Smart Contract Risk Assessment - What to watch out for

Updated: Oct 11, 2021

When it comes to investments, risk assessment is a crucial part of the process. In DeFi investing and yield farming, risk assessment applies to the smart contracts of the protocols one wants to deposit funds in.


In 2020, the world witnessed multiple hacks, which took advantage of vulnerabilities in DeFi protocols. As a result, depositors have incurred millions of dollars in losses.


Drawing on our extensive experience, we would advise DeFi investors to keep an eye out for two main types of risks related to smart contracts - scams (notoriously known as "rug pulls") and bugs/vulnerabilities.


Scams

The DeFi ecosystem has been growing exponentially, but profit-hungry scammers haven't been idle either. They have been coming up with different creative ways to steal money.


A popular approach involves forking a well-known DeFi protocol and marketing it as a new alternative. The scammers attract depositors by offering them hefty rewards, often reaching whopping annual returns of 10,000%. Usually, a new governance token which the scammers themselves had created serves as a reward payout. Thanks to a modification in the source code of the forked protocol, the scammers use a mechanism that allows them to divert the deposited funds to an address they control. The exit scam involves either a function that a privileged address can call or a lack of timelock protection of a critical mechanism.


Usually, such protocols do not attract a large pool of funds, as experienced security experts notice the backdoors right away. In such a scam, the amount of stolen funds is generally south of $500,000. Compared with vulnerability exploits or centralized exchange hacks, the sum is much lower, but it is still an unpleasant loss for the scammed parties. The good news is that such financial damage, no matter how small it is, is easily preventable if there is an expert one can consult about the safety of a given protocol.


Compounder was the biggest scam of 2020, as it managed to steal around $12 million. In this case, an anonymous developer cloned Yearn Finance and motivated participants to deposit liquidity by promising them large rewards paid out in the native CP3R token. The protocol had run for around a month before the developers submitted malicious changes into its timelock. As the name suggests, timelock contracts provide participants in the protocol with time to review the changes and withdraw their funds if they want to. In Compounder's case, none of the participants kept an eye on the modifications, and after 24 hours, the changes came into effect, allowing the dev team to siphon all the funds.


The unfortunate side of the story is that depositors had 24 hours at their disposal to review the submitted changes and withdraw their funds, but nobody kept tabs. That is why it is crucial to monitor each timelock contract of the protocols one invests in and scrutinize any changes submitted there.


Bugs and vulnerabilities

Bugs and vulnerabilities are the other culprits that could lead to lost funds in DeFi. Despite not being added by the developers on purpose, bugs could become easy prey to hackers who want to steal funds by exploiting the vulnerabilities in a protocol. The new kid on the block is the so-called sandwich attack. During such an attack, an attacker looks for a pending transaction on a network of their choice. The term comes from the method the nefarious trader uses. They place one order right before the trade and one right after it, thereby sandwiching it.


The ultimate goal of this method is to manipulate asset prices and create an artificial price increase. In a protocol, a sandwich attack takes place through the deployment of a specialized smart contract, which executes the following several steps in a single transaction:

  1. Takes out one or more flash loans borrowing millions of dollars in tokens;

  2. Manipulates the token price on a decentralized exchange by swapping the borrowed assets;

  3. Executes some actions in the victim protocol, which at this point sees the artificially hiked prices;

  4. Buys back the borrowed assets and returns the market price to the normal levels;

  5. Returns the flash loans.


These steps grant the hacker substantial profits as the victim protocol uses a manipulated price for its calculations, which allows the attacker to end up with more funds than they are supposed to. That puts the protocol in the red and leads to depositors losing investments partially or fully.


Even though the vulnerability is known, reviewing the code might not always lead to its detection. Generally, DeFi protocols are very sophisticated or work with other complex money legos, such as baskets of tokens; therefore, it is hard to detect problems during a security review. Unfortunately, the person who manages to find the bug is usually the one who will exploit it. Sometimes, the hacker could be an ethical one, a.k.a. a white hat, and could return the funds once the protocol or platform has fixed the bug. Such was the recent case of Poly Network. In August, a hacker hit the platform but returned most of the stolen money. Subsequently, Poly Network promised the hacker a $500K bounty and even invited them to become the platform's chief security advisor.


However, most of the time, hackers have malicious intent, which means that after a bug exploit, depositors will have to wave goodbye to any chances of seeing their money again.


An in-depth assessment of the complexity of new protocols is instrumental in mitigating the risk against such bugs.


Like with cryptocurrencies, protocols (e.g., Yearn Finance, Compound, Aave, Uniswap) that have been around longer and have made a name for themselves are considered safer. However, this doesn't mean that they are immune to issues. One example of why one should always be cautious is a security problem in Aave disclosed after the protocol had been operating for many months.


Conclusion

An expert can spot some risks quite easily, while other problems are harder to detect and usually go unnoticed. The biggest challenge is assessing the unknown liabilities and being prudent about the protocols in which one is interested.


Here is where Finexify steps in. As the security of our clients’ funds is of utmost importance to us, we do comprehensive due diligence during the protocol selection process. Moreover, our experienced team of blockchain experts performs ongoing code security reviews to ensure that the respective protocols meet our risk appetite.


Thanks to this approach and the business acumen we have developed over the years through different projects in the blockchain and fintech industries, we have a spotless track record of investments in lucrative protocols without any hidden risks for our clients.


 

About Finexify

Finexify is a boutique investment firm that provides one of a kind opportunity to get into and profit from the Decentralized Finance (DeFi) space – the most promising and complicated space of the blockchain industry.


The limited access to DeFi means extraordinary alpha with limited exposure to the cryptocurrency market volatility. Reserved only for the most crypto- and tech-savvy, the team of experts is more than prepared to exploit this profit opportunity for its investors.