Navigating DeFi risks

Amitai Ruskin November 23,2021

Decentralized Finance, or DeFi, pioneered the use of blockchain technology to create revolutionary financial products (If you aren’t sure what DeFi is see DeFi guide for a good intro).

DeFi today is like the wild west with unbelievably lucrative investment opportunities, but with these come a whole host of dangers. This year alone, hackers walked off with hundreds of millions of dollars worth of funds.

A core investment term - Risk Premium, implies that one should be compensated highly for assuming greater risk with their investment. Since the DeFi space is new and there are many associated risks, the potential returns tend to follow this thesis and are highly inflated. Investors with a good understanding of the various risks involved in DeFi investing can find effective ways to mitigate these risks and benefit from great risk-adjusted returns.

This article breaks down and describes the different risks that exist in DeFi today.

We can divide DeFi risk into five different layers

  1. Financial risk

  2. Underlying blockchain risk

  3. Smart-contract risk

  4. Centralization risk

  5. Regulatory risk

Risk Breakdown

1. Financial Risk

This includes risks caused by natural market forces, rather than external factors. These include:

Market Volatility


Crypto is known for its volatility because its price is primarily determined by speculation on the financial potential of crypto technology. For this reason, crypto-assets usually trade according to short-term market sentiment rather than according to long-term fundamentals. Huge drawdowns of up to 95% were common in the earlier days of crypto. While volatility itself doesn't cause real damage until losses are realized, the wild price fluctuations are emotionally and psychologically taxing to the investor. This extreme volatility can cause even diehard crypto investors to panic and sell at a loss.

More so, this volatility is amplified by the high level of leverage that is common in crypto, where some platforms offer speculators up to 100x leverage!

The volatility in the crypto asset class is expected to decrease as the industry matures. Greater adoption of crypto by institutional investors with a long-term mindset will dampen volatility. In addition, since the crypto market cap is growing at a rapid pace, it would take significantly more capital flowing in and out to continue getting the huge market price swings of the past.

Impermanent Loss

impermanent loss

When a DeFi user becomes an LP (Liquidity Provider) for an AMM there is a risk that one token’s price will fluctuate against the price of the other token. Because of this price difference, the LP position is worth less than what it would have been if he just held on to the token pair outside the AMM pool.

This price difference is a non-realized loss. Over time the token values might return to previous prices, making the loss impermanent. The loss is only realized when investors withdraw funds from the AMM pool.

Liquidation Risk

DeFi has many platforms that allow users to borrow crypto easily (for more information on crypto lending see DeFi Guide). Almost all of these platforms require users to over-collateralize their loans (many projects are working on developing under-collateralized loans, for example, Trufi). This over-collateralization is necessary to prevent users from defaulting on their loans.

Liquidation risk is higher in DeFi compared to traditional finance. This is because in traditional finance over-leveraged traders receive margin calls enabling them to add collateral and avoid liquidation. In DeFi this is an automated process where lending protocols incentivize third parties to liquidate collateral quickly and without prior notice.

Due to the automated liquidation mechanics and crypto’s high volatility, even positions with low leverage are still at risk of being liquidated.

2. Underlying Blockchain Infrastructure

51% Attacks

A 51% attack is when a group of miners gain control of more than 51% of the network’s hash power and join together to attack the network.

The attackers in control can then block new transactions and double-spend coins. However, they cannot change previous blocks or issue new tokens.

A sufficiently decentralized blockchain with a lot of miners like BTC and ETH should be protected from an attack like this. However, smaller blockchains with few miners are vulnerable to this type of attack. For example, BSV and ETC are blockchains with a small market cap that have experienced 51% attacks.


Scalability references the amount of workload a blockchain network can handle at once. It is usually measured in TPS, the number of transactions a blockchain can process per second.

Blockchains are inherently inefficient because transactions need to be validated, executed, and stored on thousands of different nodes. This is in contrast to centralized servers where computation is executed efficiently on a single server. For more information regarding the tradeoff between decentralization and efficiency read about the Blockchain Trilemma.

A victim of its own success, the Ethereum blockchain, where the majority of DeFi activity is currently located, is congested with activity causing gas prices (the fee for transacting on Ethereum) to skyrocket.

The risk is that in times of high volatility the network can get extremely congested, skewing financial incentives. For example, leveraged positions might be underwater, but high gas fees will make it non-economic for liquidators to liquidate their over-leveraged positions. This can cause lending platforms to be severely under-collateralized.

Scalability is the main selling proposition that many newer blockchains are promoting to try and win market share from Ethereum.

There are many different scaling solutions being developed to improve Ethereum’s network scalability. These solutions include optimistic and ZK rollups, sharding, and the move to PoS among others.


MEV (Miner or Maximum Extractable Value) are the profits that a miner makes from accepting a bribe in exchange for a service. The miner can either mine the block in a certain order enabling the execution of many profitable strategies like sandwich attacks, liquidation, etc. A good analogy for this is bribing a card dealer in a poker game to order the cards in your favor.

Another service the miner can do is accept transactions from the backdoor without them going through the mempool. The mempool is the place where all pending transactions wait to be mined. This is a problematic issue that undermines a lot of crypto's core values of transparency and equality.

For more information regarding MEV see Ethereum’s official documentation.

3. Smart Contract Risk

Code Exploits

Hackers can exploit weaknesses in smart contract code to steal funds that are deposited in the contract. Smart contract hacking is very attractive for several reasons, including that funds hacked can be converted into money quickly, as the assets are highly liquid. Also, as most platforms use open source code, hackers can simulate the attacks on a private version of the chain, before conducting the same attack on a live network.

Interoperability and Systemic Risk

One of DeFi's main advantages is the interoperability between platforms it enables, also known as 'money legos.' This interoperability lets capital flow between applications, creating new types of services and improving market efficiency.

While interoperability is an attractive feature, it creates a complex and fragile system where platforms are interconnected which can cause systemic risk. A sudden failure or exploit in one application can ripple throughout the network, affecting other linked platforms. The complexity of the DeFi ecosystem makes it very difficult to map out all the different connections between platforms. As a result, even if an application is safe, it still has risk from its dependency on other dApps (Decentralized Applications).

4. Centralization Risk

Administrative Key Abuse

While DeFi aspires to be fully decentralized, this is currently not the case. Instead, most projects are managed by a core development team since projects in their infancy need to be upgraded frequently. To make this process more efficient and not dependent on a governance vote for every change, the development team holds the private key to the DeFi platform.

Centralization poses many risks, including stolen private keys which can result in hacked platform funds. For example, recently, a bZx developer had his private key stolen, enabling hackers to call the trasferFrom function and transfer tokens from users’ wallets that had previously approved the bZx platform. Another risk is that developers might get greedy and steal platform funds for themselves also called rug pulls (for more information see How to Spot a Rug Pull).

To help mitigate this risk admins protect the platform’s private key by using for example a multi-signature application such as gnosis or other solutions like time locks.

Oracle Manipulation

Oracles are protocols that transmit information from outside the blockchain and add it on-chain to update smart contracts. The main challenge with oracles is ensuring that they are sufficiently decentralized to prevent malicious actors from uploading false information.

To ensure that only correct information is uploaded, it is important to aggregate different price feeds from multiple as well as unique sources. For more information see our post about price oracle manipulation.


USDC stable coinUSDC stable coin

Stablecoins are crypto tokens whose price is pegged to a certain asset, mostly the US dollar.

There are different types of stable coins:

  • crypto-backed stable coins

  • algorithmic stablecoins

  • fiat-backed stable coins

Fiat-backed stable coins are by far the most common and are a source of systemic risk in DeFi. They are vulnerable to censorship since regulators can confiscate the money backing them, which is held in regulated banks. In addition, fiat-backed stablecoins require trust in the private company operating them. These companies have transparency issues regarding the type of assets backing these stablecoin tokens. It is not always certain that these tokens are fully collateralized.

The most widely used fiat-backed stablecoins are USDC and USDT.

Governance Manipulation

Governance tokens are tokens that enable token holders to vote on decisions regarding the DeFi platform. As of today, even platforms that claim to be decentralized have not yet transferred full control of the platform to token holders. With growing regulatory scrutiny regarding the DeFi industry, many platforms will push to become fully decentralized.

Fully decentralized platforms might be susceptible to opportunistic groups that will buy a majority stake in DeFi projects and use it to extract short-term profits. For example, dramatically raising trading fees can have a short-term financial benefit, but ruin the project long term.

5. Regulatory Risk

DeFi’s lack of intermediaries, pseudo-anonymity of users, and global reach are some of the reasons for regulators’ concerns.

The existing regulatory framework is not equipped to deal with this new industry. Furthermore, effective regulation is difficult because of the complexity of crypto and DeFi, as well as because of its rapidly changing nature.

It seems that the US regulators haven't decided yet how they plan to approach crypto. On the one hand, they want to exercise control over what they see as a “rogue industry.” On the other hand, they are afraid of stifling innovation and missing out on a technological paradigm shift. Over-regulation will harm the core value that made the US the dominant nation it is today and will push innovation outside its borders.

Another issue that regulators are worried about is if the crypto industry grows too big it could threaten the dollar's reserve currency status. China who is aspiring for its digital Yuan to replace the US dollar as the reserve currency has already banned crypto. The US as a democratic country might not make such a drastic move as to outright ban crypto, it might instead decide to heavily regulate the crypto industry in an effort to slow it down. The recent approval of the first futures-based BTC ETF is a sign of a certain level of crypto acceptance and a signal that the US probably won’t try to outright ban crypto.

Today, DeFi platforms face vast and confusing compliance and legal obligations. To address this issue, investors, experts, and regulators alike are calling for greater regulatory clarity. Clear regulation will make DeFi accessible to many more participants, particularly public companies and regulated institutions.

Problems that regulators have with DeFi:


The FATF (Financial Action Task Force) issued an initial set of guidelines in September 2020 and an updated version in October 2021. These guidelines state that any parties directing the creation, development, and/or deployment of a DeFi protocol should be considered VASPs (Virtual Asset Service Provider) and should be held responsible for AML/KYC compliance.

Attempting to impose such AML/KYC requirements on DeFi protocols is not practical. These protocols have no control over customer funds and have no means to comply in a practical manner. Enforcing these regulations will drive DeFi activity into a grey market and advance the use of “Zero Knowledge Proofs,” making DeFi completely private with even less regulatory visibility than exists today.

Some DeFi platforms that are making efforts to be more compliant offer institutional investors closed-off liquidity pools that are where all participants pass KYC and AML checks. While this solution might have its place, it loses some of the main advantages DeFi has to offer in terms of anonymity and composability between platforms. The most well-known platforms offering compliant DeFi are Aave and Compound.

Are Tokens Securities?

Many DeFi platforms issue tokens mainly used to bootstrap liquidity on the platforms. These tokens are under a lot of regulatory scrutiny by the SEC that is claiming that they are securities that should be regulated by them. During the ICO craze in 2017, the main way that these token issuers bypassed being considered a security is by claiming that they are a utility token, not giving ownership but instead a right to a service.

Today most tokens bypass being considered a security by claiming to be a governance token, giving them voting rights on questions regarding platform governance and not a claim on the platform's future cash flow.

The SEC chief Gary Gensler doesn’t seem to be impressed by what it is called and has recently stated that “many crypto tokens are securities and fall under the agency's jurisdiction.”

It seems that these tokens are the low-hanging fruit that regulators will go after first.


Stablecoins are essential for creating DeFi services like liquidity pools, staking, and lending platforms. Regulators weren't involved in stablecoin regulation until Facebook (now Meta) unveiled its Libra project. The Libra project aspired to be a global currency backed by a basket of different currencies. This was seen by many countries as a threat to sovereign currencies including the US regulatory body which immediately responded with many regulatory requirements.

The next big regulatory battle was between Tether that operated the USDT fiat-backed stablecoin and the New York State Attorney General Letitia James. James stated, “Our investigation has determined that the operators of the ‘Bitfinex’ trading platform, who also control the ‘tether’ virtual currency, have engaged in a cover-up to hide the apparent loss of $850 million dollars of co-mingled [sic] client and corporate funds.” In the same hearing Tether’s lawyer admitted that Tether was only 74 percent backed.

The company settled with the NYAG, as part of the settlement, Tether was banned from doing business in New York.

As a result of both of these cases, pressure for strict stablecoin regulation is growing. A sign of this is recently Treasury Secretary Yellen urged the US to set strict stablecoin regulations in place.

It seems that moving forward, stablecoins will take one of two paths. One option is that they can be extremely compliant. Some companies, for example, that are going this route are USDC, operated by Circle that even applied for a bank charter, and USDP, operated by Paxos - used by Meta’s Novi product for remittance payments.

Alternatively, other stablecoins will fully decentralize and will either be fully backed by crypto (unlike dai today that is backed 60% by fiat-stablecoins) or become algorithmic stablecoins like UST founded by Terra.


This post described the different layers of risk investors should be aware of when investing in DeFi projects. Investors with a good understanding of these risks can achieve an edge that will reward them handsomely. For example, many investors like Ray Dalio are worried that the US government will outright ban crypto. It is up to the reader to determine the likelihood of this happening, but it is clear that if the odds of a ban are unlikely, then it could be a great opportunity.

Good knowledge of the different risks can help investors find great investment opportunities with a great risk-reward setup.


You Might Also Like:

Permit Messages and Permit 2: Enhancing DeFi Security Amidst Emerging Risks

February 6,2024/5 min read

Explore the cutting edge of DeFi security with "Permit Messages and Permit 2: Enhancing DeFi Security Amidst Emerging Risks." This blog post delves into the innovative permit message technology and its evolution with Permit 2, highlighting their role in secure and efficient DeFi transactions. Despite their advancements, we uncover potential risks, including phishing attacks and smart contract vulnerabilities. Learn from past incidents and gain practical tips to protect your digital assets. This concise guide equips you with the knowledge to navigate the complex DeFi landscape safely.

Read More