Is decentralised finance worth the risk?

Nico Schäfer, Smart Contract Assurance, PwC Switzerland, 15 Feb 2021

The skyrocketing prices of cryptocurrencies – including Bitcoin and Ethereum – are drawing increased attention to the cryptocurrency market. This, in turn, is a catalyst for the growth of projects built on the underlying distributed ledger networks. With a vast array of finance-based projects emerging (e.g. lending protocols, stablecoins, derivatives, exchanges), investors want to be better informed about the risks. When researching Decentralised Finance (DeFi) projects, investors easily find claims about the potential for huge returns and, on the flip side, news about hacked smart contracts, scams and other fraudulent behaviour. However, quantifying the opportunities and risks associated with an investment is far more complicated than these headlines make it out to be.

2020 was a landmark year for DeFi. We saw promises of unbelievable returns and headlines about ‘hacks’ with amounts in the tens of millions. Known incidents[1] in 2020 are estimated at over $200 million, with about 50% of the value recovered after the fact. The majority of these incidents happened in the last months of the year. This fourth-quarter surge indicates both the increased scrutiny the DeFi industry attracts and its vulnerability as it gains momentum and grows at an unprecedented pace.

[Figure: Hacks 2020]

So, what does this all mean? If you’re an investor interested in exploring DeFi, the question is whether the opportunities outweigh the risks.

What are the risks of investing in DeFi?

Given the accelerated rise of DeFi, it’s not nearly as mature as institutional investing – yet having an understanding of the types of risk can give an investor a better picture of what’s at stake. Though not a comprehensive list, here is some food for thought.

Who’s accountable?

In traditional finance, you know your counterparty, and if a company acts fraudulently, you can take legal action against it. Regulators further minimise risk by enforcing proper risk management, appropriate insurance and requirements regarding physical and software security. DeFi projects, however, aren’t regulated like traditional finance projects and are, by nature, decentralised. As an example, the term ‘rug pulling’ has emerged to describe the sudden disappearance of project members together with user funds. Recent examples are Compounder.Finance, Yfdex.Finance and SharkTron, to name a few. In these cases, the projects were neither managed nor owned by an identifiable party that could be held liable. At the end of the day, do you know who’ll be held accountable when things go south?

Who’s keeping an eye on DeFi?

Many DeFi projects are still in a ‘trial and error’ phase, experimenting in an ecosystem where generally accepted industry standards are still lacking. To add to this, regulation is lagging behind the technology in most, if not all, countries. This means DeFi projects are not subject to the same risk-management requirements as traditional financial projects. Without regulatory oversight, who’s keeping an eye on DeFi?

‘Code is law’, or is it?

In traditional finance, trust is built by the institution and the regulators overseeing it. In blockchain, however, trust is placed in publicly available, immutable code. Some users even go as far as to say ‘code is law’, implying that whatever the blockchain technology allows is also legal. This is not the case, but it highlights the importance of legally defining what role a smart contract can play on the blockchain.

More layers, more vulnerabilities

DeFi projects are built on deep stacks of technologies, with each layer adding more potential attack surface. Some layers, such as the cryptographic primitives (including their implementation) and the network layer, have often been reviewed intensively. However, securing one layer doesn’t protect against vulnerabilities in other layers of the system, for example the smart contract logic itself, the price oracles it relies on, or the web front-end users interact with. Taking a holistic, top-down view is critical to securing your project.

Do you know where your keys are?

If someone has your private key, they can steal all your wealth. Yet, at the same time, private keys are far too long to memorise. An example from 2020: the machine of Nexus Mutual’s CEO Hugh Karp was compromised and approximately USD 8 million in crypto assets was stolen. Can you store your keys in a way that you won’t lose access to them or forget them, and where no-one else can access them?
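One common answer to that storage question is threshold backup: split the key into n shares so that any k of them reconstruct it, while fewer than k reveal nothing. The following is an added example (not code from the original article or from PwC) implementing Shamir secret sharing over the secp256k1 group order, which every Ethereum or Bitcoin private key fits into; SAMPLE_KEY is a constructed value for the demonstration only, not a real key.

```python
"""Threshold backup of a 256-bit signing key with Shamir secret sharing.

Added example, not code from the original article. A raw private key is a
single point of failure twice over: lose it and the funds are gone, leak it
and the funds are gone. Splitting it into n shares of which any k recover
the key removes both failure modes, as long as the shares are kept apart.
"""
import secrets

# Order of the secp256k1 group. Every valid Ethereum/Bitcoin private key is an
# integer in [1, N-1], so sharing over the prime field F_N loses nothing.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed sample key for the demo only; never reuse a published value.
SAMPLE_KEY = 0x6F1D3A9C2B8E47D0A5C3F1E9B7D2048C6A1F3E5D7B9C0A2E4F6D8B1C3A5E7F90


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < N:
        raise ValueError("secret must be a field element")
    if not 1 < threshold <= shares < N:
        raise ValueError("need 1 < threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(N) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange-interpolate the polynomial at x = 0 over F_N."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % N
                den = den * (xi - xj) % N
        secret = (secret + yi * num * pow(den, -1, N)) % N
    return secret


def demo(threshold=3, shares=5):
    """Split SAMPLE_KEY; k shares recover it, k-1 shares yield an unrelated value."""
    pts = split_secret(SAMPLE_KEY, threshold, shares)
    enough = pts[-threshold:]          # any k shares will do, not just the first k
    too_few = pts[:threshold - 1]      # k-1 shares: every secret is equally likely
    return (recover_secret(enough) == SAMPLE_KEY,
            recover_secret(too_few) == SAMPLE_KEY)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The split only helps if the shares are kept in separate places (a hardware wallet, a safe, a trusted third party) and are only ever recombined on a device you trust. Reconstructing the key on the same compromised laptop that would have leaked the raw key, as in the incident above, defeats the purpose.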

Is the solution to go back to centralisation?

One might conclude that going back to centralised crypto management is the solution. Unfortunately, it’s not that simple. Users’ funds on centralised exchanges have also fallen prey to hacks and mismanagement. To give you an idea of the amounts at stake, in 2020 the centralised exchange KuCoin was hacked and approximately $280 million was stolen.

Is DeFi worth the risk?

As with all new ventures, it’s hard to understand the full breadth of the risks. However, where there is risk, there is also opportunity. By knowing and managing the associated risks when entering the DeFi market, these new projects might be an interesting playground as well as a promising future technology. And, at the end of the day, the most tried-and-true risk management strategy still holds: diversification.

Our team started as the Swiss ETH spin-off ChainSecurity AG and joined PwC Switzerland in 2020. Together with PwC, we bring extensive depth of experience in DLT security and breadth of knowledge on the aspects of business that impact blockchain businesses – from taxation to cybersecurity. We have the capabilities to guide and support you wherever you are on the path – from exploring how you can use DLT and smart contracts, to formal assessments of your smart contracts before they launch, to monitoring your smart contracts once they’re in place. If you want to know more about smart contract security or are interested in working with us, visit our website or give us a call.

[1] In our inventory of ‘known incidents’ we capture events that were made public knowledge via media coverage, including the value of funds that were stolen (and, if applicable, the amount that was recovered). The value of funds stolen/recovered is based on what was publicly reported at the time of the incident. We have not included events where there was no financial impact.


