José Oramas
26 Aug 2021
•
6 min read
The world of Decentralised Finance (DeFi) has emerged as a revolutionary financial tool —an alternative to decades-old banking and financial ecosystems for investors. We could talk about the number of benefits that DeFi has to offer us; low fees, exposure to global markets, control of your finances, high-yield programs with attractive features, and more. But what about the downsides? We have to be careful when we consider emerging technologies —especially when we’re talking about an unregulated space.
There’s a rapidly expanding phenomenon in DeFi, especially on decentralised exchanges (DEXs): rug pulls —exit scams where protocol developers rip-off their investors by abandoning the project and running away with their funds. Rug pulls can happen in any industry, but DeFi has become a luxurious field for scammers, and how couldn’t it? We’re talking about a decentralised space —no regulations, no guarantees about what could go wrong in terms of security.
DeFi is certainly the wild west of the crypto space. Data from DeFi Pulse shows DeFi has currently over $80 billion in locked funds, but what’s more interesting it’s the massive rally it experienced in just a year. The DeFi market cap peaked at 19.8 billion by the end of December 2020 —a 1000% increase since January 2020. As the crypto market experienced a massive influx of institutional capital, DeFi’s Total Locked Value (TLV) boosted dramatically to a whopping 130 billion.
With so much money coming in, scammers have tried to take their cut and it seems they have been successful so far. According to blockchain analytics site CypherTrace, at least $474 million has been stolen in hacks and frauds in the first seven months of 2021. The report shows that external attacks have accounted for $361 million in tokens, while rug pulls amounted to $113 million.
Open-source protocols like Ethereum allow anyone to seamlessly create a token and list it for free without audit. Here are the two main advantages and disadvantages as well.
The developers —usually an anonymous team— set up their business model similar to traditional businesses. First, they launch a coin via an Initial Coin Offering, with a Round A investment to a group of shareholders to make it look legit. The next step is to promote the protocol through various social media channels to attract investors, promising high yields and generating massive hype, especially on new platforms. One trick is to inject a chunk of liquidity into their pool to build investor confidence.
The protocol needs to generate sufficient liquidity. Once the token is created on a DEX, developers pair it with a high-market cap token such as Ether (ETH), they then drain the DEX pools once a significant number of investors have swapped their ETH for the new token. This crushes the token’s price, decapitalizing the majority of investors.
One of the main drivers here is hype. A platform that’s gaining massive attention from the DeFi community is a good target for scammers since they can launch their projects there and materialize them.
Some coins are worth less than $1, so the hype might be centered around a new protocol that has been launched, with a cheap token expecting to moon anytime soon, and promises of exaggerated returns to investors on an Annual Percentage Yield (APY). What follows hypes is FOMO (Fear of Missing Out). An important red flag to consider is a fast price surge within hours. A coin that skyrockets from 0 to 50X in just 24 hours is just too good to be true, and this might be a trick to cause panic and rush investors to buy.
It can be complicated to know with certainty what is a potential scam and what are legit projects. There is no way to know it 100%. However, we can spot certain red flags and protect ourselves from losing a significant amount of money.
This is probably the biggest red flag you can detect. Investing in a protocol with anonymous developers is a huge risk, so it comes down to your appetite for risk. Keep an eye out for this: some developers might create highly detailed profiles, or they will state that the protocol is run by a shady “software developer organization” with no background whatsoever.
Investing in a protocol with an anonymous team is not the best idea to throw around. You should always check for the team credentials —who they are, their social media, history, previous works, etc.
Take a look at a protocol’s whitepaper. Does it look like they are trying to sell something instead of fixing a problem, or adding something innovative to the industry? Scammers heavily rely on promotions on advertising through various channels, and their whitepaper sounds more like a marketing approach instead of adding something valuable.
Do the mining structure and token distribution favours the development team? Carefully look at supply schedule, mining structure, and token allocation. We know that premine periods are often necessary to favour and reward early investors and protocol developers, yet if the token supply percentage during the project’s lifetime remains high, then it’s a red flag.
Verify if the token is listed and traded on popular exchanges and check the number of token holders. You can use a block explorer like Etherscan, and on-chain data aggregators like CoinGecko can be useful to learn more about the coin.
Yield Farming has always had high returns. It’s a reward scheme where token holders deposit their funds into the network to earn interest from trading fees on an APY (Annual Percentage Yield) base. Yet some protocols offer exaggerated and unrealistic returns of over 20%. Remember, if it looks too good to be true, well, it probably is.
One of the most popular DeFi thefts involved Meerkat Finance. While the protocol claimed its smart contract vault was compromised —draining $31 million— the incident raised eyebrows as it happened just after the launch. The exploit occurred on Binance Smart Chain (BSC), Binance’s decentralised exchange, resulting in 73,000 BNB and $14 million of BUSD loss.
Meerkat Finance was a yield farming protocol that cloned Yield Finance codebase. After the alleged hack, a protocol developer —which remained anonymous for obvious reasons— revealed that the exploit was a “trial” that sought to test users’ greed on a message via a telegram channel.
TurtleDEX was a blatant scam exit that pulled 2.5 million on BSC. Developers drained 9,000 BNB from the trading pools and then swapped them for ETH, later sent to several wallets. Telegram, Twitter, official website, and all the channels were deleted, leaving users with a worthless token.
The BSC community quickly reached out to Binance’s CEO, yet the only thing that they can do is freeze the funds coming from the wallets, if they are fast enough. In this case, the only thing investors can do is be way and DYOR (Do Your Own Research) before investing in a project.
In February, Yearn Finance suffered an alleged flash loan attack. The attacker managed to exploit the smart contract’s flash loan feature, draining $11 million worth of user funds from the DAI Vault.
Flash loans are usually more complicated but have been a common way to exploit DeFi protocols. They are a type of uncollateralized lending option in the DeFi space, mostly designed for developers. It enables them to borrow seamlessly, without any collateral needed as the liquidity is returned to the pool within one transaction block.
In this case, the attacker borrowed the flash loans from dYdX —a protocol for financial derivatives built on Ethereum and allows peer-to-peer options on any ERC-20 tokens— and then made a collateralized loan on Compound. Finally, the attacker deposited the loans in Yearn’s pool, accumulating Curve tokens from a pool with inflated DAI.
DeFi is growing at a fast rate, no doubt about it. But with more money, more problems —even more problems knowing that it’s a decentralised space, almost like the wild west of finance.
Not only hacks and scams are on the rise, but DeFi has been subject to critics as some users cover up their illicit sources of funds using smart contracts, attempting to evade monitoring solutions that trail illicit gains. An investigation by Cylynx —a platform for fraud detection powered by network analytics— revealed that money launderers trade illiquid assets (usually created by themselves) on DeFi platforms to hide the source of funds.
As a final thought, always make sure to do your own research before investing in a new coin. Once it’s lost as a result of a hack or rugpull, there’s no way to get your money back.
José Oramas
Fintech and finance writer, with keen interest in blockchain and crypto.
See other articles by José
Ground Floor, Verse Building, 18 Brunswick Place, London, N1 6DZ
108 E 16th Street, New York, NY 10003
Join over 111,000 others and get access to exclusive content, job opportunities and more!