
What are the risks of DeFi?

In decentralised finance there is often little recourse if things go wrong. Here, we explore some of the technology risks.
© RMIT 2021

The DeFi industry has only emerged in the past few years. Yet in that short time there has been rapid innovation in decentralised business models and technologies.

There is little material risk associated with experimenting with free tokens in the world of DeFi through testnets. But if you decide to purchase and trade some real digital assets then it is critical that you understand the technology risks you are exposed to.

A unique set of risks

When technologies fail in centralised finance those problems can generally be resolved through banks, the police or the courts. In decentralised finance there is often little recourse if things go wrong.

In this article we explore some of the technology risks in this nascent industry: first, on the risks of smart contracts, and second, on the risk of miner extractable value (MEV).

Smart contract risks

DeFi projects are often complex webs of smart contracts. Smart contracts are agreements (or parts of agreements) that are digitally coded and execute automatically on a blockchain network.

One benefit of smart contracts is to reduce (or entirely mitigate) counterparty risk. You can be reasonably sure that some trades (such as swapping one token for another token in a decentralised exchange) will execute simultaneously.

But smart contracts raise other technology risks. If you make sloppy decisions, such as transferring to the wrong address or across the wrong network, your funds may be irretrievable. There is no centralised third party, such as a bank, that can reverse the smart contract and return your funds.

Another technology risk for smart contracts comes from oracles. Oracles are necessary to execute many smart contracts that rely on external data, providing information such as price feeds. But when those oracles falter, or are compromised through malicious activity, it presents a risk to the intended execution of a smart contract.
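One defensive pattern for the oracle risk described above is to never trust a single feed blindly: require several fresh sources and discard any that disagree sharply with the rest. The following is an added example written for this article, not code from the article, from RMIT or from any DeFi project; the feed names, prices, thresholds and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

# Thresholds are assumptions for the example, not values from the article.
MAX_AGE_SECONDS = 120      # an observation older than this is stale
MAX_DEVIATION = 0.05       # reject a source more than 5% from the median
MIN_AGREEING_SOURCES = 3   # refuse to produce a price with fewer than this


@dataclass
class PriceObservation:
    source: str
    price: float      # quote asset per unit of base asset
    timestamp: int    # unix seconds when the source reported it


def aggregate_price(observations, now):
    """Return {'price': float, 'rejected': [(source, reason), ...]}.

    Step 1 drops stale or non-positive reports (a faltering oracle).
    Step 2 takes the median of what is left and drops outliers
    (a compromised or manipulated oracle).  If too few sources remain,
    the function refuses to answer rather than guessing: a contract
    using this check would revert instead of executing on bad data.
    """
    rejected = []
    fresh = []
    for obs in observations:
        if obs.price <= 0:
            rejected.append((obs.source, "non-positive price"))
        elif now - obs.timestamp > MAX_AGE_SECONDS:
            rejected.append((obs.source, "stale"))
        else:
            fresh.append(obs)

    if len(fresh) < MIN_AGREEING_SOURCES:
        raise ValueError("too few fresh oracle sources")

    reference = median(o.price for o in fresh)
    agreeing = []
    for obs in fresh:
        if abs(obs.price - reference) / reference > MAX_DEVIATION:
            rejected.append((obs.source, "deviates from median"))
        else:
            agreeing.append(obs)

    if len(agreeing) < MIN_AGREEING_SOURCES:
        raise ValueError("oracle sources disagree; refusing to price")

    return {"price": median(o.price for o in agreeing), "rejected": rejected}


# Constructed sample: three healthy feeds, one stale feed, one manipulated feed.
NOW = 1_700_000_000
SAMPLE = [
    PriceObservation("feed_a", 2000.0, NOW - 10),
    PriceObservation("feed_b", 2003.0, NOW - 30),
    PriceObservation("feed_c", 1998.0, NOW - 5),
    PriceObservation("feed_d", 1200.0, NOW - 15),    # wildly off: manipulated
    PriceObservation("feed_e", 2500.0, NOW - 900),   # 15 minutes old: stale
]

if __name__ == "__main__":
    print(aggregate_price(SAMPLE, NOW))
```

On the constructed sample the stale feed is dropped first, the median of the remaining four is 1999, the 1200 report is 40% away and is rejected, and the three agreeing feeds yield 2000. Removing any one of the healthy feeds would make the function raise rather than return a price, which is the behaviour you want from a contract that cannot be reversed after the fact.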

Smart contracts themselves can also have bugs. As entrepreneurs push the boundaries of DeFi innovation, smart contracts are combined and deployed in novel and unprecedented ways. They are mixed and matched together to provide new products and services. Some bugs are inevitable. While some bugs are revealed unintentionally, others are the result of deliberate attacks.

One common characteristic of DeFi is open source code – that is, anyone can view the code and observe bugs. Transparent code means that bugs might be discovered and corrected quickly. As Eric S. Raymond famously noted in his essay The Cathedral and the Bazaar, “Given enough eyeballs, all bugs are shallow.”

But that openness also extends to malicious actors. They can observe bugs in the code and exploit them. Hacks are an ever-present technology risk for DeFi users.

While smart contract risk is an inevitable DeFi technology risk, there are some ways to mitigate it. Extensive testing and code audits, for instance, can reveal some bugs before the code is released to the mainnet.

Miner extractable value

One important technology risk is Miner Extractable Value (MEV). Also known as Maximal Extractable Value, this is the profit or advantage that stems from miners (or other bots) “arbitrarily reordering, including or excluding transactions within a block”. Blockchains are chains of blocks. While the network must come to agreement over the state of the blocks, individual miners initially propose new blocks. They take unconfirmed transactions and make decisions about which transactions, and in what order, they include in that block.

Miners have some ability to change the ordering of a block, or include their own transactions, to their advantage. For instance, one potential MEV tactic is front-running, where individuals observe unconfirmed transactions in the mempool (e.g., a very large swap on a decentralised exchange that is likely to shift the price) and place their own transaction before it to profit. Other MEV tactics include back-running and sandwiching.

It’s not just humans taking advantage of the transparency of the mempool. Arbitrage bots can observe unconfirmed transactions, copy them, and submit them with a higher gas fee (so that they are more likely picked up by a miner and placed earlier in a block).
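To make the ordering risk concrete from the user's side, the added example below (written for this article; not code from the article, RMIT, or any exchange) models a toy constant-product pool and shows how much worse a swap executes when another swap is placed ahead of it in the block, and how a minimum-output check, the kind a wallet expresses as a slippage tolerance, makes the trade revert instead of filling at the degraded price. The pool sizes, trade sizes and the absence of a trading fee are assumptions chosen to keep the arithmetic exact.

```python
class SlippageExceeded(Exception):
    """Raised when a swap would return less than the caller's minimum."""


class ConstantProductPool:
    """Toy x*y=k pool with integer reserves and no fee (assumption)."""

    def __init__(self, x_reserve, y_reserve):
        self.x = x_reserve
        self.y = y_reserve

    def quote(self, dx):
        # Output y for input dx keeping x*y constant: dy = y*dx / (x+dx)
        return self.y * dx // (self.x + dx)

    def swap_x_for_y(self, dx, min_out=0):
        out = self.quote(dx)
        if out < min_out:
            # A real contract would revert here and the user keeps their tokens.
            raise SlippageExceeded(f"would receive {out} < min_out {min_out}")
        self.x += dx
        self.y -= out
        return out


def min_out_for(quote, tolerance_bps):
    """Minimum acceptable output given a quote and a tolerance in basis points."""
    return quote * (10_000 - tolerance_bps) // 10_000


def user_output(prior_swaps, user_dx, min_out=0, x=1_000_000, y=1_000_000):
    """Execute `prior_swaps` (x-for-y, in block order) and then the user's swap.

    Returns the amount of y the user receives, or raises SlippageExceeded.
    The prior swaps stand in for transactions a block producer or bot placed
    ahead of the user's; the user's own min_out is the only defence modelled.
    """
    pool = ConstantProductPool(x, y)
    for dx in prior_swaps:
        pool.swap_x_for_y(dx)
    return pool.swap_x_for_y(user_dx, min_out)


if __name__ == "__main__":
    # Constructed scenario: the user wants to swap 10,000 X in a 1M/1M pool.
    quoted = ConstantProductPool(1_000_000, 1_000_000).quote(10_000)   # 9900
    print("quoted when submitted:", quoted)
    print("received if first in block:", user_output([], 10_000))
    print("received if a 50,000 X swap lands first:", user_output([50_000], 10_000))
    try:
        user_output([50_000], 10_000, min_out=min_out_for(quoted, 100))  # 1% tolerance
    except SlippageExceeded as exc:
        print("with 1% slippage guard:", exc)
```

In this scenario the user was quoted 9900 Y, receives 9900 Y if nothing lands ahead of them, but only 8984 Y (about 9% less) when a 50,000 X swap is ordered first. With a 1% tolerance the guard computes a floor of 9801 Y and the swap reverts, which is why setting a tight minimum output is the first thing to check before trading on a decentralised exchange.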

MEV is in its infancy, but has been described as “an invisible tax that miners can collect from users”. While there are various debates about how bad MEV is for DeFi (including the long-term effects), it is nevertheless a technology risk in DeFi.

There are many efforts to mitigate some of the technology risks we have explored in this article. These include best-practice code audits, bug bounties, and obscuring unconfirmed transactions to suppress MEV. Nevertheless, whenever you are engaging in the DeFi ecosystem you must be aware of the potential technology risks.

This article is from the free online

Decentralised Finance: Blockchain, Ethereum, and The Future of Banking

Created by
FutureLearn - Learning For Life
