A Primer on DeFi Due Diligence

  • The Uranium team had only a vague idea who was auditing their code
  • The Uranium team had little evidence that “defiyield.info” did anything
  • At best, “defiyield.info” ran Uranium’s test suite, which obviously is a far cry from a legit audit
  • As with defiyield.info, Hyperjump is a DeFi project in its own right, not a professional auditing firm.
  • There is no discussion in the Hyperjump audit report of the methodology employed to stress test the contracts; in fact, the audit comments imply that they only did a high-level review of the code.

Points of Failure

There are a few points of failure that made this project almost doomed to fail:

  • The Uranium team is anonymous. With minimal reputation risk, they seem to have hacked away at code in an irresponsible way. Moreover, Cataldo at Uranium has admitted that he thinks that someone in his team leaked knowledge of the hack to an acquaintance (perhaps to protect them from the exploit), but he refuses to identify individuals’ names to authorities.
Cataldo acknowledging that someone in his team probably leaked info about the smart contract bug
Cataldo refuses to share team identities
  • The Uranium team did the real audit — the one by BSC Gemz — after they deployed the smart contracts. Obviously, this makes almost no sense whatsoever and was clearly motivated by a desire to ship as quickly as possible. Moreover, any number of people at BSC Gemz and the 7 members of the Uranium team knew that there was a vulnerability. And any of these people might be the hacker or might have tipped off the hacker.
  • The Uranium team didn’t have a clear game plan when they discovered a bug. Ideally, they should have drained the LPs themselves and immediately and return the money to LP stakers. (Note that doing this competently is not trivial.) Instead, they decided to do something really crazy. They announced the release of v2.1 just ~10 days after the release of v2. In traditional software development, x.1 generally indicates that bugs are being fixed relatively to x.0. There is no such thing as x.1 in DeFi! They implicitly announced to the entire world that they found a bug.

Due Diligence for Investors

Based on the above, I’d suggest the following due diligence rules for investing in DeFi smart contracts:

  • Has v1 of the protocol has been around for at least 3 months? Don’t be one of the first people to ape into a project.
  • Has the most recent version of a protocol been around for at least 2 weeks? As seen with the recent Pancakeswap v2 release, upgrades are likely points of failure.
  • Did the development team spend at least 3 months working on the project prior to deployment of v1? (Check the commit history in their public repo and the age of the domain name on whois.domaintools.com.)
  • Is there any other indication of sloppiness in the code? Is the repo poorly maintained? Was the code written rapidly during a hot market? Check the repo commit timeline. (Uranium’s token & LP designs were very ambitious, but they had just two devs and seem to have made changes at a breakneck pace.)
  • Is the project a simple fork of a battle-tested protocol or is the project’s scope to be too ambitious for the development team? If the latter, the smart contracts are more likely to have bugs.
  • Are the developer identities known? As mentioned earlier, a known developer simply can’t afford to deploy irresponsible code.
  • Have the developers received sponsorship from a reputable institution? e.g., a grant or a Series A from Binance, Ethereum Foundation, Pantera, etc.
  • Is the TVL greater than $100mm?
  • Are the returns reasonable relative to other DeFi platforms? (Some of the Uranium LPs had returns north of 1,000% APY.)
  • Was the audit done before deployment or is it “in progress”?
  • Did the audit actually run a battery of tests or was it a casual review?
  • Is the audit report professionally done? Is their methodology explained?
  • Does the project have more than 100k Twitter followers or is at least one reputable Twitter account (>100k followers) promoting it?
  • Is the project a fork? If so, diff the code vs the source repo and ask the developers why they made certain changes.
  • Download the code and run the tests. How do the tests compare to the source repo’s tests? Do they seem to have taken shortcuts or did they go above and beyond to find weaknesses?
  • Is the project audited by a reputable company? Needless to say, auditors associated with prior hacks are probably not reputable.
  • Was the project hacked before? What were the details? In almost all cases, don’t touch a project that was previously hacked. Check the Rugsteemer group on Telegram.
  • Is the project’s token listed on Coingecko? Uranium’s token, U92, was not. As Coingecko does minimal due diligence on projects, not being on Coingecko is a reg flag.
  • Can you answer all the above diligence questions relatively easily? Is the development team transparent in their documentation and Telegram group?

Lessons for the Industry

Industry titans like Binance and the Ethereum Foundation should come together and:

  1. Establish clear guidelines on how good audits should be done. Audit firms should attest that they’ve followed those guidelines. To date, I haven’t seen any DeFi audit reports that strike me as comprehensive and thorough.
  2. Establish clear guidelines for how project devs should handle bugs that are discovered after deployment.

References:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store