The decentralized finance (DeFi) industry is growing at a rapid pace, with a 610% increase in the user base of decentralized lending applications (lending dapps) since 2018. The vast majority of DeFi protocols are built on the Ethereum blockchain, and this boom could result in further upward price momentum for ETH. DeFi is responsible for recent all-time highs in Ethereum network usage and naturally increases the demand for ETH. As a result, investors have seen the year-to-date price of ETH grow by more than 90%. However, as we have learnt in recent years, public support and billion-dollar fundraisings don’t necessarily translate into long-term price gains.
How the term ‘DeFi’ was coined
Ethereum developers and entrepreneurs including Blake Henderson (of 0x), Brendan Forster (of Dharma) and Inje Yeo (of Set Protocol) were discussing, in a Telegram chat in August 2018, what to call this concept of open financial applications being built on Ethereum. While other options like Open Horizon, Lattice Network, etc. were under consideration, they finally settled on DeFi as it can be pronounced as ‘DEFY’ – a movement to defy traditional centralized finance.
Characteristics of DeFi
DeFi protocols allow value to be transferred without the use of centralized agencies like banks. Non-custody refers to the fact that the users continue to retain custody and control over their funds.
DeFi protocols are borderless and open to everyone, unlike the traditional centralized financial systems. They are like the internet for financial applications.
The source code of DeFi protocols is open-source. This allows everyone to view and verify the code that powers these protocols.
Since the code is open-source, other developers can view the code and build on top of it. If they don’t like a particular application or a particular feature of an application, they can always make changes as per their requirements.
The DeFi protocols are built on decentralized blockchains like Ethereum which are not controlled by any central authority. These are run by distributed nodes. Further, Decentralized Applications (DApps) are not governed by any single entity. The decisions about these DApps are taken by the community, allowing them to participate in the governance mechanism of these applications.
Top 10 Risks in DeFi
1. Price Volatility leading to a forced liquidation cascade
A standard DeFi lending and borrowing protocol works as follows: a user who wants to borrow funds first deposits a crypto asset (e.g. ETH) as collateral. The DeFi protocol then allows the user to borrow stablecoins (e.g. DAI, USDT) against this collateral. The Loan to Value Ratio (LTV) is generally 50 to 60%. This means a user can borrow approximately $500-$600 worth of DAI/USDT against collateral of $1000 worth of ETH. Because the crypto market is quite volatile, this collateral value of $1000 can drop significantly if the price of ETH drops. If the value of the ETH falls so far that the outstanding loan exceeds what the LTV ratio allows, the smart contract will automatically liquidate the ETH deposited by the borrower as collateral. This is known as forced liquidation and it can lead to a cascading effect. More forced liquidations will result in more selling pressure on Ethereum and that in turn will cause the price of ETH to fall further. Let’s visualize this with a practical example.
Asha wants to borrow $500 worth of USDT by depositing $1000 worth of Ethereum as collateral. The Loan to Value ratio of the protocol is 60%, which means she can borrow a maximum of $600 worth of USDT against $1000 of ETH. If her loan comes to exceed the amount the LTV allows, Asha’s ETH will be liquidated. Suppose that, down the line, the price of ETH drops so that the value of Asha’s collateral falls to $800. As per the LTV ratio, she can now only borrow USDT worth $480; since she has borrowed more than that ($500), the protocol will automatically liquidate her ETH to repay the loan.
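The sketch below is an added example, not code from any DeFi protocol. It reproduces Asha's numbers and then goes one step further than the text by simulating the cascade. Assumptions: Asha's collateral is 1 ETH priced at $1000, borrowers B, C and D are hypothetical, and seized ETH is sold into a constant-product pool so each liquidation pushes the price down.

```python
from dataclasses import dataclass

LTV = 0.60  # loan-to-value limit from the article's example

@dataclass
class Loan:
    owner: str
    eth: float   # collateral, in ETH
    debt: float  # stablecoins borrowed, in USD

def max_borrow(eth, price, ltv=LTV):
    """Largest debt the protocol tolerates for this collateral at this price."""
    return eth * price * ltv

def liquidation_price(loan, ltv=LTV):
    """ETH price below which the loan's debt exceeds the LTV limit."""
    return loan.debt / (loan.eth * ltv)

def cascade(loans, pool_eth, pool_usd, shock_price):
    """Apply a price shock, then liquidate until no loan is over its limit.

    Assumed market model (not from the article): seized ETH is sold into a
    constant-product pool, so every liquidation lowers the price further.
    Returns (final_price, owners liquidated in order).
    """
    k = pool_eth * pool_usd
    # Rebalance the pool so that its price equals the shocked market price.
    pool_eth = (k / shock_price) ** 0.5
    open_loans, liquidated = list(loans), []
    while True:
        price = k / pool_eth ** 2  # same as pool_usd / pool_eth when x * y = k
        hit = [l for l in open_loans if l.debt > max_borrow(l.eth, price)]
        if not hit:
            return price, liquidated
        for loan in hit:
            open_loans.remove(loan)
            liquidated.append(loan.owner)
            pool_eth += loan.eth  # collateral is dumped into the pool

# Constructed sample: Asha's loan from the article (1 ETH at $1000, $500
# borrowed) plus three hypothetical borrowers with lower debts.
LOANS = [Loan("Asha", 1, 500), Loan("B", 1, 470),
         Loan("C", 1, 440), Loan("D", 1, 200)]

if __name__ == "__main__":
    print("Asha is liquidated below $%.2f" % liquidation_price(LOANS[0]))
    price, gone = cascade(LOANS, pool_eth=10, pool_usd=10_000, shock_price=800)
    print("after the cascade: price $%.2f, liquidated %s" % (price, gone))
```

At $800 only Asha is over her limit, yet selling her collateral into the small pool drags the price low enough to liquidate B and C as well.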
2. Hacks and Exploits
A DeFi protocol is only as good as the security of the code written behind it. All DeFi projects rely on smart contracts that are written on a platform like Ethereum. There have been numerous cases of malicious actors exploiting vulnerabilities in smart contracts to drain users' assets locked in the smart contract protocols. In the spirit of transparency, the code of most DeFi projects is open source and available to the public (and thereby hackers) for inspection.
The most common mitigation to this DeFi risk is for projects to get their codebase audited by security experts like Certik. Users should always do their research to check if the code of the project has been audited and any identified vulnerabilities have been sorted out.
3. Rug Pulls
Pulling the rug (or rug pull) is a malicious scheme that bad actors deploy to make a quick buck. To understand a rug pull, you first need to understand how a decentralized exchange like Uniswap works.
A decentralized exchange is a place where users can swap tokens while retaining custody of their funds themselves, so they don’t have to rely on centralized exchanges for buying and selling tokens. The way a decentralized exchange works is that some users (liquidity providers) first need to add liquidity to a pair of tokens. Once liquidity has been provided for a certain pair of tokens (for example, ETH and USDT), users can simply connect their wallets and swap tokens. Decentralized exchanges like Uniswap use an algorithmic equation that determines the swap rate automatically based on the balances of both tokens, as well as the actual demand for this swapping pair.
Since anyone can create a token and list it on Uniswap, it creates room for bad actors to create tokens with zero utility and list them on Uniswap by providing liquidity. They then create Telegram groups, websites etc. to make their token and project look legitimate. Innocent users who follow these projects go to a decentralized exchange like Uniswap and exchange their tokens like ETH for these worthless tokens. Once the bad actors have gained enough good tokens, they drain the liquidity from the exchange, leaving the innocent users stuck with a bunch of worthless tokens.
In some cases, the malicious actors create clone tokens that resemble actual tokens. Innocent users end up buying these tokens thinking that they are buying the original tokens but end up with these fake tokens with zero value.
The only way for users to avoid these rug pulls is to do thorough research of the project before investing. Also, it is important to check the contract address of the token with verified sites like CoinGecko or CoinMarketCap or the project’s official website and verified social media channels.
4. Losing Private Keys
A good thing about decentralized finance is, well, that it is decentralized. This means that no central authority controls the user’s funds. Users have to store their funds in wallets like MetaMask that support Web 3.0 decentralized applications (DApps). As a result, users are themselves responsible for the safekeeping of their crypto assets. If users forget (or lose) the seed phrase that backs up their private key, there is no “forgot password” option that can help them. Those funds will be lost forever.
The best way to mitigate this DeFi risk is to carefully note down the seed phrase on two or more pieces of paper and store them in separate and secure locations so that at least one copy is retrievable whenever the need arises.
5. Price Slippage
Slippage refers to the price difference between the expected price of the trade and the price at which the trade is executed. Slippage can occur at any time but is most prevalent during periods of higher volatility when market orders are used. It can also occur when a large order is executed but there isn’t enough volume at the chosen price to maintain the current bid/ask spread.
Slippage does not always mean a bad thing. Slippage could be a positive slippage, negative slippage or no slippage. It is simply the difference between the expected price and the actual price. When an order is executed, the crypto asset is purchased or sold at the most favourable price offered by exchange or any other market maker. This can produce results that are more favourable, equal to or less favourable than the intended execution price. The final execution price vs. the intended execution price can be categorized as positive slippage, no slippage and/or negative slippage.
The risk of price slippage is greater when a user trades on decentralized exchanges like Uniswap, which use the Automated Market Maker (AMM) model for executing trades. Users should always define the price slippage that they are comfortable with before placing the order on the exchange. A low slippage tolerance, however, carries an inherent risk of the trade not being executed.
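To make the trade-off concrete, here is an added example (not code from Uniswap or any other exchange) of a constant-product pool that enforces a user-chosen slippage tolerance. The pool sizes, the 0.3% fee and the intervening 5,000 DAI order are constructed assumptions.

```python
class SlippageExceeded(Exception):
    """Raised when the executed price is worse than the user's tolerance."""

def amount_out(amount_in, reserve_in, reserve_out, fee=0.003):
    """Output of a constant-product (x * y = k) swap; the 0.3% fee is assumed."""
    effective_in = amount_in * (1 - fee)
    return effective_in * reserve_out / (reserve_in + effective_in)

class Pool:
    def __init__(self, dai, eth):
        self.dai, self.eth = dai, eth

    def buy_eth(self, dai_in, min_eth_out=0.0):
        """Swap DAI for ETH, refusing the trade if it would return too little."""
        eth_out = amount_out(dai_in, self.dai, self.eth)
        if eth_out < min_eth_out:
            raise SlippageExceeded(
                f"would receive {eth_out:.4f} ETH, minimum is {min_eth_out:.4f}")
        self.dai += dai_in
        self.eth -= eth_out
        return eth_out

def slippage(expected, actual):
    """Fraction by which execution was worse (+) or better (-) than quoted."""
    return (expected - actual) / expected

def trade_with_tolerance(tolerance):
    """Constructed scenario: a larger order lands between quote and execution."""
    pool = Pool(dai=100_000, eth=100)               # spot price 1000 DAI/ETH
    quoted = amount_out(1_000, pool.dai, pool.eth)  # what the user is shown
    pool.buy_eth(5_000)                             # someone else trades first
    try:
        got = pool.buy_eth(1_000, min_eth_out=quoted * (1 - tolerance))
    except SlippageExceeded:
        return quoted, None                         # order is not executed
    return quoted, got

if __name__ == "__main__":
    for tol in (0.005, 0.10):
        quoted, got = trade_with_tolerance(tol)
        if got is None:
            print(f"tolerance {tol:.1%}: quoted {quoted:.4f} ETH, trade rejected")
        else:
            print(f"tolerance {tol:.1%}: quoted {quoted:.4f} ETH, got {got:.4f} "
                  f"(slippage {slippage(quoted, got):.2%})")
```

With a 0.5% tolerance the order is rejected and the user keeps their DAI; with 10% it executes about 9.2% worse than quoted.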
6. Impermanent Loss
DeFi protocols like Uniswap and Pancakeswap have gained popularity and have seen a tremendous increase in volume and liquidity. These protocols allow users to swap their tokens in a decentralized manner. These decentralized exchanges use a model known as Automated Market Maker (AMM) to provide liquidity.
These exchanges reward users who provide liquidity on these platforms. When a user trades on these exchanges, they don’t place their order against another party but they place their trades against these liquidity pools. These Liquidity Providers (LPs) are rewarded with a portion of the trading fees earned by the platform. While it seems like a profitable venture for LPs, they do need to keep in mind the risk of Impermanent Loss.
Impermanent loss happens when you provide liquidity to a liquidity pool and the price ratio of those assets changes dramatically compared to the price ratio when you deposited those assets. Pools that contain assets that are quite volatile are more likely to experience impermanent loss as compared to pools that have assets that are more stable in value, like stablecoins (e.g. USDT-BUSD pools).
How does impermanent loss happen?
Anita deposits 1 ETH and 100 DAI in a liquidity pool. The token pair needs to be of equal value, so the price of 1 ETH = 100 DAI (and total deposit value comes out to 200 USD as 1 DAI = 1 USD). There is a total of 10 ETH and 1,000 DAI in the pool courtesy of 10 LPs (Liquidity Providers) like Anita with everyone having a 10% share in the pool. The total liquidity of the pool is 10,000 (multiplying the number of ETH and DAI tokens, 10*1000).
Down the line, assume that the price of ETH increases 4x to 400 DAI. Since liquidity (10,000) has to remain constant and since AMMs don’t have order books, arbitrage traders will remove ETH from (and add DAI to) the pool to reflect the current price. Therefore, there will now be 5 ETH and 2,000 DAI in the pool to keep the liquidity constant (5*2000).
At this stage, Anita wants to withdraw her funds, which is 10% of the pool. Her current share, therefore, is 0.5 ETH and 200 DAI (total value 400 USD). Compared to her initial investment, it is a cool 100% return in USD terms. But if she had not opted for the liquidity fund and instead just held on to her 1 ETH and 100 DAI, the current value of her holdings would come out to 500 USD. In this case, Anita would have benefitted more by HODLing her assets. This is what is termed an impermanent loss. While in this specific case it wasn’t a substantial amount of loss, in other cases it could lead to big losses due to price fluctuations – sometimes even eroding a portion of the initial deposit.
A point to note here is that in this case, Anita would have earned a portion of the trading fees in exchange for the liquidity she provided. In many instances, these fees would compensate for the impermanent loss and make it a profitable transaction overall. But it is still imperative to understand the concept before deciding to provide liquidity to a DeFi protocol.
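Anita's example can be checked with a few lines of arithmetic. The following is an added example, not part of the original article; it ignores trading fees, treats 1 DAI as 1 USD, and generalizes to other prices, including a fall to 25 DAI that erodes the initial deposit.

```python
from math import sqrt

def rebalance(eth, dai, new_price):
    """Reserves after arbitrage moves a constant-product pool to new_price.

    Solves eth' * dai' = eth * dai together with dai' / eth' = new_price.
    """
    k = eth * dai
    return sqrt(k / new_price), sqrt(k * new_price)

def lp_versus_hold(dep_eth, dep_dai, share, pool_eth, pool_dai, new_price):
    """USD value of withdrawing the LP share versus simply holding the deposit."""
    eth, dai = rebalance(pool_eth, pool_dai, new_price)
    lp_value = share * (eth * new_price + dai)
    hold_value = dep_eth * new_price + dep_dai
    return lp_value, hold_value

def impermanent_loss(price_ratio):
    """Closed form for a 50/50 pool: LP value / hold value - 1, fees ignored.

    price_ratio is the new price divided by the price at deposit time.
    """
    return 2 * sqrt(price_ratio) / (1 + price_ratio) - 1

if __name__ == "__main__":
    # Anita's position from the article: 1 ETH + 100 DAI deposited,
    # a 10% share of a pool holding 10 ETH and 1,000 DAI.
    for price in (400, 100, 25):
        lp, hold = lp_versus_hold(1, 100, 0.10, 10, 1_000, price)
        print(f"ETH = {price:>3} DAI  LP = {lp:6.1f}  hold = {hold:6.1f}  "
              f"IL = {impermanent_loss(price / 100):+.1%}")
```

At 400 DAI the LP position is worth 400 USD against 500 USD for holding; at 25 DAI it is worth 100 USD, half of the original 200 USD deposit.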
7. Regulatory Clampdown
One of the most significant DeFi risks that the crypto industry at large faces is the risk of a regulatory clampdown. While the regulators have been primarily focussed on centralized exchanges (since that is where most of the fiat conversion happens), it is not long before DeFi platforms like Uniswap, AAVE etc. come under regulatory scrutiny. The risk here is more so as there are no KYC documents required for users to use DeFi – it is truly anonymous and decentralized. The rising cases of hacks and scams and increasing value of assets locked in DeFi protocols are some of the factors that can bring DeFi platforms under the radar of the authorities.
8. High Gas price due to lack of scalability
Most of the DeFi protocols currently are built on Ethereum. This has resulted in clogging of the Ethereum network, thereby resulting in slower processing of transactions and an increase in gas price. While several Layer 2 solutions are being built on top of Ethereum to solve this problem, it is going to be a while before they get ready to process transactions at scale. Without solving this problem of scalability, DeFi cannot achieve mass adoption and disrupt centralized finance. The current transaction fees (gas price) on the Ethereum network have left most people unable to access DeFi applications.
9. Oracle Manipulation
DeFi protocols rely on “oracles” to provide them with off-chain data like the price of Ethereum. These data feeds must be accurate because a lot depends on them. Oracles are essential for the DeFi ecosystem since they supply market data that settles financial [smart] contracts.
Going back to our earlier example of collateral liquidation, imagine the collateral of a user gets liquidated only because the DeFi platform got an inaccurate price of Ethereum. Disastrous, right? There is always a risk that someone manipulates these oracle protocols to feed inaccurate data to DeFi protocols.
Instead of depending on a single source of information, especially one that is easily manipulated due to limited liquidity (like Uniswap), DeFi projects must employ a more reliable oracle setup. Projects usually design those themselves or implement a third-party solution.
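One common way to avoid trusting a single feed is to take the median of several fresh sources and flag any that deviate from it. The code below is an added example, not any project's actual oracle; the source names, prices, timestamps and thresholds are constructed.

```python
from statistics import median

class OracleError(Exception):
    """Raised when no trustworthy price can be produced."""

def aggregate(reports, now, max_age=60, min_sources=3, max_dev=0.05):
    """Median price over fresh reports, plus the sources that look manipulated.

    reports: iterable of (source, price, unix_timestamp).
    """
    fresh = [(s, p) for s, p, t in reports if 0 <= now - t <= max_age and p > 0]
    if len(fresh) < min_sources:
        raise OracleError(f"only {len(fresh)} fresh sources, need {min_sources}")
    mid = median(p for _, p in fresh)
    outliers = [s for s, p in fresh if abs(p - mid) / mid > max_dev]
    if len(fresh) - len(outliers) < min_sources:
        raise OracleError("sources disagree too much to trust the median")
    return mid, outliers

def should_liquidate(eth, debt, price, ltv=0.60):
    """Same LTV rule as in the liquidation example earlier in the article."""
    return debt > eth * price * ltv

# Constructed reports: three agreeing feeds and one low-liquidity pool whose
# price has been pushed down to 600.
NOW = 1_700_000_000
REPORTS = [
    ("exchange_a", 1000.0, NOW - 5),
    ("exchange_b", 1002.0, NOW - 12),
    ("exchange_c", 998.0, NOW - 20),
    ("thin_dex_pool", 600.0, NOW - 2),
]

if __name__ == "__main__":
    price, suspects = aggregate(REPORTS, NOW)
    print("median price:", price, "flagged:", suspects)
    # A loan of $500 against 1 ETH, judged by each price:
    print("single thin source liquidates:", should_liquidate(1, 500, 600.0))
    print("median liquidates:", should_liquidate(1, 500, price))
```

A borrower with 1 ETH and a $500 loan would be liquidated on the thin pool's 600 price alone, but not on the median of 999.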
10. Admin Keys
One of the most fundamental aspects of Decentralized Finance is that it is NOT centralized. What this means is that the user always has access to their funds. However, the current state of DeFi protocols is not truly decentralized. The main reason for this is the existence of Admin Keys. They allow developers behind a DeFi project to control the smart contracts that manage user funds. There are two important reasons for the existence of Admin Keys.
Reason 1 – Updating the software of the Decentralized Application (DApp). The developers cannot upgrade the software if they cannot access the software.
Reason 2 – Force Majeure – What if a situation that is beyond the control of developers occurs and exposes user funds? An admin key that can turn on and off the project can really save user funds.
The existence of an admin key does not automatically presuppose access to users’ tokens. However, that is the case in eleven out of the fourteen notable projects reviewed for DeFi Watch by Chris Blec. Once it is clear that the team behind a DeFi project has access to the users’ assets, it is crucial to consider the type of access.
Some projects set up a multi-sig wallet that does not allow any one developer to access the funds. However, details about this are generally kept opaque for security reasons. Another good option that projects employ is Time Lock. In this case, any change to the code takes effect after a certain period of time. This gives the users ample time to decide if they want to move funds out of the DeFi protocol.
With a plethora of ground-breaking protocols and the total value locked in DeFi protocols exceeding $75 billion (as of 03-May-2021 as per https://dappradar.com/defi), there is no doubt that DeFi is here to stay. DeFi has the potential to change our society in a profound way similar to what the internet did in the 1990s and continues to do even today. The impact of DeFi on Finance is going to be massive and it’s going to be an interesting journey to follow. Having said that, the blockchain, crypto and DeFi space is still relatively new and is currently in an experimental stage and hence prone to many financial risks. It is advisable to proceed with caution before you start dabbling with DeFi. Always do your research before investing in DeFi protocols with financial risk management and remember the most important risk mitigation strategy of all – DO NOT INVEST MORE MONEY THAN YOU CAN AFFORD TO LOSE.
Blog Author: Manan Vora
About the author:
Manan Vora is a qualified Chartered Accountant and a Bachelor in General Law. He is also a Certified Fraud Examiner (CFE). He has been actively involved in the crypto space for the last 4 years. He is a PwC alumnus, having worked in their risk advisory department. In the past, he has worked full time with ZebPay – India’s leading cryptocurrency exchange as the Sr. Manager – Strategy and Special Projects and led several key initiatives and projects. Currently, he is working on several projects in the crypto space focused on different aspects like key management and blockchain SIEM solutions.