A November report by data and research company BraveNewCoin has highlighted a number of serious ‘non-financial’ risks in decentralized finance.
The financial risks involved with DeFi have been well documented, but the new report delves into more technical concerns associated with Ethereum-based smart contract finance protocols.
The report, penned by BNC analyst Xavier Meegan, begins with scalability risks which anyone dealing with DeFi in September this year will be familiar with. Network congestion resulting in high gas fees and failed transactions can cause DeFi protocols to malfunction or not work as intended.
During the height of the yield farming frenzy, average Ethereum transaction fees skyrocketed to record figures around $15. The report cited the Black Thursday event as an example;
“We saw this happen on Black Thursday in March 2020, when actors in MakerDAO (liquidators) could not access auctions to bid on collateral,resulting in collateral being sold for free.”
Numerous smart contract vulnerabilities were cited, including reentrancy risk which occurs when a contract sends ETH before updating its internal state. The $25 million dForce attack in April is an example of a reentrancy exploit.
Flash loans (where assets can be borrowed and repaid within the same transactions) can exploit this, with notable examples this year including bZx, Opyn, Harvest Finance, and more recently Pickle Finance.
Oracles also pose a risk as a smart contract may receive deceitful or innacurate input regarding off-chain values or asset prices due to the manipulation of information from the provider or a malicious actor.
Protocol design can pose a risk if it can be manipulated to benefit cyber-criminals. Composability is a good example of this whereby a DeFi protocol needs to rely on another protocol to function. The report noted that the "money Lego" concept of interconnectivity within the ecosystem opens it up to further risk;
“The current inter-connectedness of DeFi is extremely similar to how traditional finance was before the Global Financial Crisis (GFC) in 2007–08.”
There is also centralization risk associated with DeFi, if protocols are controlled by a central intermediary or governance is controlled by a few whales. Uniswap’s first governance vote was a good example of how a small number of players can attempt to control the outcome. Additionally, the bulk of stablecoins used in DeFi are centralized and controlled by corporations.
Reliance on Infura as a node infrastructure operator is also risky as the industry found out during the minor outage in mid-November. Infura provides cloud-based Ethereum clients so that users do not have to run their own nodes.
“An estimated 63% of the Ethereum community use Infura as their preferred method of interacting with the blockchain. What are the consequences if Infura does not function as expected one day?”
The report added that there were several other risks such as economic incentive risk, financial illiteracy risk, and regulatory risk. It concluded that there was also the risk of more risks being found making the entire ecosystem sound like one big financial nightmare!