When it comes to DeFi, Do Your Own Research
With the #Cardano ecosystem growing fast, it’s more important than ever to research before getting involved with a project. In these exciting times, let's be careful out there
9 December 2021 11 mins read
Distributed applications (DApps) are coming to Cardano. The excitement is palpable. Yet, as the ecosystem steps up a gear, the excitement about this new stage in our journey needs to be tempered with some caution.
Cardano is an open, permissionless blockchain. So there is no central company, or other body, exerting ownership and, with it, responsibility. Anyone can build on this platform and engage the community. This is one of its superpowers. Yet because anyone can build DApps, users need to be judicious. As the saying goes, ‘Do your own research’.
Researching means more than scrolling through search results or watching your favorite YouTuber talk about moonshots or chart patterns. By doing your own due diligence and taking your signal from the right community voices (amid the noise), you can give yourself the best chance of navigating the emergent landscape successfully. And with it, play your part in helping grow a safe, secure, and healthy ecosystem.
Some cautionary tales
Bad things have already happened on other chains.
- On December 3, 2021, Cryptocurrency News reported that 120m US dollars were lost in the Badger DAO hack.
- On November 30, 2021, Crypto Briefing reported that users lost 31m US dollars on Ethereum and Polygon.
- On November 19, 2021, CNBC reported that, according to Elliptic, over 10bn US dollars had been lost to scams and thefts so far in 2021. You can download the original report from Elliptic.
- On November 3, 2021, The India Bureau of Business Insider reported that 1.4bn US dollars had been lost in DeFi hacks, with about half recovered.
- Fraud also occurs in the UK. On October 18, 2021, Coindesk reported that, according to the City of London Police, over 146m pounds had been lost to fraud in the first ten months of 2021.
And finally, the SolanaBankBox project sounded good - until it wasn’t.
Now, publishing this list here isn’t meant to throw shade or proclaim superiority. There is no room for hubris here. Real people have lost real assets. Rather than look at these incidents with hubris and “It couldn’t happen to me,” we should take a position of empathy and take these hard lessons on board. Because we will have issues on Cardano, however much rigor has gone into the core platform. But together as a community, we must seek to minimize the chance and the severity when it does happen to us.
We have worked extremely hard at a core platform level on security. The core Cardano platform has been built to the most exacting standards. Cardano’s design is based on peer-reviewed academic research. Then, using formal methods, we create high-assurance software. The result is that Cardano provides a resilient, scalable platform. We add a full set of development and testing tools, including a testnet, to the platform. As part of our toolset, we support programming languages that suit formal verification by skilled software engineers.
Meanwhile, our education and support programs enhance the skills of the whole community. Wherever we speak to new Cardano DApp developers – and we have spoken to dozens already – we are strongly recommending that they commission an independent external audit for every DApp they create. As we advance, the new Plutus dAppStore will have three levels of certification available for DApps that choose to take advantage of it. Certification will be highly recommended, but it will never be mandated on a decentralized platform.
However, decentralization doesn’t mean we should accept a ‘wild west’ environment. Even with the noblest intentions, some DApps will include design flaws, have bugs, or be poorly supported by inexperienced devs. These issues could leave low-quality DApps more open to being hacked. There will even be DApps that are outright scams or rug pulls. Sadly this is inevitable at some point. And of course, our detractors will seize on these issues and seek to amplify them to damage our community.
It is the responsibility of each DApp developer to ensure that their application produces the correct results. Meanwhile, every responsible member of the community should do their own research and help educate others. In the end, it is up to individual users to protect themselves from bad actors. So be curious, even skeptical. Ask questions. Accept nothing at face value. Equally, be cautious in calling out scams - with so much FUD about, you should not add to the noise without due deliberation. And many of us will remember this cautionary tale from our childhoods…
So here are some tips, curated with the support of the Cardano community.
A fact checklist
Who are the developers?
Developers proud of their product will be easy to contact and responsive to questions. There should be a project website. Anonymity or pseudonymity is relatively common in crypto, but it is important to know the developer can be traced if money is involved. It is much easier for anonymous developers to disappear with your funds. Even if fully doxxed, is this the developer’s first project? Devs or code shops with a reputation have more to lose, while inexperienced developers are more likely to make mistakes or take shortcuts, especially if there is a rush to launch.
What is the project’s vision?
Do your best to ensure that the project’s values and actions align with your values. Look at decentralization, idealism, passion, and purpose.
FOMO is your enemy
If it’s a great application now, it will be a great application next week and next month. If the developer plays on your fear of missing out, that is a big red flag. Due diligence takes time. Be diligent.
Is it really, really good?
The old saying applies. If it’s too good to be true, it probably is. If the project offers higher than normal staking rewards, you need to be hyper-vigilant and very thorough in your investigation.
Celebrity endorsements
Endorsements can be bought, and they are often an essential ingredient of a pump and dump or rug pull. By design, retail investors first discover a dump or rug pull when their basket of tokens is suddenly worthless. Don’t put your trust in YouTubers, but take note of YouTubers you trust.
Is the product open source?
Not all trustworthy DApps need to be open source. However, if the product claims to be open source, you should check the claim. For example, the GitHub repository should be accessible and active. The names of people on GitHub should match at least some of the people on the project website.
Project documentation
There may be a white paper, lite paper, or other design documentation.
Perform a thorough fact check: check sources, investigate authors, ensure content is authentic and not plagiarized. Evidence of poor proofreading, missing content, or broken links in references should all raise concerns. If the white paper is on a ‘pay to publish’ site, you should take that into consideration.
Token distribution
If the project has an associated token, use a chain analysis tool to check for a concentration of token ownership. For example, it would raise concern if most of the project's tokens were allocated to a handful of wallets.
Is it a new project, or is it ported from another chain?
Check its reputation in its past life, if it had one. It still takes good developers to take full advantage of the Cardano platform.
If it is a new project, how new is it? Do the participants have any history in the crypto space?
Is the developer engaged on social media?
Look for an active community of users and reviewers. Look to see how recently the entities associated with the project were created. Be suspicious of new accounts with only a few tweets. Check the number of followers, too. Tools like Sparktoro are another way you can check real v fake followers.
How much testing has been done?
We would expect a good project to have been active on the testnet – and offering commentary in social channels – before its mainnet launch. The ongoing activities from projects like SundaeSwap and Adahandle are good models here, promoting the testnet launch through social media to allow end-users to test and build their understanding. We look forward to supporting more over the coming weeks and months.
Has an external audit been conducted?
Look for a respected organization that is independent of the developer. See below for some useful organizations.
Review the product against your requirements
No matter how good the product, it must be right for you. If you are looking to earn extra ada rewards or trade, it remains forever true – never risk more than you can afford to lose.
Some useful organizations
External organizations can help you learn more about the developer of the DApp. Also, DApp developers can enlist external companies to help with the development process.
More information about developers
- Check the Binance Project Reports page. It aims to cover the top crypto-projects and provide unbiased information.
- The Messari site provides research reports for organizations or individuals.
- Crunchbase provides data about organizations and individuals. There is a free trial; otherwise, this is a paid service.
- PitchBook is a financial data and software company. There is a free trial option available here too.
- Search LinkedIn profiles of people and companies.
- Use BetterWhois or a similar registry to find out when a website was created and basic details of who is behind it.
Companies that help with DApp development
- QuviQ is a Swedish company that specializes in property-based testing.
- Runtime Verification performs security audits. They have done a lot of work with IO Global.
- Certik, founded in 2018 by Yale University and Columbia University academics, is a pioneer in blockchain security. Certik uses best-in-class AI technology to secure and monitor blockchain protocols and smart contracts.
- Tweag is a software innovation lab that helps technology start-ups improve their engineering performance and execute high-risk, high-reward projects. They will be familiar to many readers from their work with Cardano.
- Well-Typed is a specialist Haskell consultancy company. Again, they will be familiar to many readers for work on Cardano.
Community curation
None of these sites offer any endorsement or guarantee of quality, but they are a good place to start:
Essential Cardano - a simple GitHub repo managed by IOG and directed to community PRs. The site aims to be comprehensive, and inclusion doesn't mean endorsement, but this is a good list. During 2022 the goal is to build out this resource - in collaboration with the community – as a more holistic ecosystem resource.
Cardano Cube – a community site with a mission ‘to make information more accessible by providing an overview of all projects and dApps building on Cardano’.
Building On Cardano – ‘a place to view what’s happening within the Cardano ecosystem’ from Stake Pool Operators Shamrock Pool & Cardano With Paul.
We shall continue to drive for higher standards of audit and certification for Cardano throughout 2022. We hope that initiatives like our DApp store will help drive better practice in #DeFi and #RealFi across the whole industry. But this will only go so far. Despite several years of development (and many failures) on other chains, this is still relatively early days for the space as a whole. No developer is infallible, no audit can be omniscient, no platform impenetrable.
As our industry matures, so will risk. Meanwhile, above all else, it is up to the community to develop an immune system that can identify the most obvious issues and help the headlines focus on the successes rather than the setbacks.
The way forward
The Cardano community can be a shining example of how to achieve success and safety without external regulation. Project Catalyst provides funds for development on Cardano, and some community challenges specifically target security.
As intelligent, skeptical consumers, users must demand only the best DApps. Supporting great DApps will nourish a population of honest, trustworthy developers. Together, we will reach our goal of becoming a flourishing, self-governing community.
The information provided here does not constitute investment advice, financial advice, trading advice, or any other sort of advice, and you should not treat any of this blog’s content as such.
Inclusion here of projects does not constitute an endorsement, guarantee, warranty, or recommendation by Input Output. Do conduct your own due diligence and consult your financial advisor before making any investment decisions or relying on any third-party services.
Thanks to community members including Shweta Chauhan, Dan Gambardello, Jaromir Tessar, and Matti Winnetou for their contributions to this piece.
Recent posts
Hydra Doom Tournament by Fernando Sanchez
22 November 2024
Quality Engineering at IO: bridging research and reality in software development by Ivan Irakoze
20 November 2024
Black Hawk up: flying with heroes in the wake of Hurricane Helene by Fernando Sanchez
29 October 2024