Ultimate Security Guide for DeFi Protocols
Author: Ignas
Compiled by: Crush, Core Contributor of Biteye
The collapse of FTX has proven the importance of self-custody and risk management. However, self-custody does not remove risk: DeFi is still full of vulnerabilities, rug pulls, and contract bugs, and one misstep can lead to losses.
In today's article, I will discuss how to assess the safety of a project to protect your assets.
If you are an experienced smart contract developer who can personally verify the security of project code, that's great, but I believe most people are not.
So, we can only evaluate a project based on other data, which involves a certain degree of trust.
Is a high TVL always safe?
It is well known that most people assess the quality of a DeFi project based on the value of assets deposited in its smart contracts. Therefore, many believe that TVL can reflect the safety of a project to some extent.
The more assets locked, the higher the perceived safety of the protocol. You can think of it this way: a protocol that can lock up so much capital must have been thoroughly investigated by those depositing money, confirming its safety before trusting it with their funds.
Unfortunately, TVL often gives a false sense of security. On one hand, you might think that protocols with high TVL are safer, but hackers also target these protocols because attacking them can yield greater profits. On the other hand, a low TVL does not necessarily mean that a protocol is unsafe.
Thus, judging a protocol's safety solely based on TVL can be misleading.
Below, existing DeFi projects are ranked by TVL (image from the original article). After viewing this image, ask yourself:
Do you still think a high TVL definitely indicates safety?
Which protocols in the image do you find untrustworthy? Why?
Verify Personally
"Trust, but verify" is the reason we conduct smart contract audits. If it weren't for this, we might not need audits at all: since the code is open source, the community could in principle find every issue in it. In practice, however, the community often lacks the motivation, incentives, or expertise to verify the code.
Therefore, auditors must be sufficiently professional, but more importantly, they must be trustworthy themselves. Even so, many projects audited by the well-known auditing firm Certik have still been hacked, which shows that vulnerabilities are hard to prevent even with an audit.
At the same time, auditing firms are also building their reputations. If a protocol they audited (and deemed safe) gets hacked, it creates an impression of unprofessionalism. In fact, Certik has audited over 3,422 projects, so it is inevitable that some of these projects will be hacked or have vulnerabilities.
Thus, merely undergoing an audit does not mean a protocol is safe. I have seen some projects proudly announce "completed audits," but when you read the audit report, you find that their safety scores are actually quite low.
The lesson for me is not to blindly trust the project's audit announcements, but to verify the results by reading the actual audit reports.
What if I don't like reading audit reports?
In fact, most people do not read audit reports. Certik, however, has a dashboard covering all the projects it has audited, where you can check a project's "trust score"; a higher number indicates greater safety.
Other auditing firms, such as Hacken, also have similar dashboards. Alternatively, you can simply read the audit summary, like the example of Trader Joe, which was audited by Paladin.
Translator's note: Trader Joe is a one-stop trading platform on Avalanche that offers trading and lending features, combined with leveraged trading capabilities.
From the data here, we can see that Trader Joe has fixed all medium to high-risk issues, but there are still some low-risk issues that have not been addressed.
Auditing is Just the Beginning
Assessing a project's safety requires considering more factors:
Comprehensive testing
Bug bounty programs
Transparency of documentation
Management controls
Oracle documentation
There are so many aspects to consider that if you were to verify them all personally, you might wear yourself out. At this point, we must mention DeFi Safety. They validate these protocols and provide safety ratings.
Based on the results they provide, we can clearly see that Liquity Protocol, Synthetix, and Angle Protocol are the safest among all verified DeFi protocols.
On DeFi Safety, you can also find more detailed content. For example, the Liquity Protocol still requires formal verification.
Translator's note: In the design process of computer hardware and software systems, formal verification means using mathematical methods to prove the correctness or incorrectness based on one or more formal specifications or properties.
Additionally, you can conduct a security assessment of your wallet's portfolio through Exponential DeFi.
The "Evaluate Wallet" feature provides you with a risk analysis of your current investments. For example, among Tetranode's assets, there are $4.5 million invested in high-risk (C-rated) protocols.
Translator's note: Tetranode is an anonymous early whale rumored to hold approximately $1 billion worth of crypto assets. He encountered Bitcoin in 2009 and has maintained a strong belief in it ever since.
Exponential DeFi assigns its scores based on an evaluation of each project that considers asset risk, code quality, and the security of the blockchain on which the assets are held. This straightforward risk explanation is very appealing to me.
Take the stablecoin MIM from Abracadabra as an example; it directly warns that using SPELL as collateral may lead to bad debts.
Translator's note: Abracadabra is a yield-bearing asset stablecoin protocol that allows users to stake yield-bearing tokens to mint the protocol's native stablecoin, MIM.
Ask Questions
The last method I want to introduce is to directly join the project's community and consider the following questions:
Do they have an insurance fund?
Do they avoid questions?
What are they doing to improve security?
For example, I previously asked the Stargate team whether they had an insurance fund in case the project was hacked. Getting a straight answer is not always simple, however; project teams often dodge such questions in various ways, and that evasiveness is itself a warning signal.
But no matter what happens, DeFi is still very young and has a long way to go, so it's best not to put all your eggs in one basket!