You can lose 100% of your money in any DeFi app or protocol. So above all else, apply a simple rule of thumb to help mitigate this risk: don’t deposit more than you’re willing to lose.
Here’s a rundown of the 7 most common risks (or 7 most deadly DeFi sins) that everyone should consider before getting involved.
- Smart contract bugs. A bug is what allowed hackers to drain 3.6 million ETH from The DAO back in 2016, the first major project to resemble what we call DeFi today. Now, the most reputable DeFi teams attempt to mitigate the risk of bugs by hiring better developers and submitting their code to auditing teams. However, time after time, we’ve seen unaudited code and audited code fail a DeFi community, sometimes leading to losses as big as tens of millions of dollars. If you’re looking to mitigate the risk of smart contract bugs, thankfully there’s DeFi insurance, like Nexus Mutual, which covers bugs. You should also check to see whether the app you’re using has been audited, and importantly, what those audits have found.
- Seed phrase compromise. If you give up your seed phrase or are tricked into entering the seed phrase into a fake website or app, you can lose everything in your wallet. This holds true not just for DeFi, but for all of crypto: Never enter your seed phrase, or share it, or store it digitally in a place like your phone or computer.
- Oracle failure. This has been a major vector of attack in DeFi in 2020. This is where bad actors use a flash loan to buy or sell an asset, which manipulates the asset price long enough for them to arbitrage the difference and exploit a protocol for millions of dollars. Think of it this way: If the application on-chain thinks an apple is worth $100 for even a few seconds while the rest of the world is buying and selling apples at $1, a bad actor can sell apples at $100 and walk away with a large profit. By the time anyone realizes what they’ve done, there’s often no way to retrieve the funds because of the unchangeable nature of the blockchain and the trustlessness and permissionlessness that enable someone to remain anonymous. Oracle failure is part of the reason why Chainlink is such a revered project solving such a huge challenge in the face of DeFi’s adoption.
- Admin key risk. Always be on the lookout for centralized admin controls that allow a developer or team to lock or move funds deposited into the DeFi app. Normally, the most reputable teams in DeFi, like Compound, will put in a time lock preventing code changes from happening without approval from multiple parties or a DAO that governs upgrades and proposals, and a second time delay so the community can be warned if a potentially unfavorable or controversial change is coming to the protocol. Check to see how much control the teams behind the apps that you’re using have over the code.
- Liquidity crises. This refers to a lockup of funds and a lack of liquidity. A simple example is if you lend DAI to Aave but all the DAI gets borrowed and the app indicates 100% of DAI is “utilized”, you cannot withdraw your DAI until some borrowers return the funds. This is less likely to happen and is much less concerning as a risk, but is a risk nonetheless due to the overcollateralized loans that dominate DeFi.
- Governance failure. There are debates about whether whales can exert such influence as to vote in their own best interest and hurt the community, while others might argue whales wouldn’t self-sabotage a protocol with their money in it. There are also ongoing debates about deep-pocketed CeFi exerting its influence on DeFi governance to protect the interests of the largest exchanges.
- Peg failure. Any time you’ve got exposure to stablecoins or pegged assets like WBTC, there’s a risk that the stablecoins or pegged assets could de-peg, causing all sorts of issues (like an AMM liquidity pool going to $0). This is exactly why baskets of stablecoins exist, like mUSD by mStable, which aims to establish a stablecoin made up of the most liquid and popular stablecoins in case one ever fails.
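The oracle-failure item above, worked through as an added example (not code from the original article or any named project): a toy constant-product AMM pool quotes apples in dollars, one large trade of the kind a flash loan can fund pushes the spot price from $1 to $100 inside a single block, and a time-weighted average price (TWAP) guard with a deviation check refuses to act on that spike. Pool sizes, block prices and the 10% threshold are constructed values.

```python
from collections import deque


class ConstantProductPool:
    """x * y = k pool holding `apples` and `dollars`; spot price is $/apple."""

    def __init__(self, apples: float, dollars: float):
        self.apples, self.dollars = apples, dollars

    def spot_price(self) -> float:
        return self.dollars / self.apples

    def buy_apples(self, dollars_in: float) -> float:
        # Swap dollars for apples (no fee); the reserves move, and so does spot.
        k = self.apples * self.dollars
        self.dollars += dollars_in
        apples_out = self.apples - k / self.dollars
        self.apples -= apples_out
        return apples_out


class TwapGuard:
    """Average of the last `window` block prices; a spot quote is accepted
    only if it lies within `max_deviation` (a fraction) of that average."""

    def __init__(self, window: int, max_deviation: float):
        self.history = deque(maxlen=window)
        self.max_deviation = max_deviation

    def record(self, price: float) -> None:
        self.history.append(price)

    def twap(self) -> float:
        return sum(self.history) / len(self.history)

    def is_acceptable(self, spot: float) -> bool:
        ref = self.twap()
        return abs(spot - ref) / ref <= self.max_deviation


def simulate() -> dict:
    """Constructed scenario: $1 apples, then one flash-loan-sized buy."""
    pool = ConstantProductPool(apples=1_000.0, dollars=1_000.0)  # $1 per apple
    guard = TwapGuard(window=5, max_deviation=0.10)
    for p in (1.00, 1.01, 0.99, 1.00, 1.02):  # constructed prior-block prices
        guard.record(p)
    honest = pool.spot_price()
    pool.buy_apples(9_000.0)  # single large trade within one block
    manipulated = pool.spot_price()  # now $100 per apple
    return {"honest_spot": honest, "honest_ok": guard.is_acceptable(honest),
            "manipulated_spot": manipulated,
            "manipulated_ok": guard.is_acceptable(manipulated)}
```

A protocol that reads `spot_price()` directly would value apples at $100; one that checks the quote against the TWAP sees a spike far beyond the threshold and rejects it, which is the kind of check to look for when you evaluate how an app prices collateral.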
The key takeaway is that there are a lot of risks that can kill you in DeFi, so be sure you limit your exposure to DeFi in your overall portfolio until you are more educated and willing to take on the risks.
But remember, what doesn’t kill us makes us stronger, and in DeFi, every day these risks are being better addressed and mitigated. Still, it leaves individual investors with a tremendous amount of responsibility and accountability for where we invest our money.