Analyst Chris Blec shows how to evaluate the security characteristics of DeFi projects, and an open-source scheme, DeFi Score, rates the smart contract, centralization and financial risk of lending protocols.

Now more than ever, the decentralized finance (DeFi) ecosystem is under study and close analysis following the attack on the bZx platform. That event showed how decentralized these systems really are, and how much centralization many of these projects still retain.

Amid that discussion, some people have taken on the task of informing users how much risk they run when they use decentralized platforms, what they should know, and which platforms they can trust. This article presents two models that let users judge how much risk they take on when they operate in the DeFi sector.

Last February, the well-known analyst Chris Blec published a document presenting an overview of the operational security around the wallets that hold the administrative keys of various decentralized applications (dApps).

Operations security (OPSEC) is a process that identifies actions by the defending side that could be useful to a potential attacker: if an adversary analyzes them properly and correlates them with other data, they can reveal critical information or confidential data. OPSEC then applies countermeasures to reduce or eliminate the adversary's ability to exploit them.

Based on that criterion, Blec studied the methods that thirteen DeFi projects have deployed to keep funds safe from attackers. He evaluated eight features, including timelocks, multi-signature control, and other details of how administrator keys are handled.

Blec found that almost all of the projects he evaluated hold private keys that grant administrative rights over their smart contracts. Those keys allow the contracts to be changed or upgraded, which puts users' funds at risk if that power falls into malicious hands, since a compromised or rogue key can alter the very contract that holds the funds.
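To make the trade-off concrete, here is a small Python model, added to this article and not taken from Blec's report or from any of the projects he reviewed, that contrasts a single administrator key with a multi-signature key behind a timelock and shows what one stolen key buys an attacker in each design. The contract parameter being changed, the signer labels, the two-of-three threshold and the two-day delay are assumptions chosen for the illustration.

```python
"""Admin-key control models for a DeFi contract (added illustration).

Not code from Chris Blec's report or from any project he reviewed. Contrasts an
administrator key that changes a contract instantly with the two countermeasures
the report scores: a multi-signature threshold and a timelock. Addresses, delay
and the parameter being changed are assumptions made for the demonstration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SECONDS_PER_DAY = 86_400


class SingleKeyAdmin:
    """One admin key, no delay: whoever holds the key changes the contract at once."""

    def __init__(self, admin: str) -> None:
        self.admin = admin
        self.params: dict[str, str] = {}

    def set_param(self, caller: str, name: str, value: str) -> None:
        if caller != self.admin:
            raise PermissionError("caller is not the admin key")
        self.params[name] = value  # takes effect in the same transaction


@dataclass
class QueuedOp:
    name: str
    value: str
    eta: int                                    # earliest timestamp at which execution is allowed
    approvals: set[str] = field(default_factory=set)


class TimelockedMultisigAdmin:
    """A change needs `threshold` of `signers` to approve, then waits `delay` seconds."""

    def __init__(self, signers: list[str], threshold: int, delay: int) -> None:
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = set(signers)
        self.threshold = threshold
        self.delay = delay
        self.queue: dict[int, QueuedOp] = {}
        self.params: dict[str, str] = {}
        self._next_id = 0

    def _require_signer(self, caller: str) -> None:
        if caller not in self.signers:
            raise PermissionError("caller is not a signer")

    def propose(self, caller: str, name: str, value: str, now: int) -> int:
        self._require_signer(caller)
        op_id = self._next_id
        self._next_id += 1
        self.queue[op_id] = QueuedOp(name, value, eta=now + self.delay, approvals={caller})
        return op_id

    def approve(self, caller: str, op_id: int) -> None:
        self._require_signer(caller)
        self.queue[op_id].approvals.add(caller)

    def execute(self, caller: str, op_id: int, now: int) -> None:
        self._require_signer(caller)
        op = self.queue[op_id]
        if len(op.approvals) < self.threshold:
            raise PermissionError(f"{len(op.approvals)} of {self.threshold} approvals")
        if now < op.eta:
            raise RuntimeError(f"timelock: {op.eta - now} seconds remaining")
        self.params[op.name] = op.value
        del self.queue[op_id]

    def pending(self) -> list[tuple[str, str, int]]:
        """Queued changes, visible on-chain to users and monitoring bots before they take effect."""
        return [(op.name, op.value, op.eta) for op in self.queue.values()]


def _attempt(action) -> bool:
    """Run an admin action and report whether it went through."""
    try:
        action()
        return True
    except (PermissionError, RuntimeError):
        return False


def simulate_stolen_key() -> dict:
    """Attacker holds one admin key in both designs; returns what they can achieve."""
    out = {}
    single = SingleKeyAdmin(admin="0xAdmin")                 # assumed label, not a real address
    single.set_param("0xAdmin", "price_oracle", "0xAttacker")
    out["single_key_changed_instantly"] = single.params["price_oracle"] == "0xAttacker"

    t0 = 1_700_000_000                                        # constructed block timestamp
    ms = TimelockedMultisigAdmin(["0xA", "0xB", "0xC"], threshold=2, delay=2 * SECONDS_PER_DAY)
    op = ms.propose("0xA", "price_oracle", "0xAttacker", now=t0)
    out["one_key_enough"] = _attempt(lambda: ms.execute("0xA", op, now=t0))        # below threshold
    ms.approve("0xB", op)                                     # assume a second key is also stolen
    out["instant_with_two_keys"] = _attempt(lambda: ms.execute("0xA", op, now=t0 + 1))  # delay holds
    out["warning_seconds"] = ms.pending()[0][2] - t0          # time users have to withdraw
    ms.execute("0xA", op, now=t0 + 2 * SECONDS_PER_DAY)      # succeeds only after the full delay
    out["changed_after_delay"] = ms.params.get("price_oracle") == "0xAttacker"
    return out


if __name__ == "__main__":
    print(simulate_stolen_key())
```

Note that the timelock does not prevent the malicious change; it makes it visible in advance, which is what gives users and monitoring bots the window to withdraw funds and is why Blec scores its presence alongside multi-signature control.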

Measuring Exposure to Risk

Given that risks are not always clearly visible, and are often difficult for the average user to interpret, there is a way to measure them: DeFi Score, a community-driven standard for assessing the risk of operating on decentralized lending platforms.

The model is based on a score that rates the risk of operating on each platform. The measurement takes into account several factors, including smart contract risk, centralization risk, and financial risk.

The model rates each of these characteristics on a scale from 0 to 10. The scheme is a useful way to assess risk at a glance and without technical knowledge. DeFi Score was initially released by ConsenSys and is now open source.

The most popular assets (DAI, USDC, and WBTC, among others) are each rated per platform on which they are used. A score of 10 is the best possible and indicates the lowest assessed risk. A score of 0 indicates a significant degree of risk and, consequently, that users should avoid the asset (or platform) altogether.

For smart contract risk, the analysis rests on the security of the lending platform's underlying code. This score lets users judge how battle-tested a protocol is and what mechanisms exist to find and remove flaws in its smart contract code on an ongoing basis: smart contract audits, bug bounty programs, and formal verification.

The other characteristic the scheme evaluates is financial risk: how the mechanisms behind a platform's financial instruments behave. It accounts for variation in areas such as liquidity, the volatility of the instruments, and collateral requirements.

The assessment of collateral risk, for example, examines two pieces of data, both derived from on-chain data. The first is the 30-day exponential moving average (EMA) of the collateralization ratio. The second is an analysis of the collateral pool using the Conditional Value at Risk (CVaR) model, also known as expected shortfall, according to the project's website.
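The two collateral-risk inputs are easy to compute, and seeing them side by side shows what each one captures: the EMA smooths the collateralization ratio so a single day's spike does not move it, while CVaR looks only at the worst tail of the collateral asset's returns. The Python below is a worked example added to this article, not DeFi Score's own code (its public repository holds the actual thresholds and weights). The ratio series and daily returns are constructed, and the final "stressed ratio" check is an addition of this example rather than part of the model.

```python
"""Collateral-risk inputs of the DeFi Score model (added worked example).

Not DeFi Score's own code. Implements the two quantities the text names: a
30-day exponential moving average (EMA) of a collateralization ratio and the
Conditional Value at Risk (CVaR, expected shortfall) of the collateral asset's
daily returns. Input series are constructed; the stressed-ratio check is an
addition of this example, not part of the model.
"""
from statistics import mean


def ema(series, span=30):
    """EMA with smoothing factor 2 / (span + 1), seeded with the first observation.
    For a daily series, span=30 gives the 30-day EMA."""
    if not series:
        raise ValueError("empty series")
    alpha = 2.0 / (span + 1)
    out = [series[0]]
    for x in series[1:]:
        out.append(alpha * x + (1 - alpha) * out[-1])
    return out


def cvar(returns, level=0.95):
    """Expected shortfall at `level`: the average loss over the worst (1 - level)
    fraction of observations, returned as a positive loss (0.10 means a 10% drop)."""
    if not returns:
        raise ValueError("empty returns")
    k = max(1, int(round(len(returns) * (1 - level))))   # size of the tail
    tail = sorted(returns)[:k]                            # most negative returns first
    return -mean(tail)


def collateral_risk_inputs(ratios, returns, span=30, level=0.95):
    """Return the EMA ratio, the CVaR of collateral returns, and (added here) the
    ratio that would remain if the collateral fell by the expected shortfall."""
    ema_ratio = ema(ratios, span)[-1]
    shortfall = cvar(returns, level)
    return {
        "ema_ratio": ema_ratio,
        "cvar": shortfall,
        "stressed_ratio": ema_ratio * (1 - shortfall),
    }


# Constructed inputs: a collateralization ratio drifting from 1.60 down to 1.405
# over 40 days, and 20 daily returns of the collateral asset with two sharp drops.
RATIOS = [1.60 - 0.005 * i for i in range(40)]
RETURNS = [0.01, -0.02, 0.015, -0.005, 0.02, -0.12, 0.03, 0.004, -0.01, 0.012,
           -0.08, 0.006, 0.009, -0.015, 0.02, -0.003, 0.011, -0.006, 0.007, 0.002]

if __name__ == "__main__":
    print(collateral_risk_inputs(RATIOS, RETURNS))              # 95% tail: one worst day
    print(collateral_risk_inputs(RATIOS, RETURNS, level=0.90))  # 90% tail: two worst days
```

With these inputs the 95% CVaR is 0.12 (the single worst day) and the 90% CVaR is 0.10 (the average of the two worst days), while the EMA of the declining ratio lags above the latest observation; a practitioner would watch both the level of the EMA and how far below it the spot ratio sits.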

By Alexander Salazar


