needed.
Never share your private key or seed phrase with anyone.
Wallets in crypto and DeFi are accessed using a key pair: public key which serves as the identifier, and private key which is required to send assets or sign transactions. Private keys are basically long passwords. Since they are usually randomly generated (since we humans suck at it), to make it easy to remember them, private keys are generated using your seed phrase. The seed phrase is used to access your wallet, so it’s extremely important to keep it safe. Anyone with access to your seed phrase can instantly gain control of your assets and send them to a different address. Seed phrase usually consists of 12 to 24 words, for which the order or sequence is important.
Always be aware that our app or team members will never ask you to provide or share your private key or secret words (seed phrase) for any reason. If a website, service, application, or a person asks for your private key or seed phrase - it’s a scam. Don’t share it, get tricked into entering it, nor store it digitally.
Now your public address is something else. It’s derived from your public key and is your unique public identifier on the Ethereum blockchain. It’s similar to your email address. In order to receive assets from other people, you need to share your address. Also if you decide to send assets to some other address, be aware that the recipient can now see your wallet portfolio, your previous transactions and will be able to see the future ones as well. No one can steal your digital assets by knowing only your wallet’s public address. Our team members or customer support may ask you to provide your public address in case you require assistance from us regarding some potential, specific issues you encounter using our application.
Review token permissions
As you traverse DeFi you’ll approve tokens for many different functions provided by DeFi apps. Due to their decentralized nature, to use DeFi apps, you are required to grant permission for each token to be used in smart contracts, whether solely for exchanging or to perform some more advanced functions like providing liquidity or lending assets. However, once provided these permissions remain active until you revoke them manually. Generally, it’s a good practice to review your token permissions periodically and remove them for any no longer used smart contracts.
To review and revoke permissions granted to various smart contracts you can use apps such as Approved.Zone or Revoke.Cash.
Before we wrap up, we’d also like to mention our friends at DeFi Safety. They are a great team rating DeFi protocols and applications in terms of their safety and security, covering many of the aforementioned risks. You can check many of the currently active projects and see their performance.
We’ve addressed some of these practices and risks in our knowledge base as well, but we want to emphasize once again several important points.
We will never ask for your:
- Private key
- Seed phrase
- MetaMask or other Web3 wallet passwords
We will also never contact you first directly using DM on Discord or other channels. As a user, you should approach us first. Be sceptical about anyone presenting themselves as our team members. Also if you require help or would like to engage in communication with our team, try doing so using our support on the website or community channel on Discord.
