Defi — What is broken

Lessons from the attack on the largest dex on Algorand — Tinyman

Oluwasegun
6 min read · Jan 5, 2022

The Finance sector functions primarily by efficiently distributing resources to the best use and demand.

This means resources are moved between savers and borrowers (investors, entities, individuals) to serve more productive uses.

The sector is divided into three parts: personal, corporate, and public finance.

The structure of traditional financial models leaves the system with accessibility problems: 1.7 billion people are unable to access any financial service.

The convergence of blockchain, crypto, and smart contracts has created a new financial system — decentralized finance. The goal of Defi is to recreate all the services in our existing finance system on the blockchain and to make it accessible to all.

Instead of trusting government regulations and big financial service companies, Defi brings financial services to all through a trustless, transparent, and permissionless technology called the blockchain.

Defi stands for decentralized finance, a financial system built from computer code called smart contracts on the blockchain. It gives you access to financial services with cryptocurrencies through decentralized applications called Dapps. Defi has effectively created an alternative, parallel financial system that addresses the shortcomings of Tradfi, allowing users to own their money and control how it is used. Some of the popular services in Defi include token swapping, liquidity provision, lending, and borrowing, usually classified as yield farming. Decentralized services are performed on decentralized applications; examples include:

The nature of the Ethereum blockchain created decentralized finance: adding programmability to the blockchain allowed developers to write code and, consequently, to build applications that are now called Dapps (decentralised applications). This created the foundation for the innovation we see in today’s Defi.

On the normal web, you can’t buy a blender without giving the site owner enough data to learn your whole life history. In Defi, you can borrow money without anyone even asking for your name. — CoinDesk

Benefits and risks in Defi

Defi users can trade cryptocurrencies, borrow or lend money, speculate on the price action of different tokens using derivatives, earn interest on staking, and more. All these transactions are done peer to peer between users on Defi platforms. Some obvious benefits include:

Transaction time: In Defi, transactions are executed instantly, which makes features like flash loans possible. Speed is often relative to the level of congestion in the network, but Defi transactions are fast. Compared with buying assets on stock exchanges, where investors have to engage in multiple calls with brokers to close deals on assets, the benefit of Defi quickly shines.

Higher yields: Defi rewards investors bountifully, with features like staking, loans, and arbitrage opportunities. Investors and traders have more ways to make money than in existing financial systems. APYs (annual percentage yields) can be as high as 10,000% on an asset. It is important to note that assets with higher APYs are often riskier: the higher the risk, the higher the profit.

Ownership & Privacy: Using decentralized wallets, users can have full custody of their assets, eliminating risks like bans or other issues on centralized exchanges like Binance. Defi also protects users’ anonymity: wallets are designed to plug directly into decentralized exchanges, with no need for an email and password.

Defi can be described as the wild west of crypto, a largely unregulated and completely anonymous area of crypto. Here are some common risks in Defi.

Impermanent Loss: This occurs when users deposit assets into a liquidity pool and the price of the deposited assets then changes. The value of the position is compared with the initial value deposited, and the difference, whether the price moved higher or lower, is called impermanent loss.
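The loss described above can be made concrete for the most common pool design, a constant-product pool (reserves x and y with x·y kept constant). The following is an added example, not code from the original post or from any exchange; the numbers in it are constructed. It simulates what happens to a 50/50 deposit after a price move and compares the position with simply holding the assets, alongside the closed-form figure 2·√r/(1+r) − 1 for a price ratio r.

```python
from math import sqrt


def impermanent_loss(price_ratio: float) -> float:
    """Closed-form fractional loss of a 50/50 constant-product LP position
    versus holding, for price_ratio = new_price / price_at_deposit.
    Returns a value <= 0; 0 means no loss (price unchanged)."""
    if price_ratio <= 0:
        raise ValueError("price ratio must be positive")
    return 2 * sqrt(price_ratio) / (1 + price_ratio) - 1


def lp_vs_hold(x: float, y: float, new_price: float) -> dict:
    """Simulate a constant-product pool.

    x units of asset A and y units of asset B are deposited, so the deposit
    price is y / x (B per A). After the external price of A moves to
    new_price, arbitrage rebalances the pool so that x' * y' == x * y and
    y' / x' == new_price. Values are expressed in units of B.
    """
    if x <= 0 or y <= 0 or new_price <= 0:
        raise ValueError("reserves and price must be positive")
    k = x * y
    x_new = sqrt(k / new_price)
    y_new = sqrt(k * new_price)
    hold_value = x * new_price + y          # just keep the deposited coins
    pool_value = x_new * new_price + y_new  # what the LP share is now worth
    return {
        "pool_reserves": (x_new, y_new),
        "pool_value": pool_value,
        "hold_value": hold_value,
        "loss_vs_hold": pool_value / hold_value - 1,
    }


if __name__ == "__main__":
    # Constructed sample: 1 A and 100 B deposited (price 100), A then quadruples.
    result = lp_vs_hold(1.0, 100.0, 400.0)
    print(result)                    # loss_vs_hold is -0.2 (a 20% shortfall)
    print(impermanent_loss(4.0))     # closed form agrees: -0.2
    print(impermanent_loss(0.25))    # same loss when the price falls by 4x
```

The simulation and the formula agree, and the loss is symmetric: a fourfold rise and a fourfold fall both leave the pool position 20% behind simply holding, which is why it is "impermanent" only while the price has not returned to where it was.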

Defi Rug Pulls: Imagine standing on a rug with all the trust in the world, and someone pulls it off from under you with sudden force. A rug pull in Defi happens when the development team of a project suddenly abandons everything and sells or removes all its liquidity.

Flash loan attacks: This is a type of Defi attack where an attacker takes a flash loan (a form of uncollateralized lending) from a lending platform and uses it together with various types of tricks to manipulate the market in their favor. These attacks can happen in seconds and yet involve multiple Defi protocols.

Flash loan attacks are the most common type of Defi attack because they are the cheapest to pull off. They have been consistently making headlines since DeFi’s surge in popularity in 2020 and appear to be growing more rampant in 2021.

What is broken in Defi?

Defi projects are open source. This should make them naturally more secure, since they can draw on the pool of developers in the community instead of depending only on the development team, but this is not the case.

Most of the attacks on Defi projects succeeded because of weaknesses in the security of the system: hackers identify these weaknesses and exploit them.

Another problem with Defi is user experience. Most Defi products are mere experiments or prototypes, full of technical jargon that is hard for newbies to understand, which makes DeFi a place suitable only for crypto nerds.

This will change over time but for now, will remain a drawback with Defi platforms.

Besides swapping, lending, and yield farming, other applications are barely functional.

Lessons from Tinyman

Defi has been a hotspot for hackers right from its inception. Every day, in some ecosystem somewhere, a possible weakness is being exploited. Public blockchains are open source, making decentralized applications (Dapps) more vulnerable to attacks by anyone.

Sadly most of these attacks were successful. They were mostly targeted at high-profile dapps.

The year 2022 started with lots of promise and momentum for most projects, but not for Algorand: on the first of January the largest decentralized exchange in the ecosystem, Tinyman, was attacked, and approximately $3 million of assets was stolen.

According to their official Twitter account:

“We advise our users not to use Tinyman at the moment due to the problems we are experiencing. Low liquidity can also cause a loss of value in your funds. We’ll be stopping our swap function on the interface soon. Please take this warning seriously as this is for our user’s protection.”

The hackers continued the attack by targeting some pools, swapping some assets, and minting pool tokens, which allowed the attackers to receive two of the same asset instead of two different assets. This way the hackers obtained the goBTC asset, which was more valuable, instead of Algo, Algorand’s native token.
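The flaw the post describes is a pool handing the holder of pool tokens two of the same asset. The toy below is an added example, not Tinyman’s own contract code (which is not written in Python): it models the step where pool tokens are exchanged back for the pool’s two assets, once in a weak form that trusts the caller’s choice of payout assets and once with the check a pool needs, that the payout assets are exactly the pool’s configured pair. The class and function names and the reserve figures are made up for the illustration.

```python
from dataclasses import dataclass


class RedeemError(ValueError):
    """Raised when a pool-token redemption request is rejected."""


@dataclass
class Pool:
    # Constructed sample pool: its two asset ids are fixed at creation time.
    asset1: str
    asset2: str
    reserve1: float
    reserve2: float
    lp_supply: float  # outstanding pool (LP) tokens

    def reserve_of(self, asset: str) -> float:
        return self.reserve1 if asset == self.asset1 else self.reserve2

    def debit(self, asset: str, amount: float) -> None:
        if asset == self.asset1:
            self.reserve1 -= amount
        else:
            self.reserve2 -= amount


def burn_unchecked(pool: Pool, lp_amount: float, asset_a: str, asset_b: str) -> dict:
    """Weak pattern: the caller names the two payout assets and each named
    reserve pays out a proportional share, with no check that the names are
    the pool's own distinct pair. Naming one asset twice pays it twice."""
    share = lp_amount / pool.lp_supply
    amounts = [(asset, share * pool.reserve_of(asset)) for asset in (asset_a, asset_b)]
    paid: dict = {}
    for asset, amount in amounts:
        pool.debit(asset, amount)
        paid[asset] = paid.get(asset, 0.0) + amount
    pool.lp_supply -= lp_amount
    return paid


def burn_checked(pool: Pool, lp_amount: float, asset_a: str, asset_b: str) -> dict:
    """Hardened form: payout assets must be exactly the pool's pair (in either
    order), and the amount must be a valid share of the outstanding tokens."""
    if asset_a == asset_b or {asset_a, asset_b} != {pool.asset1, pool.asset2}:
        raise RedeemError(
            f"payout assets must be {pool.asset1} and {pool.asset2}, got {asset_a}, {asset_b}"
        )
    if not 0 < lp_amount <= pool.lp_supply:
        raise RedeemError("pool token amount out of range")
    share = lp_amount / pool.lp_supply
    paid = {pool.asset1: share * pool.reserve1, pool.asset2: share * pool.reserve2}
    pool.reserve1 -= paid[pool.asset1]
    pool.reserve2 -= paid[pool.asset2]
    pool.lp_supply -= lp_amount
    return paid


def sample_pool() -> Pool:
    # Constructed figures: 10 goBTC and 100,000 ALGO backing 1,000 pool tokens.
    return Pool("goBTC", "ALGO", 10.0, 100_000.0, 1_000.0)


if __name__ == "__main__":
    print(burn_checked(sample_pool(), 100.0, "ALGO", "goBTC"))  # 1 goBTC + 10,000 ALGO
    print(burn_unchecked(sample_pool(), 100.0, "goBTC", "goBTC"))  # 2 goBTC, no ALGO
    try:
        burn_checked(sample_pool(), 100.0, "goBTC", "goBTC")
    except RedeemError as e:
        print("rejected:", e)
```

The point for reviewers and auditors is that a pool’s pair is state the contract already holds, so the payout assets should be derived from it rather than accepted from the transaction; an audit or test suite would exercise exactly the duplicate-asset and foreign-asset cases that the checked version rejects.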

“Decentralised apps are designed to be trustless in that they eliminate any third-party control of users’ funds, but you must still trust that the creators of the protocol have not made a coding or design mistake that could lead to a loss of funds.” — Tom Robinson, Chief Scientist at Elliptic.

Cryptocurrency and blockchain have given us a financial freedom we had previously only written about in research papers and stories, allowing us to truly be free and control our money. However, this freedom comes with commitment. Unlike the existing financial system, where third parties like banks and credit companies can refund losses in the case of a hack, Defi platforms work differently: once a transaction is confirmed, it cannot be reversed. If a user mistakenly sends to a wrong address, it is gone, with no refund.

Therefore, there is a need for caution and a sense of responsibility when using dapps to ensure assets are safe.

Here’s a short list of tips on how to stay safe.

Start with centralized exchanges: It is very dangerous for a beginner to start their crypto journey on a decentralized exchange (DEX); most DEXes are complicated and hard to understand for absolute beginners trying to buy their first asset. Pick a secure exchange: Binance, Kucoin, and Coinbase are examples of popular centralized exchanges (CEXes) to start exploring. When using CEXes, use strong passwords, enable 2FA, watch out for phishing attacks by email and SMS, and be careful with social media private messages.

Store your crypto securely: If you are buying to keep for a long time, hardware wallets are your safest bet. Keep your private key safe, do not lose your key, and avoid taking screenshots of it or syncing it to the cloud. Store your seed phrase offline, away from anyone.

Use DEXes securely: Revoke Dapp connections from wallets after use, do your research before investing in a project, do not invest more than you can afford to lose, and use audited projects, which offer more security.

Avoid unverified messages: Verify the source of emails before opening a link. Look out for fake exchanges that mimic real exchanges to collect user data through mobile apps or websites.

Thank you for reading…


Oluwasegun

Product, UX designer, Here I write about complex topics in design, blockchain, and the Metaverse. Portfolio: mosessamuel.framer.website/