DeFi is one of the fastest growing sectors in crypto, in part a result of the high interest returns on offer compared to traditional finance. But what are the trade offs and risks in DeFi? In this section we take a look at some of the key risks and suggest ways that you can mitigate them, some of which are not only applicable to DeFi users, but wallet security in general. Scammers are always looking for ways to capitalize on user error and security vulnerabilities. More often than not there are no refunds on offer as you control your keys and actions when you operate in the DeFi space.

DeFi is still considered to be in a nascent phase and the risk of rug pulls, smart contract hacks and exploits is very real. An example was the Cream Finance exploit on October 27, 2021. A whopping $130 million was drained out of their coffers after hackers discovered a vulnerability in the platform’s lending system. Unfortunately, this is by no means an isolated incident for the sector and there is a growing list of incidents which have occurred amounting to over $2.3 billion in losses. For an up-to-date list of exploits, readers can check out this link. 

Types of Risks in DeFi

Investment Risks

Any time that you deposit funds into a DeFi platform, you are losing control of those assets and open yourself up to a number of risks. 

• Smart Contract Risk: These self-executing agreements govern DeFi protocols, executing transactions based on a pre-defined set of rules/conditions. The technology is impressive but as with anything new, smart contracts are not infallible and can have vulnerabilities which hackers aim to exploit. This can result in the loss of investor funds.
• Anonymous Developer Teams: Many DeFi protocols are operated by anonymous developers. So, it is often difficult to determine if the people behind the project can be trusted and there may be no recourse for users if something goes wrong. In saying that, proponents of anonymous teams point out that their privacy can help to protect a project from bad actors, centralized authorities and other attack vectors. But be aware of the risks.  
• Rug Pulls: Can take a number of forms but the liquidity scam is one of the most common. It generally refers to a developer who creates a token, launches a liquidity pool that is required to execute trades, and holds a substantial amount of the supply. Once the token launches, users are encouraged to add liquidity to the pool and at a certain point, the developer dumps all of their tokens into the pool and drains whatever the base token is. This action sends the token price to such a low level that investors are left holding near value-less tokens. The ‘rug is pulled from underneath the user’ and the developer walks away with a nice profit.
• Honeypots: This is a variation of a rug pull whereby users are lured by the increasing price of a token, then to realize that the only entity that can actually sell any tokens are the wallets of the scammers themselves. In November, 2021 this type of scam unraveled with the Squid Game Meme token which was themed on its namesake, a popular TV series. The price soared to $2,856 per token before the developers dumped all of their tokens and walked away with millions of dollars of profit. The token price dumped to basically zero and investors were left holding the bag.
• Impermanent Loss (known as IL): Is a risk associated with depositing dual asset pairs into DeFi liquidity pools, usually in a 50:50 ratio, in exchange for fee revenue. Essentially, it’s the difference in value between depositing two different assets into an AMM (Automated Market Maker) versus simply holding onto those tokens independently in your wallet. If the IL exceeds the fees earned when withdrawing, the investor has suffered a negative return compared to holding their tokens. It’s important to note that impermanent loss is only realized at the time when funds are withdrawn from a liquidity pool. Until then, losses appear only on paper and will vary as the underlying value of each asset fluctuates in either direction. As the name suggests, losses are considered to be ‘impermanent’ as the prices can return to their original levels at any time, in which case there would be no loss incurred at all. 

Security Risks

• Phishing Attacks (pronounced as fishing): This method aims to lure a user into signing transactions which hand over the approval of their tokens and the control of their wallets. Once an approval is signed and mined, the scammer can access and steal your funds. This is a very common scam which can be executed using a variety of techniques such as phishing emails, which may appear genuine, contain the correct contact information of an entity, however they have a link which takes users to a website that again looks genuine, but is under the control of the hacker. Once you connect your wallet and/or provide login details, your account will be compromised and drained of funds. A recent example was the OpenSea hack which led to $1.7 NFTs being stolen. 
• Google Ads: Google is not always your friend and hackers frequently mirror the front end of popular crypto websites, pay for ads which sees them listed prominently in search results and lure users into visiting their phishing website, with a domain name which is similar to the official site, and may even contain the real domain name in the ad description. In 2020, some users of the Uniswap DEX, were scammed by a phishing advertisement on Google. 

Ad with fake domain name (www.unswap.site/) appears directly above the legitimate Uniswap listing.

Leading users to a fake Uniswap interface where they connected their wallet and asked to input their seedphrase. Woosh……wallet compromised and funds stolen.  

The reality is we have only scratched the surface here as there are plenty of other ways that scammers can try and deceive you. Fake or compromised Twitter handles, Facebook accounts, Youtube channels and mobile applications have also been a popular way to deceive users. Not to mention the age-old Twitter giveaway scams which continually pop up, meaning they must be working!

Ways to Mitigate Risks

• Find out if the smart contracts integrated on a platform that you intend to use have been audited and by whom. New contracts may not be battle-tested and generally carry a higher risk of exploit. It’s worth noting that having an audit from a reputable auditing firm offers no guarantee. There have been a number of cases where exploits have still occurred. However, having an audit is certainly better than no audit at all. 
• Remove approvals to websites. Over time, your Metamask wallet (or similar) may have interacted with numerous DeFi platforms and you could have signed approvals which are still valid and enable a bad actor to drain funds in the future (a ticking time bomb of sorts). So, it’s a good idea to regularly remove those approvals which you no longer need or trust. DeBank offer a handy service to do this. 
• For those who engage in depositing into liquidity pools, a handy tool for users is the CoinMarketCap yield farming ranking page which includes an impermanent loss calculator that can help to identify and assess potential risks.

• Don’t put all of your eggs in the one basket. Spread your risk by using a range of DeFi platforms. If a platform that you have interacted with is compromised in a way that affects you directly, only a portion of your port-folio may be lost. Although not ideal, it’s better than losing your entire DeFi holdings if you have everything deposited on one DeFi platform.
• The advent of DeFi insurance now helps to protect investors from a wide range of exploits as the industry continues to mature and grow. But they won’t protect users from their own mistakes such as falling victim of a phishing attack. Two of the more popular insurance providers integrated by leading DeFi protocols are Nexus Mutual and Bridge Mutual. 

In terms of general security risks, here are some keys things to consider:

• Don’t use Google to search for crypto websites. Bookmark the sites that you frequently use. Even when using a bookmark, still double check the domain name and check for spelling errors when you visit a site.
• Never connect to links contained in emails unless you are 100% sure that they are genuine. If you are unsure, visit the official entity’s Telegram, Discord, Twitter or send an email to the official support address to verify BEFORE doing anything. It’s always better to be safe than sorry.
• If tokens are airdropped ‘mysteriously’ to your wallet and you have no idea what they are, do not interact with them. An increasingly common scam is to airdrop tokens to users and then direct them to a phishing website. So before claiming any airdrop tokens, do your research and make sure that the airdrop that you have received is legitimate.
• Do not click on adverts of any kind, wherever you are surfing on the web. Consider using Brave Browser.
• Make sure you are downloading genuine apps. Check with the official issuer if you are not 100% sure whether an application is legitimate or not.
• Never store your seed phrases or private keys in a digital format, keep them on your computer or any device for that matter. That includes taking screenshots or photographs. Only ever write down this important information, preferably in duplicate, keeping one copy in an off-site location that you can trust. 
• Do not enter your private keys or seed phrase on any platform or application. Just don’t do it!
• Avoid using public internet networks. Only use private networks that you trust.   

At the end of the day the biggest weapon a user can have to mitigate risk is to exercise good judgement and common sense. If something does not feel right, stop whatever you are doing and take the time to verify. Also remember, as is the case with broader crypto investing, only risk funds in DeFi that you can afford to lose.