Safety and security for DeFi and dApps

Need-to-know information to help you stay afloat in the sea of DeFi.

Never enter your 12-word secret recovery phrase or private keys into a dApp. If a dApp requests your 12-word phrase or private keys, it is trying to steal your crypto.


What happens when I allow a dApp to make changes?

In DeFi, when you give a dApp permission to access or move assets in your wallet, you expose yourself to risk.

When you use a dApp, you don't hand your funds over to it in order to use the service. Instead, you sign a transaction (on most chains, a token approval) that authorizes the dApp's smart contract to take specific actions with your funds when certain conditions are met. The contract never holds your keys, but within the limits you approved it can move assets out of your wallet without asking you again.
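On EVM chains such as Ethereum, the permission described above is usually an ERC-20 approval: you sign an approve transaction that grants the dApp's contract an allowance it can later spend with transferFrom. The following is an added example, not Exodus code or any dApp's code, that decodes the calldata of such a request offline so you can see which address is being approved and for how much before you sign. The four function selectors are the standard ERC-20/ERC-721 ones; the spender address and amounts are constructed for the example.

```python
# Added example (not Exodus or any dApp's code): decode the calldata of a
# transaction a dApp asks you to sign, so you can see what permission it wants.
# A function selector is the first 4 bytes of keccak256(signature); the four
# below are the standard ERC-20 / ERC-721 selectors.
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}
MAX_UINT256 = 2**256 - 1  # the "unlimited approval" amount


def _words(data: bytes) -> list:
    """Split ABI-encoded arguments into 32-byte words."""
    if len(data) % 32:
        raise ValueError("malformed calldata: arguments not 32-byte aligned")
    return [data[i:i + 32] for i in range(0, len(data), 32)]


def _addr(word: bytes) -> str:
    """An address is right-aligned in its 32-byte word (12 zero bytes, then 20)."""
    return "0x" + word[-20:].hex()


def _uint(word: bytes) -> int:
    return int.from_bytes(word, "big")


def decode_calldata(calldata: str) -> dict:
    """Return the decoded call plus any warnings a cautious signer should read."""
    hexdata = calldata[2:] if calldata.startswith("0x") else calldata
    raw = bytes.fromhex(hexdata)
    if len(raw) < 4:
        raise ValueError("calldata shorter than a function selector")
    selector = raw[:4].hex()
    sig = SELECTORS.get(selector)
    result = {"selector": selector, "function": sig, "warnings": []}
    if sig is None:
        result["warnings"].append("unrecognised function: do not sign what you cannot identify")
        return result
    args = _words(raw[4:])
    if sig.startswith("approve"):
        spender, amount = _addr(args[0]), _uint(args[1])
        result.update(spender=spender, amount=amount)
        if amount == MAX_UINT256:
            result["warnings"].append(
                f"unlimited allowance for {spender}: it can drain this token at any time")
    elif sig.startswith("setApprovalForAll"):
        operator, approved = _addr(args[0]), bool(_uint(args[1]))
        result.update(operator=operator, approved=approved)
        if approved:
            result["warnings"].append(f"{operator} may move every NFT you hold in this collection")
    elif sig.startswith("transferFrom"):
        result.update(sender=_addr(args[0]), to=_addr(args[1]), amount=_uint(args[2]))
    else:  # transfer
        result.update(to=_addr(args[0]), amount=_uint(args[1]))
    return result


# Constructed samples: the spender address and the amounts are made up.
SPENDER = "0x" + "11" * 20
UNLIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + "ff" * 32
LIMITED_APPROVE = "0x095ea7b3" + "00" * 12 + "11" * 20 + format(100 * 10**6, "064x")  # 100 USDC (6 decimals)

if __name__ == "__main__":
    for name, data in [("unlimited", UNLIMITED_APPROVE), ("limited", LIMITED_APPROVE)]:
        print(name, decode_calldata(data))
```

Most wallets show the decoded function name, but the amount word is where the risk hides: an allowance of 2^256-1 means the contract can move your entire balance of that token at any later time, even after you stop using the dApp. Approving only what the transaction needs, and revoking unused allowances afterwards, limits what a hacked or malicious contract can take.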

These conditions and actions are outlined and available for public review in the dApp's documentation. The design of a protocol's smart contracts is integral to dApps. For example, Tulip's ability to automatically provide your funds as liquidity to pools offering the highest interest rates is all done by smart contracts.

Interacting with smart contracts carries possible risk from malicious third parties, market conditions, or the design of the smart contracts.

If you're new to all things DeFi, you may want to be aware of some of these risks. Not to worry! There are also strategies that will help you to navigate the ecosystem a little more safely.

Please note: Exodus is a non-custodial software wallet that provides the interface for you to connect to the world of DeFi and dApps. DApps are platforms that are external to Exodus, so please make sure you do your own research before connecting!


What are the risks of using DeFi?

Hacks, scams, and bugs, oh my!

Some of the most notorious risks in DeFi come from a protocol's code being hacked or exploited. Code can also simply malfunction in different ways.

Hacks

Determined hackers can find holes and exploits in a protocol's code. Sometimes they find a way in through a bug or through a protocol's use of oracles. It's possible for hackers to interfere with the mechanics of the protocol to alter its expected behavior.

While DeFi protocols may not have custody of your funds, they can transact on your behalf if certain conditions are met. A hacker can exploit this by artificially meeting those conditions (for example, by manipulating the price an oracle reports to the protocol) and then accessing your funds.

Bugs

Depending on how established a protocol is and how experienced its developers are, a dApp could have built-in shortcomings that may compromise its security or cause the protocol to behave in unexpected and undesirable ways.

Scams

In some circumstances, the developers of a protocol are bad actors. Some dApps have devious designs or hidden backdoor functionality that can drain your wallet after you've granted the dApp access.

In all these cases, it's important to research each dApp to make sure it has a safe track record and is maintained by experienced developers. More information can be found in this section: Do your own research.

Impermanent loss

Impermanent loss is a risk specific to providing liquidity (yield farming). It happens whenever the prices of the assets you deposited move relative to each other, in either direction, not only when they rise.

Let's say that 1 SOL equals $100, and you provide 1 SOL and 100 USDC (a 50/50 split by value) as liquidity to a DEX. In exchange for your liquidity, the DEX gives you LP tokens that represent your share of the pool.

Now let's say that the price of SOL doubles, so 1 SOL equals $200, and you want to cash in your LP tokens to get your assets back.

In a standard constant-product pool, traders will have bought SOL out of the pool as its price rose, so your share is now roughly 0.71 SOL and 141 USDC, worth about $283. Your LP tokens entitle you to a fixed share of the pool, not a fixed dollar amount, and the pool's composition has shifted away from the asset that went up.

This is where impermanent loss comes in. Had you simply held your 1 SOL and 100 USDC, they would be worth $300. Providing liquidity left you about $17 (roughly 5.7%) short of that, before counting fees.

The loss is called impermanent because it only becomes permanent when you withdraw. If SOL drops back from $200 to $100, the pool rebalances and you can reclaim 1 SOL and 100 USDC again.

Also remember that by providing liquidity you earn a share of the pool's trading fees, proportional to your percentage of the pool. Depending on how much liquidity you provide and for how long, those fees may outweigh the impermanent loss.

A good way to get familiar with providing liquidity is to provide stablecoin pairs like USDC/USDT. Because their prices are meant to track each other, impermanent loss is usually much smaller than with volatile assets. The exception is a depeg: if one stablecoin loses its peg, the pool fills up with the failing coin and the loss is just as real.
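The SOL/USDC scenario above and the stablecoin caveat are both instances of the same formula. The following added example, not Exodus code or any DEX's code, computes what a liquidity provider gets back from a constant-product (x * y = k) pool after a price move and the resulting loss relative to holding. It assumes the common constant-product design, ignores trading fees, and uses constructed amounts.

```python
import math

# Added example (not Exodus or any DEX's code): what a liquidity provider gets
# back from a constant-product (x * y = k) pool after a price move, and the
# impermanent loss relative to simply holding. Fees are ignored; all amounts
# are constructed for the example.


def pool_after_price_move(vol_in: float, stable_in: float, new_price: float):
    """Amounts withdrawn from a constant-product pool once arbitrage has moved the
    pool price (stable / vol) to new_price. Ratios are the same for any share of
    the pool, so the deposit is treated as the whole pool."""
    k = vol_in * stable_in
    vol_out = math.sqrt(k / new_price)      # vol * stable = k and stable / vol = new_price
    stable_out = math.sqrt(k * new_price)
    return vol_out, stable_out


def impermanent_loss(price_ratio: float) -> float:
    """Fractional loss vs. holding for a 50/50 pool when the relative price changes
    by the factor price_ratio. Symmetric: r and 1/r give the same loss."""
    return 2 * math.sqrt(price_ratio) / (1 + price_ratio) - 1


def compare(vol_in: float, stable_in: float, new_price: float) -> dict:
    """Compare withdrawing from the pool with having held the deposited assets."""
    deposit_price = stable_in / vol_in
    vol_out, stable_out = pool_after_price_move(vol_in, stable_in, new_price)
    lp_value = vol_out * new_price + stable_out
    hold_value = vol_in * new_price + stable_in
    return {
        "vol_out": vol_out,
        "stable_out": stable_out,
        "lp_value": lp_value,
        "hold_value": hold_value,
        "loss_pct": (lp_value / hold_value - 1) * 100,
        "formula_pct": impermanent_loss(new_price / deposit_price) * 100,
    }


if __name__ == "__main__":
    # The article's scenario: 1 SOL + 100 USDC at $100/SOL, then SOL doubles.
    print(compare(1.0, 100.0, 200.0))
    # Back to $100: the loss disappears, hence "impermanent".
    print(compare(1.0, 100.0, 100.0))
    # Stablecoin pair drifting 1% vs. one side depegging to $0.50.
    for r in (1.01, 0.5):
        print(f"ratio {r}: {impermanent_loss(r) * 100:.3f}%")
```

Two things worth noticing when you run it: a 1% drift between two stablecoins costs about a thousandth of a percent, which is why stable pairs are the gentle introduction, while a depeg to $0.50 costs the same 5.7% as SOL doubling, because the formula only cares about the ratio.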

Intrinsic protocol risk

Intrinsic protocol risk refers to the mechanics of a protocol and its smart contracts. Even if everything works as expected, a protocol may produce an unfavorable outcome. 

When you engage with a DeFi smart contract, you're giving it permission to transact your assets when certain conditions are met. You can find out more about how this works in our article: How is DeFi non-custodial?.

As an example, say you took out an overcollateralized loan through a lending protocol such as Aave. You deposit 1 ETH valued at $2,000. Suppose the protocol lets you borrow up to 50% of your collateral's value, so you borrow $1,000 worth of Dai.

Now say the price of ETH fell, even by a dollar, and you were unable to add more ETH as collateral. Because you borrowed right up to the limit, your collateral would no longer satisfy the protocol's rules for the amount you borrowed, and the protocol could liquidate your ETH.

On protocols with fixed-term loans, your collateral could also be liquidated if you failed to pay back what you borrowed by the specified time.

This is inherent protocol risk. While these DeFi protocols are functioning as expected and can be great financial tools, they also carry risk if they're used without proper caution or understanding.
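The arithmetic behind the scenario above is simple enough to check before you borrow. The following added example, not Exodus code or Aave code, computes an Aave-style health factor and the collateral price at which a position becomes liquidatable. The 50% figure matches the article's simplified scenario; real protocols publish their own per-asset loan-to-value and liquidation-threshold parameters, which you should look up and plug in.

```python
# Added example (not Exodus or Aave code): the arithmetic behind liquidation in
# an overcollateralized lending protocol. The 50% limit matches the article's
# simplified scenario; a real protocol publishes its own loan-to-value and
# liquidation-threshold parameters per asset, which you must look up.


def health_factor(collateral_value: float, liquidation_threshold: float, debt_value: float) -> float:
    """Aave-style health factor: liquidation becomes possible once it falls below 1.0."""
    if debt_value == 0:
        return float("inf")
    return collateral_value * liquidation_threshold / debt_value


def liquidation_price(collateral_amount: float, liquidation_threshold: float, debt_value: float) -> float:
    """Collateral price at which the health factor reaches exactly 1.0."""
    return debt_value / (collateral_amount * liquidation_threshold)


def position_report(collateral_amount: float, price: float,
                    liquidation_threshold: float, debt_value: float) -> dict:
    """Summarise how much room a position has before it can be liquidated."""
    liq_price = liquidation_price(collateral_amount, liquidation_threshold, debt_value)
    return {
        "health_factor": health_factor(collateral_amount * price, liquidation_threshold, debt_value),
        "liquidation_price": liq_price,
        "max_drop_pct": (1 - liq_price / price) * 100,  # how far price can fall before HF < 1
    }


if __name__ == "__main__":
    # Article scenario: 1 ETH at $2,000, borrow $1,000 Dai against a 50% limit.
    print(position_report(1.0, 2000.0, 0.5, 1000.0))  # health factor exactly 1.0
    print(position_report(1.0, 1999.0, 0.5, 1000.0))  # below 1.0 after a $1 move
    # Borrowing half as much doubles the cushion: liquidation only at $1,000.
    print(position_report(1.0, 2000.0, 0.5, 500.0))
```

The practical takeaway is max_drop_pct: borrowing the maximum leaves it at zero, so any downtick can trigger liquidation, while borrowing half the maximum means ETH has to halve first. Deciding on that cushion before you borrow is what "proper caution or understanding" means in practice.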

Always do your due diligence to understand the protocols you use and what conditions may result in an unfavorable outcome.


How do I stay safe using DeFi?

Do your own research

Before entrusting your funds to the wild west of Web3, some extra research will go a long way in keeping you safe and successful on your DeFi journey. Here are a few different ways to research a dApp that you're interested in using.

Read the dApp's documentation

A dApp's code and documentation should be transparent and open to the public. For the on-chain part, that means verified source code on a block explorer, so the contract you read can be matched to the contract actually deployed.

A good place to start researching a dApp is its documentation. Reading the docs will help you understand how it works and what the dApp has to offer you.

Since a dApp requires your trust in order to use it, a dApp with good documentation will do a good job of explaining itself to you.

After reading a dApp's documentation, you should be able to answer these questions for yourself:

  • What does this dApp do?
  • What are the potential risks involved?
  • Under what conditions can it access funds in my wallet?
  • Does this dApp have a community I can engage with?

If you're unable to answer these questions after reading a dApp's documentation, you may need to do more research before choosing to use that dApp.

Check if the dApp has been audited

There are several tools and websites that review dApps for security flaws, check whether they have been audited, or flag known scams. Here is a list of resources you may find useful when researching a dApp:

  • DeFi Safety - A website that posts reports and safety scores on DeFi projects.
  • Solidity Finance - A website that checks if a protocol has been audited or not.
  • Rugscreen - A website that can identify if a protocol is a known scam or rug pull.
  • Coinsniper - A resource with more information on how to protect against common DeFi scams.

Research the developers of the dApp

Doxxed developers are accountable developers. It can help in your research to see if you can find the names of the dApp's developers.

Publicly known developers are a good sign as they can be identified and held accountable if something intentionally malicious occurs with the dApp.

Look into the dApp's community

Another place to check when researching a dApp is its community pages. Check if a dApp has a Twitter account or Discord server where you can ask members of the community what their experience has been with using the dApp.

However, if you find that a dApp's social media pages are full of spam posts or activity unrelated to crypto, it could be a sign that the community is inactive or unmoderated, both of which indicate that the dApp may not be trustworthy.

Exercise caution and be prepared

Once you've researched a dApp you want to connect your wallet to, you should still exercise caution. It's a good idea to only invest funds that you are willing and prepared to lose. While a dApp could appear solid and trustworthy, an update to the code or a newly discovered exploit could compromise your funds.

It also helps to be skeptical of DeFi protocols that promise larger than normal returns. If a high APY sounds too good to be true, it probably is. Big numbers alone don't guarantee a good investment - especially if you can't tell where the money is coming from.

Always make sure you keep enough of the network's native coin on hand to cover the gas fees for the dApps you choose to use. Not having enough funds for gas could leave a multi-step operation half finished, for example an approval granted but the deposit or repayment that follows it never sent.

It's also important to use a secure dApp browser such as the one in Exodus Browser Extension. Secure dApp browsers will often take the time to review and vet a dApp before listing it for search.
