How to Make Sure Your DeFi Investments Are Secure, Step 1: Evaluating the CEO

in #blockchain, 5 years ago (edited)

If we want DeFi to prosper, we need to get over this feeling of playing with fire. Right now it feels like this:

But we need to get more comfortable with the entire technology stack. And that starts with the CEO!

On Monday, when the Lendf.me news broke, one of our community members at the DeFi project I'm working on, FinNexus, asked me, "So how exactly am I supposed to tell which are the serious and decent DeFi projects?"

I provided this simple checklist:

  1. Look for a tech-oriented or tech-savvy CEO, even better if they're blockchain-savvy. They don't necessarily have to have been a CTO, but the devs shouldn't be able to just bowl them over whenever push comes to shove and things need to get done. I've seen it happen. The CEO needs to know enough about technology to be dangerous. If s/he’s been a CTO or lead engineer at another blockchain project, that's bonus points!
  2. Check for a third-party code audit. Coding is hard. Coding on a deadline with bosses and investors breathing down your neck is even harder. Heck, I make typos in these [Hive] posts all the time! When your money is on the line, you don't want my carelessness to be able to mess with your personal capital. So look for very obvious and proud mentions of multiple code audits. Thorchain is always going on about this stuff. You guys should know how I feel about Thorchain by now. Bottom line: There must be a third-party audit before any DeFi protocol is implemented on mainnet with customer funds.
  3. Make sure they aren’t trying to do too much. One of the problems with dForce is simply that they're trying to do too much. On their website, they list protocols for monetary, liquidity, and yielding products. That's just too much to keep track of at once, especially when there were rumors that their entire codebase is just copied over from Compound. If that's true, it's not a good sign for their ability to handle the inevitable bugs in the code. Trust me, I know. I used to work at a place where the devs forked code all the time. Even then, they couldn't deliver a working product on time or on budget!

And so the calendar turns to another epoch in the DeFi space where, much like crypto, a week is a month and a month is a quarter and a quarter is a year. We are on to Day #3 since the latest DeFi exploit. There will surely be another one. But with each mistake, a hundred others are found. Our devs at FinNexus told me that this accident raised some alarms on some of our development. No big issues were found, but we went back and triple-checked the code repositories anyway.

At DeFi #2 project Synthetix, they went back over their code with a fine-tooth comb because of the incident and found a vulnerability with their incentivized sUSD curvepool. They paused the pool and removed the contract from the Ethereum mainnet. They are now working on a more robust fix that should be available in a week or two. And isn't that exactly the way it is supposed to be?

Now more than ever, we know the importance of maintaining an experienced and hard-working tech team. At FinNexus, our focus is on making steady progress with modest goals. Over time, we believe that this will result in amazingly transformative products that help bring positive change to not only the industry but the world.