Published on: September 21, 2024
It’s hard for everyday people like you and me to remain on top of new cybersecurity threats and complex concepts while trying to protect our online privacy and digital rights without giving up the convenience of our favorite apps and technologies.
In this interview series by Safety Detectives, I talk to cybersecurity experts and thought leaders who share insights, actionable tips, and future predictions that will help us better understand what is happening with your data and protect your digital life more effectively without losing your sanity.
Rex Hygate is the President and Founder of DeFiSafety, a company that evaluates Ethereum-based DeFi applications, focusing on their development processes, quality, and transparency. Before DeFiSafety, Hygate served as Business Development Manager at Esterline CMC Electronics until 2020.
Do you believe that the DeFi space has matured enough in terms of security, or are we still in a phase where innovation is outpacing safety?
I find DeFi maturity steadily declining over time. Since the Terra/Luna crash, we have failed to bring in new users. This means most present DeFi users are experienced, looking for very high alpha, and using the money they are fully prepared to lose. In an environment like this, there is a declining incentive for a strong safety and security effort. Better make money fast. This makes it less appealing to normal financial users.
Unless we change it, a steady decline in DeFi will probably continue.
You’ve reviewed over 200 DeFi projects. What are the most common red flags that you see? How could these be better communicated to the public?
By far the most common red flag we find is laziness concerning security and transparency processes. Some DeFi protocols are very short-term thinking and only make the minimum effort to get their protocol active so their token will go up.
The crash of Terra/Luna in 2022 is the most notable example. The Terra ecosystem, which included the algorithmic stablecoin UST and its sister token LUNA, saw its market capitalization plummet from approximately $40 billion to nearly zero within a week in May 2022. This wiped out billions for investors and users.
Two more notable DeFi Failures:
- Still in 2022, the Ronin Network, associated with the popular game Axie Infinity, was hacked and lost $625 million in ETH and USDC. This breach highlighted their vulnerabilities in cross-chain protocols.
- In August 2022, the Nomad Bridge lost nearly $190 million because of a hack where multiple attackers used the same method to drain the protocol.
If you could change one thing about the current approach to DeFi security, what would it be and why?
I would increase the priority of overall security processes. Our industry focuses too much on smart contract security. Smart contract failings now account for less than 50% of all security incidents, while most keys, weak processes, and internal employee incidents are rising. Security should cover the entire protocol. Not just smart contracts.
Transparency is a core principle of DeFiSafety. However, some argue that too much transparency can expose vulnerabilities. How do you strike the right balance?
One of the biggest advantages of DeFi is transparency. Users can see and verify what the intermediary (in this case the software) is doing with their money. They can see if changes are made. Traditional finance does not have this habit. It builds trust based on regulation and private audits.
Because DeFi is not regulated we started with transparency to build trust in the early days. A DeFi protocol may want to protect the software so that forking is not too simple anymore. Our process allows for this but still gives transparency.
We have kind of unwittingly started digging our own grave. The technical complexity of using DeFi (which is being steadily reduced, a good thing) and the public advertisement of the risks have driven away normal users.
Normal investors normally invest through funds. > These funds must prove their due diligence and safety to investors. > Without regulation, these funds would require consistent clear transparency.
But today’s DeFi funds are only using money from more experienced investors who know the risks and are ready to lose it all in the hope of high returns. These users don’t see safety as a priority. Alpha above all.
When I review DeFi protocols and speak with DeFi funds, they tell me that my transparency audit is correct but it is not used in their investment decisions. For this reason, protocols are reducing their transparency because they do not see anyone looking for it. We do not have the right balance and we are building a system that normal investors do not want to use.
Do you think the use of AI could bring transparency issues in DeFi assessments? How can we ensure AI tools remain trustworthy and unbiased?
To date, we have tried to use AI in the evaluation of DeFi protocols. However, AI predominantly believes protocols when they write that they are extremely diligent in security matters. The trouble is that AI believes the words and does not look for shreds of evidence. As such, we have not been able to use AI effectively to date.
What role do you think regulators should play in DeFi security? Could they undermine the ethics of DeFi? If not regulators, who else should be responsible?
I think regulators in the near term will focus on centralized exchanges. This is where they expect most people to use crypto. Since TVL (the total value of a digital asset on a particular blockchain network) in DeFi is small and decreasing and the reputation is still deservedly very much that it is a rigged highly technical casino, I do not see regulators doing more than advising people to stay away from DeFi.
Looking ahead, what do you see as the biggest security challenges for DeFi in the next five years?
Trustworthiness remains by far the biggest problem. Most businesses see our industry as untrustworthy. This perception keeps out new users even though more and more people globally need DeFi because their banking systems are not protecting them.
If protocols are diligent and rigorously follow all accepted security processes, then DeFi can be very safe and transparent. There must be improvements in the wallet processes to reduce the risk of phishing hacks. I hope that account obstruction and other improvements will fix this.
How can our readers follow your work?
LinkedIn: https://ca.linkedin.com/in/rexhygate