PYMNTS DeFi Series: DeFi’s Very Real Risks

Welcome to the seventh installment of PYMNTS’ eight-part series on decentralized finance (DeFi).

Over the coming days, we’ll be looking at every part of DeFi — the biggest, hottest, most rewarding and risky part of the blockchain revolution. At the end of it, you’ll know what DeFi is, how it works, and the risks and rewards of investing in it.

See Part 1: What is DeFi?

See Part 2: What Are the Top DeFi Platforms?

See Part 3: What Is a Smart Contract?

See Part 4: What is Yield Farming and Liquidity Mining?

See Part 5: What Is Staking?

See Part 6: What Are DeFi’s Top 10 Uses?

See Part 7: Unpacking DeFi and DAO

Cryptocurrency is supposed to be safe. After all, that “crypto” refers to cryptography — the mathematics of keeping information secret.

Thus, the decentralized finance platforms built on blockchain and funded with cryptocurrency should be safe, right?

Well, let’s look back at the last 30 days: On Dec. 16, blockchain intelligence firm Chainalysis revealed that its 2022 Crypto Crime Report will show that fraud and hacks saw $7.7 billion stolen in 2020.

That presumably includes the $130 million hack of the BadgerDAO DeFi platform on Dec. 2 and the $196 million theft from the BitMart exchange on Dec. 4.

But it would not account for the Dec. 20 hack that saw $30 million drained from DeFi’s Grim Finance, a yield farming project.

The idea behind cryptocurrency transactions in general, and DeFi platforms in particular, is that transactions are “trustless” — an unfortunate cryptography term meaning the two parties in a trade don’t have to trust each other or rely on a trusted third party like a bank or broker, but rely instead on the immutable, permanent and unchangeable blockchain.

But, can you trust trustless? Well, sometimes, and sometimes not. Here are potential problems to be aware of before investing.

As always, remember that caveat emptor — let the buyer beware — applies far more in crypto and DeFi than it does in traditional, regulated investments. Not only are the transactions immutable, both parties’ identities are hidden behind pseudonyms.

Software Flaws

Blockchain, cryptocurrency and DeFi are, after all, built on software. There’s an old programmers’ term that was popular during the internet boom: GIGO, meaning garbage-in, garbage-out.

Bad programming can mean anything from hackable exploits to downtime. Decentralized exchanges, or DEXs, can crash during periods of high volatility, which is bad for traders stuck in derivatives contracts (more on those below). The same thing applies to yield farmers and liquidity providers who cannot unlock funds.

In one case, top DeFi lending platform MakerDAO suffered a software failure during a “flash crash” in ethereum’s price. It led to borrowers who’d locked in collateral seeing it sold off for zero-dollar bids. Less an exploit than a software bug, the borrowers lost their collateral and still owed the lenders.

Hacks and Exploits

Hacks are a different type of bug, in which an expert finds a flaw in the code to exploit, and the losses can be staggering. This summer, an anonymous hacker drained $610 million from DeFi’s Poly Network — and, shockingly, gave it back — but that was a one-off. Several hacks just this year cost more than $100 million.

Governance by Anonymous Voting

DeFi projects are (or plan to be when finished) governed by DAOs, in which all decisions are made by a majority vote of unknown token holders. This means there’s no personal accountability, as the MakerDAO borrowers learned when the platform refused to compensate them for losses that were the result of a software flaw.

Another factor here is that DAO governance is controlled by smart contracts, which enforce a waiting period for the voting process of a week or more. This is bad when an exploit is letting hackers drain funds, and nobody can get the bug fix in place until it’s over.

Smart Contracts Are Dumb

Smart contracts are a type of “if-this-then-that” software that is immutable and self-executing, meaning they cannot be changed or cancelled. No trusted third party is required to make payment of crypto funds locked in the contract when the terms set in the contract are met, which brings a couple of problems.

First, if you’re cheated, there’s no recourse. So, if you invested in a crypto project that turned out to be a scam, the thieves will get paid even after the swindle is discovered — ditto if the painting you bought is a forgery.

Second, smart contracts are dumb in the sense that they will do what you told them to do — not what you thought you told them to do. If the terms are wrong, they cannot be fixed. In some cases, that means the cryptocurrency locked into the contracts when it was drawn up will never be paid and the contract will never execute.

Fraud

A huge part of that $7.7 billion was lost to “rug pulls” in which a developer creates a DeFi project, sells its unique crypto token to people who want to stake or lend for ethereum or stablecoins, and then yanks all the funds locked and disappears, driving the value of the project’s tokens to zero. Rug pulls grew from almost nothing to a $2.8 billion racket this year because it’s very easy to simply copy another project’s code and change some names.

That’s just one type of fraud. Others run the gamut from falsely claiming to have regulatory approval (the CFTC charged a dozen firms with this on Sept. 29) to pump-and-dump schemes.

Leverage

In crypto derivatives and futures, leverage runs as high as 100x. While the larger exchanges cut this down substantially this year, borrowing far more than you have to bet on an extremely volatile and, according to the SEC, manipulatable market can be a ticket to bankruptcy.

Collateral

Much of DeFi borrowing is to invest crypto holdings in projects that earn interest rather than letting it sit idle. Generally, borrowers get stablecoins to invest in various DeFi projects, including lending it out in other borrowing pools to earn interest paid in the form of a project’s token, betting those will increase in value.

This can get very complex very quickly, as DeFi investors build chains of borrow-lend-borrow-lend investments — any one of which can go bad, tumbling the house of cards.

The way crypto lending works is you put up crypto collateral worth 125% to 150% or more of the sum you are borrowing. If the price of the cryptocurrency used as collateral drops so that the collateral is worth close to 100% of the loan, the smart contracts governing the lending/borrowing DeFi platform will sell it off — at a loss.

In a market in which even bitcoin fluctuates 5% a day regularly — and 10% or more is not unusual — flash crashes can, and do, lead to billions of dollars being liquidated with some frequency.
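The liquidation mechanics described above, worked through as an added example that is not part of the original article or any platform's code. The 105% liquidation trigger (standing in for "close to 100%"), the price path, the function names and the absence of fees or penalties are all assumptions made for illustration.

```python
# Added illustration: constructed numbers, hypothetical function names,
# no fees or liquidation penalties modelled.

def max_drop_before_liquidation(collateral_ratio, liquidation_ratio):
    """Fractional price fall that takes collateral worth collateral_ratio x debt
    down to the liquidation trigger of liquidation_ratio x debt."""
    return 1 - liquidation_ratio / collateral_ratio


def first_liquidation(debt, collateral_ratio, liquidation_ratio, daily_returns):
    """Apply daily price moves to the collateral; return (day, collateral_value)
    on the first day the trigger is hit, or None if the position survives."""
    value = debt * collateral_ratio
    for day, move in enumerate(daily_returns, start=1):
        value *= 1 + move
        if value <= debt * liquidation_ratio:
            return day, value
    return None


def settle(collateral_value, debt, bid_fraction):
    """Sell the collateral at bid_fraction of its market value.
    Returns (debt still owed, amount returned to the borrower)."""
    proceeds = collateral_value * bid_fraction
    return max(0.0, debt - proceeds), max(0.0, proceeds - debt)


# Constructed price path: a volatile week with 5% and 10% daily moves.
PATH = [-0.05, 0.02, -0.10, -0.05, -0.10]

if __name__ == "__main__":
    for ratio in (1.25, 1.50):
        drop = max_drop_before_liquidation(ratio, 1.05)
        hit = first_liquidation(1000, ratio, 1.05, PATH)
        print(f"{ratio:.0%} collateral: liquidated after a {drop:.0%} fall; path result {hit}")
    day, value = first_liquidation(1000, 1.25, 1.05, PATH)
    print("orderly sale:", settle(value, 1000, 1.0))
    # Zero-dollar bids, as in the MakerDAO flash-crash case: the collateral
    # is gone and the full loan is still owed.
    print("zero-bid sale:", settle(value, 1000, 0.0))
```

At 125% collateral a 16% fall is enough to trigger a sale, which the constructed path reaches on day four, while the 150% position survives the same week.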

Market Manipulation

The SEC won’t allow bitcoin spot exchange-traded funds (ETFs) because of what it calls rampant market manipulation, ranging from wash trading on iffy exchanges to pump-and-dump schemes.

With 10,000 bitcoin holders (or 0.01% of the total) controlling more than half the bitcoins ever mined, there are plenty of big coinholders — whales — capable of doing that.

Regulatory Risks

Regulating crypto, stablecoins and DeFi is a hot topic in Washington, D.C., and plenty of other financial capitals around the world. China just banned crypto altogether and India may do the same.

The U.S. SEC and Commodity Futures Trading Commission are among the agencies vying for control of various parts of the industry, and while crypto is struggling to contain the regulatory impact, it’s coming.

Initial coin offerings (ICOs) are a thing of the past since the SEC started suing promoters, bitcoin spot ETFs aren’t coming soon, and stablecoins are seen as a huge potential threat to existing financial systems around the world.
