Cointime

Download App
iOS & Android

How to Stay Safe in DeFi: A Simple Guide to Evaluate Project Safety

The collapse of FTX proved the importance of self-custody and risk management.

But it’s so easy to lose money in DeFi if you are not careful with many exploits, rug pulls, contract bugs around.

In this blog I’d like to share how to evaluate safety of DeFi protocols to protect your assets.

It’s great if you’re an experienced smart contract developer and can verify the code yourself. But most of us aren’t.

It leaves us with no other choice, but to evaluate projects based on other data, that involves some degree of trust.

Total Value Lock, ultimate proof of security?

It’s no secret that the majority evaluate DeFi projects by how much value is deposited to the smart contracts. So, TVL is the ultimate proof of trust.

The higher the Total Value Locked, the higher the implied security of a protocol. If a lot of money is deposited, it means ‘someone’ did due diligence, and that protocol is secure.

Unfortunately, it gives a false sense of security. And high TVL protocols are actively targeted by hackers. At the same time, low TVL doesn’t mean a protocol is not secure.

Take a look at the top DeFi protocols by TVL.

  • Do you think that the TVL represents the level of security/safety?
  • Is there any protocol you wouldn’t trust with your money? Why?

There might be biases in you based on what you read online.

Trust, but verify?

‘Don’t trust, verify’ is the reason we have smart contract audits.

If that wasn’t the case, we might not need audits, because code is open source and community could find all the issues in the code. Yet the community might not have the right motivation, incentives or expertise to verify code.

Auditors are supposed to have the right technical expertise, but at the end of the day, we also have to trust them to do the right job.

Remember Twitter backlash against Certik because a few of their audited protocols ended up hacked?

Audit companies are building their reputation too. If the protocols they audit (and evaluated as safe) are exploited, then it shows lack of expertise. In fact, Certik has audited 3,422 projects, so no wonder some of them got hacked or had a bug.

Just having an audit doesn’t mean the protocol is safe. I’ve seen projects proudly announcing ‘Completed audit’, but when you read the audit the safety score is actually low.

The lesson is not to trust the announcements blindly, but verify the result by reading the actual audit.

What if you don’t read the audits?

The majority doesn’t read the audits anyway.

Knowing that Certik has a dashboard with all their audited projects. You can check the ‘Trust Score’ with higher number implying safety.

https://www.certik.com/

Other auditors like Hacken has a similar dashboard, or you could simply read the audit summary. Check the example, of Trader Joe’s audit done by Paladin.

You can see here that Trader Joe fixed high and medium severity issues, but not all low severity issues has been resolved.

https://paladinsec.co/projects/trader-joe-launchpeg/

Audit is just a start.

A lot more is needed to evaluate safety:

  • Adequate testing
  • Bounty campaigns
  • Documentation clarity
  • Admin controls
  • Oracle documentation

and much more… It’s a nightmare to verify it all yourself.

I really like what DefiSafety is doing. Its Process Quality Review verifies protocols and gives them a safety score.

https://www.defisafety.com/app?orderBy=finalScore

According to the PQR results, Liquity Protocol, Synthetix and Angle Protocol are the safest of all verified DeFi protocols.

On DefiSafety you can then check every element and see where the protocol scores the best/worst.

For example, Liquidy still needs Formal Verification.

Additionally, you can start by rating your portfolio safety on Exponential DeFi.

Its ‘Rate my wallet’ feature provides you with a custom risk analysis of your current investments. For example, $4.5M of Tetranode’s assets are deposited into riskier (C rank) protocols.

Elemental DeFi gives a score based on the project evaluation.Assessment takes into account asset risk, code quality and blockchain security to which the assets are deposited.

I like their easy to understand explanation of risks.

For example, take a look at Abracadabra’s MIM. It warns of SPELL being used as collateral which could result in bad debt.

If in doubt, ask!

Finally, I recommend joining the project community groups and ask:

Do they have an insurance fund?

Do they avoid questions?

What are they doing to increase security?

I asked Stargate team if they had an insurance fund in case they get hacked, but it sometimes more difficult to get an answer than I thought, which poses red flags.

But whatever happens, DeFi is still young, so better not to put all your assets into one protocol.

Do you have more useful tips how to evaluate projects and protect your assets?

Comments

All Comments

Recommended for you

  • SBF ordered to forfeit more than $11 billion

    SBF has been ordered to confiscate more than 11 billion US dollars. SBF has now been sentenced to 25 years in prison.

  • Former CEO of FTX and Alameda Research Sentenced to 25 Years in Prison for Fraud and Money Laundering

    Sam Bankman-Fried, the co-founder and former CEO of FTX and Alameda Research, has been sentenced to 25 years in prison for fraud and money laundering. The judge criticized Bankman-Fried's behavior during the trial and deemed a 25-year sentence to be sufficient. Bankman-Fried's sentence may send a message to the crypto industry and there is no possibility of parole, but he may earn "good time" credit for good behavior while incarcerated. Bankman-Fried was found to have misused over $8 billion in customer funds and will be serving time in prison for his actions. The trial emphasized the importance of not using customers' funds without their knowledge or approval.

  • Web3 AI training company FLock raises $6 million in seed funding

    Web3 artificial intelligence training company FLock has raised $6 million in seed funding led by Lightspeed Faction and Tagus Capital. FLock will use these funds to develop its team and build a federated learning-driven artificial intelligence training platform.

  • Prisma: Vault owners need to prohibit delegation of contracts related to LST and LRT

    The LSD stablecoin protocol Prisma Finance stated in a post that for vault owners, please prohibit delegating authorization of the LST contract starting with 0xcC72 and the LRT contract starting with 0xC3eA.

  • MAS: Singapore is working on global first-tier fund tokenization regulation

    Chia Der Jiun, Managing Director of the Monetary Authority of Singapore, introduced some fund tokenization pilots at an event for asset managers. These pilots are part of the Project Guardian and MAS Global Layer 1 (GL1) tokenization plans. Chia Der Jiun emphasized the advantages of tokenization in real-time settlement and process automation, which can improve efficiency and achieve greater customization of funds. UK asset management company Schroders and fund distribution platform Calastone are exploring this as part of the Project Guardian public blockchain trial in Singapore. A recent survey by Calastone showed that 96% of asset management companies in the Asia-Pacific region plan to launch tokenized products within three years. Chia stated that as these Project Guardian pilot projects approach commercialization, MAS is working with the pilot project managers to study the legal and regulatory treatment and impact of tokenized investment funds."

  • Indonesia's Financial Services Authority to Regulate Crypto Industry in 2025 with Evaluation in Regulatory Sandbox

    Indonesia's Financial Services Authority (OJK) will take over regulation of the crypto industry from the commodities agency Bappebti. Crypto firms must undergo evaluation in a regulatory sandbox before being licensed to operate in the country. The OJK aims to prioritize consumer protection and education, and firms operating without evaluation in the sandbox will be considered illegal. The sandbox provides a safe and isolated environment for testing and innovation development, helping to enhance security and responsible management in the financial sector. Once under OJK's oversight, crypto assets will likely be reclassified as financial instruments.

  • The Shenzhen Illegal Fund Raising Prevention Office issued a risk warning on the "DDO digital options" business

    The Shenzhen Office for Preventing and Dealing with Illegal Fundraising issued a risk warning regarding the "DDO digital option" business. The activities related to the DDO digital option business conducted in the name of Dingyifeng International are essentially the issuance and trading of virtual currencies. According to the "Notice on Further Preventing and Dealing with Risks of Speculation in Virtual Currency Trading" jointly issued by ten departments including the People's Bank of China in September 2021, it is clear that virtual currency-related business activities are illegal financial activities, and overseas virtual currency exchanges providing services to residents within China are also illegal financial activities. The activities conducted by Dingyifeng International in the name of serving residents within China are suspected of illegal fundraising and other illegal financial activities. Our office has organized relevant departments to carry out work, resolutely deal with illegal fundraising and criminal activities, and seriously investigate the legal responsibilities of relevant personnel. (Shenzhen Local Financial Supervision and Administration Bureau)

  • The Hong Kong Legislative Council plans to review the relevant stable currency consultation and sandbox legislation at the end of this year or next year

    Hong Kong legislator Wu Jiezhuang revealed that Hong Kong will release stablecoin consultation and sandbox (computer security mechanism), which will allow the industry to innovate digital asset projects in the sandbox environment. Relevant legislation will be reviewed in the Legislative Council at the end of this year or next year, which will help the entire digital asset industry ecosystem. Hong Kong has been improving the digital asset (virtual asset) market on different legal levels. Last year, there were regulations on virtual currency trading platforms and issuance systems.

  • Vitalik: Humanity needs to create a world where blockchain and artificial intelligence work together

    Vitalik Buterin, the founder of Ethereum, stated at BiddleAsia 2024 held at Signiel Seoul in the Songpa district on March 28 that artificial intelligence is a huge market and its importance is increasing day by day. We need to create a world where blockchain and artificial intelligence work together. Artificial intelligence can now create applications with 100 to 500 lines of code. Vitalik also stated that the ability to write 10,000 lines of code can eliminate most of the bugs in the Ethereum virtual machine.

  • South Korean RWA blockchain technology development company PARAMETA completed a new round of financing of approximately US$7.5 million

    South Korean RWA blockchain technology development company PARAMETA announced the completion of a new round of financing of KRW 9 billion (approximately $7.5 million), with Shinhan Hyperconnect Investment Fund under Shinhan Venture Investment and Korea Asset Investment & Securities participating. As of now, the company's total financing has reached KRW 25 billion (approximately $20.8 million). PARAMETA plans to use this investment to expand its own blockchain technology research and development capabilities to meet RWA technology needs and expand from core technologies such as engines/chains to service applications. Relevant services are expected to be launched within the year.