Jul 13, 2020

How Investment Firms Can Mitigate Risks Associated With DeFi

From retail crypto enthusiasts jumping in headfirst to institutional giants dipping their toes in, decentralized finance (DeFi) is quickly becoming a valued aspect of the new financial revolution.

However, shaken by recent market turmoil in the wake of Covid-19, DeFi’s true test has only just begun. If it succeeds, it will emerge stronger than ever; if it fails, it could sound the death knell for DeFi. With risks abounding, institutions need to be fully prepared before diving into DeFi.

As previously reported by Cointelegraph, in one year alone, the total ETH value locked in the DeFi market has crossed the $1 billion mark. With the level of activity increasing, DeFi is on track for mainstream popularity. However, security, interoperability, and usability continue to hinder mass adoption.

DeFi encompasses a vast array of crypto offerings, from digital asset creation to Ethereum smart contracts that power decentralized apps (dApps) for lending, borrowing, and advanced trading. At its core, DeFi strives to become an alternative to the financial system – serving crypto-centric trading on decentralized exchanges, enabling crypto loans collateralized by other cryptocurrencies, and providing the ability to earn interest on crypto holdings via multiple lending markets. The possibilities are seemingly endless.

It is not without its altruistic aspects either. Conservative estimates place the number of those without access to financial services at 1.7 billion worldwide; this is one of the greatest motivations behind the rise of DeFi. But despite well-intentioned ideals, some latent risks remain. So how do players protect themselves when entering the emerging sector?

The risks and rewards of DeFi

Crypto institutionalization has arrived. This is mainly thanks to recent regulation, making it safer for institutional market entry. Data from an analytics platform reveals that the current value of the market represents an almost 300% increase from 12 months ago.

Now, it seems, mainstream institutional players instrumental to widespread adoption of the DeFi sector are starting to take heed. But rather than merely investing in a preexisting DeFi enterprise, more adventurous hedge funds are opting to diversify their portfolios by directly venturing into actual DeFi protocols. And it is easy to see why. DeFi interest rates range anywhere from 2.5% to 14% and sometimes even higher. Compare that to traditional savings instruments, such as US treasuries with their 1.5% yield, and it is not difficult to understand why some funds are expanding into DeFi.

However, while potentially increasing their reward, these funds expose themselves and their clients’ capital to higher risk in a largely unregulated space.

These risks range from smart contract bugs to malicious hacks and even unforeseen loopholes resulting from the nascency of the space. A prime example of these hazards was observed in the ‘attacks’ on the DeFi lending protocol bZx last month. Assailants harnessed a bug in a bZx smart contract, along with the low liquidity of a decentralized exchange, to carry out a sophisticated trade that siphoned approximately 3600 ETH from the platform.

Another particularly ubiquitous DeFi quandary arises from the lack of user control. As soon as funds are filtered into the ecosystem, the user essentially relinquishes authority to the DeFi protocol. Let’s take the protocols Maker and Compound as examples. Thanks to their various emergency controls – such as the ability to pause transactions – as well as their off-chain pricing model, the decentralization aspect becomes fairly subjective, and user funds rest at the mercy of an unauthorized entity. As a consequence, one of the most prevailing concerns about DeFi among crypto funds is the absence of appropriate DeFi-compatible custody solutions and regulatory due diligence.

Not all smart contracts are created equal. Some undergo exhaustive audits and trials; others allow for unintended attack vectors. Because of this, a solution needs to be in place that enables the user to choose which apps should and should not be used. Fortunately, via the use of custodial wallets, this solution already exists. Safeguards such as whitelists ensure funds are only permitted to move between pre-approved entities. For example, custodians can compile a whitelist, or ‘walled garden,’ that includes officially published exchange addresses and individual public addresses. On-chain, these whitelists can similarly filter out undesired smart contracts associated with various dApps, allowing access to some while blocking others.

Securing DeFi: A focus on DEXs

A DEX encompasses all the paragons of decentralization, enabling cheaper and faster transactions than traditional exchanges by eliminating costly intermediaries. To achieve this, DEXs favor peer-to-peer transactions and permissionless paradigms, removed from any centralized authority. In place of the jettisoned middlemen are smart contracts. As long as the code is airtight, these novel protocols permit a variety of trades and transactions to occur seamlessly.

Unfortunately, one major pitfall of smart contracts is their innate vulnerability. The aforementioned bZx attack is a prime example of this. Moreover, in 2018 researchers flagged 34,200 smart contracts as exhibiting exploitable flaws. Consequently, external controls on private keys across DEXs are becoming essential. Whitelists once again come into use here. Protocols exhibiting signs of risk, i.e., dApps which have not undergone appropriate due diligence processes such as smart contract auditing, can be filtered out and avoided altogether.
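As an added illustration of the whitelist (‘walled garden’) idea described here and in the custody discussion above, the following JavaScript is a pre-signing policy check of the kind a custodial wallet could run before it signs a fund’s transaction. It is not code from the article or from any product or protocol the article names; the address lists, the signer accounts and the sample transactions are constructed placeholders, and the check goes a little beyond the text by also refusing contract creation and transactions from accounts that are not on the approved signer list.

```javascript
// Added example: pre-signing allowlist policy for a custodial wallet.
// Not code from the article or any named product; all addresses are constructed.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Ethereum addresses may be written in checksum (mixed) case; compare them
// case-insensitively so a casing difference can neither bypass nor break the list.
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new Error(`malformed address: ${addr}`);
  }
  return addr.toLowerCase();
}

// A policy holds: counterparties allowed for plain value transfers (exchange
// deposit addresses, KYC'd partners), audited dApp contracts allowed for calls,
// contracts that are explicitly excluded (always wins), and approved signers.
function buildPolicy({ counterparties, contracts, excludedContracts, signers }) {
  const toSet = (list) => new Set(list.map(normalizeAddress));
  return {
    counterparties: toSet(counterparties),
    contracts: toSet(contracts),
    excludedContracts: toSet(excludedContracts),
    signers: toSet(signers),
  };
}

// Any non-empty calldata means the transaction invokes a contract.
function isContractCall(tx) {
  return typeof tx.data === "string" && tx.data.length > 2;
}

// Returns { allowed, reason }; the wallet signs only when allowed is true.
function evaluateTransaction(tx, policy) {
  let from;
  let to;
  try {
    from = normalizeAddress(tx.from);
    if (tx.to === undefined || tx.to === null || tx.to === "") {
      // No recipient means contract creation, which would sidestep every list.
      return { allowed: false, reason: "contract creation is not permitted" };
    }
    to = normalizeAddress(tx.to);
  } catch (e) {
    return { allowed: false, reason: e.message };
  }
  if (!policy.signers.has(from)) {
    return { allowed: false, reason: `signer ${from} is not an approved account` };
  }
  if (policy.excludedContracts.has(to)) {
    return { allowed: false, reason: `${to} is on the exclusion list` };
  }
  if (isContractCall(tx)) {
    if (!policy.contracts.has(to)) {
      return { allowed: false, reason: `contract ${to} is not an approved dApp` };
    }
    return { allowed: true, reason: "approved contract interaction" };
  }
  if (!policy.counterparties.has(to)) {
    return { allowed: false, reason: `${to} is not an approved counterparty` };
  }
  return { allowed: true, reason: "approved transfer" };
}

// Constructed sample policy and transactions (placeholder addresses).
const FUND_SIGNER = "0x1111111111111111111111111111111111111111";
const EXCHANGE_DEPOSIT = "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd";
const AUDITED_DAPP = "0x3333333333333333333333333333333333333333";
const EXCLUDED_DAPP = "0x4444444444444444444444444444444444444444";
const UNKNOWN = "0x5555555555555555555555555555555555555555";

const SAMPLE_POLICY = buildPolicy({
  counterparties: [EXCHANGE_DEPOSIT],
  contracts: [AUDITED_DAPP, EXCLUDED_DAPP], // exclusion below still wins
  excludedContracts: [EXCLUDED_DAPP],
  signers: [FUND_SIGNER],
});

// "0xa9059cbb" is the ERC-20 transfer(address,uint256) selector.
const SAMPLE_TXS = [
  { from: FUND_SIGNER, to: EXCHANGE_DEPOSIT, value: "0xde0b6b3a7640000", data: "0x" },
  { from: FUND_SIGNER, to: "0xABCDEFabcdefabcdefabcdefabcdefabcdefabcd", value: "0x1", data: "0x" },
  { from: FUND_SIGNER, to: AUDITED_DAPP, value: "0x0", data: "0xa9059cbb" },
  { from: FUND_SIGNER, to: EXCLUDED_DAPP, value: "0x0", data: "0xa9059cbb" },
  { from: FUND_SIGNER, to: UNKNOWN, value: "0x0", data: "0x" },
  { from: FUND_SIGNER, to: undefined, value: "0x0", data: "0x6080" },
  { from: UNKNOWN, to: EXCHANGE_DEPOSIT, value: "0x0", data: "0x" },
];

function runSamples() {
  return SAMPLE_TXS.map((tx) => evaluateTransaction(tx, SAMPLE_POLICY).allowed);
}

console.log(runSamples()); // → [true, true, true, false, false, false, false]
```

The exclusion list is consulted before the approved-contract list, so a dApp that a custodian later decides to drop is blocked even if it still appears in the approved set; the check rejects rather than silently skipping on malformed input so a fund’s signer never signs something the policy could not classify.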

There is no attack vector more prominent, and dangerous, than private key exploitation. Ironically, while DeFi’s raison d’être is a move away from the single point of failure inherent in centralized finance, one compromise of private keys and it is game over for DeFi investors.

To interact with DeFi apps, such as DEXs, users must employ third-party applications such as MetaMask to sign transactions. MetaMask signs user transactions in the browser and then submits them to a configured node such as Infura. The problem is that MetaMask stores your private keys in the browser, creating a significant security risk.

Fortunately, a few workarounds exist. One such solution involves integrating MetaMask with a hardware wallet. This markedly increases security, as hardware wallets use secure element chips to isolate private keys, protecting them from malicious attacks. However, the necessity to connect a hardware wallet every time you need to sign a transaction generates inevitable efficiency issues and exposes users to hacking risks, as they are now connected online. Moreover, if the hardware wallet is lost, so are the funds.

Another solution is custodial wallet integration. Custodial wallets can provide all the benefits associated with hardware wallets, with none of the latency pitfalls. However, users should tread carefully when choosing between services. Only segregated and real-time custodial wallets are capable of both supporting DeFi and carrying out speedy transactions, whereas cold storage custody wallets are not.

Along with the added security of a third-party insured custodian, which can offset risk and liability, custodial wallets also ensure account recovery, meaning that private keys can never go missing. Moreover, depending on the type of custodial wallet, KYC/AML procedures should be accounted for.

Due to the decentralized nature of DeFi, some believe that the same rigorous requirements expected of traditional firms do not apply – or cannot be applied. However, many custodial wallet providers carry out the standard KYC/AML due diligence, providing a route to regulatory compliance that otherwise does not exist for DeFi. This is essential for investment firms which, as regulated institutions, may need to set specific parameters around transactions, including which apps to exclude, as well as providing access to accredited investors only.

In this way, proponents wishing to comply with existing standards can seek out a similarly compliant partner to trade or loan with. This kind of arrangement can be easily implemented via decentralized oracle services (i.e., on-chain data sources) such as Chainlink, which can provide whitelisted, KYC-compliant partners on the other side of a trade.

As institutional players begin to cozy up to DeFi protocols, it becomes ever more essential to safeguard against the latent hazards affiliated with the emerging sector. Appropriate security and regulatory measures will need to be put in place if mainstream adoption is to be fully realized.

