Safety and security for DeFi and Web3
Need to know information to help you stay afloat in the sea of DeFi.
Never enter your 12-word secret recovery phrase or private keys into a Web3 app. If a Web3 app requests your 12-word phrase or private keys, it is trying to steal your crypto.
In this article:
- What happens when I allow a Web3 app to make changes?
- What are the risks of using DeFi?
- How do I stay safe using DeFi?
What happens when I allow a Web3 app to make changes?
In DeFi, when you give a Web3 app permission to access your wallet, you expose yourself to risk.
When you use a Web3 app, you're not sending funds from your wallet to the app in order to use the service. Instead, you sign an approval that lets the app's smart contract move specific tokens from your wallet, up to the amount you approve, when certain conditions are met. Once granted, that permission stays in place until you revoke it, so the contract can act on those tokens without asking you again.
These conditions and actions are outlined and available for public review in the Web3 app's documentation. The design of a protocol's smart contracts is integral to Web3 apps. For example, Tulip's ability to automatically provide your funds as liquidity to pools offering the highest interest rates is all done by smart contracts.
Interacting with smart contracts carries possible risk from malicious third parties, market conditions, or the design of the smart contracts.
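Because the permission you grant is expressed in the transaction's calldata, it can be read before you sign. The following is an added example, not Exodus code or any dApp's code: it decodes the three standard calls that hand a contract power over your tokens (the ERC-20 `approve`, the ERC-721/1155 `setApprovalForAll`, and a plain `transfer`) and flags what each would allow. The function selectors are the standard ones; the spender addresses and the "trusted list" are assumptions made for the example.

```javascript
// Added example (not Exodus or any dApp's code): decode the calldata of a
// transaction a Web3 app asks you to sign and flag what it would let the app do.
// Selectors are the first four bytes of keccak256(signature); the three below
// are the standard ERC-20 and ERC-721/1155 values.
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20: let spender move up to `amount`
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721/1155: let operator move every NFT
  "a9059cbb": "transfer(address,uint256)",       // ERC-20: move tokens right now
};
const UINT256_MAX = (1n << 256n) - 1n;

// Build calldata for one of the calls above. Used here only to construct
// sample inputs; a wallet receives calldata from the dApp.
function encodeCall(selector, address, value) {
  const addr = address.replace(/^0x/, "").toLowerCase().padStart(64, "0");
  const val = BigInt(value).toString(16).padStart(64, "0");
  return "0x" + selector + addr + val;
}

function decodeCalldata(hex) {
  const data = hex.replace(/^0x/, "").toLowerCase();
  if (data.length < 8 || !/^[0-9a-f]*$/.test(data)) throw new Error("malformed calldata");
  const selector = data.slice(0, 8);
  const signature = SELECTORS[selector] ?? null;
  if (!signature) return { selector, signature, target: null, value: null };
  const words = data.slice(8).match(/.{64}/g) ?? [];
  if (words.length < 2) throw new Error("truncated arguments for " + signature);
  // Addresses are left-padded to 32 bytes; the padding must be zero.
  if (!/^0{24}/.test(words[0])) throw new Error("address word has non-zero padding");
  return {
    selector,
    signature,
    target: "0x" + words[0].slice(24), // spender, operator or recipient
    value: BigInt("0x" + words[1]),    // allowance, bool flag or amount
  };
}

// Decide what to tell the user before they sign. `trustedSpenders` is a list
// of contract addresses already vetted (assumption: the wallet keeps one).
function assessCalldata(hex, trustedSpenders = []) {
  const call = decodeCalldata(hex);
  const warnings = [];
  let risk = "low";
  const trusted = call.target !== null &&
    trustedSpenders.map((a) => a.toLowerCase()).includes(call.target);
  if (call.signature === null) {
    risk = "medium";
    warnings.push("unknown function selector " + call.selector + "; review the contract before signing");
  } else if (call.signature.startsWith("approve")) {
    if (call.value === UINT256_MAX) {
      risk = "high"; // even a trusted contract can be exploited; an unlimited allowance makes you drainable
      warnings.push("unlimited allowance: spender could drain this token at any time");
    } else if (call.value > 0n) {
      risk = trusted ? "low" : "medium";
      warnings.push("allowance of " + call.value + " base units granted to " + call.target);
    }
  } else if (call.signature.startsWith("setApprovalForAll")) {
    if (call.value === 1n) {
      risk = "high";
      warnings.push("operator " + call.target + " could transfer every NFT in this collection");
    }
  } else if (call.signature.startsWith("transfer")) {
    risk = "medium";
    warnings.push("moves " + call.value + " base units to " + call.target + " immediately");
  }
  if (call.target !== null && !trusted) warnings.push("target " + call.target + " is not on your trusted list");
  return { ...call, risk, warnings };
}

// Constructed sample: an unlimited ERC-20 approval to a placeholder spender.
const SAMPLE_UNLIMITED_APPROVE = encodeCall("095ea7b3", "0x" + "11".repeat(20), UINT256_MAX);
console.log(assessCalldata(SAMPLE_UNLIMITED_APPROVE));
```

The useful habit this demonstrates is checking the allowance amount, not just the spender: a dApp that needs to move 100 tokens for one swap does not need a 2^256-1 allowance, and a limited approval caps what a later bug or backdoor in that contract can take.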
If you're new to all things DeFi, you may want to be aware of some of these risks. Not to worry! There are also strategies that will help you to navigate the ecosystem a little more safely.
Exodus is a non-custodial software wallet that provides the interface for you to connect to the world of DeFi and Web3. Web3 apps are platforms that are external to Exodus, so make sure you do your own research before connecting!
What are the risks of using DeFi?
Hacks, scams, and bugs, oh my!
Some of the most notorious risks in DeFi come from a protocol's code being hacked or exploited. Code can also simply malfunction.
Determined attackers look for bugs in a protocol's code and for weaknesses in the data it depends on, such as the price oracles it reads. By manipulating those inputs they can change how the protocol behaves.
While DeFi protocols may not have custody of your funds, they can transact on your behalf once certain conditions are met. An attacker can exploit this by artificially creating those conditions (for example, by manipulating a price the protocol trusts) so that the protocol moves your funds in a way you never intended.
Depending on how established a protocol is and how experienced its developers are, a Web3 app could have built-in shortcomings that may compromise its security or cause the protocol to behave in unexpected and undesirable ways.
In some circumstances, the developers of a protocol are bad actors. Some Web3 apps may have devious designs or back door functionality that can steal your money after you've allowed the Web3 app access to your wallet.
In all these cases, it's important to research each Web3 app to make sure it has a sound track record and is maintained by experienced developers. More information can be found in this section: Do your own research.
If you receive an unknown NFT in your wallet do not transfer it or list it for sale. Sometimes scammers airdrop NFTs with malicious intent, hoping you will interact with the NFT or click on a suspicious link. This can result in the theft of your assets.
Impermanent loss is a risk specific to providing liquidity to an automated market maker (AMM), which is what most yield farming involves. It happens whenever the relative price of the two assets you deposited changes, in either direction.
Let's say that 1 SOL equals $100, and you provide 1 SOL and 100 USDC (equal dollar values, as most pools require) as liquidity to a DEX. In exchange, the DEX gives you LP tokens representing your share of the pool, worth $200 at the time.
Now say the price of SOL doubles to $200 and you redeem your LP tokens to get your assets back.
You don't get back 1 SOL and 100 USDC. A constant-product pool keeps the product of its two reserves fixed, and traders (arbitrageurs) buy SOL from the pool until the pool's ratio matches the new market price. Your share of the pool is now about 0.707 SOL and about 141.42 USDC, worth about $282.84.
This is where impermanent loss comes in. Had you simply held your 1 SOL and 100 USDC, they would now be worth $300. Providing liquidity left you about $17, or roughly 5.7%, worse off than holding, before fees.
The loss is called impermanent because it's only locked in when you withdraw. If the price of SOL later returns to $100, the pool rebalances back and you can reclaim roughly your original 1 SOL and 100 USDC.
Also remember that by providing liquidity you earn a share of the pool's trading fees proportional to your percentage of the pool. Depending on how much liquidity you provide, for how long, and how much trading volume the pool sees, fees can outweigh impermanent loss in the long term.
A good way to get familiar with providing liquidity is to start with stablecoin pairs like USDC/USDT. Because their prices track each other, impermanent loss is far smaller than with volatile assets (a stablecoin losing its peg would still cause it).
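To see where those numbers come from, here is an added example (not from the original article) that works the SOL/USDC scenario through constant-product pool math and generalises it to any price move, including a price fall and the near-zero loss of a stablecoin pair. It ignores trading fees and assumes the second asset is dollar-pegged; those are the example's assumptions, not the page's.

```javascript
// Added example (not from the original article): impermanent loss in a
// constant-product AMM pool, generalised to any price move. Fees are ignored.
// A pool holding x of asset A and y of asset B keeps x * y = k constant; after
// the market price of A moves, arbitrage trades against the pool until its
// reserve ratio y / x equals the new price.
function reservesAfterPriceChange(x, y, priceRatio) {
  // priceRatio = newPrice / oldPrice of A quoted in B (2 = A doubled, 0.5 = halved)
  if (x <= 0 || y <= 0 || priceRatio <= 0) throw new RangeError("reserves and ratio must be positive");
  const k = x * y;
  const newPrice = (y / x) * priceRatio;
  return { x: Math.sqrt(k / newPrice), y: Math.sqrt(k * newPrice) };
}

// Value of the LP position relative to simply holding the deposited assets,
// as a fraction; negative means a loss. It depends only on the price ratio,
// and is the same for a doubling as for a halving.
function impermanentLoss(priceRatio) {
  return (2 * Math.sqrt(priceRatio)) / (1 + priceRatio) - 1;
}

// Full comparison for a deposit of equal dollar value on each side.
// Assumption: asset B is dollar-pegged (USDC here), so its price stays 1.
function compareLpToHold({ amountA, amountB, priceA, priceRatio }) {
  const newPriceA = priceA * priceRatio;
  const pool = reservesAfterPriceChange(amountA, amountB, priceRatio);
  const lpValue = pool.x * newPriceA + pool.y;
  const holdValue = amountA * newPriceA + amountB;
  return {
    withdrawA: pool.x,
    withdrawB: pool.y,
    lpValue,
    holdValue,
    lossUsd: lpValue - holdValue,
    lossFraction: lpValue / holdValue - 1,
  };
}

// The article's scenario: 1 SOL + 100 USDC deposited at $100/SOL, then SOL doubles.
const solExample = compareLpToHold({ amountA: 1, amountB: 100, priceA: 100, priceRatio: 2 });
console.log(solExample);
// A stablecoin pair drifting 0.2% barely registers.
console.log("USDC/USDT drift 0.2%:", impermanentLoss(1.002));
```

Before depositing into a volatile pair, plug a plausible price range into `impermanentLoss` and compare the result with the fee APY the pool actually earns, not the headline number.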
Intrinsic protocol risk
Intrinsic protocol risk refers to the mechanics of a protocol and its smart contracts. Even if everything works as expected, a protocol may produce an unfavorable outcome.
When you engage with a DeFi smart contract, you're giving it permission to transact your assets when certain conditions are met. You can find out more about how this works in our article: How is DeFi non-custodial?.
As an example, say you take out an overcollateralized loan through a lending protocol such as Aave. You deposit 1 ETH valued at $2,000. If the protocol lets you borrow up to 50% of your collateral's value, you can borrow $1,000 worth of Dai.
Lending protocols also set a liquidation threshold: once your debt exceeds that fraction of your collateral's current value, anyone can repay part of your loan and take your collateral at a discount. If you borrowed right up to the limit and the threshold were the same 50%, a drop in the ETH price of just a dollar would push you over it, and your ETH could be liquidated unless you added collateral or repaid. Real protocols usually set the liquidation threshold somewhat above the maximum borrow limit to give a buffer; check both figures for the asset you're depositing.
On protocols with fixed-term loans, your collateral can also be liquidated if you don't repay by the due date.
This is inherent protocol risk. While these DeFi protocols are functioning as expected and can be great financial tools, they also carry risk if they're used without proper caution or understanding.
Always do your due diligence to understand the protocols you use and what conditions may result in an unfavorable outcome.
How do I stay safe using DeFi?
Do your own research
Before entrusting your funds to the wild west of Web3, some extra research will go a long way in keeping you safe and successful on your DeFi journey. Here are a few different ways to research a Web3 app that you're interested in using.
Read the Web3 app's documentation
A Web3 app's code and documentation should be transparent and open to the public.
A good place to start researching a Web3 app is its documentation. Reading the docs will help you understand how it works and what the Web3 app has to offer you.
Since a Web3 app requires your trust in order to use it, a Web3 app with good documentation will do a good job of explaining itself to you.
After reading a Web3 app's documentation, you should be able to answer these questions for yourself:
- What does this dApp do?
- What are the potential risks involved?
- Under what conditions can it access funds in my wallet?
- Does this dApp have a community I can engage with?
If you're unable to answer these questions after reading a dApp's documentation, you may need to do more research before choosing to use that dApp.
Check if the dApp has been audited
There are several websites that review dApps, rate their security practices, or track whether their code has been audited and by whom. Here are a few you may find useful when researching a dApp:
- DeFi Safety - A website that posts reports and safety scores on DeFi projects.
- Solidity Finance - A website that checks whether a protocol has been audited.
- Rugscreen - A website that can identify whether a protocol is a known scam or rug pull.
- Coinsniper - A resource with more information on how to protect against common DeFi scams.
An audit reduces risk but doesn't remove it: check which contracts the audit covered, whether the findings were fixed, and whether the code deployed today is the code that was audited.
Research the developers of the dApp
Doxxed developers are accountable developers. It can help in your research to see if you can find the names of the dApp's developers.
Publicly known developers are a good sign as they can be identified and held accountable if something intentionally malicious occurs with the dApp.
Look into the dApp's community
Another place to check when researching a dApp are its community pages. Check if a dApp has a Twitter account or Discord page where you can ask members of the community what their experience has been with using the dApp.
However, if you find that a dApp's social media pages are full of spam posts or activity unrelated to crypto, it could be a sign that the community is inactive or unmoderated, both of which indicate that the dApp may not be trustworthy.
Exercise caution and be prepared
Once you've researched a dApp you want to connect your wallet to, you should still exercise caution. It's a good idea to only invest funds that you are willing and prepared to lose. While a dApp could appear solid and trustworthy, an update to the code or a newly discovered exploit could compromise your funds.
It also helps to be skeptical of DeFi protocols that promise larger than normal returns. If a high APY sounds too good to be true, it probably is. Big numbers alone don't guarantee a good investment - especially if you can't tell where the money is coming from.
Always make sure you keep enough of the network's native coin on hand to pay gas for the transactions the dApps you use will send. Running out of gas partway through a multi-step interaction can leave it incomplete.
It's also important to use a secure dApp browser such as the one in Exodus Browser Extension. Secure dApp browsers will often take the time to review and vet a dApp before listing it for search.