The decentralized finance market is one of the fastest-growing segments of the cryptocurrency economy, with more than $82 billion worth of value locked up in various smart contracts, up from just over $55 billion a year ago.
The growth of DeFi is extraordinary, but not all that surprising to adherents given the numerous lucrative opportunities for investors in the sector. There are hundreds of different ways to earn money in DeFi, through lending and trading, providing liquidity to asset pools, staking to secure networks, yield farming, and more. These opportunities are real, but as with any fast-growing and lucrative new sector, the risks are just as great as the rewards. DeFi is nothing new in that regard, attracting a whole host of scammers looking to seize the funds of honest investors using an assortment of nefarious tricks and techniques.
In case you've been hiding in a cave, DeFi refers to the growing number of blockchain-based crypto financial services that allow users to partake in lending and borrowing, provide and obtain insurance, deposit tokens into yield-bearing accounts, invest in new crypto projects and more.
DeFi is like traditional finance in many ways, with the biggest difference being its reliance on smart contracts as opposed to an intermediary such as a bank. Smart contracts are the computer code that underpins agreements in DeFi. They're really just self-executing algorithms that enforce contractual agreements between parties, doing so automatically as and when the agreed conditions are met.
Smart contracts power everything in DeFi, from lending protocols to decentralized cryptocurrency exchanges. But as essential as they are, it's important not to have blind faith in smart contracts. In fact, many of them contain bugs and vulnerabilities that attackers can exploit to drain the wallets of users.
What's worse is that smart contract bugs are just one of a number of risks in the world of DeFi. Because the space is entirely decentralized, the onus falls squarely on the shoulders of the user to be aware of these risks. Not only that, they must know how to mitigate them too, because it's highly unlikely that any victim of a scam will ever be able to recover their tokens.
Smart Contract Risks
One of the main dangers of DeFi lies in the smart contracts themselves. Smart contracts are written using open-source code that anyone can inspect for the purpose of transparency. However, that means technically-savvy attackers are also free to inspect the code, and if they happen across any vulnerabilities there's nothing to stop them from taking advantage to steal funds from other users.
Indeed, that's exactly what happens, all too often. Last year, attackers made off with more than $1.3 billion worth of funds stolen by exploiting vulnerabilities in smart contract code, according to a report by blockchain security firm CertiK.
Smart contracts have other risks too. For instance, if a user makes a sloppy decision and sends funds to the wrong address or uses the wrong network, those tokens are likely to be irretrievable. There is no centralized intermediary such as a bank that's able to reverse the transaction and help users to recover their funds.
A third risk inherent in smart contracts relates to their use of oracles. Oracles are required by many smart contracts that need access to external, third-party data. They provide information such as price feeds from various exchanges, for example. If those oracles falter or become compromised through malicious activity, this creates a risk that smart contracts will execute in a way that was not intended.
Smart contracts can be abused in other ways too if, for example, the developers are sloppy and leave loopholes that sophisticated attackers can take advantage of. A recent example of this happened earlier this month, when one user made a profit of more than 300 ETH ($820,000) from ApeCoin's latest token airdrop by exploiting a flash loan service that allows users to create liquid markets for illiquid NFTs.
To eliminate the risks inherent with smart contracts, a lot of DeFi services commission companies such as Hacken or PeckShield to audit their code, allowing them to fix any issues that arise. Another way DeFi projects try to mitigate the risk is to offer bounties to white-hat hackers via platforms such as Immunefi, offering rewards to anyone who is able to discover and inform them of bugs in their code. The idea is that the good guys will discover any problems before the attackers can.
The most trustworthy DeFi projects will advertise these audits and bounty programs on their websites, so it's a good idea to look out for them before considering investing in a project. Even so, users should beware that no audit is fool-proof and that a number of projects that went through the highest level of scrutiny have since fallen victim to exploits.
The good news is that there are strong companies aiming to do something about security. Nym Technologies, for example, is aiming to boost privacy through its innovative use of mixnets to obscure transaction data. With its mixnet, Nym can obscure all blockchain transaction metadata, meaning it's impossible for messages to be traced or tracked even when using advanced analytics software to try and do so.
Nym's mixnet relies on proxy servers that mix metadata packets with one another before emitting them in a random order, helping to hide the origin and destination of transactions. The thinking is that by hiding your DeFi transactions, it'll be much more difficult for hackers to target individual users.
DeFi users can also attempt to check the reliability of smart contract code themselves using free tools such as Token Sniffer on Ethereum and PooCoin on Binance Chain.
Complexity of DeFi Protocols
One of the major risks of DeFi that's rarely spoken of is the incredible complexity of some of the services on offer. The user experience in DeFi is notoriously tricky, requiring knowledge of not only the protocols but also concepts such as staking, liquidity provision, yield farming and more.
Along with the multitude of tools offered by popular DeFi protocols such as Aave, Curve and Compound are the incredibly high annual percentage yields they claim to offer, ranging from 5% to as much as 50%. They are offering some jaw-dropping returns, but the danger is that many users don't understand the complexity of the protocols they're using, or that they could see their entire deposit wiped out in the blink of an eye if the market moves in the wrong direction.
To counter the complexity of DeFi, new traders can opt for a service such as HyperDEX. It's a service that greatly simplifies DeFi by bundling complex financial products as easy-to-understand "cubes" that spell out the level of risk versus reward. Cautious investors who can't afford to lose will appreciate the benefits of HyperDEX's Fixed Income Cube, which takes away the complexity of staking and guarantees a fixed return over a specific time frame simply for depositing some tokens. HyperDEX also has cubes that simplify the concepts of algorithmic trading and asset speculation, with those products offering variable returns if investors can tolerate the substantial risk that they might lose their assets if they make the wrong guess.
DeFi Rug Pulls
The old-fashioned "rug pull", in which a scammer creates a fake project then pulls the rug out from under the feet of its investors, is another common scam in DeFi.
Rug pulls in DeFi are exit scams where predators create a new crypto token and a liquidity pool to enable that token to be traded. In the liquidity pool, the new token will be paired with a base token such as ETH or a stablecoin like USD Coin, in order to fulfill trades between the two on decentralized exchanges.
As part of the scam, the creator of the fake coin will retain a significant amount of the total supply after the token launches. Assuming they have been successful in their efforts to market the new token, lots of people will snap them up in order to add liquidity to the pool, incentivized by the prospect of earning transaction fees. However, when liquidity reaches what the scammer deems to be a desirable level, they will dump all of their tokens into the pool and withdraw all of the ETH or USDC or whatever token it's paired with. That sends the value of the new token to zero, while the scammer quickly sells or hides the assets he or she removed from the pool.
Spotting rug pulls in DeFi isn't always easy. A good indication a project might be a scam is if just a few wallets control around half of the circulating supply. It's possible to check token distribution on a blockchain explorer service such as Etherscan for ERC20 tokens.
The danger of rug pulls is not exaggerated. A study from November 2021 found that almost half of all token listings on Uniswap, one of the most popular DEXs, were likely to be scams.
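The token-distribution check described above, as an added example that is not part of the original article: it computes the share of circulating supply held by the largest wallets and, going beyond the text, estimates how much of a pool's base reserve the largest holder could pull out by selling. It assumes a constant-product pool with a 0.3% swap fee; the addresses, balances, reserves and function names are constructed for illustration.

```python
# Added example: holder-concentration and exit-impact check for a token.
# All addresses, balances and reserves below are constructed sample data.
BURN = "0x000000000000000000000000000000000000dEaD"  # commonly used burn address
POOL = "0xpool-placeholder"                           # constructed pool address

SAMPLE_BALANCES = {  # constructed: 1,000,000 total supply
    POOL: 400_000, BURN: 100_000,
    "0xdev1": 300_000, "0xdev2": 150_000, "0xa": 30_000, "0xb": 20_000,
}

def circulating_holders(balances, excluded):
    """Drop balances that are not circulating (burn address, the pool itself)."""
    skip = {a.lower() for a in excluded}
    return {a: b for a, b in balances.items() if a.lower() not in skip and b > 0}

def top_share(holders, n):
    """Fraction of circulating supply held by the n largest wallets."""
    total = sum(holders.values())
    if total == 0:
        return 0.0
    return sum(sorted(holders.values(), reverse=True)[:n]) / total

def exit_drain(token_reserve, base_reserve, amount_in, fee=0.003):
    """Base tokens leaving a constant-product pool when amount_in is sold.

    Assumption: x*y=k pricing with the fee taken from the input amount.
    """
    if amount_in <= 0:
        return 0.0
    effective = amount_in * (1 - fee)
    return base_reserve * effective / (token_reserve + effective)

def assess(balances, pool_addr, token_reserve, base_reserve, n=3, threshold=0.5):
    """Flag a token when the top n wallets hold at least `threshold` of supply."""
    holders = circulating_holders(balances, [BURN, pool_addr])
    share = top_share(holders, n)
    largest = max(holders.values(), default=0)
    drained = exit_drain(token_reserve, base_reserve, largest)
    return {
        "top_share": share,
        "concentrated": share >= threshold,
        "drain_fraction": drained / base_reserve if base_reserve else 0.0,
    }

if __name__ == "__main__":
    # Constructed pool: 400,000 tokens paired with 100 units of the base asset.
    print(assess(SAMPLE_BALANCES, POOL, 400_000, 100.0))
```

On the sample data the three largest wallets hold 96% of circulating supply, and the largest one alone could remove roughly 43% of the pool's base reserve in a single sale.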
Phishing Attacks
DeFi users also have to stay on their toes and beware of so-called "phishing attacks". Phishing is an older technique that has been ported from the world of traditional finance.
Phishing refers to attempts by hackers to steal the login credentials of users' crypto and DeFi wallets, and they will do so using some very clever methods. The most common way is to send an email or a message containing a link that appears to direct the user to a legitimate DeFi website or portal. The user will be prompted to enter their login credentials to the fake site. Doing so is a big no-no as the login credentials will immediately be sent to hackers, who may even use malicious bots to instantly drain the user's wallet of their funds, even if they realize their error straight away.
The number of phishing scams going on in DeFi is unreal. Twitter is one of the favorite vehicles for crypto phishers, home to swarms of bots that will direct users to a Google form asking them to share a wallet seed phrase or other sensitive info. Others will pose as famous celebrities and crypto influencers, sending messages to Twitter users and appearing to make some kind of offer of assistance or a promotion, before asking them to share sensitive information.
Scammers often scour the blockchain and social media for promising phishing targets. Unfortunately, it's all too easy for determined hackers to link social media users to their crypto wallets using the blockchain, meaning they can identify some tempting targets and make repeated phishing attempts through multiple emails and messages.
With any luck, things will soon get much harder for phishing scammers, thanks to a number of promising projects aiming to anonymize blockchain transactions. Manta Network for instance, which is a privacy project stemming from the Polkadot ecosystem, has come up with a way to obfuscate wallet addresses using a layer-1 system that relies on zkSnarks. For the uninitiated, zkSnarks are a cryptographic technique that enables two entities to verify information without sharing the underlying data.
Using the Manta Pay service, DeFi users can mask their portfolio activity and hide their wealth away from prying eyes, which is the surest way to avoid the crosshairs of phishing attacks.
Disclaimer
The views and opinions expressed in this article are solely those of the authors and do not reflect the views of Bitcoin Insider. Every investment and trading move involves risk - this is especially true for cryptocurrencies given their volatility. We strongly advise our readers to conduct their own research when making a decision.