This is the first step in a larger initiative to create a collaborative DAO to increase safety and transparency for DeFi through a community-driven product risk history and scoring resource.
Providing a credible risk assessment platform helps highlight innovators who are changing the future of finance without cutting corners. Not only does this help the average crypto participant make more intelligent decisions, but it also incentivizes individual projects to boost their overall security and trustworthiness.
Below is a list of the available tools, projects, and protocols for analyzing and managing risk within DeFi.
Note that this list is focused on technical, centralization, and liquidity risk of DeFi protocols, NOT price risk of tokens.
We hope that better sharing of tools, standards, and development patterns will support the safe growth of the DeFi ecosystem overall. We also hope that DeFi protocols, white hat hackers, developers, auditors, and users can unite around the common goal of making DeFi safer for current and future adopters.
To learn more, join the DeFi Safety DAO Telegram group.
Feel free to submit a pull request, with anything from small fixes to translations to tools you'd like to add (or remove!). If adding a new tool, please add a brief description that you think new developers would understand.
- Projects that do not have a working product should only be added to the Coming Soon section.
- Projects that are deprecated or no longer maintained will be removed.
- Projects that are paid/restricted services without open-source code or developer reviews will be further vetted.
Building on the work of awesome projects like DeFi Score, DeFi Safety, and others, we believe that the systemic failure of large financial protocols is the biggest risk to a thriving DeFi community over the next few years.
Currently, some of the risks in DeFi include:
- DeFi protocols range from fly-by-night scam operations to serious protocols challenging TradFi and it is often hard to tell these apart
- Many DeFi hacks have taken place and DeFi users have lost funds. Arguably this could have been prevented if objective risk information would have been available.
- Objective information about DeFi protocols is hard to find and scattered over different platforms. Investors have to do independent research by swivelling across various interfaces and data sources.
- If objective information is available at all, it is centralised and often outdated
Protocols and smart contracts that contain large amounts of value face the following risks:
- Smart Contract Risk - Technical bugs that can expose funds to hackers.
- Centralization Risk - Centralized admin keys are stolen or used nefariously, or oracles are manipulated to allow an exploit.
- Financial Risk - Collateral falls below outstanding obligations, likely due to price movement, or low liquidity leads to locked funds.
The resources below list some common methods of failure. We hope that by educating and evangelizing the public, our community can eliminate or mitigate these vulnerabilities as more groundbreaking financial services are built in this space.
Eventually, a DeFi Safety DAO would seek to solve key issues by:
- Bringing together a suite of tools together that have been standalone until now.
- Assessing and indicating risk across protocols.
- Providing incentives to keep these metrics up to date and to improve quality and quantity of the underlying data.
- DeFi Score - A 1-10 grade on the smart contract, centralization, and financial risk of lending protocols.
- Economic Safety Grade from DeFi Pulse & Gauntlet - A 1-100 grade to quantify and compare the economic risks of using on-chain protocols.
- DeFi Safety - A 1-100 rating of smart contract quality and safety for DeFi apps.
- Prime Rating - Letter rating (A+ to D) that represents the overall quality of a protocol based on publicly available data.
- Certik Security Scores - A 1-100 score of protocols across on-chain monitoring, social sentiment, governance changes, and market volatility.
- CER Security Score - A 1-10 score on protocols based on audits, bug bounties, and liquidity.
- CoinGecko Trust Score - A 1-10 score on centralized exchanges as well as a Green/Yellow/Red rating of the liquidity of certain trading pairs.
- Nexus Mutual Community-Driven Risk Assessments - A low-critical risk rating of Nexus Mutual supported protocols.
- Risk Ratings on Yearn Strategies
- Rekt News - Anonymous platform for whistleblowers and DeFi detectives to present their information to the community.
- Blockchain Threat Intelligence - Newsletter covering the latest security news, tools, events, vulnerabilities, and threats in the cryptocurrency landscape. Also supports this repo.
- Blockchain Graveyard - A list of all massive security breaches or thefts involving blockchains.
- DeFi hacks snapshot from Dragonfly Capital - Snapshot of 2021 hacks and transition from Ethereum mainnet to BSC
- Bad Things™ (Crypto Security) - List of DeFi hacks from @tayvano
- DEFI YIELDS's Rekt Database
- Gauntlet's Market Risk Assessment on Aave
- RugDoc
- DeFi Yield's Audit tracker
- Manifold Finance's DeFi Threat Matrix
- Nexus Mutual
- ArmorFi
- Certik Foundation
- Cover Protocol
- Unslashed Finance
- Nayms
- Risk Harbor
- 3F Mutual / Hakka Finance
- Atomica
- UNION
- NSure
- Opium Network
- Insurace
- Cozy.finance
- Clarity Protocol
- DEFIYIELD Safe ‘Risky Contract Manager’ - Tool to revoke approvals to smart contracts
- Solidify by Coinbase - Tool to detect and classify smart contract security risks
- CryptoFin Solidity Auditing Checklist - A checklist of common findings, and issues to watch out for when auditing a contract for a mainnet launch.
- MythX - Security verification platform and tools ecosystem for Ethereum developers
- Mythril - Open-source EVM bytecode security analysis tool
- Oyente - Alternative static smart contract security analysis
- Securify - Security scanner for Ethereum smart contracts
- SmartCheck - Static smart contract security analyzer
- Ethersplay - EVM disassembler
- Evmdis - Alternative EVM disassembler
- Hydra - Framework for cryptoeconomic contract security, decentralised security bounties
- Solgraph - Visualise Solidity control flow for smart contract security analysis
- Manticore - Symbolic execution tool on Smart Contracts and Binaries
- Slither - A Solidity static analysis framework
- Adelaide - The SECBIT static analysis extension to Solidity compiler
- solc-verify - A modular verifier for Solidity smart contracts
- Solidity security blog - Comprehensive list of known attack vectors and common anti-patterns
- Awesome Buggy ERC20 Tokens - A Collection of Vulnerabilities in ERC20 Smart Contracts With Tokens Affected
- Free Smart Contract Security Audit - Free smart contract security audits from Callisto Network
- Piet - A visual Solidity architecture analyzer
- OpenZeppelin's Security Best Practices
- Smart COntract Vulnerability List
- ConsenSys' Blockchain Security Database
- Smart Contract Weaness Registry
- Known attacks
- Gemini's Cryptopedia - Accessible encyclopedia on crypto security topics.
- Paradigm's CFT - Challenges to learn common smart contract failures.
- Damn Vulnerable DeFi - Challenges to understand common DeFi vulnerabilities.
- ImmuneFi - Bug bounties on smart contract vulnerabilities.
- Chainabuse
DeFi Safety DAO’s goal is to keep the DeFi space safe, robust, and grounded. It will be a community owned and operated comprehensive blockchain security analysis DAO.
DeFi Safety DAO will provide a comprehensive, 360-degree view of the smart contract threat landscape, involves the community in the scoring process, and makes DeFi easier and more accessible by offering a standard of safety that users can trust.
It will function as the first DeFi risk assessment tool for users to make smarter and safer decisions. Community members can provide qualitative suggestions on potential composability risks for various projects and fill metrics.
The community will be incentivized to contribute qualitative and quantitative information on smart contract, centralization, and other DeFi risks. Team members will be sourced from the DAO and assembled to work on specific risk assessment tasks or setup as mini teams to perform comprehensive assessments.
The main inputs in calculating the DeFi Score 2.0 are:
- Smart Contract Risk - Technical bugs that can expose funds to hackers.
- Example Metrics: Audit history, critical hack history and responses (from hack incident reporting), DeFi Score 2.0 audits.
- Centralization Risk - Centralized admin keys are stolen or used nefariously, or oracles are manipulated to allow an exploit.
- Example Metrics: Admin keys, timelock for protocol changes, whale concentration, percentage of staked tokens, % TVL from own tokens.
- Financial Risk - Collateral falls below outstanding obligations, likely due to price movement, or low liquidity leads to locked funds.
- Example Metrics: Combined liquidity across dexes, 24-hour volume, volatility and impermanent loss measured over time.
The creation of guidelines will fuel a community driven initiative based on user ratings, providing measurement of DeFi protocol scores defined by adaptable objective metrics and risk methodologies, updated by teams, contributors and the community.
Protocols that want to be listed should be able to complete a prospective rating themselves, and submit to the DAO for verification and approval. Alternatively, protocols should be able to offer grants for crowd sourced completion of ratings.
To help get things started, ConsenSys Codefi will also:
- Provide more helpful tools to the site, such as charts
- Source valuable data to make scoring more accurate
- Encourage meaningful community participation
- Add additional communications support as needed
Soon a decentralized community of contributors will form to maintain this important infrastructure.
Continued improvements on DeFi scoring with bounties for clear, specific, predictable data. Sample draft SOPs are provided below in the "Risk Factors Database and SOPs" section.
Enables decentralized and transparent distribution of rewards autonomously allocated by the community of contributors doing the work. This will provide insights on what the community finds most valuable, and who the key contributors are in different areas. Their aim is to make the experience of contributors more dynamic, rewarding, fair and transparent.
Teams of DAO members working on particular tasks will be assembled into “Circles''. Circles could be specialized based on the task/risk being assessed; or they could be set up as mini teams that perform comprehensive assessments. Circles will be assigned a budget for each task/project, to be paid when complete. Total rewards are then divided amongst the members of the Circle based on contribution.
For crowdsourcing to be effective, it is important to ensure that:
- the quality of input meets a certain minimum standard, and
- a mechanism should exist which continuously improves the quality of input
To address this, a credibility score may be implemented.
Circles/individuals may be rated on a constantly optimized credibility score. The credibility score will be composed of:
- Experience score - how many audits completed/how much work done
- Quality score - Did the audit prevent hacks? The longer the audited projects go without any exploits, the quality score of the individual/circle who completed the audit goes up
Protocols can restrict takers for their crowd sourced audits based on credibility score. Also, payment for services will be based on the credibility score of the individual/circle performing the work.
Hives: Collection of circles that perform the same generalized function.
Circles: Autonomous teams with specialized expertise whose responsibilities are clearly delineated. All members of a Circle act as peers.
Structure:
Hive A: Smart Contract Risk assessors
Hive B: Centralization Risk assessors
Hive C: Financial Risk assessors
Hive D: Mitigation Measures assessors
Within each Hive, there will be specialized expertise circles for:
Circle 1: Lending platforms
Circle 2: Trading platforms
Circle 3: Yield farming platforms
Audit Circles: Circles can be specialized based on Audit tools used or by parts of the Audit split by expertise type (like with DeFi score circles above)
Composite risk rating defined by compiling other DeFi safety scores which can be crowdsourced or automatically generated.
A list of DeFi ratings, which the DAO can leverage:
- DeFi Score - A 1-10 grade on the smart contract, centralization, and financial risk of lending protocols
- Economic Safety Grade from DeFi Pulse & Gauntlet - A 1-100 grade to quantify and compare the economic risks of using on-chain protocols
- DeFi Safety - A 1-100 rating of smart contract quality and safety for DeFi apps
- Certik Security Scores - A 1-100 score of protocols across on-chain monitoring, social sentiment, governance changes, and market volatility
- CER Security Score - A 1-10 score on protocols based on audits, bug bounties, and liquidity
- CoinGecko Trust Score - A 1-10 score on centralized exchanges as well as a Green/Yellow/Red rating of the liquidity of certain trading pairs
Crowd-sourced audits are ground-breaking and need to be defined carefully, but proactive cybersecurity is necessary in DeFi.
One of the easiest ways to achieve protocol security is by providing rigorous crowd sourced audits in addition to bug bounties that are big enough to incentivize hackers to opt for the whitehat approach over blackhat.
Protocols can pay for crowd sourced audits. Members of the DAO will conduct audits and report results, which will include bugs, proposed fixes, time spent on the audit and tools used.
Audits can be completed on request by the protocol (paid job); or complete audits and/or parts of audits can be completed by individuals as research to build their credibility on the platform (free jobs).
Autonomous contributors can work on specific risk assessment tasks or perform comprehensive assessments.
Hacks vs exploits vs rugs vs scams, with detailed definitions and prevention strategies. Positive DeFi/DAO best practices for new and current projects to build on. Definition of DeFi risk factors used in the model.
An accessible resource for learning about past DeFi vulnerabilities/exploits and helping prevent them in the future.
Aggregate bug bounties across protocols. Bounty hunters will be incentivized to hunt for critical vulnerabilities and be rewarded in the process. Armor and Immunefi have already been working with ecosystem protocols on a Big Bug Bounty Challenge. Protocols can offer bug bounties on Immunefi for exposure to a larger pool of interested whitehat hackers.
Objective: Adapt https://defiscore.io/ and https://inspect.codefi.network/ to the current DeFi landscape for measuring protocol risks with decentralized contributor model. We’ve put together a list of risk factors that can be used as a base to build upon an improved and robust DeFi scoring system.
We are looking for a solution that has the ability to:
- Aggregate data points for each risk factor from existing reputable and reliable sources (automatically or crowd sourced)
- Validate or invalidate the source of the data
- Automate or implement a trigger based process from validating and updating data
- Add/remove/hide risk factor data points
- Generate an overall 0-10 score based on parameters set for each protocol
- Display risk factor data and score for each protocol into a simple, easy to understand, easy to user interface.
Below, you can find the risk factor data points that we put together including sample data, and steps for generating the data manually. Click here to view data for the Top 10 DeFi protocols based on the risk factor data points listed below. Feedback and improvements are most welcome.
| Key Stats | Sample Research Results | SOP for Manual Data Gathering |
| TVL in USD | $8.75B |
|
| TVL in ETH | 3.7M ETH | |
| TVL in BTC | 137.3K BTC | |
| ETH Locked | 2.9M ETH | |
| % Supply Locked | 2.51% | |
| Blockchain | Ethereum | |
| Most Locked | $WETH | |
| Protocol Token | $MKR |
| Centralization Risks | Sample Research Results | SOP for Manual Data Gathering |
| Admin Keys | MakerDAO - smart contracts do not have an admin key. There is no single key or multisig that can be used to modify MakerDAO's smart contracts. Any changes must be approved by a governance vote. Please note that this only relates to admin key risk and MakerDAO is still subject to smart contract risk.
https://inspect.codefi.network/details/maker/admin-keys Instadapp - no admin key or ability to modify https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/ Synthetix - Once a proposal is approved through voting, users must trust Synthetix’s protocolDAO to make the modification to the protocol. protocolDAO is a fancy way of describing a 4-of-8 multisig admin key (48 hour timelock). However, action by the protocolDAO is in no way technically connected to the off-chain voting that occurs. Therefore, users must trust the protocolDAO to act responsibly and skillfully. In addition, any one member of the protocolDAO has the ability to pause the entire Synthetix system in the case of an emergency. No vote is required, and no other members of the DAO have to be involved for one member to do this. https://defiwatch.net/defi-projects/synthetix Bancor - had admin keys |
Find out if the protocol is holding any admin keys.
Admin Keys are held by platform administrators who have the ability to modify the rules of the contract in an arbitrary manner. Most administration keys are securely secured by features like Timelock and Multisig. However, no DeFi project can provide that the operational security of administration key is strong, so users need to rely on the expertise of the team and their ability to protect administration keys. Here are some references we found, if the protocol is not mentioned in any of these resources, you can do a keyword search for “does <protocol> have admin keys?” (or similar). https://inspect.codefi.network/details https://en.cryptonomist.ch/2020/02/26/defi-admin-keys-an-unsolved-problem/ |
| Timelock | MakerDAO - 4 hours
https://inspect.codefi.network/details/maker Uniswap - Timelock has a hard-coded minimum delay of 2 days, which is the least amount of notice possible for a governance action. Each proposed action will be published at a minimum of 2 days in the future from the time of announcement. Major upgrades, such as changing the risk system, may have up to a 30 day delay. https://uniswap.org/docs/v2/governance/governance-reference/#timelock SushiSwap - It takes 48 hours for the transactions to pass the timelock https://docs.sushi.com/products/yield-farming/menu-of-the-week |
Find out if the protocol has a timelock set on their smart contracts. If they do, indicate the delay time.
Timelock is a fixed delay time that allows for some reaction time in the event of an unexpected change that is not agreed upon or malicious, and therefore it is possible to unlock the funds and secure them. The timelock is set by code, once set no one can reduce the waiting time. Check the protocol’s documentation page found on their website, or you can do a keyword search for “does <protocol> have timelock?” (or similar). |
| Whale Concentration | MakerDAO - 17 Whales hold 55.98% MKR tokens
https://drive.google.com/file/d/1JsYuhpOiyuiQVEP3ZbjTCUprUeCPpwAZ/view?usp=sharing |
The term “whale” in cryptocurrency describes an individual or organization that holds a large amount of a particular cryptocurrency. You can sign up for a 7-day free trial (no credit card required) account on https://www.intotheblock.com/ |
| Smart Contract Risks | Sample Research Results | SOP for Manual Data Gathering |
| Audit History | MakderDAO
https://github.com/makerdao/audits https://security.makerdao.com/audit-reports Compound https://compound.finance/docs/security#audits Aave |
Find out if the protocol has been audited before by researching for security audit references.
Deploying smart contracts over to the blockchain system is irreversible. If the smart contract is poorly designed, it puts its users’ assets at risk, and therefore external security audits are crucial. You can do a keyword search for “<protocol> audit history” or “security audit” (or similar). |
| Critical Hack History | MakerDAO - No, but it was a close call
https://www.coindesk.com/55m-hack-ethereum-down Compound - Pickle Finance was hacked through Compound Aave - Yearn Finance was hacked through Aave |
Find out if the protocol has been hacked before, or if there is any relevant news related to it being hacked.
You can do a keyword search for “has <protocol> been hacked?” or “<protocol> hacked” (or similar) |
| Highest Bug Bounty USD | MakerDAO - $100,000
Compound Finance - $150,000 Aave - $250,000 |
Do they have a Bug Bounty Program? If yes, what is the maximum payout?
You can do a keyword search for “ <protocol> bug bounty” |
| Bug Bounty Page | MakerDAO
https://hackerone.com/makerdao_bbp?type=team Compound Finance https://compound.finance/docs/security#bug-bounty Aave |
Provide the Bug Bounty Page of the protocol where the maximum reward is mentioned. |
| Financial Risks | Sample Research Results | SOP for Manual Data Gathering |
| Total Liquidity | Uniswap - $105,642,533
https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984 Sushiswap - $2,182,622 https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2 |
What is the Total Liquidity and Volume of the protocol token?
Liquidity is the degree of which an asset can be quickly bought or sold without affecting the general stability of its price. In other words, it refers to the ability to convert the asset into cash. A higher liquidity is preferred because of the fair price advantage and market stability. Volume refers to the amount of activity of a token, may that be buying or selling within a period of time, eg. 24 hours. Generally high trading volume is considered a good thing. It shows that the market has liquidity and stability.
|
| Volume (24H) | Uniswap - $52,455,299
https://info.uniswap.org/token/0x1f9840a85d5af5bf1d1762f925bdaddc4201f984 Sushiswap - $1,644,410 https://info.uniswap.org/token/0x6b3595068778dd592e39a122f4f5a5cf09c90fe2 |
| Ability to Cover Risk | Sample Research Results | SOP for Manual Data Gathering |
| Nexus | Yes | Similar to any type of investment, the ability to limit risks by insuring tokens are crucial to avoid losses from smart contract bugs and hackers.
|
| ArCore | Yes | |
| ArNFT | Yes |
Creation of this resource was spurred by the good folks at ArmorFi and ConsenSys Codefi.
If you'd like to collaborate, contribute or participate in a DeFi Safety DAO, join the Telegram group.