Lifting the Veil of DeFi Security: The Ultimate Security Guide to DeFi Protocols
Original Author: Ignas
Original compilation: Crush, Biteye core contributor
The FTX debacle demonstrated the importance of self-custody and risk management. But DeFi still has plenty of exploits, rug pulls and contract bugs, and you will lose money if you are not careful.
In today's article, I will talk about how to evaluate the security of a project to protect your own assets.
If you are an experienced smart contract developer, you can verify the security of a project's code yourself, but I believe most people are not.
So the rest of us have no choice but to evaluate a project from other data, which involves a certain degree of trust.
Is a high TVL necessarily safe?
As we all know, most people judge the quality of a DeFi project by the total value of assets deposited in its smart contracts (TVL). Many therefore assume that TVL reflects the safety of the project to some extent.
The more assets locked, the more secure the protocol must be. The reasoning goes: for a protocol to attract so much locked capital, its depositors must have done a full investigation and confirmed its security before daring to put their money in.
Unfortunately, TVL often gives a false sense of security. On the one hand, you assume that protocols with high TVL are more secure, but hackers also focus their attacks on exactly these protocols, because a successful attack pays more. On the other hand, a low TVL does not necessarily mean the protocol is insecure.
Therefore, judging the security of a protocol by TVL alone is unreliable.
We rank existing DeFi projects according to TVL:

After viewing this picture, do you still think that a high TVL must mean safety?
Which protocols in the picture do you think are untrustworthy? Why?
Verify it yourself
"Don't trust, verify" is the reason we conduct smart contract audits. Otherwise we probably would not need audits at all: because the code is open source, the community could find every problem in it. In practice, however, the community may not have the right motivation, incentives or expertise to verify the code.
Therefore, auditors must be competent, but more importantly, the auditors themselves must not make mistakes. Yet many projects audited by the well-known auditing firm Certik have still been hacked, which shows that this cannot be fully prevented.

At the same time, audit firms are building their reputations, and they look unprofessional if a protocol they audited (and assessed as safe) is hacked. In fact, Certik has reviewed more than 3422 projects, so it is inevitable that some of them will be hacked or turn out to have vulnerabilities.
So the mere fact that a protocol has been audited does not mean it is secure. I've seen projects proudly declare "audit complete", only to find on reading the audit report that their security score is actually low.
The lesson this taught me is not to blindly believe a project team's audit announcement, but to verify the result by reading the actual audit report.
What if I don't like to read audit reports?
In fact, most people don't read audit reports, but Certik has a data dashboard covering all the projects it has audited. In this dashboard you can check a project's "trust score", where a higher number indicates greater safety.

Other audit firms, such as Hacken, have similar data dashboards. Alternatively, you can simply read the audit summary, such as the Trader Joe example below, from an audit performed by Paladin.
Translator's Note: Trader Joe is a one-stop trading platform on Avalanche. It provides trading and lending functions, and combines them to offer leveraged trading.

From this data it is easy to see that Trader Joe has fixed all medium- and high-risk issues, while some low-risk issues remain unfixed.
Auditing is just the beginning
To evaluate the security of a project, you need to consider much more:
Thorough testing
Bug bounty program
Openness and transparency of documentation
Admin controls
Oracle documentation
There are too many aspects to consider; if you try to verify all of them yourself, you will wear yourself out first. This is where DeFi Safety comes in. It verifies these aspects of each protocol and then assigns a security score.

Based on the results they provide, we can clearly see that Liquity Protocol, Synthetix, and Angle Protocol are the most secure of all the DeFi protocols they have reviewed.
On DeFi Safety, you can also check the more detailed breakdown. For example, the Liquity protocol is still missing formal verification.
Translator's Note: In the design of computer hardware and software systems, formal verification means using mathematical methods to prove the correctness or incorrectness of a system with respect to one or more formal specifications or properties.

In addition, you can run a security assessment of your wallet's portfolio through Exponential DeFi.
The "Evaluation Wallet" function provides a risk analysis of your current positions. For example, $4.5 million of Tetranode's assets are deposited in higher-risk (grade C) protocols.

Translator's Note: Tetranode is a long-standing anonymous whale, rumored to hold around 1 billion US dollars in crypto assets. He first came into contact with Bitcoin in 2009 and has remained a strong believer in it ever since.
Exponential DeFi assigns each project a score based on its evaluation of chain security, asset risk, code quality, and asset custody. I find this simple, easy-to-understand risk description hard to put down.
Take Abracadabra's stablecoin MIM as an example: it warns directly that using SPELL as collateral may lead to bad debt.

Translator's Note: Abracadabra is a stablecoin protocol built on interest-bearing assets. Users deposit interest-bearing tokens as collateral to mint the protocol's native stablecoin MIM.
If in doubt, ask
The last method I want to introduce is to join the project's community directly, and then consider the following questions:
Do they have an insurance fund?
Do they dodge questions?
What are they doing to improve security?

For example, I previously asked the Stargate team whether they have an insurance fund to protect the project in case of a hack. But it is not always easy to get a straight answer, and the project team often sidesteps the question in various ways. This seems to be a red flag that calls for vigilance.
But no matter what happens, DeFi is still young and has a long way to go, so it's best not to put all your eggs in one basket!