How to Use DeFi Safely

October 4, 2019
Quantstamp Labs

With eye-popping interest rates on lending platforms, it’s never been more tempting to put assets into some of the promising new #DeFi applications out there today. But are those assets going to be safe? That depends.

While traditional financial services often have some degree of deposit insurance, such as FDIC, DeFi applications are still at an early stage, and most do not provide this kind of protection. Consequently, the onus is on the end-user to ensure their funds are safe while using these new applications. 

Dr. Poming Lee, a security engineer with Quantstamp, explains steps users can take to use DeFi applications more safely.

1. Check Audit Status


Sample professional audit report of a project that did well. 

Checking if a reputable team has audited the project is the number one thing you can do to reduce risks while using a DeFi application.

Reputable smart contract security firms such as Quantstamp do a thorough evaluation of the application’s security by looking at both code and specification to make sure everything works as intended. In addition to simple technical errors or common vulnerabilities, auditors also evaluate the design of the application to assess issues such as centralization of power or custodial design. These issues are often difficult or impossible to detect without a thorough examination of the code and a wealth of experience in examining smart contracts. 

Once you know that a project has been audited, search for its audit report. A publicly available audit report pointing to open-sourced code on GitHub is a great sign -- it shows the team behind the Dapp has confidence in their code and audit results. 

Once you’ve found the report, read it. How did the project fare in the audit’s evaluation? Were there many high-risk issues found, or were they mostly low-risk or informational? Did the project team address the identified risks? Make sure the team was responsive and that any remaining risks are unlikely to affect the safety of your funds.

2. Evaluate the Product Team

Investigate the product team. DeFi applications require more diligent software engineering practices than traditional applications. Look for teams with experienced engineers, preferably those who have worked on blockchain, financial, or other mission-critical systems before. If they have, check whether those applications or systems have been hacked. 

3. Don’t Over-Allocate

Even in the face of attractive returns, don’t over-allocate funds into any single distributed application. Smart contracts are becoming more secure every day, but there is still no absolute guarantee against hacks. As the saying goes, only put in what you can afford to lose. 

Using DeFi Safely

DeFi is still an experimental movement, but many of the DeFi applications on the market are already incredibly useful. While decentralized technology provides benefits for these distributed financial applications, it also introduces risks that users need to consider.

Following prudent practices such as checking audit reports, investigating the team’s experience, and allocating funds wisely can help you reap the benefits of DeFi while lowering risk. 

About the Author


Dr. Poming Lee is a Security Auditor and Research Engineer with Quantstamp. Before joining Quantstamp he built multiple AI-based cryptocurrency and equity trading bots and worked as a Senior Engineer at Himax Technologies as well as a Lecturer at National Chiao-Tong University. He has a Ph.D. in CS with a focus on AI from National Chiao-Tong University and a Bachelor’s in CS with a focus on decentralized applications.
