Navigating DeFi: Top Risks For a DeFi Project

“If you don’t manage your risks, the market will manage it for you”

In 2021, my friends were shocked that I wasn’t using BlockFi or Celsius.

Them: “It’s practically free money! We have $100k in BTC staked and are getting about $5k a year for free. That’s a vacation”

Me: “They’re not transparent on where the yield comes from. I’m handing over custody of my coins to them. There are centralization risks. And finally, that’s a ton of risk just to earn 5%. It doesn’t make any sense”

Well, you know how this story ended. BlockFi and Celsius ended up collapsing, and everyone’s left with nothing.

The older I become, the more I think about risks. At first, the risk indicators I looked at were simple: is the smart contract audited, and who’s the founding team?

But wow…the previous cycle exposed me to many risks I couldn’t see. Not many people saw FTX’s collapse coming. Or a rogue team member depleting the treasuries due to gambling addictions.  

I won’t focus on specific risk management principles such as portfolio construction, bet sizing, or avoiding leverage.

Rather, I want you to understand some of the specific risks with Crypto protocols,

Smart Contract Risks

Despite the name, smart contracts aren’t particularly smart. They are just pieces of code. And just like any other computer program, they contain bugs and vulnerabilities. Except that smart contracts hold millions in crypto.

If a smart contract has a bug, hackers may exploit it to steal funds or disrupt the platform.

I’m including all kinds of attacks, from flash-loan exploits to governance attacks, under smart contract risks. For a detailed list of smart contract hacks, check out Rekt leaderboard.

• Poly Network Hack led to a loss of $611 million dollars.
• $586 million dollars was lost in the BNB Bridge hack.
• The Euler Finance hack had led to a loss of $197 million dollars.

What can I do?

Conduct a mini-audit on your own. Don’t worry, I don’t expect you to read every single line of code. Just use Scanner. It is an app that audits any token or contract that you want.

Here’s how to use it:

• Step #1: Head to de.fi/scanner​
• Step #2: Type in the project or token name, or the NFT or Contract address.
• Step #3: Give it a moment, and boom! Their breakdown is ready for your eyes.

They’ll break down the

• Liquidity
• Contract safety
• High-risk functions
• Token distribution

With Scanner, you can dodge like 95% of sketchy smart contracts. However, that is not enough. Ideally, I’d want:

• Multiple audits
• Audits by reputable firms. Firms such as Trailofbits, Peckshield, Paladin, Hacken, and more.
• Bug bounties on platforms like Immune.fi

I will also be looking at how the team responds to the audit flags. If they handwave it away, it is a red flag. They should be addressing those.

Composability Risks

We celebrate the composability in DeFi.

It allows developers to build complex and innovative financial products by using existing DeFi protocols as building blocks. While this is good for rapid growth and innovation, it also has negative effects.

When DeFi protocols are combined, the risks associated with each individual protocol can become interconnected. A vulnerability or exploit in one protocol can potentially impact other protocols that rely on it.

The more protocols and interactions involved, the harder it becomes to identify and address all possible edge cases.

You can understand it better by looking at the difference between holding native ETH versus some strategy on a yield optimizer.

Imagine you’re holding native Ether.

You then stake the ETH into a liquid version. Say stETH. You’ve introduced the additional risks of the liquid staking protocol.

And then, you can deposit those into yield optimizers. You can use the stETH in pools, auto-compound it, or find other ways to gain additional yield.

So by the time you’re done, you’ve introduced several extra risks compared to holding spot Ether. You now hold risks from both the staking protocol and yield optimizer.

What to do?

• List out other protocols that a project builds on.
• Map out all the possible ways those protocols can compromise the project.
• Assign probabilities to them and add those to your risk profile for the project.

Execution Risks

Think about everyone you see on New Year’s Eve who declares they will lose weight. A few weeks later, they’re all back to their old habits.

The same is the case with crypto projects. Anyone can write a whitepaper promising the next trillion-dollar protocol. But actually, building the project is an entirely different matter.

The DAO hack is an iconic example from the history of crypto. “The DAO” was envisioned as a venture funding platform for crypto projects, with funds awarded automatically based on set criteria.

They raised around 12.7 million in ETH, which was worth around $150 million at the time. However, it was hacked for around $50 million of the funds. The Ethereum community had to hard-fork the Ethereum network to return the funds to the original holders. And the project was abandoned.

So yeah. Anyone can sell a dream, but execution is a different beast.

There are tons of other crypto projects that over-promise and under-deliver. The 2017 ICO boom was full of such examples. The Pixelomon NFT project is another flagship example from this cycle.

The project promised an exciting game. It had ungodly levels of hype. They raised over $70 million at 3 ETH per mint. However, all of it came crashing down at their NFT reveal. Despite raising $70 million, they had given a silly pixelated image that can be described as a cross between children’s drawings and Minecraft characters.

What can you do?

• Evaluate the founding team’s background. What did they do before this project?
• Analyze their roadmap. Does it make strategic sense? Are they hitting their milestones so far?
• How’s communication? Are the team still active on Discord / Twitter?

Key Man Risks

This risk kinda falls under the execution risks. The project can fail if it is dependent on a single person and if something happens to it.

Have you ever watched a Sports game before, and the main character gets injured? Then the entire offense and game collapses. 

Similarly, certain people can make or break a protocol. It’s usually the founder or the lead developer. So if these guys leave the protocol for whatever reason, that could be catastrophic. 

The recent fiasco surrounding Multichain is an example. It is a multi-million cross-chain bridge. Their CEO, Zhaojun, was arrested by China, and he had all the private keys. 

Their entire operation was affected. There were delayed upgrades and loss of functionalities. And the protocol lost around $126 million in a hack. The full details about the hack aren’t out yet.

Similar risk exists for many crypto projects. What if the anon developer gets hit by a car one day, and no one knows?

What to do? Actually, ensure that there’s a team, not just a dude coding from his basement. Projects backed by reputable venture firms have a much larger probability of navigating the exit of key members.

If key members do leave, you want to understand why they’re leaving. And who’s replacing them?

Ecosystem Risks

Blockchains are like cities. And DeFi protocols are like businesses in the cities. 

A thriving city depends on successful businesses. And successful businesses are (mostly) dependent on a thriving city. Successful DeFi projects are dependent on thriving blockchain ecosystems. And if a blockchain ecosystem fails, the projects on it will fail as well.

In other words, a project on Ethereum isn’t the same as the project on your hot new L1. I’ve seen solid projects getting destroyed because the overall ecosystem collapsed.

The blowup of the Terra Luna ecosystem is full of such examples. 

• Anchor Protocol was offering a high yield on UST deposits. It had >20 billion in TVL. Right now, the TVL is $0.
• Mirror Protocol allows users to create synthetic assets that track the prices of real-world assets. It is also dead now.
• TerraSwap also tells the same story. It was also destroyed during the Luna crash.

There are similar stories from other ecosystems as well.

• Harmony One ecosystem was never the same after the $100m bridge back.
• Fantom was once the darling of the DeFi space. Well, things have been rough the past two years. And the multichain exploit might’ve been the coup de grace. I’m not completely writing Fantom off yet, but things aren’t looking great. 

What to do? When evaluating DeFi projects, monitor the health of the underlying ecosystem. Do not enter into long-term investment in dying ecosystems. Only enter short-term plays.

Competition Risks

Protocols and dApps are like businesses. And anytime a company is successful, there’s going to be competition. It has to defend itself from all the copycats to survive in the long term.

I wouldn’t call myself an NFT expert, but man, I didn’t see OpenSea getting dethroned for a while. Blur came in and ate their lunch. 

Protocols need moats to defend themselves against competition. This is especially true in the case of crypto since most protocols are open-source and can be easily forked. 

Moats are competitive advantages of a company (or protocol) have that cannot be easily mimicked by competitors. Hamilton Helmer’s “7 Powers” is an excellent framework for identifying moats. (He refers to them as Powers)

Moat #1 Scale Economies​​

In many businesses, per-unit costs decline as the volume increases. So, achieving high-volume is a competitive advantage.

​Take McDonald’s. While buying raw materials, they have the scale economies to negotiate for rock-bottom prices. On the other hand, a small burger restaurant can’t compete in the pricing department.

​Crypto Example: Bitcoin mining. As $BTC’s price rose, many big players entered the mining game. They have scale economies. You can’t compete with a small boy operation.

​This started to create centralization issues, and it’s part of the reason why Ethereum transitioned to Proof of Stake.

​Moat #2 Network Economies​

​As the number of users increases, some businesses become more valuable: apps like Facebook, Twitter, and Tinder, for example.

​Just to write the code for an app like Tinder will cost around 50k. But it was sold for $3 billion. Why? Network economies.

(Imagine a Tinder for Crypto investors. I sure as hell wouldn’t use it – complete sausage fest)

​Crypto Example: Ethereum. Some Alt L1s are faster and cheaper than Ethereum. Still, they face an uphill battle against Ethereum due to their network effects.

• Large amount of users →
• Attracts more developers →
• Creates awesome dapps →
• Attracts more users →
• Flywheel effect​

Moat #3 Counter Positioning

​This is a power reserved for newcomers who create a superior business model. The incumbents can’t adopt it – trying to do so will cannibalize parts of their business.

Kodak invented digital cameras in the 1970s, but they didn’t pivot. They were hesitant to cannibalize its cash-cow businesses in film photography.

Stock photo companies know A.I. photos are the future, but adopting it would kill their existing business model.

​Crypto Example: MusicNFTs. They will offer a much better experience for artists and fans. Record companies can capitalize on this potential. But, they won’t. It’ll cut them out of the picture.

​Moat #4 Switching Costs

​People don’t like change. Change means they’ve to learn new skills.

​For example, I use only Apple products. Quite a few of my favorite apps are iOS only. It’ll be difficult for me to shift from Apple to Android. Doing so would mean that I’ll have to learn too many new softwares.

​That’s the power of Switching costs.

​Crypto Example: MetaMask dominates web3 wallets. It’s a pain in the ass to switch over and set everything up again. People are so used to Metamask at this point.​

Moat #5 Branding

​People trust good brands. And that is a competitive power.

Does a Rolex tell the time better than a cheap Seiko? No.

Does a Chanel bag hold items better than a Michael Kors? No.

​Branding power allows companies to charge a premium price.

​Crypto Example: Bored Ape Yacht Club. Anyone can create a 10k PFP collection, but one brand is in a league of its own. Fueled by celebrity endorsements and pop culture, BAYC has gone mainstream. The brand helped them sell $300m+ of virtual land.

​Moat #6 Cornered Resources​

​Preferential access to limited and desired resources is a huge competitive advantage. Empires fought over spices, salt, silk, and gold. The modern world is fighting over oil and semiconductors.

​DeFi protocols are fighting for liquidity. The Curve wars exemplify this.

​Crypto Example: Curve controls so much liquidity in DeFi. Acquiring veCRV tokens (and Convex) allows you to vote on which Curve pools get more rewards. So protocols fight for veCRV tokens because it can increase their token’s liquidity.

​You have protocols such as Frax Finance and Redacted Cartel trying to acquire valuable governance tokens. This gives them power.

​Moat #7 Process Power​

​Mastery over a superior process is itself a form of power. This will result in improved products and lower costs.

SpaceX has mastered reusable rockets. A competitor cannot just master it

Toyota’s Toyota Production System eliminates waste and improves efficiency.

TikTok’s algorithm has mastered the art of showing people exactly what they’d be interested in.

​In crypto, it’s all about creating processes for lower fees and more efficiency.

Uniswap V3 – its concentrated liquidity model is a process for improving capital efficiency.

Curve Finance – The StableSwap invariant Formula

What to do?

• Keep track of the protocol and its competition
• Keep track of the trending metrics. Is one competitor gaining faster traction than the others?
• Keep track of the buzz and sentiment. Crypto Twitter moves in herds.

Legal and Regulation Risks

I’m not a lawyer, so don’t quote me from this section. 

Crypto is a completely new technology. So the governments and regulators have no idea how to govern them. And projects are left with uncertain regulatory frameworks. What could be legal one day could be declared illegal the next. 

Builders and users are concerned about potential enforcement actions. The SEC led by Gary Gensler has been targeting the crypto industry in the past few months. 

• The SEC is investigating Uniswap Labs.
• They are claiming ADA, SOL, & MATIC are securities.
• Coinbase and Binance are sued by SEC as unregulated security exchanges.

All crypto projects except Bitcoin (Maybe Ethereum as well) are facing the risk of being labeled as illegal. Being decentralized definitely helps in avoiding it. 

However, everything isn’t gloom and doom. BlackRock recently filed for BTC ETFs. They are TradFi giant: the world’s largest asset management company. Many others also followed suit. 

The crypto industry also received a (mostly) favorable pre-trial ruling in the Ripple vs SEC case. Judge claimed that the tokens by themselves aren’t securities. The context surrounding the token, including how it was sold, will determine if it’s a security or not.

What to do? There isn’t much you can do as DeFi investor. Give plus points for decentralized projects. And stay away from obvious frauds. We’ll have to depend on Govt to write up sensible regulations.

However, there are a few things you can do as a crypto citizen. 

• Donate to crypto lobbies.
• Support pro-crypto politicians.
• Be a positive actor in the whole space. 

Principles to Better Manage Your Risks

I hope you are now sufficiently terrorized about all the ways your shitcoin can go to zero. Just because your protocol is vulnerable to one or two risks doesn’t mean that you shouldn’t invest in them. 

Remember, the goal isn’t to avoid risks. No risk means no rewards. The goal is to understand and manage your risks. Below are some principles to better manage your risks.

Proper Bet Sizing. Decide wisely about how much money you want to put into each investment. Don’t put all your metaphorical eggs in one investment. Only take on more risk if there’s more potential reward. 

Simplify > Optimize. I love keeping things simple – it’s less mentally taxing for me. I see people with smaller portfolios who keep getting rekt’ed repeatedly. Because their portfolio is smaller (and they don’t have good sources of income), they compensate by taking more risks and overexposing themselves with leverage. 

Think in terms of probabilities. Nothing’s guaranteed. I remember that EulerLabs was one of the most trusted DeFi protocols, and they got exploited! 

Take Profits early. There’s a lot of controversy around the rule “Take profits when the price 2x.” By doing that, you’re securing the initial principle. So if something happens to the protocol, you don’t lose any money. 

Think on a Longer Time Horizon. Everyone wants to make it in one cycle. We’ve all heard the stories of someone who got into ETH early and became a multi-millionaire. Or the other person who turned a $2k portfolio into millions in the previous cycle.Or the Shiba / PEPE millionaires. 

Newsflash: it’s survivorship bias. You hear these legendary stories but don’t hear about the thousands of others who failed. So, don’t go all in on a single shitcoin. Allocate a solid chunk to blue chips like Ethereum.

The key to becoming a successful DeFi investor is identifying the risks involved in an investment and applying proper risk management strategies. This article should give you an extensive list of the risks facing a DeFi project. And some principles for proper risk management.
 
Apply those. And Happy investing.