Due diligence crucial before investing in a DeFi project

As a relatively new, high-value ecosystem, decentralised finance (DeFi) – the permissionless financial services ecosystem – is vulnerable and should be approached with due diligence.

This is according to John Singh, chair of the Institute of Information Technology Professionals South Africa (IITPSA) Blockchain special interest group and IITPSA KwaZulu-Natal chapter committee member. Addressing an IITPSA webinar on DeFi smart contract security this week, Singh noted that DeFi is fundamentally a smart contract running on the Ethereum blockchain, and that it gives investors powerful and flexible investment and lending options that are unique in the world of finance.

However, DeFi’s rise in value has made it a lucrative target for hackers, with the value locked last year totalling $39.69 billion, and the value stolen around $78.3 million.

He cited a $24 million DeFi exploit against Harvest Finance last year, using a series of flash loans. “It just shows how thoroughly secure these smart contracts have to be to prevent hacks,” he said.

“One of the challenges of crypto is that in general, people are used to the traditional banking system, which helps keep your account secure. People aren’t used to keeping their own money secure, but in crypto, you as an investor are totally responsible for everything that happens to your money. You must safeguard your keys and passwords, and back up your computers, because if you lose your keys you lose everything. This environment is for the person who wants full control of their money.”

He noted: “Bitcoin has proven itself to be very reliable and secure, but there are challenges in that the ecosystem is dependent on exchanges, and these exchanges can be vulnerable to attack. With DeFi, the risk comes to a whole new level because anyone can develop a smart contract and deploy something as a money-making scheme. Because this is an unregulated environment and you don’t know who these people are, you have to carry out due diligence.”

He noted that Bitcoin volatility meant it wasn’t for everyone, and warned: “You don’t have recourse if you lose your money; you can’t put in money you can’t afford to lose – like your rent money or your pension fund.”

Singh said key security risks in the smart contract software itself could include arithmetic overflows and underflows, and reentrancy. Techniques to avoid underflows and overflows include using or building mathematical libraries that replace the standard maths operators of addition, subtraction and multiplication, such as OpenZeppelin’s SafeMath library. To prevent reentrancy, the transfer function can be used when sending data to external contracts, or a mutex, adding a state variable that locks the contract during code execution and so prevents reentrant calls. It is always advisable that any DeFi project using token standards such as ERC777, he said.
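As an added illustration of the reentrancy risk and the mutex and transfer mitigations described above (constructed example, not code from the webinar or any named project), a minimal vault is shown in its vulnerable form beside a guarded form; contract and function names are hypothetical.

```solidity
pragma solidity ^0.8.20;

// Constructed example. Solidity 0.8+ has checked arithmetic built in,
// which covers the overflow/underflow case SafeMath handled on older compilers.

contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // BUG: the external call runs before the balance is zeroed, so a
    // contract receiving the ether can re-enter withdraw() and drain funds.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "send failed");
        balances[msg.sender] = 0;
    }
}

contract GuardedVault {
    mapping(address => uint256) public balances;
    bool private locked; // mutex: true while a guarded function is executing

    modifier noReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Fix 1: the mutex rejects any re-entry for the duration of the call.
    // Fix 2: state is updated before the external interaction.
    // Fix 3: transfer() forwards only a 2300 gas stipend, too little for
    //        the recipient to call back into this contract.
    function withdraw() external noReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        payable(msg.sender).transfer(amount);
    }
}
```

An auditor reviewing a contract against Singh's checklist would look for exactly this ordering of state update before external call, and for a lock such as `noReentrant` on every function that sends funds.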

“Security and development practices should be implemented when looking at smart contracts,” he said. “Security best practices should provide for minimalism and simplicity, code reuse, code quality and readability, and as much testing as possible should be carried out.”

Singh advised: “Basic audits of a smart contract should include checking the source on GitHub, checking if it follows ERC token standards, checking whether SafeMath libraries are being used, whether technical specifications, design and testing scripts exist for the smart contract, and also checking the credentials of the team and developers, who should include at least one security specialist.”