Security Conscious - The Daily Gwei #366
Ensuring a safe DeFi experience for everyone.
We all know that there has been numerous DeFi exploits/hacks, rug pulls and scams over the last 18 months with the most recent exploit happening just yesterday to Cream Finance (where $100 million was stolen). Unfortunately, these sorts of things are just par for the course in DeFi and users need to be well aware of all the risks when interacting with this ecosystem.
As Cyrus notes above, there are only a certain number of apps that he’s willing to put more than 50% of his net worth into and I’m in the same boat as him. The apps that he’s listed are built by world-class teams, have been around for a long time, don’t play cowboy with users funds and take a very conservative approach across all areas of the protocol. Now, of course, some of them have been exploited in various ways such as Compound’s latest COMP-related exploit and Maker becoming undercollateralized after the “covid crash” back in March of 2020. Though none of the protocols mentioned in Cyrus’ tweet have suffered massive losses of user funds - yet.
Unfortunately, there is simply no way to guarantee that a piece of software is 100% bug free no matter how many audits or eyeballs it has had on it. The most that developers can strive for when building software is to follow general best practices and try to keep the code as simple as possible as complexity is quite literally the enemy of security. Obviously as time goes on security practices get better, auditors get more skilled, protocols become more battle-hardened and user protections mature but while we’re in the pioneer/early adopter phase, we should all strive to keep users informed about the risks of using these protocols.
There are other ways that developers can protect users early on during the product life-cycle. The concept of a “guarded launch” has become quite popular recently where developers can have hard caps on the amount of money that can flow into the protocol or they can have some sort of centralized controls in case of an exploit. On top of that, there are protocols that have built-in “insurance” mechanisms so that if an exploit was to happen, some or all of the user funds could be paid back. Maker is famous for this as the protocol will print more MKR tokens in order to cover any shortfall which is exactly what it successfully did in March of 2020. And on the topic of insurance - there are numerous protocols like Nexus Mutual that allow users to take out cover on their deposits in various DeFi protocols.
In saying all of the above, I think that most users of DeFi still vastly underestimate just how risky a lot of the newer products are and think that they are safe just because the protocol has had an audit or two. Well, this couldn’t be further from the truth - there have been plenty of protocols that have gone through multiple rounds of audits only to get exploited shortly after. So given this context, I believe that users need to take security much more seriously than they currently do if they want to stay safe in the DeFi ecosystem over the long run. It’s all fun and games “aping” 5% of a portfolio into some ponzi yield farm, but when it comes to actually putting most of a portfolio to work there needs to be a risk framework that an individual uses to protect themselves. If they just stuff their entire portfolio into a brand new DeFi protocol, there is a high chance that they could lose some or all of their money - it’s just not worth it - even for some crazy yields. Though of course, I understand that if one has a gambling/degen mentality then risk is the last thing they are thinking about.
I think ultimately a lot of this stuff is going to fall on the interfaces that users interact with. There could be warning labels and curated lists of “safe” protocols that the interfaces show users so that they don’t fall prey to scams and don’t put their life savings into a protocol assuming it’s safe. This may be an unpopular opinion, but I do believe that as long as the risks are presented to the user and they understand them then anything that happens from there is their own responsibility. For the users who don’t want to do any of this stuff on their own, they’ll most likely just use centralized custodial services to access things like DeFi - and I think this is totally fine.
Have a great day everyone,
Enjoyed today’s piece? I send out a fresh one every week day - be sure to subscribe to receive it in your inbox!
Join the Daily Gwei Ecosystem
All information presented above is for educational purposes only and should not be taken as investment advice.