DeFi Risk Tools & Resources

This is the first step in a larger initiative to create a collaborative DAO to increase safety and transparency for DeFi through a community-driven product risk history and scoring resource.

Providing a credible risk assessment platform helps highlight innovators who are changing the future of finance without cutting corners. Not only does this help the average crypto participant make more intelligent decisions, but it also incentivizes individual projects to boost their overall security and trustworthiness.

Below is a list of the available tools, projects, and protocols for analyzing and managing risk within DeFi.

Note that this list is focused on technical, centralization, and liquidity risk of DeFi protocols, NOT price risk of tokens.

We hope that better sharing of tools, standards, and development patterns will support the safe growth of the DeFi ecosystem overall. We also hope that DeFi protocols, white hat hackers, developers, auditors, and users can unite around the common goal of making DeFi safer for current and future adopters.

To learn more, join the DeFi Safety DAO Telegram group.

Contributions are welcome!

Feel free to submit a pull request, with anything from small fixes to translations to tools you'd like to add (or remove!). If adding a new tool, please add a brief description that you think new developers would understand.

The Basics of DeFi Risk

Building on the work of awesome projects like DeFi Score, DeFi Safety, and others, we believe that the systemic failure of large financial protocols is the biggest risk to a thriving DeFi community over the next few years.

Currently, some of the risks in DeFi include:

Protocols and smart contracts that contain large amounts of value face the following risks:

The resources below list some common methods of failure. We hope that by educating and evangelizing the public, our community can eliminate or mitigate these vulnerabilities as more groundbreaking financial services are built in this space.

Eventually, a DeFi Safety DAO would seek to solve key issues by:

Risk Ratings

Hack Incident Reporting

DeFi Risk Research

Risk Management Projects & Protocols

Coming Soon

Developer Tools

Risk and Security Resources

Potential Further Work and Tools

Form DeFi Safety DAO

DeFi Safety DAO’s goal is to keep the DeFi space safe, robust, and grounded. It will be a community-owned and community-operated blockchain security analysis DAO.

DeFi Safety DAO will provide a comprehensive, 360-degree view of the smart contract threat landscape, involve the community in the scoring process, and make DeFi easier and more accessible by offering a standard of safety that users can trust.

It will function as the first DeFi risk assessment tool built for users to make smarter and safer decisions. Community members can provide qualitative suggestions on potential composability risks for various projects and fill in metrics.

The community will be incentivized to contribute qualitative and quantitative information on smart contract, centralization, and other DeFi risks. Team members will be sourced from the DAO and assembled to work on specific risk assessment tasks, or set up as mini teams to perform comprehensive assessments.

Crowdsourced / Self-reported DeFi Scores

The main inputs in calculating the DeFi Score 2.0 are:

Published guidelines will drive a community-driven initiative based on user ratings: DeFi protocol scores defined by adaptable, objective metrics and risk methodologies, and kept up to date by teams, contributors, and the community.

Protocols that want to be listed should be able to complete a prospective rating themselves and submit it to the DAO for verification and approval. Alternatively, protocols should be able to offer grants for crowdsourced completion of ratings.

To help get things started, ConsenSys Codefi will also:

Soon a decentralized community of contributors will form to maintain this important infrastructure.

Gitcoin Bounties

Continued improvements on DeFi scoring with bounties for clear, specific, predictable data. Sample draft SOPs are provided below in the "Risk Factors Database and SOPs" section.

Coordinape

Enables decentralized and transparent distribution of rewards autonomously allocated by the community of contributors doing the work. This will provide insights on what the community finds most valuable, and who the key contributors are in different areas. Their aim is to make the experience of contributors more dynamic, rewarding, fair and transparent.

Teams of DAO members working on particular tasks will be assembled into "Circles". Circles could be specialized based on the task or risk being assessed, or they could be set up as mini teams that perform comprehensive assessments. Circles will be assigned a budget for each task or project, to be paid on completion. Total rewards are then divided among the members of the Circle based on contribution.

For crowdsourcing to be effective, it is important to ensure that:

To address this, a credibility score may be implemented.

Credibility of Auditors and Assessors

Circles/individuals may be rated on a constantly optimized credibility score. The credibility score will be composed of:

Protocols can restrict who may take on their crowdsourced audits based on credibility score. Payment for services will also be based on the credibility score of the individual or Circle performing the work.

Organization Details

Hives: Collection of circles that perform the same generalized function.

Circles: Autonomous teams with specialized expertise whose responsibilities are clearly delineated. All members of a Circle act as peers.

Structure:

Hive A: Smart Contract Risk assessors

Hive B: Centralization Risk assessors

Hive C: Financial Risk assessors

Hive D: Mitigation Measures assessors

Within each Hive, there will be specialized expertise circles for:

Circle 1: Lending platforms

Circle 2: Trading platforms

Circle 3: Yield farming platforms

Audit Circles: Circles can be specialized based on Audit tools used or by parts of the Audit split by expertise type (like with DeFi score circles above)

3rd Party Composite Score

Composite risk rating defined by compiling other DeFi safety scores which can be crowdsourced or automatically generated.

A list of DeFi ratings, which the DAO can leverage:

Crowdsourced Audits

Crowdsourced audits are ground-breaking and need to be defined carefully, but proactive security work is necessary in DeFi.

One practical way to raise protocol security is to combine rigorous crowdsourced audits with bug bounties large enough that a hacker who finds a bug is better off reporting it than exploiting it.

Protocols can pay for crowdsourced audits. Members of the DAO will conduct audits and report results, including bugs found, proposed fixes, time spent on the audit, and tools used.

Audits can be completed on request by the protocol (paid jobs), or complete audits and/or parts of audits can be completed by individuals as research to build their credibility on the platform (free jobs).

Autonomous contributors can work on specific risk assessment tasks or perform comprehensive assessments.

DeFi Risk Glossary & Knowledge Base

Hacks vs exploits vs rugs vs scams, with detailed definitions and prevention strategies. Positive DeFi/DAO best practices for new and current projects to build on. Definition of DeFi risk factors used in the model.

Hack Event Registry

An accessible resource for learning about past DeFi vulnerabilities/exploits and helping prevent them in the future.

Pooled Bug Bounties

Aggregate bug bounties across protocols. Bounty hunters will be incentivized to hunt for critical vulnerabilities and be rewarded in the process. Armor and Immunefi have already been working with ecosystem protocols on a Big Bug Bounty Challenge. Protocols can offer bug bounties on Immunefi for exposure to a larger pool of interested whitehat hackers.

Risk Factors Database and SOPs

Objective: Adapt https://defiscore.io/ and https://inspect.codefi.network/ to the current DeFi landscape for measuring protocol risks with decentralized contributor model. We’ve put together a list of risk factors that can be used as a base to build upon an improved and robust DeFi scoring system.

We are looking for a solution that has the ability to:

Below, you can find the risk factor data points that we put together including sample data, and steps for generating the data manually. Click here to view data for the Top 10 DeFi protocols based on the risk factor data points listed below. Feedback and improvements are most welcome.

Risk Factor Data Points

Key Stats

<table>
  <tr>
    <th>Key Stats</th>
    <th>Sample Research Results</th>
    <th>SOP for Manual Data Gathering</th>
  </tr>
  <tr>
    <td>TVL in USD</td>
    <td>$8.75B</td>
    <td rowspan="8">
      <ol>
        <li>Go to <a href="https://defipulse.com/">https://defipulse.com/</a></li>
        <li>Search for the protocol name. Here is the example for MakerDAO: <a href="https://defipulse.com/maker">https://defipulse.com/maker</a></li>
      </ol>
      <p>The sample values are a snapshot for MakerDAO at the time the research was done; record the date alongside the numbers when you gather them, since TVL moves with both deposits and asset prices.</p>
    </td>
  </tr>
  <tr><td>TVL in ETH</td><td>3.7M ETH</td></tr>
  <tr><td>TVL in BTC</td><td>137.3K BTC</td></tr>
  <tr><td>ETH Locked</td><td>2.9M ETH</td></tr>
  <tr><td>% Supply Locked</td><td>2.51%</td></tr>
  <tr><td>Blockchain</td><td>Ethereum</td></tr>
  <tr><td>Most Locked</td><td>$WETH</td></tr>
  <tr><td>Protocol Token</td><td>$MKR</td></tr>
</table>

Centralization Risk Factors

<table>
  <tr>
    <th>Centralization Risks</th>
    <th>Sample Research Results</th>
    <th>SOP for Manual Data Gathering</th>
  </tr>
  <tr>
    <td>Admin Keys</td>
    <td>
      <p>MakerDAO - smart contracts do not have an admin key. There is no single key or multisig that can be used to modify MakerDAO's smart contracts. Any changes must be approved by a governance vote. Note that this only relates to admin key risk; MakerDAO is still subject to smart contract risk.</p>
      <p><a href="https://inspect.codefi.network/details/maker/admin-keys">https://inspect.codefi.network/details/maker/admin-keys</a></p>
      <p>Instadapp - no admin key or ability to modify</p>
      <p><a href="https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/">https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/</a></p>
      <p>Synthetix - Once a proposal is approved through voting, users must trust Synthetix’s protocolDAO to make the modification to the protocol. protocolDAO is a fancy way of describing a 4-of-8 multisig admin key (48 hour timelock). However, action by the protocolDAO is in no way technically connected to the off-chain voting that occurs. Therefore, users must trust the protocolDAO to act responsibly and skillfully.</p>
      <p>In addition, any one member of the protocolDAO has the ability to pause the entire Synthetix system in the case of an emergency. No vote is required, and no other members of the DAO have to be involved for one member to do this.</p>
      <p><a href="https://defiwatch.net/defi-projects/synthetix">https://defiwatch.net/defi-projects/synthetix</a></p>
      <p>Bancor - had admin keys</p>
      <p><a href="https://twitter.com/Diane_0320/status/1273501704491683840">https://twitter.com/Diane_0320/status/1273501704491683840</a></p>
    </td>
    <td>
      <p>Find out whether anyone holds an admin key for the protocol's contracts.</p>
      <p>Admin keys are held by the project's administrators and let them change the rules of a contract (parameters, upgrades, pausing, moving funds) without a user vote. Many projects guard their admin keys with a timelock and a multisig, but no project can prove that its operational security around those keys is sound, so users must rely on the team's competence and key management. When an admin key exists, record who holds it (a single key, a multisig and its threshold, or on-chain governance), what it can do, and whether any single signer can act alone, as in the Synthetix example where one protocolDAO member can pause the whole system.</p>
      <p>Here are some references we found. If the protocol is not mentioned in any of these resources, do a keyword search for "does &lt;protocol&gt; have admin keys?" (or similar).</p>
      <p><a href="https://inspect.codefi.network/details">https://inspect.codefi.network/details</a></p>
      <p><a href="https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/">https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/</a></p>
      <p><a href="https://cointelegraph.com/news/how-many-defi-projects-still-have-god-mode-admin-keys-more-than-you-think">https://cointelegraph.com/news/how-many-defi-projects-still-have-god-mode-admin-keys-more-than-you-think</a></p>
      <p><a href="https://defiwatch.net/">https://defiwatch.net/</a></p>
    </td>
  </tr>
  <tr>
    <td>Timelock</td>
    <td>
      <p>MakerDAO - 4 hours</p>
      <p><a href="https://inspect.codefi.network/details/maker">https://inspect.codefi.network/details/maker</a></p>
      <p>Uniswap - The Timelock has a hard-coded minimum delay of 2 days, which is the least amount of notice possible for a governance action. Each proposed action will be published at a minimum of 2 days in the future from the time of announcement. Major upgrades, such as changing the risk system, may have up to a 30 day delay.</p>
      <p><a href="https://uniswap.org/docs/v2/governance/governance-reference/#timelock">https://uniswap.org/docs/v2/governance/governance-reference/#timelock</a></p>
      <p>SushiSwap - It takes 48 hours for transactions to pass the timelock</p>
      <p><a href="https://docs.sushi.com/products/yield-farming/menu-of-the-week">https://docs.sushi.com/products/yield-farming/menu-of-the-week</a></p>
    </td>
    <td>
      <p>Find out whether the protocol has a timelock on its smart contracts and, if so, record the delay.</p>
      <p>A timelock is a fixed delay between when an admin or governance action is queued and when it can execute. It gives users reaction time if an unexpected or malicious change is queued, so they can withdraw and secure their funds before it takes effect. The delay is enforced in code, and shortening it normally requires an action that itself has to pass through the timelock, so it cannot be reduced without notice. Also note who can queue and cancel actions, and whether any emergency function (such as pause) bypasses the delay.</p>
      <p>Check the protocol's documentation on its website, or do a keyword search for "does &lt;protocol&gt; have a timelock?" (or similar).</p>
    </td>
  </tr>
  <tr>
    <td>Whale Concentration</td>
    <td>
      <p>MakerDAO - 17 whales hold 55.98% of MKR tokens</p>
      <p><a href="https://drive.google.com/file/d/1JsYuhpOiyuiQVEP3ZbjTCUprUeCPpwAZ/view?usp=sharing">https://drive.google.com/file/d/1JsYuhpOiyuiQVEP3ZbjTCUprUeCPpwAZ/view?usp=sharing</a></p>
    </td>
    <td>
      <p>The term "whale" in cryptocurrency describes an individual or organization that holds a large amount of a particular token. For a governance token this matters because a few holders controlling a majority of the supply can pass or block proposals on their own, so record the top holders' combined share and how many addresses it takes to exceed 50%.</p>
      <p>You can sign up for a 7-day free trial (no credit card required) on <a href="https://www.intotheblock.com/">https://www.intotheblock.com/</a>. Note that a single large address may be an exchange or a contract (for example a staking pool) rather than one holder.</p>
    </td>
  </tr>
</table>
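The Admin Keys and Timelock SOPs above can be partly automated by reading the contracts themselves instead of relying on keyword searches. The block below is an added example written for this page; it is not code from the original page or from any listed protocol. It recognises only the common patterns: the EIP-1967 proxy admin storage slot, an Ownable `owner()`, a Compound-style Timelock `delay()`, and a Gnosis Safe `getThreshold()`. Custom authorisation schemes such as MakerDAO's wards are not detected and still need manual review. The `JsonRpcChain` client, the `FakeChain` used for the offline demo with its made-up addresses, and the 24-hour rating threshold are all assumptions made for the illustration.

```python
"""Added example, not code from the page or any protocol: automates the "Admin Keys" and
"Timelock" SOPs by reading the chain. Detects only EIP-1967 proxy admins, Ownable owner(),
Compound-style Timelock delay() and Gnosis Safe getThreshold(); custom auth such as MakerDAO's
wards is NOT detected. Risk thresholds are an assumption, not the page's scoring rules."""
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

SEL_OWNER = "0x8da5cb5b"          # owner()         (4-byte selector = keccak256(sig)[:4])
SEL_GET_THRESHOLD = "0xe75235b8"  # getThreshold()  Gnosis Safe
SEL_DELAY = "0x6a42b8f8"          # delay()         Compound-style Timelock
SLOT_ADMIN = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"  # EIP-1967 admin
TIMELOCK_OK_SECONDS = 24 * 3600   # assumed: at least 24h of notice rates "low"

class JsonRpcChain:
    """Minimal JSON-RPC client for a real node; an error or revert comes back as "0x"."""
    def __init__(self, url: str):
        self.url = url
    def _rpc(self, method, params):
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params}).encode()
        req = urllib.request.Request(self.url, body, {"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp).get("result") or "0x"
    def get_code(self, addr): return self._rpc("eth_getCode", [addr, "latest"])
    def get_storage(self, addr, slot): return self._rpc("eth_getStorageAt", [addr, slot, "latest"])
    def call(self, to, data): return self._rpc("eth_call", [{"to": to, "data": data}, "latest"])

@dataclass
class AdminReport:
    contract: str
    upgradeable: bool = False             # EIP-1967 proxy: the admin can swap the implementation
    controller: Optional[str] = None      # address that ultimately holds the admin key
    controller_kind: str = "none"         # none | eoa | multisig | timelock | contract
    multisig_threshold: Optional[int] = None
    timelock_delay_s: Optional[int] = None
    risk: str = "none detected"           # assumed scale; "none detected" is NOT a clean bill

def _addr(word: str) -> Optional[str]:    # 32-byte ABI/storage word -> address, None if zero/empty
    h = word[2:].rjust(64, "0")
    return None if set(h) == {"0"} else "0x" + h[-40:].lower()

def _uint(word: str) -> Optional[int]:    # 32-byte ABI word -> int, None if the call reverted
    return int(word, 16) if len(word) > 2 else None

def classify(chain, addr: str):
    """(kind, multisig_threshold, timelock_delay_s) for a key-holding address."""
    if chain.get_code(addr) in ("0x", ""):
        return "eoa", None, None
    delay = _uint(chain.call(addr, SEL_DELAY))
    if delay is not None:
        return "timelock", None, delay
    threshold = _uint(chain.call(addr, SEL_GET_THRESHOLD))
    if threshold is not None:
        return "multisig", threshold, None
    return "contract", None, None

def check_admin_keys(chain, contract: str) -> AdminReport:
    rep = AdminReport(contract=contract)
    proxy_admin = _addr(chain.get_storage(contract, SLOT_ADMIN))
    rep.upgradeable = proxy_admin is not None
    holder = proxy_admin or _addr(chain.call(contract, SEL_OWNER))
    if holder is None:           # neither pattern matched: custom auth (e.g. wards) needs manual review
        return rep
    kind, thr, delay = classify(chain, holder)
    for _ in range(3):           # follow owner() through e.g. a ProxyAdmin to the real holder
        nxt = _addr(chain.call(holder, SEL_OWNER)) if kind == "contract" else None
        if nxt is None:
            break
        holder = nxt
        kind, thr, delay = classify(chain, holder)
    rep.controller, rep.controller_kind = holder, kind
    rep.multisig_threshold, rep.timelock_delay_s = thr, delay
    # eoa: one key, no delay; multisig / unknown contract: changes execute at once; timelock: notice
    rep.risk = {"eoa": "high", "multisig": "medium", "contract": "medium",
                "timelock": "low" if (delay or 0) >= TIMELOCK_OK_SECONDS else "medium"}[kind]
    return rep

class FakeChain:
    """Constructed in-memory chain so the demo runs offline; the addresses are made up."""
    def __init__(self): self.code, self.storage, self.calls = {}, {}, {}
    def get_code(self, a): return self.code.get(a.lower(), "0x")
    def get_storage(self, a, s): return self.storage.get((a.lower(), s), "0x" + "0" * 64)
    def call(self, to, data): return self.calls.get((to.lower(), data), "0x")

def _word_addr(a): return "0x" + a[2:].lower().rjust(64, "0")   # ABI-encode an address
def _word_uint(n): return "0x" + format(n, "064x")               # ABI-encode a uint256

def run_demo() -> dict:
    proxy, proxy_admin, timelock, safe, own_a, own_b, eoa, immutable = ("0x" + c * 40 for c in "12345678")
    ch = FakeChain()
    ch.code = {a: "0x6080" for a in (proxy, proxy_admin, timelock, safe, own_a, own_b, immutable)}
    ch.storage[(proxy, SLOT_ADMIN)] = _word_addr(proxy_admin)   # proxy -> ProxyAdmin -> 48h Timelock
    ch.calls[(proxy_admin, SEL_OWNER)] = _word_addr(timelock)
    ch.calls[(timelock, SEL_DELAY)] = _word_uint(48 * 3600)
    ch.calls[(own_a, SEL_OWNER)] = _word_addr(safe)             # Ownable -> 4-of-N Safe, no timelock
    ch.calls[(safe, SEL_GET_THRESHOLD)] = _word_uint(4)
    ch.calls[(own_b, SEL_OWNER)] = _word_addr(eoa)              # Ownable -> a single EOA
    return {n: check_admin_keys(ch, a) for n, a in [("proxy_timelock", proxy),
            ("ownable_multisig", own_a), ("ownable_eoa", own_b), ("immutable", immutable)]}
```

Against a live node, `check_admin_keys(JsonRpcChain("https://<your-rpc-url>"), "<contract address>")` produces the same report. A `risk` of `none detected` only means none of the four patterns matched; a contract with a bespoke auth scheme still has to be read by hand, and a timelock's own admin (who can queue and cancel) should be recorded in the table as well.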

Smart Contract Risk Factors

<table>
  <tr>
    <th>Smart Contract Risks</th>
    <th>Sample Research Results</th>
    <th>SOP for Manual Data Gathering</th>
  </tr>
  <tr>
    <td>Audit History</td>
    <td>
      <p>MakerDAO</p>
      <p><a href="https://github.com/makerdao/audits">https://github.com/makerdao/audits</a></p>
      <p><a href="https://security.makerdao.com/audit-reports">https://security.makerdao.com/audit-reports</a></p>
      <p>Compound</p>
      <p><a href="https://compound.finance/docs/security#audits">https://compound.finance/docs/security#audits</a></p>
      <p>Aave</p>
      <p><a href="https://docs.aave.com/developers/security-and-audits">https://docs.aave.com/developers/security-and-audits</a></p>
    </td>
    <td>
      <p>Find out whether the protocol has been audited by searching for security audit references.</p>
      <p>Contract code cannot be changed once deployed (unless the contract is upgradeable, which brings back admin key risk), so a flaw in deployed code cannot be quietly patched and puts users' assets at risk. External security audits before deployment are therefore crucial. An audit reduces risk but does not eliminate it: check that the audited commit matches the code actually deployed, and whether the findings were fixed.</p>
      <p>You can do a keyword search for "&lt;protocol&gt; audit history" or "&lt;protocol&gt; security audit" (or similar).</p>
    </td>
  </tr>
  <tr>
    <td>Critical Hack History</td>
    <td>
      <p>MakerDAO - No, but it was a close call</p>
      <p><a href="https://www.coindesk.com/55m-hack-ethereum-down">https://www.coindesk.com/55m-hack-ethereum-down</a></p>
      <p>Compound - Pickle Finance was hacked through Compound</p>
      <p><a href="https://news.bitcoin.com/hackers-paradise-yet-another-defi-protocol-exploited-for-nearly-20-million-in-dai/">https://news.bitcoin.com/hackers-paradise-yet-another-defi-protocol-exploited-for-nearly-20-million-in-dai/</a></p>
      <p>Aave - Yearn Finance was hacked through Aave</p>
      <p><a href="https://www.crowdfundinsider.com/2021/02/171974-defi-platform-yearn-finances-dai-vault-suffers-major-exploit-hack-leads-to-11-million-in-value-drained-from-platforms">https://www.crowdfundinsider.com/2021/02/171974-defi-platform-yearn-finances-dai-vault-suffers-major-exploit-hack-leads-to-11-million-in-value-drained-from-platforms</a></p>
    </td>
    <td>
      <p>Find out whether the protocol has been hacked before, or whether there is any relevant news about it being hacked.</p>
      <p>Distinguish between exploits of the protocol's own contracts and incidents in which the protocol was only a component of an attack on another project (for example as a source of flash loans or collateral), as in the Compound and Aave examples; the latter say little about the safety of the protocol's own code.</p>
      <p>You can do a keyword search for "has &lt;protocol&gt; been hacked?" or "&lt;protocol&gt; hacked" (or similar).</p>
    </td>
  </tr>
  <tr>
    <td>Highest Bug Bounty USD</td>
    <td>
      <p>MakerDAO - $100,000</p>
      <p>Compound Finance - $150,000</p>
      <p>Aave - $250,000</p>
    </td>
    <td>
      <p>Does the protocol have a bug bounty program? If yes, what is the maximum payout?</p>
      <p>You can do a keyword search for "&lt;protocol&gt; bug bounty".</p>
    </td>
  </tr>
  <tr>
    <td>Bug Bounty Page</td>
    <td>
      <p>MakerDAO</p>
      <p><a href="https://hackerone.com/makerdao_bbp?type=team">https://hackerone.com/makerdao_bbp?type=team</a></p>
      <p>Compound Finance</p>
      <p><a href="https://compound.finance/docs/security#bug-bounty">https://compound.finance/docs/security#bug-bounty</a></p>
      <p>Aave</p>
      <p><a href="https://aave.com/bug-bounty/">https://aave.com/bug-bounty/</a></p>
    </td>
    <td>
      <p>Provide the bug bounty page of the protocol where the maximum reward is stated.</p>
    </td>
  </tr>
</table>

Financial Risk Factors

<table>
  <tr>
    <th>Financial Risks</th>
    <th>Sample Research Results</th>
    <th>SOP for Manual Data Gathering</th>
  </tr>
  <tr>
    <td>Total Liquidity</td>
    <td>
      <p>Uniswap - $105,642,533</p>
      <p><a href="https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984">https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984</a></p>
      <p>Sushiswap - $2,182,622</p>
      <p><a href="https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2">https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2</a></p>
    </td>
    <td rowspan="2">
      <p>What are the total liquidity and 24-hour volume of the protocol token?</p>
      <p>Liquidity is the degree to which an asset can be bought or sold quickly without moving its price; in other words, how easily it can be converted into cash. Higher liquidity is preferred: large trades (including liquidations) execute near the quoted price, and the market is more stable.</p>
      <p>Volume is the amount of trading activity in the token, buying or selling, over a period such as 24 hours. High volume is generally a good sign, since it indicates a liquid and active market, but check that it is not concentrated in a single pool or a handful of addresses.</p>
      <ol>
        <li>Go to <a href="https://info.uniswap.org/home">https://info.uniswap.org/home</a></li>
        <li>Search for the token name</li>
      </ol>
      <p>Note that these figures cover Uniswap pools only; liquidity on other venues (including, for SUSHI, Sushiswap itself) is not included, so treat them as a lower bound.</p>
    </td>
  </tr>
  <tr>
    <td>Volume (24H)</td>
    <td>
      <p>Uniswap - $52,455,299</p>
      <p><a href="https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984">https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984</a></p>
      <p>Sushiswap - $1,644,410</p>
      <p><a href="https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2">https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2</a></p>
    </td>
  </tr>
</table>
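To make the liquidity definition in the table concrete: in a constant-product pool the reserves determine exactly how much a given trade moves the price, so "liquidity" can be turned into a number a risk assessor can act on. The block below is an added example, not part of the original page or of Uniswap's code. It reimplements the Uniswap v2 `getAmountOut` formula with its 0.30% fee and uses two constructed pools at the same $10 spot price to show how a $100M pool and a $2M pool absorb the same 100,000-token sell, and how large a sell each can take before price impact exceeds 1%. The pool sizes, the 1% threshold and the helper names are assumptions made for the illustration.

```python
"""Added example (not from the page): what the "Total Liquidity" figure means for trade
execution in a constant-product AMM such as Uniswap v2 (x * y = k, 0.30% fee).
Pool sizes below are constructed; the formula is Uniswap v2's getAmountOut."""

FEE_BPS = 30  # Uniswap v2 takes 0.30% of the input amount


def amount_out(reserve_in: float, reserve_out: float, amount_in: float, fee_bps: int = FEE_BPS) -> float:
    """Tokens received for amount_in given the current reserves (Uniswap v2 getAmountOut)."""
    amount_in_with_fee = amount_in * (10_000 - fee_bps)
    return amount_in_with_fee * reserve_out / (reserve_in * 10_000 + amount_in_with_fee)


def price_impact_pct(reserve_in: float, reserve_out: float, amount_in: float) -> float:
    """Percent by which the executed price falls short of the spot price (fee included)."""
    spot = reserve_out / reserve_in
    executed = amount_out(reserve_in, reserve_out, amount_in) / amount_in
    return (1 - executed / spot) * 100


def max_trade_for_impact(reserve_in: float, reserve_out: float, max_impact_pct: float, iters: int = 80) -> float:
    """Largest sell whose price impact stays within max_impact_pct (binary search; impact is
    monotonic in size). Returns 0 when even a tiny trade exceeds the limit, i.e. the limit is
    below the fee itself."""
    if price_impact_pct(reserve_in, reserve_out, 1e-9 * reserve_in) > max_impact_pct:
        return 0.0
    lo, hi = 0.0, reserve_in * 10  # impact tends to 100% as size grows, so 10x reserves is enough
    for _ in range(iters):
        mid = (lo + hi) / 2
        if price_impact_pct(reserve_in, reserve_out, mid) <= max_impact_pct:
            lo = mid
        else:
            hi = mid
    return lo


def pool_depth_report(token_reserve: float, usd_reserve: float, sell_amount: float) -> dict:
    """Summarise how a pool of the given depth absorbs a sell of sell_amount tokens for USD."""
    k_before = token_reserve * usd_reserve
    got = amount_out(token_reserve, usd_reserve, sell_amount)
    k_after = (token_reserve + sell_amount) * (usd_reserve - got)
    return {
        "spot_price": usd_reserve / token_reserve,
        "usd_received": got,
        "impact_pct": price_impact_pct(token_reserve, usd_reserve, sell_amount),
        "max_sell_at_1pct": max_trade_for_impact(token_reserve, usd_reserve, 1.0),
        "k_non_decreasing": k_after >= k_before,  # the fee stays in the pool, so k never shrinks
    }


# Constructed pools: both at a $10 spot price, $100M vs $2M of total depth (token side + USD side).
DEEP = (5_000_000, 50_000_000)
SHALLOW = (100_000, 1_000_000)

if __name__ == "__main__":
    for name, (tokens, usd) in (("deep", DEEP), ("shallow", SHALLOW)):
        print(name, pool_depth_report(tokens, usd, 100_000))
```

Run the file to print both reports: the same 100,000-token sell costs about 2.2% in the deep pool and roughly half its value in the shallow one. For risk assessment the useful figure is the exit- or liquidation-sized trade a pool can absorb, not the headline total, and a token whose liquidity sits in one pool can have that exit capacity drained by a single large holder.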

Ability to Cover Risks

<table>
  <tr>
    <th>Ability to Cover Risk</th>
    <th>Sample Research Results</th>
    <th>SOP for Manual Data Gathering</th>
  </tr>
  <tr>
    <td>Nexus</td>
    <td>Yes</td>
    <td rowspan="3">
      <p>As with any investment, being able to limit losses by buying cover against smart contract bugs and hacks matters. This row records only whether cover is available for the protocol, not how much capacity exists or what the policy excludes, so read the cover terms before relying on it.</p>
      <ol>
        <li>Go to <a href="https://armor.fi/mint">https://armor.fi/mint</a> (you must connect your wallet to see the list of covered protocols)</li>
        <li>Uncheck the gift box</li>
        <li>Search for the protocol name. If it is listed, enter YES for Nexus, ArCore and ArNFT; if it is not, enter NO.</li>
      </ol>
    </td>
  </tr>
  <tr><td>ArCore</td><td>Yes</td></tr>
  <tr><td>ArNFT</td><td>Yes</td></tr>
</table>

Maintainers

Creation of this resource was spurred by the good folks at ArmorFi and ConsenSys Codefi.

If you'd like to collaborate, contribute or participate in a DeFi Safety DAO, join the Telegram group.