Numerous rug pulls and hacks have made choosing a decentralized finance (DeFi) protocol seem risky and overwhelming. How do you choose the right place to invest your money? For newer users, it’s crucial to learn how to understand and evaluate DeFi protocols. This guide will walk you through the key steps in deciding which protocol to invest in and give you the tools to assess the risks yourself.
TL;DR:
- Review the audit report from a trusted source. Ensure its authenticity. Make sure it’s protocol specific, up to date, and for the latest version of the deployed code. Read the report itself: it may reveal whether the auditors consider the project’s code ready.
- Read the documentation as it could highlight the protocol specific risks.
- Evaluate if the community is genuinely excited about what the developers are building or if the project just has fake engagement to pump the coin.
- Assess the risks related to the project, whether limits set by the protocol, smart contract risks, liquidation risk, or any kind of upgradability risk.
- Consider who is paying your gains: are they coming directly from protocol rewards such as airdrops or points, or are they coming from other traders?
- Evaluate the amount you want to invest considering the risk-to-reward ratio. Always divide your portfolio between different protocols after assessing the risks.
The information provided in this guide is purely an overview for educational and informational purposes only and should not be considered financial advice. Always do your own research and consult with a qualified financial advisor before making any investment decisions.
1. Review the Audit Report
The first thing to look for while evaluating the security risk of a protocol is a security audit report. A security audit is a security review performed for the protocol by either the internal team or an external independent security firm. The report usually lists all the security vulnerabilities found by the security team, along with the suggested and accepted fixes.
Watch out for fake reports. Developers have published fake or doctored security reports in the community Discord server, pretending they’ve had the protocol audited. When downloading a report, choose a public, trusted source, ideally the official website of the security firm or their GitHub. (Publicly available reports may also be fake or doctored, but they are more likely to be caught.)
If the DeFi project is a fork of a larger, previously audited protocol, it might seem that the fork doesn’t need its own audit. However, an audit of the upstream project cannot always attest to the security of the current version of the forked project. Always confirm that the audit is protocol specific, as the protocol-specific changes might introduce new vulnerabilities in the project.
One notable instance is a fork of the popular and audited protocol Gains Network. While Gains Network underwent rigorous auditing and proved its reliability, the fork made a few changes to the core smart contract logic, introducing features that were not part of the original audit. These changes introduced new critical vulnerabilities, which were caught during an audit performed by our team. For more details on this case, check out our blog post, “Issues in Certain Forks of Gains Network”.
To make the process of evaluating such changes easier, we’ve developed Forky. Forky provides annotations that describe each function in plain English so you can quickly understand the impact of changes to the code.
Additionally, check that the security audit is up to date. By comparing the commit hash or version number of the audited code against the current commit or version, you can see if the project’s code has been updated since the last security review. New vulnerabilities may be introduced in the updates. Security reports also feature a remediation section, where you can verify if the newest commits were to fix bugs during the course of the audit or if they were to fix minor issues (e.g., variable name changes, spelling fixes, new tests) that didn’t require a new audit.
It’s also important to check what is actually deployed on chain by comparing it with the verified source code on platforms like Etherscan. This ensures that the deployed contract matches the reviewed version and that no additional changes were introduced before deployment.
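The check described above, as an added example that is not from the original post: compare the runtime bytecode read from chain (what `eth_getCode` returns) against the `deployedBytecode` of the audited build. Solidity appends a CBOR metadata trailer that changes with any source edit, so it is split off before comparing; the sample bytecodes are constructed, not from any real contract.

```python
# Added example (not from the Zellic post). Solidity runtime bytecode ends with a
# CBOR metadata blob (ipfs/bzzr source hash, solc version) followed by a 2-byte
# big-endian length of that blob. The blob changes whenever the source text changes
# (even a comment), so it is separated from the executable code before comparing.

def strip_metadata(runtime: bytes) -> tuple[bytes, bytes]:
    """Split runtime bytecode into (code, metadata_trailer)."""
    if len(runtime) < 2:
        return runtime, b""
    meta_len = int.from_bytes(runtime[-2:], "big")
    start = len(runtime) - meta_len - 2
    # Solidity metadata is a CBOR map with 1-3 keys, so it starts with 0xa1..0xa3.
    if start < 0 or runtime[start] not in (0xA1, 0xA2, 0xA3):
        return runtime, b""  # no recognisable metadata trailer
    return runtime[:start], runtime[start:]

def first_differences(a: bytes, b: bytes, limit: int = 5) -> list[int]:
    """Byte offsets where two code sections differ (immutables and linked
    libraries are patched in at deploy time and will show up here)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):
        diffs.append(min(len(a), len(b)))
    return diffs[:limit]

def compare_deployment(onchain_hex: str, audited_hex: str) -> dict:
    """Report whether on-chain code matches the audited build's deployedBytecode."""
    onchain_code, onchain_meta = strip_metadata(bytes.fromhex(onchain_hex.removeprefix("0x")))
    audited_code, audited_meta = strip_metadata(bytes.fromhex(audited_hex.removeprefix("0x")))
    return {
        "code_matches": onchain_code == audited_code,
        "metadata_matches": onchain_meta == audited_meta,
        "differences": first_differences(onchain_code, audited_code),
    }

# Constructed sample data: a tiny code section plus two metadata trailers that
# differ only in the (fake) IPFS source hash, as a harmless re-compile would.
def _trailer(cbor: bytes) -> bytes:
    return cbor + len(cbor).to_bytes(2, "big")

SOLC = bytes.fromhex("64736f6c6343000814")           # "solc" 0.8.20 entry
CODE = bytes.fromhex("608060405234801561001057600080fd5b50")
META_AUDITED = _trailer(bytes.fromhex("a2646970667358221220") + b"\x11" * 32 + SOLC)
META_ONCHAIN = _trailer(bytes.fromhex("a2646970667358221220") + b"\x22" * 32 + SOLC)
AUDITED_BYTECODE = "0x" + (CODE + META_AUDITED).hex()
ONCHAIN_BYTECODE = "0x" + (CODE + META_ONCHAIN).hex()   # same logic, new source hash
TAMPERED_BYTECODE = "0x" + (CODE[:-1] + b"\x51" + META_ONCHAIN).hex()  # one opcode changed

if __name__ == "__main__":
    print(compare_deployment(ONCHAIN_BYTECODE, AUDITED_BYTECODE))
    print(compare_deployment(TAMPERED_BYTECODE, AUDITED_BYTECODE))
```

A `code_matches` of False is not automatically tampering: immutables and linked library addresses are written into the code at deploy time, so check whether the reported offsets fall on those slots before concluding the deployment differs from the audited version.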
For instance, the security practices implemented by the LayerZero team are ideal within the blockchain space. Every line of code deployed on chain undergoes a minimum of two audits, even for minor changes such as hotfixes. This rigorous approach represents the gold standard of security that all teams in the industry should try to achieve. Any process that falls short of this level of security practice carries a higher degree of risk.
It’s important to keep in mind that a security audit doesn’t always guarantee that there are no security issues. If a project has many critical issues, a report may deem it unready for production and recommend a reaudit after fixes are made. If a project team acknowledges a finding or concern without remediating the issue, it means the issue was not fixed but accepted as a risk by the project team. This is a red flag as safer projects usually tolerate less risk. In other cases, if the risk mentioned in the report is something that’s intended, the report usually has a comment from the protocol on why the issue might be an accepted risk.
Consider how many times a project has been audited, the track record of the auditors or audit firms, and the impact and number of issues found. It’s very important that the project has been audited more than once. Furthermore, it’s crucial for the project to have a bug bounty program so that auditors or security researchers can report issues (if they find any) after the project goes live.
2. Read the Docs
Good documentation is clear and detailed. It should explain the functionality of the protocol to everyone, not just developers, which reflects commitment to helping users. If the project is already up and running, lack of clear and detailed documentation is a major red flag, since it shows that the project is not being transparent.
A good protocol also has readily available code. Look for the addresses of the smart contracts of the project — usually hyperlinks to an explorer page — and find the source code. If there is no code available, this is also a sign of a lack of transparency and a major red flag.
3. Evaluate the Community
Legitimate protocols usually have an active community where asking questions is encouraged and developers and users help answer the questions and doubts of new adopters. The best way to evaluate the community is to engage with them. You may ask yourself,
- Do the users in the community believe in what this project is building? Or are they here to gamble and make quick money?
- What do the developers say happens if the contracts are hacked?
- Have the developers and founders of this project been involved in other reliable projects?
What you discover may provide insight into user confidence, developer preparedness and precaution, and the legitimacy of the people behind the protocol.
Social media is also a good place to evaluate the community. Take a look at the social media accounts behind the protocol and who engages with their posts or tweets in order to get a sense of the project’s credibility and trustworthiness, but watch out for fake posts and pages. Sometimes posts are created by bots; there are many online tools available to help detect whether engagement on social media is real. If there is a low number of likes and retweets compared to the number of followers, this often means the followers are bots. Scammers or malicious actors can also create fake pages pretending to be from the official protocol, with only minor differences in their social media handles. These pages can redirect users to fake websites that ask them to connect their wallets and sign transactions that steal their tokens.
4. Assess the Risks
Assessing the risks of a protocol is one of the most crucial aspects of deciding which DeFi protocol to invest money into. Let’s go over some of the major types of risks that protocols may have.
Limitation Risk
In this context, limitation risk is the risk associated with the limits (dynamic or static) set by the protocol, related to withdrawal of deposited amounts. After reading the documentation carefully, pay attention to what happens with the assets you entrust to the protocol. Here are some questions you may look into.
- If the protocol is a vault, are there any timelocks or queues associated with depositing or withdrawing assets?
- Are there any withdrawal limits after you deposit to the vault?
- If these limits are dynamic and depend on external factors such as market behavior, instead of static limits (e.g., tokens may be unlocked after the deposit-to-withdraw ratio reaches some value instead of being unlocked after X number of days), why are these limits put in place?
Being aware of this behavior will ensure that the tokens you deposit are not stuck in the protocol for a duration longer than you expect.
Credit Risk
Credit risk is the possibility that a borrower is unable to repay the borrowed funds — and, whenever you deposit assets into a protocol, that protocol is borrowing those assets from you. In some DeFi protocols, such risks are enforced as invariants, and borrowers are liquidated long before this can happen; however, bugs in the smart contracts may lead to large debt in the protocol and affect the lenders. Always verify if the protocol has insurance funds to protect lenders against such undesirable scenarios. For instance, Venus Protocol accrued $100M of bad debt due to market-price manipulation, coupled with aggressive risk-parameter configurations. Another case where bad debt led to insolvency was the Scream protocol, which ended up with $35M of bad debt.
Leverage Risk
Similarly, there is a downside to taking a loan or borrowing tokens to gain leverage, for example in a perpetual exchange (“perps DEX”) protocol.
Here’s an example of leverage. Let’s say you have $100 and want to go long on BTC. Without leverage, your $100 investment is only a $100 position, but with 10x leverage, you could transform that position from $100 to $1,000. This means that if the price goes up by $1, your position will be increased by $10, which is great, but if the price decreases by $1, your position will go down by $10, too. But where does this additional $900 come from?
It comes from the liquidity pool, where liquidity providers (LPs) provide liquidity to receive rewards in return. Traders are charged a fee for the duration of their open position, known as a funding fee, and this fee goes directly to the LPs (minus some protocol fee, if applicable). Protocols will protect LPs by providing an upside cap on the profits traders can make. Make sure you understand this limitation of the protocol — otherwise you may not receive the leverage profit you expect.
Perpetual DEXes are inherently challenging to design and implement, as even minor oversights can result in severe consequences. Developers must not only craft the smart contracts with great precision but also ensure that off-chain components, such as pricing oracles and liquidation bots, operate without any issues to maintain the protocol’s functionality and stability. Without meticulous attention to detail, numerous issues (oracle manipulation, flawed liquidation logic, insufficient liquidity, etc.) could lead to the protocol and users suffering financial losses. There have been numerous instances where small lapses in attention to detail have led to catastrophic effects. For example, Mango Markets was drained of $116M due to oracle manipulation. Similarly, Predy Finance was hacked for $460K due to an insufficient access-control issue.
Liquidation Risk
There are a few aspects in the liquidation process that are crucial for any protocol and may introduce risks if not followed.
- Liquidators must be incentivized enough for them to liquidate positions that are underwater; otherwise, it might not be profitable for liquidators to close those positions, and the protocol might accumulate bad debt.
- Liquidations must take place at the correct prices in the case where the project only allows liquidations via its own bots; otherwise, it may lead to protocol debt. For example, if liquidations are delayed because the bots are not functioning as expected and are then performed at the market price, the price at which a position is actually liquidated might be far below the price at which it should have been liquidated.
- The current liquidation price for the position a user has opened must be easy to calculate. If the Web2 interface doesn’t show the liquidation price, users should know how to evaluate the correct value for the position and where the protocol fetches the price/position info from. This is important as users must know the price at which they could be liquidated so they can evaluate the risks.
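The leverage arithmetic from the perps example above and the liquidation-price check from the last bullet, as an added example that is not from the original post. The maintenance margin ratio (1% of position size), the profit cap (9x collateral) and the funding model are assumed parameters for illustration, not any specific protocol’s rules.

```python
# Added example (not from the Zellic post). Models one perps position so a user
# can sanity-check the numbers a front end shows: position size, capped PnL,
# funding cost, and the price at which the position gets liquidated.
# Maintenance margin, profit cap and funding rate are assumed for illustration.
from dataclasses import dataclass

@dataclass
class Position:
    margin: float        # collateral posted by the trader, in USD
    leverage: float      # 10 means 10x
    entry_price: float   # index price when the position was opened
    is_long: bool
    maintenance_margin: float = 0.01   # assumed: 1% of position size must remain
    profit_cap: float = 9.0            # assumed: profit capped at 9x the collateral

    @property
    def size(self) -> float:
        """Notional exposure: the $100 at 10x becomes a $1,000 position."""
        return self.margin * self.leverage

    def raw_pnl(self, price: float) -> float:
        """Uncapped profit or loss at a given price."""
        move = (price - self.entry_price) / self.entry_price
        return self.size * (move if self.is_long else -move)

    def pnl(self, price: float, funding_paid: float = 0.0) -> float:
        """What the trader can actually realise: funding is deducted, the upside
        is capped to protect LPs, and the loss can never exceed the collateral."""
        p = self.raw_pnl(price) - funding_paid
        p = min(p, self.profit_cap * self.margin)
        return max(p, -self.margin)

    def liquidation_price(self, funding_paid: float = 0.0) -> float:
        """Price at which margin - funding + raw_pnl == maintenance_margin * size.
        Solving for the price move gives a buffer of 1/leverage - mmr - funding/size."""
        buffer = 1 / self.leverage - self.maintenance_margin - funding_paid / self.size
        factor = (1 - buffer) if self.is_long else (1 + buffer)
        return self.entry_price * factor

def funding_fee(pos: Position, hourly_rate: float, hours: float) -> float:
    """Assumed simple funding model: a flat hourly rate on the notional size."""
    return pos.size * hourly_rate * hours

if __name__ == "__main__":
    long_btc = Position(margin=100, leverage=10, entry_price=70_000, is_long=True)
    print("size", long_btc.size)
    print("liquidation price", round(long_btc.liquidation_price(), 2))
    print("pnl if closed at 90k", round(long_btc.pnl(90_000), 2))
    fee = funding_fee(long_btc, hourly_rate=0.0001, hours=100)   # 1% of size
    print("liquidation price after funding", round(long_btc.liquidation_price(fee), 2))
```

If the protocol’s interface shows a liquidation price far from what this formula gives with the protocol’s documented maintenance margin, that gap is exactly the question to ask the developers before depositing.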
Change/Upgradability Risk
There are risks when it comes to developers adding new code and updating certain parameters or smart contracts. Many projects have governance votes for changes or upgrades, but some do not. Using governance votes for such changes is crucial, as it gives users time to react before the changes are implemented, or to vote them down if they do not align with their interests. The project you put your tokens in should value the opinion of the community by allowing governance votes and should ensure voting cannot be manipulated (e.g., a few addresses holding the majority of voting power). Ideally, the protocol should announce any parameter or code changes to the community. If that’s not the case, users can always monitor the code on GitHub/Etherscan (if available) to verify which important implementations or parameters have changed. If the code is not available on any of these sources, directly asking the developers for the reason behind the change could help.
5. Learn Who Pays Your Gains
The last step before deciding to invest is understanding whether the protocol is sustainable long-term and figuring out who pays for your gains.
If you’ve opened a trade to long BTC at $70K per BTC and you close the trade when it reaches $90K, or if you’ve deposited liquidity in a Uniswap pool on an ETH-USD pair and gained rewards from the pool when the price of ETH doesn’t increase much, you may wonder who has paid for those rewards. In the former case, they’re paid either by other traders who opened a short BTC trade (e.g., in the case of an order book where both trades were matched), or the gains were paid from the liquidity pool. In the latter case, the gains were paid by users who swapped tokens, in the form of swap fees.
When gains are paid by other traders and users, it’s possible the protocol is essentially a Ponzi scheme, intended or by accident.
Investigate whether the developers are paying for customer acquisition. If your gains are paid by the value they’re injecting into the protocol, be it airdrops or any kind of rewards/points, how long can they continue? This may not be sustainable.
Lastly, consider if the source of your gains affects how accessible and valid they are. If you make significant gains, could it be considered a hack? If you make large gains due to broad market volatility, will your gains be inaccessible due to some other assumption you have? For example, you could borrow USDC on a DeFi lending platform to make a leveraged bet on USDC depegging and post DAI as collateral because you trust it more. However, if USDC depegs and DAI goes down with it (because DAI is backed by a multicollateral vault and so its depeg risk is correlated with USDC), it is not possible to have a pure short position using only DeFi because USD does not exist on chain. This may make your gains inaccessible because the source of the gains is also affected due to the same reasons you made your gains.
6. Decide Your Investment
You’ve reviewed the audit report, read the docs, evaluated the community, assessed the risks, and learned who pays your gains. If all looks good, now is the time to decide the monetary amount and the time you’re willing to invest. What key factors should you consider?
Opportunity cost is a key consideration. Compare the potential returns from the protocol with an alternate investment and assess the risk-to-reward ratio for these investments, keeping an overall investment strategy in mind. It’s important to divide your portfolio between different protocols after assessing the risk-to-reward ratio of these protocols so that a bad trade doesn’t affect a large portion of your portfolio. On the other hand, consider the potential losses and fees involved in buying, trading, and lending tokens. Gauge what you’re willing to spend against possibilities such as slippage, impermanent loss, funding fees, exit taxes, and so on.
Time is also key. Investigating a DeFi protocol requires significant effort to thoroughly research and understand the system. Consider how user-friendly the protocol is and how often you could monitor the investment, especially in volatile market conditions.
About Us
Zellic specializes in securing emerging technologies. Our security researchers have uncovered vulnerabilities in the most valuable targets, from Fortune 500s to DeFi giants.
Developers, founders, and investors trust our security assessments to ship quickly, confidently, and without critical vulnerabilities. With our background in real-world offensive security research, we find what others miss.
Contact us for an audit that’s better than the rest. Real audits, not rubber stamps.