Be wary of getting into smart contracts as you are responsible for your own safety.

by Caleb Lau

The ability to lend and earn interest on your crypto has been attractive given that the crypto market has been through a bearish scene for over 2 years now. Maker, Compound, Aave and dYdX are just some of the dozens of projects active in the crypto lending scene, with more offered by centralised providers like Coinbase and Binance. On Ethereum alone, the total value locked as of today (17th May 2020), as tracked by DeFiPulse, is over 800M USD, an indication of how active the market currently is.

Of course, we should not forget the multitude of events and hacks which caused people to lose money: Maker’s Black Thursday, which resulted in over USD 8M being liquidated for next to nothing; two bZx hacks amounting to nearly 1M USD; the Lendf.Me hack (of 25M USD, which the hacker ultimately returned in full); and an imBTC Uniswap pool drain of around 300k USD. Each of these exploits, typically arising from an inherent property of the network or from permitted contract logic used in unforeseen ways, resulted in very real losses, borne either by the team or by the end users. And yet such is the nature of a global, programmable state-transition system: with total transparency and scrutiny over the system, any exploitable flaw will be exploited, especially when the rewards are high.

But as users, we do not want to lose money. Perhaps that is why the current world order evolved to what it is today, with bank notes which are identifiable, insurance to cover unanticipated losses, debt buyers, etc. So, for those who are brave enough to peek into the new frontier where we take on the responsibilities of being our own bank, we will have to step up our inquisitiveness whilst dabbling in DeFi. Figure out whether a project socialises its losses or whether losses are insured: when the inevitable happens, how does the project ensure that your funds are safe? What efforts did the team make, and to what lengths did they go, to protect their users? Audits are not enough (and do read the audit report, lest you repeat the HegicOptions fiasco); ask also what social safeguards are in place, whether there are any circuit breakers, how easy it would be to withdraw money once it is placed into the project, etc. After all, what is the use of a project team if they are not there to protect the users’ interests? Even more importantly, how valuable would it be if all these caveats were pasted up on the front page of a FAQ, instead of being tucked away in some dark corner which requires 10 clicks before getting to the answer.

As for aspiring DeFi developers: with the introduction of flash loans, assuming that your users will never have enough money to drastically skew pricing or the behaviour of your contract is no longer an option. Connecting multiple DeFi projects together to create a one-click solution demands a deeper understanding of the tendencies and multitude of behaviours that could occur across contracts, so definitely take the time to study them. Understand, and make clear to users, how fluctuating network conditions can affect both their experience and their holdings. Roll out new features more slowly; better still, roll out only features which are both concretely useful and safe for users, because it is not your money which you are handling there. Unless, of course, you are just building for yourself; then, to users: Caveat utilitor!
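To make the flash-loan point concrete, here is an added example (not code from the original post) that simulates why a contract reading a pool's spot price within a single transaction cannot assume its callers have limited capital, and shows a defensive check that refuses a spot price which has drifted too far from a reference observed over earlier blocks. The pool model, loan sizes, price history and the `guarded_price` deviation threshold are all constructed assumptions for illustration.

```python
"""
Added example, not code from the original post: a toy constant-product
pool, the price skew a single flash-loan-sized sale produces inside one
transaction, and a guard that rejects a spot price which deviates too far
from a multi-block reference. All numbers are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool holding tokens A and B (constructed toy model)."""
    reserve_a: float
    reserve_b: float
    fee: float = 0.003  # 0.3% swap fee, charged on the input amount

    def spot_price(self) -> float:
        """Price of one A in units of B, as a naive on-chain oracle would read it."""
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool; returns the amount of B paid out."""
        amount_in = amount_a * (1 - self.fee)
        new_reserve_a = self.reserve_a + amount_in
        amount_out = self.reserve_b - (self.reserve_a * self.reserve_b) / new_reserve_a
        self.reserve_a += amount_a
        self.reserve_b -= amount_out
        return amount_out


def price_skew_within_tx(pool: ConstantProductPool, sell_amount_a: float) -> Tuple[float, float]:
    """Spot price before and after one large sale of A.

    A flash loan lets any caller hold sell_amount_a for the duration of a
    single transaction, so "the user is not that rich" is not a safe assumption.
    """
    before = pool.spot_price()
    pool.swap_a_for_b(sell_amount_a)
    return before, pool.spot_price()


def reference_price(price_history: List[float]) -> float:
    """Reference built from spot prices observed in earlier blocks.

    Stands in for an accumulator-based time-weighted average: a price that
    must persist across several blocks cannot be set by one flash-loaned
    transaction, which has to repay the loan before the block ends.
    """
    return sum(price_history) / len(price_history)


def guarded_price(spot: float, reference: float, max_deviation: float = 0.05) -> Optional[float]:
    """Return spot if it lies within max_deviation of the reference, else None.

    A contract applying this check would revert instead of acting on an
    in-transaction price. The 5% threshold is an assumption for the example.
    """
    if reference <= 0:
        return None
    deviation = abs(spot - reference) / reference
    return spot if deviation <= max_deviation else None


if __name__ == "__main__":
    history = [1.00, 1.01, 0.99]  # constructed spot prices from the last three blocks
    pool = ConstantProductPool(reserve_a=1_000.0, reserve_b=1_000.0)
    before, after = price_skew_within_tx(pool, sell_amount_a=10_000.0)  # flash-loan-sized sale
    print(f"spot before {before:.4f}, after {after:.4f}")
    verdict = guarded_price(after, reference_price(history))
    print("accepted" if verdict is not None else "rejected: spot price too far from reference")
```

With a 1,000/1,000 pool, selling 10,000 A in one transaction pushes the spot price from 1.0 to below 0.01, while a 10 A sale moves it by under 2%; the guard accepts the second and rejects the first. The design point is that the reference must come from state the caller cannot rewrite within the same transaction.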

Applications on a blockchain are unlike cryptography: where cryptography has a natural edge in defence against attackers, applications built on a blockchain are (at least supposed to be) open to the public and are more likely to be attacked than not. Be wary while interacting with smart contracts, understand what you as a user are getting into, and ultimately, accept that only you can be responsible for your own safety.