Analyzing the Risk in Decentralized Finance (DeFi)

AdaPulse | Kevin Ku

The new world of decentralized finance does not escape risk analysis, which has the same purpose as in traditional finance: to evaluate an investment in order to make a decision.

The analysis focuses on the relationship between risk and return, whether the investments are in the centralized economy or in the decentralized ecosystem. The difference between the two models of participation does not exempt either of them from the analysis.

Dear reader, this article is not intended to be exhaustive, but rather to guide you and encourage you to do your research before making investment decisions, because ultimately it is you yourself who must take care of your money.

Let’s first take a look at traditional risk analysis and then take it to the DeFi world.

The subjective risk profile of the investor is one of the pillars of analysis, which considers the risk aversion of the person, his economic situation and age, among other factors for decision making.

In the area of objective analysis, which I am going to develop, the evaluation of an investment requires, at least, the assessment of the dimensions of liquidity, profitability and risk, but other issues must also be considered, such as diversification, projection, and the legal risk presented by the business.

The two basic variables in finance are return and risk.  To the extent that an investment is riskier, a higher return should be required.

Yield is the interest measured over a period of time, usually annually, that the investment generates. Risk is the measure of the likelihood that the expected return can be realized.

Risk analysis can start with systemic or market risk, which affects the entire sector in which the bet is made, regardless of the company invested in, and then move to non-systemic risk, which affects the specific company and is conditioned by its own factors.

As a non-systemic risk, liquidity risk refers to the possibility that the investment does not have sufficient immediate resources to be able to develop its business.

Decentralized finance will come to Cardano in a few months, after the Alonzo hard fork is executed, and will bring a renewed ecosystem with even greater impact than we saw with the Mary hard fork, which implemented native tokens and set off the explosion of NFTs.

It will require more preparation, study and research from the community to acquire the knowledge needed to live up to the opportunities.

We can take as a known example the two DeFi ecosystems that are developing, the larger one on the Ethereum blockchain, and Binance Smart Chain, its direct competitor, which is growing month by month.

From them we can learn, taking the successes and correcting the mistakes to evolve, which is the same philosophy that IOHK (Input Output Hong Kong), the developer behind Cardano, has.

To get an idea of the volume being traded in the DeFi industry, I present to you a report from Messari, Q2’21 DeFi Review, where it reports that DEX (decentralized exchange) volumes continued their explosive growth in Q2, reaching $405 billion in the quarter, up 117 times year-over-year, and 83% from Q1. May alone accounted for more than half of the quarter’s volume, which unsurprisingly also marked the market’s peak.

The lending sector cooled during the second quarter, after a booming first quarter. However, the first half of the quarter was a continuation of the previous quarter’s momentum. From March through the May slump, loan deposits soared from $25 billion to a peak of $45 billion (an 81% increase in just six weeks) as investors sought to capture the exorbitant loan yields available across all lending protocols. The party came to a sudden halt when the market crashed. 

It is in this ecosystem that exploits and scams develop.

An exploit is a fragment of data or a sequence of commands that takes advantage of a vulnerability in the security of an information system to make it behave in an undesired way, generally to steal information, or tokens in the case of DeFi.

A scam, on the other hand, is a fraudulent scheme, designed from the beginning with the intention of stealing.

Chainalysis is a global blockchain forensic research consultancy, with services to government agencies, stock exchanges, financial institutions, and insurance and cybersecurity companies in more than 60 countries. It issued a report in February 2021, called The 2021 Crypto Crime Report.

The document explains that while scams remain the most profitable form of cryptocurrency-based crime, total scam revenue fell dramatically in 2020, from around $9 billion to just under $2.7 billion. Interestingly however, the number of individual payments to scam addresses increased from just over 5 million to 7.3 million, suggesting that the number of individual scam victims increased by over 48%.

Total cryptocurrency value received by scammers vs. Total Number of transfers to scammers 2017 – 2020

In 2020, more than $520 million in cryptocurrencies were stolen from services and individuals through hacks and non-technical attacks such as social engineering or phishing efforts. 

Total value stolen and number of attacks by victim type | 2020

What makes DeFi platforms vulnerable to attack?

DeFi platforms received $86.5 billion in cryptocurrencies in 2020, representing a 67x increase over the 2019 total. 

However, cybercriminals stole more than $170 million from DeFi platforms in 2020, which is disproportionately high compared to the share of total cryptocurrency activity that DeFi represents. 

The main reason for this is that DeFi platforms are uniquely vulnerable to price manipulation attacks, which was the key to almost all notable attacks on the platforms in 2020. Transactions occur almost instantaneously on DeFi with very few mechanisms to prevent suspicious trades, so bad actors can make huge profits, manipulating the price of a cryptocurrency on one or more DeFi platforms.

DeFi platforms rely on tools to obtain asset price data from an external source, usually an exchange, or a data provider such as CoinMarketCap, to ensure that their assets are priced in line with the rest of the market. However, most DeFi platforms use centralized pricing oracles, which rely on a single node to feed data, and often rely on a single source of pricing data, making them more vulnerable to attack.
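The contrast between a single-source oracle and one that aggregates several sources can be shown in a few lines. This is an added example, not code from the article or from any DeFi platform; the source names, thresholds and quotes are constructed assumptions.

```python
from statistics import median

MAX_DEVIATION = 0.05  # assumed: drop quotes more than 5% away from the median
MAX_AGE_S = 60        # assumed: ignore quotes older than 60 seconds
MIN_SOURCES = 3       # assumed: refuse to price with fewer agreeing sources


class OracleError(Exception):
    """Raised when no trustworthy price can be produced."""


def single_source_price(quotes, source):
    """Weak design: whatever one source reports becomes the platform price."""
    return quotes[source]["price"]


def aggregated_price(quotes, now):
    """Median of fresh, mutually agreeing quotes; fail closed otherwise."""
    fresh = {s: q["price"] for s, q in quotes.items()
             if now - q["ts"] <= MAX_AGE_S and q["price"] > 0}
    if len(fresh) < MIN_SOURCES:
        raise OracleError("not enough fresh sources")
    mid = median(fresh.values())
    agreeing = {s: p for s, p in fresh.items()
                if abs(p - mid) / mid <= MAX_DEVIATION}
    if len(agreeing) < MIN_SOURCES:
        raise OracleError("sources disagree; pause pricing")
    rejected = sorted(set(fresh) - set(agreeing))
    return median(agreeing.values()), rejected


# Constructed sample: four venues quote a token near 2.00, but the price on
# dex_b has been pushed to 9.50.
NOW = 1_000
QUOTES = {
    "dex_a": {"price": 2.01, "ts": 990},
    "dex_b": {"price": 9.50, "ts": 999},
    "cex_c": {"price": 1.99, "ts": 985},
    "cex_d": {"price": 2.00, "ts": 995},
}

if __name__ == "__main__":
    print("single source (dex_b):", single_source_price(QUOTES, "dex_b"))
    print("aggregated:", aggregated_price(QUOTES, NOW))
```

The single-source oracle passes the distorted quote straight through, while the aggregate discards it and, when too many sources disagree or are stale, refuses to price at all.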

Price manipulation might seem like an unlikely attack method for cybercriminals, since raising the price of any cryptoasset requires up-front capital, right? Not so in DeFi, thanks to flash loans.

Flash loans allow DeFi users to instantly receive loans without putting up collateral, use the borrowed funds to transact elsewhere, and repay the loan in a single instant transaction. If they fail to repay the loan, the entire transaction is instantly voided, meaning that the lender receives the original principal as if the loan never existed, something that is only possible with smart contracts. 

In effect, this means little or no risk for both parties: if the transaction the borrower wants to make with the borrowed funds doesn’t work out and they can’t repay the loan, neither they nor the lender lose anything. This also means that lenders can charge very low interest on flash loans. Traders often use flash loans to raise the funds needed for arbitrage opportunities, using the borrowed funds to take advantage of price disparities between platforms and make a small profit after repaying the loan.
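The all-or-nothing behavior described above can be modeled with a toy ledger that restores its state when the loan is not repaid. This is an added example, not code from the article or from any lending protocol; the account names, amounts, fee and trade callbacks are constructed assumptions.

```python
class Reverted(Exception):
    """The transaction failed; every balance change inside it is discarded."""


class Ledger:
    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount < 0 or self.balances.get(src, 0) < amount:
            raise Reverted(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


def flash_loan(ledger, pool, borrower, amount, fee, use_funds):
    """Lend with no collateral; commit only if principal plus fee comes back."""
    snapshot = dict(ledger.balances)      # state before the transaction
    owed = ledger.balances[pool] + fee    # pool balance required at the end
    try:
        ledger.transfer(pool, borrower, amount)
        use_funds(ledger, borrower)       # the borrower's own logic runs here
        ledger.transfer(borrower, pool, amount + fee)
        if ledger.balances[pool] < owed:  # lender invariant
            raise Reverted("loan not repaid")
        return True
    except Reverted:
        ledger.balances = snapshot        # void the whole transaction
        return False


def good_trade(ledger, who):  # constructed: an arbitrage that nets 50 units
    ledger.transfer("market", who, 50)


def bad_trade(ledger, who):   # constructed: a trade that loses 200 units
    ledger.transfer(who, "market", 200)


def run(trade):
    ledger = Ledger({"pool": 10_000, "borrower": 10, "market": 1_000})
    ok = flash_loan(ledger, "pool", "borrower", 5_000, 5, trade)
    return ok, ledger.balances


if __name__ == "__main__":
    print("profitable trade:", run(good_trade))
    print("losing trade:   ", run(bad_trade))
```

With the losing trade every balance returns to its starting value, so the pool is never short, which is why such loans can be offered without collateral.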

However, in 2020, cybercriminals turned flash loans into a weapon by using borrowed funds to buy a cryptoasset, raise its price, and sell it at a large profit, allowing them to easily repay the original loan, and pocket the remaining funds.

This world seems far removed from the Cardano ecosystem, but it will not be once programmability for smart contracts is implemented, because similar risks will occur.

Numerous proposals are being submitted in Cardano for the Goguen era, both in Catalyst, chosen by community vote to be funded by the Cardano Treasury, and those seeking funding by other methods.

So far, in Catalyst, 95 projects have been funded out of the 553 submitted, according to the following breakdown: 

FUND1: 8 projects chosen from a total of 45 submissions, 

FUND2: 11 chosen from a total of 78 submissions, 

FUND3: 20 selected out of 150 proposals submitted, and

FUND4: 56 proposals funded out of 280 total proposals submitted.

Of course, projects do not ensure the success of their implementation. To minimize risks, Catalyst’s governance has a control mechanism, first with the opinion of the Community Advisors, and then with the allocation of funds in stages to those who were chosen, depending on the progress of the development. This control model helps but is not infallible, and does not prevent you from doing your research before investing your money in these projects.

Let’s get to what you were waiting for, the practical advice on what to analyze in a DeFi investment.

DeFi risk analysis guide

In decentralized finance it is essential to investigate the whitepaper, the team of developers, the platform, the model, the business object, the tokenomics, the source code and the communication.

These study variables do not weigh equally on the success or failure of the development; each one has a different impact. Defects in the source code are not the same as inadequate communication of the project to the community; of course, the first factor is more important.

I will present you a guide of the main categories to evaluate, with their 3 most important risk factors.

To simplify the analysis of a project, the most important categories and risk factors are ordered first. 

This guide will alert you to likely failure if at least 3 factors from different categories are present. Of course, the more factors you find, the more likely failure becomes.


  1. no whitepaper or no detailed plan
  2. did not meet the above deadlines
  3. does not identify its founders


  1. no proven track record, and no members with Haskell / Plutus knowledge
  2. some team members were involved in proven scams
  3. some members are questioned by peers in the community

Source code

  1. source code is not published on GitHub (not open source)
  2. the source code was criticized for bugs or faulty design
  3. shows a fork of another development as the only code (GitHub clarifies forks)


  1. it is not clear what problem it is trying to solve
  2. the proposed solution does not make sense
  3. it is a clone of a successful project that exists in the marketplace

Monetary policy (tokenomics)

  1. no planning for token issuance
  2. founders retain less than 10% of tokens or more than 80% of tokens
  3. pre-sale of large amount of its tokens, with urgent deadlines and large discounts to early participants, with too much emphasis on promotion with Airdrops and Giveaways


  1. does not update or show progress reports
  2. only trades on Automated Market Makers (AMM) platforms
  3. no demonstrable external audit


  1. ensures profitability
  2. promises short terms to recover investment
  3. low liquidity, low volumes, or low transactions in the last 48 hours.


  1. no social networks, Reddit, Telegram, Discord, Twitter, Facebook, Instagram, or its community is not large, or is fictitiously large (fake users).
  2. few people making hype, and advertising with image and name of media celebrities
  3. ask for the public keys of your wallet to deposit money