Decentralized finance has its ups and downs. For example, 3Commas, a Canada-based cryptocurrency exchange offering automated trading bot services, lost $22 million in investor funds in December 2022 after its API keys were compromised. Nonetheless, for many investors, DeFi still provides an attractive alternative to centralized capital markets.
Despite DeFi's popularity, incidents like the 3Commas hack and the FTX debacle highlight how important it is to understand DeFi risks. In this article, we'll review five risks that pose major threats to secure DeFi investing.
1. Smart contract flaws
Faulty smart contracts are among the most common risks of DeFi. Attackers eager to steal users' funds look for smart contracts with weak code and exploit the flaws.
Most decentralized exchanges enable trading through the use of liquidity pools. These pools generally lock two cryptocurrencies in a smart contract. The value of the primary currency is determined by the total number of secondary tokens locked in the contract divided by the number of locked primary tokens. For example, if a liquidity pool has 50 "A tokens" and 100 "B tokens" locked in the smart contract, you'd be able to buy one "A token" with two "B tokens" (before accounting for the price impact of the trade itself).
All too many smart contracts make it easy for attackers to drain a liquidity pool of its tokens. For example, TinyMan, a popular Algorand DEX, was exploited for roughly $3 million worth of cryptocurrency in January 2022. When a liquidity pool token is burned, a protocol like TinyMan should return both of the pool's cryptocurrencies to the user's wallet. An attacker found a way to make the protocol pay out the same token twice instead, and used it to drain the goBTC/ALGO pool of all of its goBTC.
Smart contract developers can protect users by hiring professionals to audit their code before releasing DeFi products for public use. Professional auditors test extensively so they can find bugs and flag them before investors are exposed to the risk.
2. Vulnerability to bad actors
Whether they are dealing with blockchain networks or central banks, people have plenty of ways to lose their assets. Thieves, robbers, hackers — whatever you call them, they plague financial systems. Here's a look at some of the ways they attack DeFi applications.
Unsecured flash loan price manipulation
Unsecured flash loans are a type of DeFi lending that lets users borrow large sums of cryptocurrency without collateral, as long as they repay the loan within the same transaction that borrowed it. Although flash loans have legitimate uses, attackers often turn to them because they offer access to large sums of capital.
Some DeFi lending protocols read the price of a token from a single liquidity pool. In a flash loan attack, the attacker borrows a large sum of one token and swaps it for another, which moves the price of both tokens in that pool. They then deposit the newly purchased tokens into another DeFi lending protocol, which values them at the manipulated price, to borrow a large amount of the token they originally swapped, and use a portion of that loan to repay the flash loan.
This practice directly harms a range of users, above all those providing liquidity to the affected pool.
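The following is an added example, not code from the article or from Hedera, that models the pool pricing described under "Smart contract flaws" and the single-pool price oracle this section warns about. It uses the article's 50 A / 100 B pool; the function names, the fee-less x*y=k swap rule, the 200 B trade size and the simplified time-weighted average (an arithmetic mean of per-block spot prices) are all assumptions made for illustration.

```python
# Added example (not from the article): a constant-product liquidity pool,
# the spot price the article describes, and why a single pool's spot price is
# a fragile oracle compared with a time-weighted average. Names, the fee-less
# x*y=k rule and the reserve/trade figures are constructed for illustration.

def spot_price(reserve_a, reserve_b):
    """Price of one A token in B tokens: B reserve divided by A reserve."""
    return reserve_b / reserve_a


def swap_out(amount_in, reserve_in, reserve_out):
    """Tokens received for amount_in under x*y=k (swap fees ignored for clarity)."""
    return reserve_out * amount_in / (reserve_in + amount_in)


def sell_b_for_a(reserve_a, reserve_b, b_in):
    """Pool reserves after a trader sells b_in B tokens into the pool for A tokens."""
    a_out = swap_out(b_in, reserve_b, reserve_a)
    return reserve_a - a_out, reserve_b + b_in


def twap(price_history, window):
    """Simplified time-weighted average price: the arithmetic mean of the last
    `window` per-block spot prices. (Production AMM oracles use cumulative
    price accumulators, but the damping effect is the same.)"""
    recent = price_history[-window:]
    return sum(recent) / len(recent)


def oracle_comparison(reserve_a=50.0, reserve_b=100.0, calm_blocks=9,
                      dump_b=200.0, window=10):
    """Compare the spot price and the TWAP a lending protocol would read when
    one block carries a flash-loan-sized sale of B for A. Constructed scenario."""
    honest_spot = spot_price(reserve_a, reserve_b)
    history = [honest_spot] * calm_blocks          # quiet blocks at the fair price
    manip_a, manip_b = sell_b_for_a(reserve_a, reserve_b, dump_b)
    manipulated_spot = spot_price(manip_a, manip_b)  # what a spot oracle reports
    history.append(manipulated_spot)
    return {
        "honest_spot": honest_spot,
        "manipulated_spot": manipulated_spot,
        "twap": twap(history, window),              # what a TWAP oracle reports
    }


if __name__ == "__main__":
    # The article's pool: 50 A and 100 B, so one A is quoted at two B ...
    print("spot price of A in B:", spot_price(50, 100))
    # ... but spending 2 B buys slightly less than one A because of price impact.
    print("A received for 2 B:", swap_out(2, 100, 50))
    print(oracle_comparison())
```

A lending protocol that values collateral from `manipulated_spot` would lend against a price nine times the fair one; the same protocol reading `twap` sees a price that barely moved, because a single block cannot dominate a ten-block average.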
Reentrancy attacks
Reentrancy attacks are a common smart contract risk in the DeFi market. In this attack, the exploiter's contract calls a withdrawal function again and again, each time before the contract has updated the caller's balance from the previous call. The exploiter withdraws more than their balance allows, draining the smart contract of funds in the process.
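Here is an added example, not code from the article or from Hedera, that simulates the pattern above in Python rather than in a real contract language: a toy vault whose withdrawal pays out before it updates the caller's balance, next to the same vault written in checks-effects-interactions order. The class names, the 3 ETH and 1 ETH amounts, and the callback mechanism are all constructed for illustration.

```python
# Added example (not from the article): a toy vault simulated in Python to show
# why updating state after an external call enables reentrancy, and why the
# checks-effects-interactions order closes the hole. All names, amounts and the
# callback mechanism are constructed; nothing here is real contract code.

class Account:
    """An externally owned account: it receives funds and does nothing else."""
    def __init__(self, name, eth=0):
        self.name = name
        self.eth = eth

    def on_receive(self, vault, amount):
        pass  # no callback logic


class Vault:
    """Holds deposits; `withdraw` pays the caller's full balance back."""
    def __init__(self, checks_effects_interactions):
        self.cei = checks_effects_interactions
        self.balances = {}
        self.eth = 0  # total funds the vault actually holds

    def deposit(self, who, amount):
        who.eth -= amount
        self.eth += amount
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)          # check
        if amount == 0 or self.eth < amount:
            return 0
        if self.cei:
            self.balances[who] = 0                   # effect first ...
        self._send(who, amount)                      # ... then interaction
        if not self.cei:
            self.balances[who] = 0                   # too late: the callback already ran
        return amount

    def _send(self, who, amount):
        self.eth -= amount
        who.eth += amount
        who.on_receive(self, amount)                 # control passes to the recipient


class ReentrantCaller(Account):
    """A contract whose receive hook calls back into the vault while it still holds funds."""
    def on_receive(self, vault, amount):
        if vault.eth >= amount:
            vault.withdraw(self)                     # re-enters before balances[self] is zeroed


def simulate(checks_effects_interactions):
    """Run one withdrawal by the reentrant caller against a vault that also
    holds 3 ETH of honest deposits. Returns (ETH left in vault, ETH the caller ends with)."""
    vault = Vault(checks_effects_interactions)
    honest = Account("honest", eth=3)
    caller = ReentrantCaller("reentrant", eth=1)
    vault.deposit(honest, 3)
    vault.deposit(caller, 1)
    vault.withdraw(caller)
    return vault.eth, caller.eth


if __name__ == "__main__":
    print("state updated after the call :", simulate(False))  # vault emptied
    print("checks-effects-interactions  :", simulate(True))   # caller gets only its 1 ETH
```

With the balance zeroed before the external call, the re-entered `withdraw` reads a balance of 0 and returns nothing; a reentrancy guard that rejects nested calls outright is the other common mitigation and would stop the same trace one step earlier.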
Rug pulls
Rug pulls have become an all-too-common trend in the DeFi space. In this exit scam, a token's creator typically walks away with the money their DeFi investors put in.
In the typical rug pull, a token's creator holds a large share of the token supply and sells it in stages into the liquidity pool. For example, say a malicious actor creates a new cryptocurrency called "A coin" with a total supply of 1 billion. They deposit 100 million A coins and 1 ETH to create a new liquidity pool on Uniswap. After the creator shills the token on social media and convinces people to buy it from the pool, the pool contains 50 million A coins and 100 ETH. The creator then takes the 900 million A coins they still hold and sells them into the pool until they've drained all of the ETH.
This kind of scam is surprisingly easy to pull off. It tends to hit new investors and those chasing the next "moon shot" in the crypto markets.
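The check below is an added example, not code from the article or from Hedera: it takes the article's "A coin" figures (1 billion supply, a pool of 50 million A and 100 ETH, 900 million A held by the creator) and computes how much of the pool's ETH one holder could take out by selling into it. The function names, the fee-less x*y=k swap rule and the 50% flag threshold are assumptions made for illustration; the point is the pre-purchase check, which a buyer can run from public pool reserves and holder balances.

```python
# Added example (not from the article): estimating how much of a pool's ETH a
# single large holder could pull out by selling into it, using the article's
# "A coin" figures. Function names, the fee-less x*y=k swap rule and the 50%
# threshold are constructed for illustration.

def swap_out(amount_in, reserve_in, reserve_out):
    """Constant-product (x*y=k) output for a fee-less sale of amount_in."""
    return reserve_out * amount_in / (reserve_in + amount_in)


def eth_drainable(pool_tokens, pool_eth, holder_tokens):
    """ETH a holder receives by selling their entire token balance into the pool."""
    return swap_out(holder_tokens, pool_tokens, pool_eth)


def eth_drainable_in_stages(pool_tokens, pool_eth, tranches):
    """The same sale split into tranches. Without fees the total is path-independent:
    selling in stages, as the article describes, extracts exactly as much as one sale."""
    total = 0.0
    for amount in tranches:
        out = swap_out(amount, pool_tokens, pool_eth)
        pool_tokens += amount
        pool_eth -= out
        total += out
    return total


def rug_exposure(total_supply, pool_tokens, pool_eth, holder_tokens, max_fraction=0.5):
    """Risk summary a buyer can compute before entering a pool: how much of the
    supply one wallet controls and what fraction of the pool's ETH it could remove."""
    drainable = eth_drainable(pool_tokens, pool_eth, holder_tokens)
    fraction = drainable / pool_eth
    return {
        "holder_share_of_supply": holder_tokens / total_supply,
        "eth_drainable": drainable,
        "pool_eth_fraction": fraction,
        "flag": fraction > max_fraction,
    }


if __name__ == "__main__":
    # The article's scenario: creator holds 900M of 1B A coins outside the pool.
    print(rug_exposure(1e9, 50e6, 100.0, 900e6))
    # Staged selling (nine tranches of 100M) yields the same ETH as one sale.
    print(eth_drainable_in_stages(50e6, 100.0, [100e6] * 9))
    # A pool where the largest outside holder has 2% of supply looks very different.
    print(rug_exposure(1e9, 50e6, 100.0, 20e6))
```

In the article's numbers the creator can extract just under 95 ETH of the pool's 100, so the "drained all of the ETH" outcome is within rounding of what the pool model predicts; the same function flags any pool where one wallet's balance could remove more than half the ETH.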
3. Impermanent loss
Impermanent loss is one of the most common and misunderstood DeFi market risks.
When a user provides liquidity, they must deposit two assets. As other users buy and sell tokens from the pool, the ratio of the two reserves shifts, raising the pool's price of one asset while lowering the other's.
This shift also changes the ratio of the tokens that liquidity providers can withdraw. In most cases, these users end up holding less of the token that has risen in value, meaning they would have been better off simply holding their tokens. Still, most DeFi protocols reward liquidity providers with a share of the fees from each transaction, which may outweigh the impermanent loss. Those providing liquidity to pools with high volume and low volatility typically face the lowest risk.
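To make the loss concrete, here is an added worked calculation, not code from the article or from Hedera, for a constant-product pool. The deposit of 1 A and 100 B, the 4x price move, the fee amounts and the function names are assumptions chosen for illustration; the closed-form expression 2*sqrt(r)/(1+r) - 1 is the standard impermanent-loss formula for an x*y=k pool where r is the ratio of new to old price.

```python
# Added example (not from the article): a worked impermanent-loss calculation
# for a two-asset constant-product (x*y=k) pool. The deposit sizes, price move,
# fee figures and function names are constructed for illustration.
import math


def lp_position_after_move(a0, b0, price_ratio):
    """Tokens an LP's share of the pool holds after A's price (in B) moves by
    price_ratio. With k = a*b fixed and a new price p, the pool rebalances to
    a = sqrt(k / p) and b = sqrt(k * p)."""
    k = a0 * b0
    p1 = (b0 / a0) * price_ratio
    return math.sqrt(k / p1), math.sqrt(k * p1)


def value_in_b(a, b, price):
    """Portfolio value measured in B tokens at the given price of A."""
    return a * price + b


def impermanent_loss(a0, b0, price_ratio):
    """(LP value / hold value) - 1, both measured in B at the new price.
    Negative means the LP is worse off than simply holding."""
    p1 = (b0 / a0) * price_ratio
    a1, b1 = lp_position_after_move(a0, b0, price_ratio)
    return value_in_b(a1, b1, p1) / value_in_b(a0, b0, p1) - 1


def impermanent_loss_closed_form(price_ratio):
    """The same quantity via the standard formula 2*sqrt(r)/(1+r) - 1."""
    return 2 * math.sqrt(price_ratio) / (1 + price_ratio) - 1


def net_outcome(a0, b0, price_ratio, fees_earned_in_b):
    """Did fee income cover the impermanent loss? Values are in B at the new price."""
    p1 = (b0 / a0) * price_ratio
    a1, b1 = lp_position_after_move(a0, b0, price_ratio)
    hold = value_in_b(a0, b0, p1)
    lp_plus_fees = value_in_b(a1, b1, p1) + fees_earned_in_b
    return {"hold": hold, "lp_plus_fees": lp_plus_fees, "fees_cover_loss": lp_plus_fees >= hold}


if __name__ == "__main__":
    # Deposit 1 A and 100 B (A priced at 100 B); A then quadruples to 400 B.
    print("LP holds after 4x move:", lp_position_after_move(1, 100, 4))   # (0.5 A, 200 B)
    print("impermanent loss at 4x:", impermanent_loss(1, 100, 4))         # about -0.20
    print("closed form at 4x     :", impermanent_loss_closed_form(4))
    # Low volatility (25% move) costs well under 1%; high volatility costs 20%.
    print("impermanent loss at 1.25x:", impermanent_loss_closed_form(1.25))
    # Fee income decides whether providing liquidity beat holding.
    print(net_outcome(1, 100, 4, fees_earned_in_b=150))
    print(net_outcome(1, 100, 4, fees_earned_in_b=50))
```

At a 4x move the position is worth 400 B instead of the 500 B that holding would have been worth, a 20% impermanent loss; at a 1.25x move the loss is under 1%, which is why low-volatility, high-fee-volume pools are the least exposed.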
4. Complexity risks
The DeFi industry is still in its early phases and remains complicated. In many cases, losses are the result of human error. People who don't understand the technology risk losing all their crypto assets, and no deliberate attack is needed: people regularly lose large sums by misplacing their private keys or misunderstanding how their crypto wallets work.
Unlike traditional finance markets, many DeFi markets have no customer service team. A simple mistake, like sending money to the wrong address, can result in huge losses. You could contact the owner of that wrong address and ask them to return the funds, but they are under no obligation to do so, and it's quite possible you'll have no way of finding the person or group behind that address.
5. Regulatory risks
Governmental organizations like the Securities and Exchange Commission could have a massive impact on DeFi platforms. The SEC recently won its case against LBRY, a cryptocurrency company that uses blockchain technology to let users share digital content and tip creators. The court found that LBRY was operating as an unregistered security, a decision that could profoundly impact the DeFi ecosystem, as it may lead to other cryptocurrencies facing the same scrutiny. Regulatory oversight is a major threat to this new financial system.
Minimizing DeFi risks
The risks associated with DeFi make it more important than ever to use tools, platforms, and distributed ledger technologies (DLTs) with secure infrastructures. Hedera is committed to security and user safety. It's also governed by some of the world's leading organizations, such as Boeing, Dentons, Google, LG, and Ubisoft. The Hedera Hashgraph network offers asynchronous Byzantine Fault Tolerance (aBFT), meaning it achieves the highest level of security possible.