The Rigor of Building a DeFi Platform

@shanghaipreneur

Yesterday I mentioned a DeFi project that had recently been hacked and then almost immediately had all of its funds restored by the hacker. The whole process took a little more than a day. The amount was an enormous $25 million worth of crypto. Now the etherscan address is just a repository for private notes to the hacker. Check it out.

Speculation about why the hacker suddenly returned so much money has run rampant. Was it just a young developer trying out something s/he had read about? Was it an inside job? Was it all just a big publicity stunt to get the names Lendf.me and dForce into the mouths of the blockchain investment community? And if that's true, would anyone still be willing to put funds into a platform that has suffered such a high-profile hack? What kind of investor does that? 🤨 These are the questions that I need answered!

If you sign up for etherscan, you can observe an interesting exchange of on-chain messages. Decentralized exchange aggregator 1inch.exchange always seems to be at the center of these DeFi rows. For now, I'm giving them the benefit of the doubt because their platform is awesome! I use it and have never had a bad experience. The logo kinda looks like the Uniswap unicorn on steroids, which kind of gives you an idea of what the platform does. Think of it as kind of like kayak for DeFi - all the best deals bundled up on one site. You can even execute from their dashboard!

So 1inch traced the IP of the hacker back to a single Chinese IP address and reported it to the Singapore police. The thief was so careless that s/he didn't even use the privacy function of their browser!

Those of us in the DeFi space who want to see this fledgling industry prosper, however, must be wary of hacks like this. Even though this story has a happy ending, the reputational damage to the entire industry, not just Lendf.me and the associated dForce Network themselves, will take months to repair. For all of our projects to prosper, this pattern has got to be stopped. At the moment, this is how DeFi'ers feel:

Imagine how the user community feels!

On Monday, when this news broke, one of our community members at the DeFi project I'm working on, FinNexus asked me, "So how exactly am I supposed to tell which are the serious and decent DeFi projects?"

I provided this simple checklist:

  1. Look for a tech-oriented or tech-savvy CEO, even better if they're blockchain-savvy. They don't necessarily have to have been CTO, but the devs can't be allowed to just bowl them over whenever push comes to shove and things need to get done. I've seen it happen. The CEO needs to know enough about technology to be dangerous. If s/he's been a CTO or lead engineer at another blockchain project, that's bonus points!
  2. Check for a third-party code audit. Coding is hard. Coding on a deadline with bosses and investors breathing down your neck is even harder. Heck, I make typos in these [Hive] posts all the time! When your money is on the line, you don't want my carelessness to be able to mess with your personal capital. So look for very obvious and proud mentions of multiple code audits. Thorchain is always going on about this stuff. You guys should know how I feel about Thorchain by now. Bottom line: There must be a 3rd party audit before any DeFi protocol is implemented on mainnet with customer funds.
  3. Make sure they aren't trying to do too much. One of the problems with dForce is simply that they're trying to do too much. On their website, they list protocols for monetary, liquidity, and yielding products. That's just too much to keep track of at once, especially when there were rumors that their entire codebase is just copied over from Compound. If that's true, it's not a good sign for their ability to handle the inevitable bugs in the code. Trust me, I know. I used to work at a place where the devs forked code all the time. Even then, they couldn't deliver a working product on time or on budget!

And so the calendar turns to another epoch in the DeFi space where, much like crypto, a week is a month and a month is a quarter and a quarter is a year. We are on to Day #3 since the latest DeFi exploit. There will surely be another one. But with each mistake, a hundred others are found. Our devs at FinNexus told me that this accident raised some alarms about parts of our own development. No big issues were found, but we went back and triple-checked the code repositories anyway.

At DeFi #2 project Synthetix, they went back over their code with a fine-tooth comb because of the incident and found a vulnerability in their incentivized sUSD Curve pool. They paused the pool and removed the contract from the Ethereum mainnet. They are now working on a more robust fix that should be available in a week or two. And isn't that exactly the way it is supposed to be?

Now more than ever, we know the importance of maintaining an experienced and hard-working tech team. At FinNexus, our focus is on making steady progress with modest goals. Over time, we believe that this will result in amazingly transformative products that help bring positive change to not only the industry but the world.


Posted via Steemleo