New research suggests financial risks may not be the only concern for users of DeFi products and dApps, with several “critical but non-financial” issues plaguing popular tools.
How vulnerable are DeFi apps?
As per a report released this week by crypto data and research firm Brave New Coin, DeFi projects are overrun by scalability, smart contract vulnerability, compostability, centralization, and regulatory risks, among others.
DeFi projects have surged since mid-2020 despite being around for several years. The launch of lending/borrowing dApp Compound, with offered yields of up to 100% on some trade pairings, ushered in an era of new decentralized innovations like credit lending, trustless trading, tranches, and earning fees on swaps.
But such advancements carry great risks. Xavier Meegan, the research’s author, said that most DeFi apps are associated with twelve distinct risks, stating he found out such vulnerabilities using research rather than opinion.
Here are some of the risks identified by Meegan:
- Scalability Risk: The risk of Ethereum experiencing network congestion resulting in higher gas fees and failed transactions, leading to a DeFi application not working as intended. A DeFi protocol could also malfunction if there is too much stress on the network, leading to paused withdrawals, trades, and (in the worst case) loss of funds due to repetitive user input or a smart contract not operating as intended.
- Smart contract Re-Entrancy Vulnerability: “Re-entrancy” may occur when a contract sends ETH before updating its internal state. Such a risk would mean a rogue contract keeps requesting ETH before it has been updated, leading to a possible situation where ETH is sent repeatedly (much more than what was demanded).
- Unhandled Exceptions Vulnerability: This occurs when not all failed “calls” raise an exception on Solidity (the programming language for writing smart contracts on Ethereum). Such a scenario occurs when there is not enough gas to execute an operation, the call stack limit has been exceeded, or some unexpected system error occurs due to the node of the user performing the call.
- Integer Underflow/Overflow Vulnerability: Occurs when the incorrect smart contract integer is a large value, higher when the actual value denoted by the smart contract. This could lead to a DeFi app significantly malfunctioning.
It’s not only smart contracts
Apart from smart contract-based risks, Meegan identified some other concerns as well:
- Oracle Risk: Such a risk takes place when a blockchain is inputted wrong values and operates as normal. Blockchains, by design, are only stores of value but cannot verify the authenticity of the inputted data, meaning a smart contract getting updated with wrong information (as was the case in several instances this year) can lead to a widespread attack on the network and loss of funds for users.
- Composability Risk: A major risk identified by Meegan was that of “composability,” or the interconnectedness of some DeFi platforms with each other for their operation. Such interdependency (such as in the case of Cream Finance) creates a “money lego” system, one that is very similar to “how traditional finance was before the Global Financial Crisis (GFC) in 2007–08.”
- Reliance on Infura: One of the last major risks, the dependency of Ethereum applications on Infura, an infrastructure-as-a-service provider firm run by ConsenSys, creates a centralized and highly-dependant entity on the Ethereum network, meaning that if it were to go down, it would end up taking many applications, products, and platforms down with it.
Other risks identified by Meegan included Centrality risks, Economic Incentive risks, Financial Illiteracy risks, Regulatory risks, Finality risks, and Disclosure risks.
As per CryptoSlate data, the DeFi subsector is a $17 billion market that accounts for 3.18% of the crypto space, meaning such risks, if left unattended, could leave a lasting impression on the sector for the years to come.