Cointime

Safety Best Practices for Crypto Users to Avoid Being a Victim of DeFi Hacks

Ann· 6 min read

The DeFi space can’t seem to catch a break. We just suffered another massive hack. To be precise, a $190 million bridge hack. Several hours later, Reaper Farm, a yield aggregator on Fantom blockchain is exploited for $1.6 million. And then, as I am writing this right now, a widespread Solana wallet hack is currently ongoing.

Hacks are inevitable in DeFi. It is a part of the risk of venturing into the unknown DeFi land. (I know, it sucks.) Trying to look into the silver lining, we can hope with every event, hacks would make the crypto space more anti-fragile.

Meanwhile, we can do our best to protect ourselves by practicing DeFi safety best practices.

Stablecoin best practices to avoid hacks

Stablecoins often give a false sense of security. Especially on a bear market, the phrase “I’m in stables” means you took profit, and have a lot of cash to buy the dip. But the recent Nomad hack, and before, Harmony’s Horizon bridge hack revealed a hidden danger of stablecoins many weren’t aware of before.

Stablecoins aren’t always native to the chain you’re using them in. Like ETH on Cosmos ecosystem, for example, your ETH isn’t exactly real. It’s merely a contract that proves you have the ETH.

When you bridge, you gave a smart contract your USDC on the origin chain, and the protocol mint you a USDC-like contract on the destination chain. Your USDC on the origin chain is no longer in your custody. It left your wallet and dwell on the bridge contract until you redeem back later when you bridge back. These USDCs can be stolen if the contract gets hacked, just like what happened in Nomad, and Horizon Bridge.

When the ‘original’ assets are stolen, your ‘not-real’ stables on the destination chains will be no longer backed. It is practically worthless.

You must take a good look at the native status of a stablecoin. Take example USDC.

  From their official website


As it turned out, your USDC will only be a native asset on just 8 chains. Beyond that, you are dealing with ‘fake’ USDC. In EVMOS, it’s madUSDC. In Harmony, it’s 1USDC.

Meanwhile, for Tether/USDT 👇.

it’s safer to hold USDC and USDT on Tron than on a respectable L2 like Arbitrum. (Just in case you aren’t aware, Tron is viewed as a joke in the crypto industry.)

It also applies to other stables too, including algorithmic ones. An algostable is not always natively deployed. For example, DAI and FRAX are only native to Ethereum while MIM is available natively on 6 chains.

So, what can we do to minimize the risk of unbacked stablecoins?

Picking stables based on your purpose

Plenty of us likes to hold in stables to wait for a better price. For holding:

  • If you want to be safe, hold it on Ethereum. As it is practically the home of major stablecoins.
  • Hold a stablecoin where it is native to that chain.
  • Riskier stablecoins are useful if you want to indulge yourself in more risky activity. For example, MIM is great for leverage, but MIM is not a good idea for holding because it’s de-pegging risk.
  • Once you’re done degen-ing, switch back to the safer stables while holding and waiting for the next opportunity.

Consider native assets

Native stablecoins. Native tokens. Native coins.

That means owning a coin on its own native blockchain. Store your ETH on the Ethereum network, Bitcoin on Bitcoin, $ATOM on a cosmos wallet, and so on.

Bridging makes it possible for assets to move cross-chain, but just like the stables above, when you own BTC on an Ethereum chain, you will get the wrapped version of BTC (WBTC). It’s not the ‘real’ Bitcoin.

Owning native assets on native chains is best practiced for investing/DCA, holding in a cold wallet, or simple staking.

However, I can’t tell nor discourage people to stop farming on a ETH pool on non-Ethereum chain, as not only that degen gonna degen, but also some best opportunity often comes from these high-risk opportunities. Hacks not gonna stop people for bridging ETH to farm airdrops in a new chain.

But to minimize risk, of course, use basic DeFi common sense such as not using more than you can afford to lose. I think most safety practices in DeFi boil down to understanding what you’re getting into.

Understand the risks of protocol

Some types of dApps are riskier to get hacked than others. Since the birth of DeFi in 2019-2020, we can see a pattern on which types of dApps are risky, and which ones are less risky.

Know your level of risk before using them.

Lending protocol and yield aggregators get hacked frequently. (Notable lending protocol hacks and aggregators: Cream Finance, BadgerDAO, Hundred Finance.)

Since 2021, the year when the cross chain becomes popular, bridges shoot up to be #1 most exploited type of dApp. Notable bridge hacks include Ronin Bridge, PolyNetwork, Wormhole, Harmony Horizon Bridge, and recently, Nomad.

Those three are ripe for hacking. On those protocols, a lot of money is pooled in one place, often in one smart contract. The smart contracts code is far more complicated than say, on a DEX, especially on anything that involves cross-chain. The more complicated the code, the higher the chance devs slip up and unknowingly introduce vulnerabilities.

On the other hand, simple staking, LP pools, and swapping barely got hacked due to a much simpler smart contract logic.

Safety best practices for wallets

The crypto space was a mess when wallets are drained on Solana Blockchain and people don’t understand what was wrong. Another slap in the face and a reminder about how safety wallet practice is a must for crypto users.

A lesson taken from the incident is still the good old ‘Freaking use a hardware wallet.’

It’s always the number one rule.

I know, that hardware wallets in some cases can be inconvenient. Especially for activities where speed is important (sniping NFTs, trading, and bots.) But that’s what wallet categorization is for.

Phew.

Finishing this guide made me think how complicated DeFi sometimes can be. With more control — of your wealth — crypto does come with more responsibility. (Insert “we’re still early” meme). It’s also a price to pay for higher profit than in any other assets class. The classic ‘higher risk righer return.’

But trust me, though it might look overwhelming at first, eventually you’re get used to the safety practices above.

All Comments