1/ The FTX collapse proved the importance of self-custody and risk management.
But it's easy to lose money in #DeFi if you are not careful.
Exploits, rug pulls, contract bugs...
Here are a few tools & tips to stay safe in DeFi🧵
3/ It's great if you're an experienced smart contract developer and can verify the code yourself.
But most of us aren't.
So we have to evaluate projects based on other data, which involves some degree of trust.
4/ It's no secret that for the majority, TVL is the ultimate proof of trust.
The higher the Total Value Locked, the higher the implied security of a protocol.
If a lot of money is deposited, it means 'someone' did due diligence, so that protocol is secure.
Sounds like FTX?
5/ Unfortunately, high TVL gives a false sense of security.
And high TVL protocols are also actively targeted by hackers.
On the other hand, low TVL doesn’t mean a protocol is NOT secure.
6/ 'Don't trust, verify.'
That's why we have smart contract audits.
If everyone could verify the code themselves, we might not need them: the code is open source, so the community could find all the bugs on its own.
7/ Yet the community might not have the right motivation, incentives or expertise to verify the code.
Auditors are supposed to have the right expertise, but at the end of the day, we also have to trust them to do the right job.
9/ Just because a protocol has an audit, doesn't mean it's safe.
I've seen projects proudly announce 'Completed audit', but when you read the audit, the safety score is actually low.
Don't blindly trust the announcement—verify by reading the audit yourself.
10/ But the majority doesn't read audits anyway.
The minimum you should check is the 'summary' table.
For example, take a look at the audit results of Trader Joe's Launchpeg audit by @0xPaladinSec below.
Paladin found 2 high-severity issues, but Trader Joe fixed those.
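Reading the summary table can be turned into a repeatable check. The script below is an added example, not code from the thread, from Paladin or from Trader Joe; the findings table in it is constructed to look like a typical audit summary (ID, severity, status) and is not the real Launchpeg report. It assumes the common status vocabulary that many audit firms use ("Resolved", "Partially Resolved", "Acknowledged"), which is the point a reader of a 'Completed audit' announcement most often misses: "Acknowledged" means the team read the finding and decided not to fix it, and "Partially Resolved" leaves part of the issue open, so only fully resolved findings should count as closed.

```python
"""Triage an audit report's summary table.

Added example (not the thread's or any auditor's code). SAMPLE_TABLE is
constructed for illustration; the status names are an assumption modelled
on common audit-report conventions, not taken from a specific report.
"""
from dataclasses import dataclass

# Higher number = more severe. Informational findings never block.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0}

# Only these statuses remove the risk. "acknowledged" and "partially resolved"
# leave the finding open from the user's point of view.
FIXED_STATUSES = {"resolved", "fixed"}


@dataclass(frozen=True)
class Finding:
    ident: str
    severity: str  # lower-cased key of SEVERITY_RANK
    status: str    # lower-cased status as printed by the auditor


def parse_summary(table: str) -> list[Finding]:
    """Parse a pipe-separated markdown-style summary table (header and
    separator rows are skipped; blank and malformed rows are ignored)."""
    findings: list[Finding] = []
    for raw in table.strip().splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        if cells[0].lower() == "id" or set("".join(cells)) <= set("-: "):
            continue  # header row or the |---|---| separator row
        ident, severity, status = cells[0], cells[1].lower(), cells[2].lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"{ident}: unknown severity {severity!r}")
        findings.append(Finding(ident, severity, status))
    return findings


def open_findings(findings: list[Finding], min_severity: str = "medium") -> list[Finding]:
    """Findings at or above min_severity that are not fully fixed."""
    floor = SEVERITY_RANK[min_severity]
    return [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= floor and f.status not in FIXED_STATUSES
    ]


def verdict(findings: list[Finding]) -> tuple[str, list[str]]:
    """'unsafe' if any high/critical finding is still open, 'caution' if
    only mediums are open, 'clean' otherwise. Returns the offending IDs."""
    blockers = [f.ident for f in open_findings(findings, "high")]
    if blockers:
        return "unsafe", blockers
    caveats = [f.ident for f in open_findings(findings, "medium")]
    if caveats:
        return "caution", caveats
    return "clean", []


# Constructed sample: two highs fixed (as in the thread's Launchpeg example),
# but two mediums left acknowledged / partially resolved.
SAMPLE_TABLE = """
| ID   | Severity      | Status             |
|------|---------------|--------------------|
| H-01 | High          | Resolved           |
| H-02 | High          | Resolved           |
| M-01 | Medium        | Acknowledged       |
| M-02 | Medium        | Partially Resolved |
| L-01 | Low           | Resolved           |
| I-01 | Informational | Acknowledged       |
"""

if __name__ == "__main__":
    found = parse_summary(SAMPLE_TABLE)
    level, ids = verdict(found)
    print(f"{len(found)} findings parsed; verdict: {level} {ids}")
```

On the sample table the verdict is "caution" with M-01 and M-02 listed: the 'Completed audit' headline is true, the highs really were fixed, and there are still two medium-severity issues the team chose not to close. That is exactly the nuance you only see by opening the report.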
11/ For a general overview of project security, @CertiK's dashboard with all their audited projects is a good start.
Check the 'Trust Score': a higher number implies a safer project.
@hackenclub also has a similar dashboard for the projects they audited.
12/ An audit is not enough.
A lot more is needed to evaluate safety:
• Adequate testing
• Bounty campaigns
• Documentation clarity
• Admin controls
• Oracle documentation
and much more...
13/ It's a nightmare to verify it all by yourself.
Luckily @DefiSafety is doing just that.
DefiSafety's Process Quality Review verifies protocols and gives them a safety score.
14/ According to the PQR results, @LiquityProtocol, @synthetix_io and @AngleProtocol are the safest of all verified DeFi protocols.
On DefiSafety you can also check every element and see where the protocol scores the best/worst.
Liquity, e.g., still needs Formal Verification.
15/ If this is still too much, start by rating your portfolio safety on @ExponentialDeFi
Its 'Rate my wallet' feature provides you with a custom risk analysis of your current investments.
For example, $4.8M of Tetranode's assets are deposited into riskier (C rank) protocols.
16/ Elemental DeFi gives a score based on a project evaluation.
The assessment takes into account asset risk, code quality and the security of the blockchain the assets are deposited on.
I like their easy to understand explanation of risks.
17/ Don't be afraid to join a project's community group and just ask:
• Do they avoid questions?
• Do they have an insurance fund?
• What are they doing to increase security?
But whatever happens, DeFi is still young, so better not to put all your assets into one protocol.
18/ Finally, and most importantly, ignore direct messages from hot women 😅
19/ Do you have more useful tips on how to evaluate projects to protect your assets?
Follow me @DefiIgnas for more.
Like/Retweet the first tweet below if you can: