As the use of DEFI infrastructure grew, this wave of adoption attracted millions of people around the world, drawn by the opportunity to use their assets for the first time in the industry as collateral, as deposits, or to build bespoke financial products directly, beyond the well-known staking, which had already been an innovative and profitable service since 2017.
Unfortunately, this window of opportunity and prosperity also attracted many scammers, or, as I see it, the exploited ingenuity of a few (producing genuine cases of financial engineering) at the expense of others who are not sufficiently educated in this sector. This mixture of concepts was ideal for unleashing the perfect storm, guaranteeing a disaster for the vast majority of users. So in this article I will focus on the concepts that concern the security of the environment where we are going to move our assets.
When using DEFI there are two main reasons why losses occur:
- The first: not having healthy security habits.
- The second: not planning and measuring DEFI activity, which is known as productivity.
In this article I will talk about safety, and about the brilliant and effective “modus operandi” that you cannot see behind the screen.
A project is created and communication channels are set up on social networks. Users are attracted through marketing and campaigns with the catchphrase “what can go wrong, everything is profitable and safe!” Capital is raised in smart contracts (SC) containing a backdoor function, which allows the terms of the SC to be manipulated and users’ funds to be stolen.
The numbers support this theory: $154 million was lost in 2020 alone as a result of SC security vulnerabilities, including losses from malicious projects that had not been audited by an independent third party, and losses from legitimate projects attacked by hackers.
However, determining exactly what separates a reliable SC from a dishonest one is a difficult task, to say the least. The way “SC scams” are set up keeps changing, as they improve and become imperceptible to the less qualified user. Still, it is possible to follow some basic security principles, which will help us on the one hand to analyze SCs and on the other hand to evaluate and identify the intentions of a project.
For this I will focus on smart contract and project analysis, covering aspects such as suspicious functions within smart contracts, token inflation and even identifying the intentions of a project through its presence on social networks. I assure you that you do not need to be an expert or a technician in this area, but you do need interest, willingness, commitment and the desire to understand how and why malicious actors in the market are building these scams. This way you will be able to decide for yourself how safe and profitable an investment opportunity in DEFI is.
Smart Contract analysis
DEFI platforms are inevitably associated with contracts. These can be more or less complex, but they all do the same thing: they carry out the functions they have been programmed with, which you accept once you sign. Analyzing some of the functions of a SC will give us a much clearer view of whether we can trust the platform. What do we need to look at?
1. The biggest distrust I have in a SC is when it is not owned by the platform itself but by an external account. This contradicts the concept of decentralized finance: I do not know what functions this external account can call, and they may be functions that directly affect the security of users’ funds, the investment conditions of the project, the minting of tokens, the transfer of ownership or the change of fees and reward rates. As a general rule, I always encourage you to choose SCs that are owned by the protocol, or SCs that guarantee the owner address has been burned (ownership renounced).
2. An unlimited minting function within a SC represents a serious risk, as it can be used to mint tokens and then sell them in an uncontrolled way, driving the price to absolute zero irretrievably.
3. Token inflation is a real and obvious possibility if the maximum supply of tokens is not clearly established in the SC; whether minting is unlimited or not, and whether a token burning process is defined, are the variables that determine how much worse this gets.
4. The migrate function can represent a serious risk for yield farmers, as it is often used by fraudsters to move funds from one contract to another (even a centralized one) in order to put them up for sale quickly and immediately.
5. As an unwritten rule, projects should introduce a lock-up period in the SC conditions to prevent any user, or even any team member, from prematurely selling their allocated tokens. If the project implements a lock-up period, make sure that it satisfies your risk assessment in terms of loss of token value.
6. The scary pause function allows the creator to pause a SC even when it has funds deposited in it, so nobody can access those funds until the pause is over. To understand the magnitude of the damage this function can do, consider that if a vulnerability in the SC is detected during the pause and the funds need to be moved to a safe place until the situation is resolved, you will not be able to do so while the SC is paused. Even worse, imagine the price of the token goes to 0 during the pause period: you will not be able to sell on the market, since the pause function prevents you from accessing your funds.
7. A smart contract may include functions that are suspicious and intentionally designed by the development team to take advantage of users’ funds. These functions will undoubtedly bring unfavorable results over time.
8. If a SC has a time delay built into its programming, your transactions will be delayed in their execution; in other words, a buy or sell order is slowed down within the block itself, and whoever controls that delay controls the process. This gives both the developers and bots a great opportunity to get ahead of your operation, greatly harming you in fees and in the final result, as you will sell cheaper or buy more expensively simply because someone got in front of you.
9. Always check where user funds and rewards are deposited and stored. They could be held by a third party, or end up in the hands of the development team by being deposited in a SC over which they have absolute control.
10. Verify that the published source code of the SC matches the code actually deployed on its blockchain. For this we will use the block explorers we have at our disposal; to be specific, the explorer of the network where the platform and its token have been created.
11. If a private owner holds more than 15% of the tokens in the token distribution (tokenomics), there is a risk of a lack of integrity in the project, since it gives them an advantageous position when it comes to selling their tokens and driving the price to 0. Carefully review the distribution of tokens among the team and their vesting (locking) period.
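As an added example (not code from the original article), here is a small Python heuristic that scans verified Solidity source for the red-flag functions in the checklist above: an uncapped mint, pause, migrate, owner-only fee setters, and an owner that is never renounced. The contract excerpt it inspects is constructed for illustration, and the keyword heuristics are assumptions that complement, not replace, reading the code on the block explorer.

```python
import re

# Constructed Solidity excerpt for a hypothetical token (not any real project);
# it deliberately contains several of the red flags from the checklist above.
SAMPLE_SOURCE = """
contract Token {
    address public owner;
    uint256 public totalSupply;
    uint256 public fee;
    bool public paused;
    mapping(address => uint256) public balances;
    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }
    function mint(address to, uint256 amount) external onlyOwner {
        totalSupply += amount; balances[to] += amount;
    }
    function pause() external onlyOwner { paused = true; }
    function migrate(address newVault) external onlyOwner {
        payable(newVault).transfer(address(this).balance);
    }
    function setFee(uint256 newFee) external onlyOwner { fee = newFee; }
}
"""
# Function declaration up to its opening brace; the header captures visibility and modifiers.
FUNC_HEAD = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*([^{;]*)\{")

def functions(source):
    """Yield (name, header, body) per function, matching braces to find the body."""
    for m in FUNC_HEAD.finditer(source):
        depth, i = 1, m.end()
        while depth and i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(2), source[m.end():i - 1]

def scan_contract(source):
    """Return (function, reason) red flags; keyword heuristics, not a formal audit."""
    flags = []
    for name, header, body in functions(source):
        low, privileged = name.lower(), "onlyOwner" in header
        if "mint" in low and not re.search(r"cap|max", body, re.I):
            flags.append((name, "mint with no supply cap check"))
        elif "pause" in low:
            flags.append((name, "deposited funds can be frozen while paused"))
        elif "migrate" in low or "address(this).balance" in body:
            flags.append((name, "funds can be moved out of the contract"))
        elif privileged and re.match(r"set(fee|rate|reward)", low):
            flags.append((name, "owner can change fees or rates after you deposit"))
    if "onlyOwner" in source and "renounceOwnership" not in source:
        flags.append(("owner", "privileged owner address is never renounced"))
    return flags
```

Paste the verified source from the explorer into `SAMPLE_SOURCE` and call `scan_contract` on it; an empty list only means none of these keyword patterns matched, so the remaining checklist items still apply.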
Project analysis
In this case I am not referring to the technical analysis of the SC, but to other aspects and characteristics that allow us to identify scams outside the field of programming and within the internal management of the project itself: the key functions to be achieved, who directs it and how it is directed. For this I am going to detail some important aspects that all projects have in common, regardless of the network.
1. Governance: it is important for a project to implement a decentralized governance system where users can participate in decision making, providing a much safer investment environment. The detail to verify is whether the vote takes place on-chain or off-chain; the execution is not the same, and even the proposal being voted on is not the same.
2. Documentation: its quality says a lot about a project in every way. We must check the white paper, its functionality and the system used for the creation of the smart contracts. It is also worth assessing whether these documents contain only general descriptions or whether the technical and fundamental specifications of the project are of high quality and detail.
In general, all code published in a repository (GitBook or GitHub) should be clear and concise, so that users can easily read it and understand what functionality lies underneath the project. If the code is complex, it may be due to a clear intention to hide backdoors or other malicious functionality.
3. The positioning, behavior and track record of the development team are vital to understanding whether the project is open, flexible and responsive to its community, to a problem and to a solution. You should always be able to answer questions such as: is the team public or anonymous, does the project include an open software repository, what is the development history of the project, what experience do the team members have, and is the reputation of the team members trusted?
4. Their presence on social networks shows us whether they are good communicators and whether they post frequent updates on the development and status of the project. We can also assess how active their blog, website and other communication channels are, to determine how regularly they communicate.
Logically, we should avoid projects that do not provide complete information, ignore questions or do not respond to user requests. Also avoid projects that offer strange promotions or make suspicious promises of high profitability.
5. Uniqueness: before investing in a new project, try to understand what it offers and what value it brings to the ecosystem (if it is a copy of a copy and not original at all, neither will your results be). We must make the effort to understand the ecosystem itself. If there are no innovative ideas behind the project, there is no reason to invest in it either.
6. Last but not least, the automation of certain processes, for example the security audit of SCs. This point can be a great differentiating factor for your operations, your management and your confidence in the DEFI ecosystem. Follow and keep up to date with the systems based on machine learning (AI) technology capable of auditing SCs deployed on different networks.
“If you want to put more focus on security, look for information on each protocol you will be interacting with: whether or not it is multisignature (multisig), how many signers it has and how many need to validate the signature and execute a transaction, whether or not it has an emergency plan in case something goes wrong, and whether it has a bonus program for finding bugs in the SC.”