The crypto world is claiming that DeFi will disrupt traditional finance, yet conveniently overlooking a glaring issue in the DeFi space that will significantly hamper adoption. To make it worse, it’s a problem where short-term greed fuels long term complacency. But does Cardano have the answer?
Now while in some of these cases the hacks may be due to genuine coding oversight, I will wager that in a substantial number there is some inside involvement. Think about it. What easier way to make money than to launch a DeFi application, bury a coding bug in it, disguise oneself as an anonymous hacker, then hack your own product to steal money, all the while maintaining your innocence with promises to do better. Crypto’s dirty little secret is that it’s easy for devs to scam users while maintaining the air of legitimacy.
These are just some of the recent examples of money lost through hacks in the DeFi space. They add up to a mind-melting amount with 10 billion dollars lost this year alone. Here we can see a list of hacks that have taken place this year. There’s at least two or three occurring every month.
Let’s take Burgerswap for example, a DEX on Binance Smart Chain.
Now perhaps it was an innocent mistake on the part of Burgerswap, and they did initiate a compensation payout. However it only compensated some users and not others, leaving people feeling they’d been scammed by the devs. It’s impossible to know the truth.
Moving on, with Grim Finance it does look like it was due to a genuine coding error. RugDoc did a detailed deep dive on this:
From what I understand, the issue here is that you can confuse the system by making numerous deposits in succession, so that later deposits get double counted as belonging to earlier deposits. That seems like a pretty elementary weakness that ought to have been spotted.
This then raises questions about the firm responsible for doing the audit on the code, Solidity Finance, who apologized and blamed it on their CTO being away during the code audit.
This seems like a rather weak excuse and casts a question mark over the quality of audit firms themselves.
Finally in the case of Poly Network, the hacker gave back half of the funds with a promise to return the rest. They claimed they were doing it “for fun”, though their failed amateur attempt to escape with their loot may have had something to do with the return.
These are some of the countless tales of money loss in the defi ecosystem. As this article reports:
There have been more than 20 hacks this year where a digital robber stole at least $10 million in digital currencies from a crypto exchange or project. In at least six cases, hackers stole more than $100 million, according to data compiled by NBC News. By comparison, bank robberies netted perpetrators an average of less than $5,000 per heist last year, according to the FBI’s annual crime statistics.
And this is even before we factor in things like rug pulls, where founders of a token sell all their tokens and disappear overnight.
The cryptosphere is in dire need of getting the money lost to scams and theft under control. Mainstream news channels are starting to pick up on it, but despite the fact that it has been going on for years, the appetite to tackle it does not appear to be there. The problem is exacerbated by the willingness of retail users to throw their money at anything in the hope of getting rich quick, even if they suspect it may be a scam. Many of them think they can get out quickly enough, such as this user:
“After a couple of weeks of providing liquidity to various tokens, I stumbled across Polygold finance…. The yields were insane. I can’t remember the exact numbers but for the first few days, the percentage returns were double digits per day. After moving my funds out of Aave and depositing more via a FIAT onramp, I had put about €1,300 into DeFi.
….On the 9th of June, the contracts were changed to reduce the minting of Polygold to zero, reduce the dividends to zero and changed the timelock to two hours. I’m not savvy enough to explain how the rug pull was done, but essentially the developer shut down the project and sold his tokens resulting in a price crash. He probably took all or most of the fees taken in until that point. Had this happened during the day, there would have been a reasonable chance that I would have spotted it and gotten out earlier as I tend to keep a close eye on my yield farms. However, this happened overnight (in Ireland at least). The end result is that when I removed my liquidity my position had gone from a value of over $2,000 to about $200.” (source)
It’s this greed mentality in crypto that means nothing is ever really done about the scams, and new projects that have not been properly vetted can quickly pull in investor funds.
So what can be done? Well better regulation is one obvious answer. There are segments of the crypto community however that oppose regulation of any sort. They believe that scams and thefts are a feature not a bug of a truly free market. That you can’t claim to want freedom from governmental oversight yet then complain when you get scammed. And that being exposed to such thefts and scams will harden the market against them naturally as people become better educated and gravitate towards platforms that are considered more secure.
This however is idealistic thinking which assumes there are a fixed set of people who will become better informed over time, not that there is a constant supply of new and naïve people entering the market. And while some want total freedom, the majority of people do not want to be responsible for learning how to audit code themselves, or perform the relevant due diligence and risk mitigation on every DeFi project. People want a free yet fair playing field, not the wild west.
And regulation is coming. Over the next 12 months I expect to see regulatory bodies around the world clamp down on the anonymous nature of DeFi, and such projects will need to start thinking seriously about how they could abide by KYC laws if they wish to move from being used by cowboys in the wild west to citizens of civilized society.
In addition, a spotlight may be turned on the world of DApp audit companies. Right now, anyone can set up shop and claim to be a provider of DApp audits, with only minimal existing cybersecurity regulation in place to abide by.
An article by confirm.com states that current laws governing audit companies are weak and not designed for DeFi.
“The nature of having code created by a dissipated number of developers that makes automated decisions on all transactions raises a number of concerns in relation to current data and cybersecurity regulations such as GDPR and CCPA. These laws were set for organizations using technology or technology-first organizations that have centralized data processing and operations management etc.
Code has traditionally been seen as an ‘enabler’ to digitalization with human-operated systems, it has not been the sole driver. DeFi and DAOs change that nature and thus the right regulatory approach must be taken.” (source)
They then go on to list 11 ways crypto auditors could be better regulated.
So regulation can help and is more than likely on its way. Exchanges like Binance, FTX, and Coinbase are now engaging in discussions around regulation (albeit when faced with the threat of a heavy-handed SEC). But regulation alone will not prevent scams. What else can be done?
In the above blog post from September, IOG outlines how an app store is being developed for DApps on the Cardano blockchain, along with an opt-in certification system.
Cardano DApps can choose differing levels of certification from a quick and easy automated check at a basic level, to formally verifying code written in Cardano’s native language, Haskell.
“At the simplest level, automated logic checks will enable us to detect certain types of malicious code. For example, these will be able to check if the contract does not contain a way for locked up funds to be recovered. In a well composed contract, locked funds need to be retrievable.
Beyond that, manual smart contract auditing will help us verify any DApp’s integrity. Ultimately full formal verification will test the mathematical model to prove that a smart contract satisfies the formal specification of its behavior.”
Furthermore, a DApp store would help users identify what level of certification a DApp has received.
“Any DApp can exist on the store, whether certified or uncertified, but we will provide users with clear information about a particular DApp’s certification status. The dAppStore seeks not to act as gatekeeper (or judge) but rather to provide a platform for transparent user assessment.”
This raises the bar for DApps that are responsible for handling large sums of money. For such DApps to attract a large number of users, they would need to ensure they get audited. Meanwhile lightweight DApps that aren’t responsible for millions of dollars worth of crypto can still be deployed easily.
The audit firms themselves have been carefully selected with Runtime Verification, Tweag, Well Typed, and Certik currently being used.
Of course this does not guarantee that a DApp is hack-proof. However, combined with Cardano’s native language Plutus, which enforces a stricter and in a lot of ways simpler programming methodology, the risk of software bugs is significantly reduced.
“Smart contracts in Plutus are functional programs, and the simple and verifiable semantics of functional languages underpins what we do with both automated testing and formal verification. We want to build a more secure foundation than other chains.”
So to recap, Cardano smart contracts are written in Haskell, which itself is a fairly rigid language designed to prevent bugs. Plutus, the programming model for Cardano, is built on an eUTXO model where the outcome of a transaction is known as soon as the code starts running – the Grim Finance bug, for example, could not occur on Cardano.
The eUTXO model also makes it easier for auditors to check the code and even formally prove the on-chain code does what it’s supposed to. The DApp store allows users to identify high quality dApps and thus encourages legitimate projects to get themselves audited.
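To make the determinism point concrete, here is an added toy model in Python (not Cardano or Plutus code, and not from IOG): a vault validator that is a pure function of the datum, the redeemer and the whole transaction, so a deposit’s acceptance can be computed locally before submission, and the vault UTxO a deposit consumes cannot be credited twice. The vault rules, the 1:1 share accounting and all names are assumptions of this illustration.

```python
# Toy eUTxO ledger: a validator sees the complete transaction and nothing else,
# so its verdict is deterministic and can be computed before submission.
# Added illustration, not Cardano/Plutus code; vault rules and names are assumed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Output:
    address: str                  # "vault" = locked by the vault validator
    value: int
    datum: Optional[dict] = None  # vault datum: {"total": int, "shares": {name: int}}

def vault_validator(datum, redeemer, inputs, outputs):
    """Deposit rule: one vault input, one continuing vault output whose datum
    adds exactly the value actually deposited to the total and to the depositor."""
    if redeemer.get("action") != "deposit":
        return False
    vin = [o for o in inputs if o.address == "vault"]
    vout = [o for o in outputs if o.address == "vault"]
    if len(vin) != 1 or len(vout) != 1:
        return False
    added = vout[0].value - vin[0].value   # real value moved into the vault
    if added <= 0:
        return False
    shares = dict(datum["shares"])
    who = redeemer["depositor"]
    shares[who] = shares.get(who, 0) + added
    return vout[0].datum == {"total": datum["total"] + added, "shares": shares}

class Ledger:
    def __init__(self, utxos):
        self.utxos = dict(utxos)  # utxo_id -> Output; a spent id is gone for good

    def evaluate(self, input_ids, outputs, redeemer):
        """Pure check: same answer off-chain as on-chain, no state touched.
        Signature checks on wallet inputs are omitted in this toy."""
        if any(uid not in self.utxos for uid in input_ids):
            return False          # an already-consumed vault UTxO fails here
        inputs = [self.utxos[uid] for uid in input_ids]
        if sum(o.value for o in inputs) != sum(o.value for o in outputs):
            return False          # value must balance (fee-free model)
        return all(vault_validator(o.datum, redeemer, inputs, outputs)
                   for o in inputs if o.address == "vault")

    def apply(self, input_ids, outputs, redeemer, tx_id):
        if not self.evaluate(input_ids, outputs, redeemer):
            return False
        for uid in input_ids:
            del self.utxos[uid]
        for i, o in enumerate(outputs):
            self.utxos[f"{tx_id}#{i}"] = o
        return True
```

Because `evaluate` is pure, a wallet can run it on the exact transaction it is about to submit and get the same verdict the chain will give; there is no intermediate state for a second deposit to piggyback on.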
Finally Cardano’s decentralized identity solution, Atala Prism, positions it well for dealing with any KYC regulations that crop up.
Time will tell how successful all this is. Scams like rug pulls will still be hard to prevent. But whether it’s through better coding, better standards, or better regulation, one thing is certain – for DeFi to become mainstream, the crypto industry needs to do more to counteract the vast sums of money lost to thefts and scams, rather than keeping it a dirty little secret.