DeFi Risk Tools & Resources

This is the first step in a larger initiative to create a collaborative DAO to increase safety and transparency for DeFi through a community-driven product risk history and scoring resource.

Providing a credible risk assessment platform helps highlight innovators who are changing the future of finance without cutting corners. Not only does this help the average crypto participant make more intelligent decisions, but it also incentivizes individual projects to boost their overall security and trustworthiness.

Below is a list of the available tools, projects, and protocols for analyzing and managing risk within DeFi.

Note that this list is focused on technical, centralization, and liquidity risk of DeFi protocols, NOT price risk of tokens.

We hope that better sharing of tools, standards, and development patterns will support the safe growth of the DeFi ecosystem overall. We also hope that DeFi protocols, white hat hackers, developers, auditors, and users can unite around the common goal of making DeFi safer for current and future adopters.

To learn more, join the DeFi Safety DAO Telegram group.

Contributions are welcome!

Feel free to submit a pull request, with anything from small fixes to translations to tools you'd like to add (or remove!). If adding a new tool, please add a brief description that you think new developers would understand.

  • Projects that do not have a working product should only be added to the Coming Soon section.
  • Projects that are deprecated or no longer maintained will be removed.
  • Projects that are paid/restricted services without open-source code or developer reviews will be further vetted.

The Basics of DeFi Risk

Building on the work of awesome projects like DeFi Score, DeFi Safety, and others, we believe that the systemic failure of large financial protocols is the biggest risk to a thriving DeFi community over the next few years.

Currently, some of the risks in DeFi include:

  • DeFi protocols range from fly-by-night scam operations to serious protocols challenging TradFi, and it is often hard to tell them apart.
  • Many DeFi hacks have taken place and DeFi users have lost funds. Arguably, some of this could have been prevented if objective risk information had been available.
  • Objective information about DeFi protocols is hard to find and scattered across different platforms. Investors have to do independent research by switching between various interfaces and data sources.
  • Where objective information is available at all, it is centralised and often outdated.

Protocols and smart contracts that contain large amounts of value face the following risks:

  • Smart Contract Risk - Technical bugs that can expose funds to hackers.
  • Centralization Risk - Centralized admin keys are stolen or used nefariously, or oracles are manipulated to allow an exploit.
  • Financial Risk - Collateral falls below outstanding obligations, likely due to price movement, or low liquidity leads to locked funds.

The resources below list some common methods of failure. We hope that by educating and evangelizing the public, our community can eliminate or mitigate these vulnerabilities as more groundbreaking financial services are built in this space.

Eventually, a DeFi Safety DAO would seek to solve key issues by:

  • Bringing together a suite of tools that have been standalone until now.
  • Assessing and indicating risk across protocols.
  • Providing incentives to keep these metrics up to date and to improve quality and quantity of the underlying data.

Risk Ratings

Hack Incident Reporting

DeFi Risk Research

Risk Management Projects & Protocols

Coming Soon

Developer Tools

  • DEFIYIELD Safe ‘Risky Contract Manager’ - Tool to revoke approvals to smart contracts
  • Solidify by Coinbase - Tool to detect and classify smart contract security risks
  • CryptoFin Solidity Auditing Checklist - A checklist of common findings, and issues to watch out for when auditing a contract for a mainnet launch.
  • MythX - Security verification platform and tools ecosystem for Ethereum developers
  • Mythril - Open-source EVM bytecode security analysis tool
  • Oyente - Alternative static smart contract security analysis
  • Securify - Security scanner for Ethereum smart contracts
  • SmartCheck - Static smart contract security analyzer
  • Ethersplay - EVM disassembler
  • Evmdis - Alternative EVM disassembler
  • Hydra - Framework for cryptoeconomic contract security, decentralised security bounties
  • Solgraph - Visualise Solidity control flow for smart contract security analysis
  • Manticore - Symbolic execution tool on Smart Contracts and Binaries
  • Slither - A Solidity static analysis framework
  • Adelaide - The SECBIT static analysis extension to Solidity compiler
  • solc-verify - A modular verifier for Solidity smart contracts
  • Solidity security blog - Comprehensive list of known attack vectors and common anti-patterns
  • Awesome Buggy ERC20 Tokens - A Collection of Vulnerabilities in ERC20 Smart Contracts With Tokens Affected
  • Free Smart Contract Security Audit - Free smart contract security audits from Callisto Network
  • Piet - A visual Solidity architecture analyzer

Risk and Security Resources

Potential Further Work and Tools

Form DeFi Safety DAO

DeFi Safety DAO’s goal is to keep the DeFi space safe, robust, and grounded. It will be a community owned and operated comprehensive blockchain security analysis DAO.

DeFi Safety DAO will provide a comprehensive, 360-degree view of the smart contract threat landscape, involve the community in the scoring process, and make DeFi easier and more accessible by offering a standard of safety that users can trust.

It will function as the first DeFi risk assessment tool for users to make smarter and safer decisions. Community members can provide qualitative suggestions on potential composability risks for various projects and fill in metrics.

The community will be incentivized to contribute qualitative and quantitative information on smart contract, centralization, and other DeFi risks. Team members will be sourced from the DAO and assembled to work on specific risk assessment tasks or setup as mini teams to perform comprehensive assessments.

Crowdsourced / Self-reported DeFi Scores

The main inputs in calculating the DeFi Score 2.0 are:

  • Smart Contract Risk - Technical bugs that can expose funds to hackers.
    • Example Metrics: Audit history, critical hack history and responses (from hack incident reporting), DeFi Score 2.0 audits.
  • Centralization Risk - Centralized admin keys are stolen or used nefariously, or oracles are manipulated to allow an exploit.
    • Example Metrics: Admin keys, timelock for protocol changes, whale concentration, percentage of staked tokens, % TVL from own tokens.
  • Financial Risk - Collateral falls below outstanding obligations, likely due to price movement, or low liquidity leads to locked funds.
    • Example Metrics: Combined liquidity across dexes, 24-hour volume, volatility and impermanent loss measured over time.

The creation of guidelines will fuel a community driven initiative based on user ratings, providing measurement of DeFi protocol scores defined by adaptable objective metrics and risk methodologies, updated by teams, contributors and the community.

Protocols that want to be listed should be able to complete a prospective rating themselves, and submit to the DAO for verification and approval. Alternatively, protocols should be able to offer grants for crowd sourced completion of ratings.

To help get things started, ConsenSys Codefi will also:

  • Provide more helpful tools to the site, such as charts
  • Source valuable data to make scoring more accurate
  • Encourage meaningful community participation
  • Add additional communications support as needed

Soon a decentralized community of contributors will form to maintain this important infrastructure.

Gitcoin Bounties

Continued improvements on DeFi scoring with bounties for clear, specific, predictable data. Sample draft SOPs are provided below in the "Risk Factors Database and SOPs" section.

Coordinape

Enables decentralized and transparent distribution of rewards autonomously allocated by the community of contributors doing the work. This will provide insights on what the community finds most valuable, and who the key contributors are in different areas. Their aim is to make the experience of contributors more dynamic, rewarding, fair and transparent.

Teams of DAO members working on particular tasks will be assembled into “Circles”. Circles could be specialized based on the task/risk being assessed, or they could be set up as mini teams that perform comprehensive assessments. Circles will be assigned a budget for each task/project, to be paid when complete. Total rewards are then divided amongst the members of the Circle based on contribution.

For crowdsourcing to be effective, it is important to ensure that:

  • the quality of input meets a certain minimum standard, and
  • a mechanism exists which continuously improves the quality of input.

To address this, a credibility score may be implemented.

Credibility of Auditors and Assessors

Circles/individuals may be rated on a constantly optimized credibility score. The credibility score will be composed of:

  • Experience score - how many audits completed/how much work done
  • Quality score - Did the audit prevent hacks? The longer the audited projects go without any exploits, the higher the quality score of the individual/circle who completed the audit.

Protocols can restrict takers for their crowd sourced audits based on credibility score. Also, payment for services will be based on the credibility score of the individual/circle performing the work.

Organization Details

Hives: Collection of circles that perform the same generalized function.

Circles: Autonomous teams with specialized expertise whose responsibilities are clearly delineated. All members of a Circle act as peers.

Structure:

Hive A: Smart Contract Risk assessors

Hive B: Centralization Risk assessors

Hive C: Financial Risk assessors

Hive D: Mitigation Measures assessors

Within each Hive, there will be specialized expertise circles for:

Circle 1: Lending platforms

Circle 2: Trading platforms

Circle 3: Yield farming platforms

Audit Circles: Circles can be specialized based on Audit tools used or by parts of the Audit split by expertise type (like with DeFi score circles above)

3rd Party Composite Score

Composite risk rating defined by compiling other DeFi safety scores which can be crowdsourced or automatically generated.

A list of DeFi ratings, which the DAO can leverage:

  • DeFi Score - A 1-10 grade on the smart contract, centralization, and financial risk of lending protocols
  • Economic Safety Grade from DeFi Pulse & Gauntlet - A 1-100 grade to quantify and compare the economic risks of using on-chain protocols
  • DeFi Safety - A 1-100 rating of smart contract quality and safety for DeFi apps
  • Certik Security Scores - A 1-100 score of protocols across on-chain monitoring, social sentiment, governance changes, and market volatility
  • CER Security Score - A 1-10 score on protocols based on audits, bug bounties, and liquidity
  • CoinGecko Trust Score - A 1-10 score on centralized exchanges as well as a Green/Yellow/Red rating of the liquidity of certain trading pairs

Crowdsourced Audits

Crowd-sourced audits are ground-breaking and need to be defined carefully, but proactive cybersecurity is necessary in DeFi.

One of the easiest ways to achieve protocol security is by providing rigorous crowd sourced audits in addition to bug bounties that are big enough to incentivize hackers to opt for the whitehat approach over blackhat.

Protocols can pay for crowd sourced audits. Members of the DAO will conduct audits and report results, which will include bugs, proposed fixes, time spent on the audit and tools used.

Audits can be completed on request by the protocol (paid job); or complete audits and/or parts of audits can be completed by individuals as research to build their credibility on the platform (free jobs).

Autonomous contributors can work on specific risk assessment tasks or perform comprehensive assessments.

Defi Risk Glossary & Knowledge Base

Hacks vs exploits vs rugs vs scams, with detailed definitions and prevention strategies. Positive DeFi/DAO best practices for new and current projects to build on. Definition of DeFi risk factors used in the model.

Hack Event Registry

An accessible resource for learning about past DeFi vulnerabilities/exploits and helping prevent them in the future.

Pooled Bug Bounties

Aggregate bug bounties across protocols. Bounty hunters will be incentivized to hunt for critical vulnerabilities and be rewarded in the process. Armor and Immunefi have already been working with ecosystem protocols on a Big Bug Bounty Challenge. Protocols can offer bug bounties on Immunefi for exposure to a larger pool of interested whitehat hackers.

Risk Factors Database and SOPs

Objective: Adapt https://defiscore.io/ and https://inspect.codefi.network/ to the current DeFi landscape for measuring protocol risks with a decentralized contributor model. We’ve put together a list of risk factors that can be used as a base on which to build an improved and robust DeFi scoring system.

We are looking for a solution that has the ability to:

  • Aggregate data points for each risk factor from existing reputable and reliable sources (automatically or crowd sourced)
  • Validate or invalidate the source of the data
  • Automate or implement a trigger-based process for validating and updating data
  • Add/remove/hide risk factor data points
  • Generate an overall 0-10 score based on parameters set for each protocol
  • Display risk factor data and score for each protocol in a simple, easy-to-understand, easy-to-use interface.

Below, you can find the risk factor data points that we put together including sample data, and steps for generating the data manually. Click here to view data for the Top 10 DeFi protocols based on the risk factor data points listed below. Feedback and improvements are most welcome.

Risk Factor Data Points

Key Stats

Key Stats

Sample research results (MakerDAO, the protocol used in the SOP example):

  • TVL in USD: $8.75B
  • TVL in ETH: 3.7M ETH
  • TVL in BTC: 137.3K BTC
  • ETH Locked: 2.9M ETH
  • % Supply Locked: 2.51%
  • Blockchain: Ethereum
  • Most Locked: $WETH
  • Protocol Token: $MKR

SOP for manual data gathering:

  1. Go to https://defipulse.com/
  2. Search for the protocol name. Here’s the example for MakerDAO: https://defipulse.com/maker

Centralization Risk Factors

Centralization Risks

Admin Keys

Sample research results:

MakerDAO - smart contracts do not have an admin key. There is no single key or multisig that can be used to modify MakerDAO's smart contracts. Any changes must be approved by a governance vote. Please note that this only relates to admin key risk and MakerDAO is still subject to smart contract risk.

https://inspect.codefi.network/details/maker/admin-keys

Instadapp - no admin key or ability to modify

https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/

Synthetix - Once a proposal is approved through voting, users must trust Synthetix’s protocolDAO to make the modification to the protocol. protocolDAO is a fancy way of describing a 4-of-8 multisig admin key (48 hour timelock). However, action by the protocolDAO is in no way technically connected to the off-chain voting that occurs. Therefore, users must trust the protocolDAO to act responsibly and skillfully.

In addition, any one member of the protocolDAO has the ability to pause the entire Synthetix system in the case of an emergency. No vote is required, and no other members of the DAO have to be involved for one member to do this.

https://defiwatch.net/defi-projects/synthetix

Bancor - had admin keys

https://twitter.com/Diane_0320/status/1273501704491683840

SOP for manual data gathering:

Find out if the protocol is holding any admin keys.

Admin keys are held by platform administrators who have the ability to modify the rules of the contract in an arbitrary manner. Most admin keys are protected by features like timelocks and multisigs. However, no DeFi project can guarantee that the operational security of its admin keys is strong, so users need to rely on the expertise of the team and their ability to protect those keys.

Here are some references we found. If the protocol is not mentioned in any of these resources, you can do a keyword search for “does <protocol> have admin keys?” (or similar).

https://inspect.codefi.network/details

https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/

https://cointelegraph.com/news/how-many-defi-projects-still-have-god-mode-admin-keys-more-than-you-think

https://defiwatch.net/

Timelock

Sample research results:

MakerDAO - 4 hours

https://inspect.codefi.network/details/maker

Uniswap - Timelock has a hard-coded minimum delay of 2 days, which is the least amount of notice possible for a governance action. Each proposed action will be published at a minimum of 2 days in the future from the time of announcement. Major upgrades, such as changing the risk system, may have up to a 30 day delay.

https://uniswap.org/docs/v2/governance/governance-reference/#timelock

SushiSwap - It takes 48 hours for the transactions to pass the timelock

https://docs.sushi.com/products/yield-farming/menu-of-the-week

SOP for manual data gathering:

Find out if the protocol has a timelock set on its smart contracts. If it does, indicate the delay time.

A timelock is a fixed delay that gives users some reaction time in the event of an unexpected change that was not agreed upon or is malicious, so that it is possible to withdraw funds and secure them. The timelock is set in code; once set, no one can reduce the waiting time.

Check the protocol’s documentation page found on its website, or you can do a keyword search for “does <protocol> have a timelock?” (or similar).

Whale Concentration

Sample research results:

MakerDAO - 17 whales hold 55.98% of MKR tokens

https://drive.google.com/file/d/1JsYuhpOiyuiQVEP3ZbjTCUprUeCPpwAZ/view?usp=sharing

SOP for manual data gathering:

The term “whale” in cryptocurrency describes an individual or organization that holds a large amount of a particular cryptocurrency. You can sign up for a 7-day free trial (no credit card required) account on https://www.intotheblock.com/

Smart Contract Risk Factors

Smart Contract Risks

Audit History

Sample research results:

MakerDAO

https://github.com/makerdao/audits

https://security.makerdao.com/audit-reports

Compound

https://compound.finance/docs/security#audits

Aave

https://docs.aave.com/developers/security-and-audits

SOP for manual data gathering:

Find out if the protocol has been audited before by researching security audit references.

Deploying smart contracts to the blockchain is irreversible. If a smart contract is poorly designed, it puts its users’ assets at risk, and therefore external security audits are crucial.

You can do a keyword search for “<protocol> audit history” or “security audit” (or similar).

Critical Hack History

Sample research results:

MakerDAO - No, but it was a close call

https://www.coindesk.com/55m-hack-ethereum-down

Compound - Pickle Finance was hacked through Compound

https://news.bitcoin.com/hackers-paradise-yet-another-defi-protocol-exploited-for-nearly-20-million-in-dai/

Aave - Yearn Finance was hacked through Aave

https://www.crowdfundinsider.com/2021/02/171974-defi-platform-yearn-finances-dai-vault-suffers-major-exploit-hack-leads-to-11-million-in-value-drained-from-platforms

SOP for manual data gathering:

Find out if the protocol has been hacked before, or if there is any relevant news related to it being hacked.

You can do a keyword search for “has <protocol> been hacked?” or “<protocol> hacked” (or similar).

Highest Bug Bounty USD

Sample research results:

MakerDAO - $100,000

Compound Finance - $150,000

Aave - $250,000

SOP for manual data gathering:

Do they have a Bug Bounty Program? If yes, what is the maximum payout?

You can do a keyword search for “<protocol> bug bounty”.

Bug Bounty Page

Sample research results:

MakerDAO

https://hackerone.com/makerdao_bbp?type=team

Compound Finance

https://compound.finance/docs/security#bug-bounty

Aave

https://aave.com/bug-bounty/

SOP for manual data gathering:

Provide the Bug Bounty Page of the protocol where the maximum reward is mentioned.

Financial Risk Factors

Financial Risks

Total Liquidity

Sample research results:

Uniswap - $105,642,533

https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984

Sushiswap - $2,182,622

https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2

Volume (24H)

Sample research results:

Uniswap - $52,455,299

https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984

Sushiswap - $1,644,410

https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2

SOP for manual data gathering (Total Liquidity and Volume):

What is the Total Liquidity and Volume of the protocol token?

Liquidity is the degree to which an asset can be quickly bought or sold without affecting the general stability of its price. In other words, it refers to the ability to convert the asset into cash. Higher liquidity is preferred because of the fair price advantage and market stability.

Volume refers to the amount of activity of a token, whether buying or selling, within a period of time, e.g. 24 hours. Generally, high trading volume is considered a good thing: it shows that the market has liquidity and stability.

  1. Go to https://info.uniswap.org/home
  2. Search for the token name

Ability to Cover Risks

Ability to Cover Risk

Sample research results:

  • Nexus: Yes
  • ArCore: Yes
  • ArNFT: Yes

SOP for manual data gathering:

Similar to any type of investment, the ability to limit risk by insuring tokens is crucial to avoid losses from smart contract bugs and hackers.

  1. Go to https://armor.fi/mint (you must connect your wallet to see the list of tokens covered)
  2. Uncheck the giftbox
  3. Search for the protocol name in the search box. If the protocol exists, enter YES for Nexus, ArCore and ArNFT; if it doesn’t, enter NO.
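The capability list in the Risk Factors Database and SOPs section asks for an overall 0-10 score generated from the risk factor data points above. The following is an added example, not code from this repository or the DAO's methodology, showing one way such a score could be assembled from the Centralization, Smart Contract, Financial and Ability to Cover Risk data points: each factor is normalised to a 0-1 sub-score, the sub-scores are weighted per category, and the result is scaled to 0-10. The category weights, the saturation thresholds (three audits, a $250,000 bounty, a 48-hour timelock), the log scaling of liquidity and volume, the risk bands and the `RiskFactors` field names are all assumptions. The sample input is constructed: it follows the MakerDAO rows above for the admin key, 4-hour timelock, 55.98% whale concentration and $100,000 maximum bounty, while the audit count, hack count, liquidity, volume and coverage values are made up for the run.

```python
"""Toy composite 0-10 risk score over the risk factor data points above.

Added example, not the DAO's own methodology: the weights, normalisation
rules and sample values below are assumptions chosen for illustration.
"""
import math
from dataclasses import dataclass
from typing import Optional


@dataclass
class RiskFactors:
    # Centralization risk factors
    has_admin_key: bool
    timelock_hours: Optional[float]   # None when there is no timelock
    whale_concentration_pct: float    # % of the protocol token held by whales
    # Smart contract risk factors
    audit_count: int
    critical_hacks: int
    max_bug_bounty_usd: float
    # Financial risk factors (protocol token on a DEX)
    total_liquidity_usd: float
    volume_24h_usd: float
    # Ability to cover risk (listed with Nexus / ArCore / ArNFT)
    coverage_available: bool


def clamp01(x: float) -> float:
    return max(0.0, min(1.0, x))


def admin_key_component(has_admin_key: bool, timelock_hours: Optional[float]) -> float:
    """No admin key scores 1.0. An admin key with no timelock scores 0.0; a
    timelock partially mitigates it (assumed rule: 0.8 at a 48h delay, pro rata below)."""
    if not has_admin_key:
        return 1.0
    if timelock_hours is None or timelock_hours <= 0:
        return 0.0
    return 0.8 * clamp01(timelock_hours / 48.0)


def centralization_subscore(f: RiskFactors) -> float:
    # Lower whale concentration means a more distributed token supply
    whale = 1.0 - clamp01(f.whale_concentration_pct / 100.0)
    return 0.6 * admin_key_component(f.has_admin_key, f.timelock_hours) + 0.4 * whale


def smart_contract_subscore(f: RiskFactors) -> float:
    audits = clamp01(f.audit_count / 3.0)                 # assumed: three audits saturate
    hacks = 1.0 / (1.0 + f.critical_hacks)                 # one critical hack halves the credit
    bounty = clamp01(f.max_bug_bounty_usd / 250_000.0)    # assumed: $250k bounty saturates
    return 0.4 * audits + 0.4 * hacks + 0.2 * bounty


def financial_subscore(f: RiskFactors) -> float:
    # Log scaling (assumed): $1B liquidity scores 1.0, $100M 24h volume scores 1.0
    liquidity = clamp01(math.log10(max(f.total_liquidity_usd, 1.0)) / 9.0)
    volume = clamp01(math.log10(max(f.volume_24h_usd, 1.0)) / 8.0)
    return 0.6 * liquidity + 0.4 * volume


def composite_score(f: RiskFactors) -> float:
    """0-10 score; higher means lower assessed risk. Category weights are assumptions."""
    weighted = (0.30 * centralization_subscore(f)
                + 0.35 * smart_contract_subscore(f)
                + 0.25 * financial_subscore(f)
                + 0.10 * (1.0 if f.coverage_available else 0.0))
    return round(10.0 * weighted, 2)


def risk_band(score: float) -> str:
    """Assumed bands for presenting the score."""
    if score >= 7.5:
        return "low"
    if score >= 5.0:
        return "medium"
    return "high"


# Constructed sample input: admin key, timelock, whale concentration and bounty
# follow the MakerDAO rows above; the remaining values are made up for this run.
MAKER_SAMPLE = RiskFactors(
    has_admin_key=False, timelock_hours=4.0, whale_concentration_pct=55.98,
    audit_count=3, critical_hacks=0, max_bug_bounty_usd=100_000,
    total_liquidity_usd=100_000_000, volume_24h_usd=50_000_000,
    coverage_available=True,
)

if __name__ == "__main__":
    s = composite_score(MAKER_SAMPLE)
    print(f"centralization={centralization_subscore(MAKER_SAMPLE):.3f} "
          f"smart_contract={smart_contract_subscore(MAKER_SAMPLE):.3f} "
          f"financial={financial_subscore(MAKER_SAMPLE):.3f}")
    print(f"score={s} band={risk_band(s)}")
```

The sub-scores are kept separate so that a contributor can see which category drags a protocol down; a single headline number hides whether the issue is an unmitigated admin key or thin liquidity. Any real deployment would replace the assumed thresholds with values agreed by the DAO.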

Maintainers

Creation of this resource was spurred by the good folks at ArmorFi and ConsenSys Codefi.

If you'd like to collaborate, contribute or participate in a DeFi Safety DAO, join the Telegram group.