GK8 by Galaxy What Impenetrable Custody really means for digital asset security

Make Your Crypto Work For You Pt 2: DeFi

Pt 2: DeFi Basics

In our last blog in this series, we discussed some of the revenue-generating opportunities in the ‘cryptoverse’. Specifically, we discussed staking, what it is, how it works, and of course some of the risks involved. We also discussed the opportunity GK8 customers have to ‘cold stake’, meaning they can stake directly from their ‘cold vault’ thereby mitigating some of the threats associated with staking, including the need to transfer custody to a third party.

We also mentioned that staking is just one of the channels through which financial institutions can generate passive income from their digital assets. DeFi, decentralized finance, is another. DeFi investments are typically considered speculative assets, or high-risk, high-reward channels of investment, at least as compared to staking.

And while during the great bull run of 2021 DeFi investments did indeed provide higher rewards, in 2022 the market discovered the ‘higher risk’ side of the equation. Importantly, 2022 showed us that institutional investors could not, or should not, entrust their private keys to anyone other than themselves. In times of market volatility, an end-to-end, self-managed, enterprise-grade solution that keeps the institution in full control of its private keys is highly valuable to institutions that manage billions of dollars in AUM.

Moreover, what is often overlooked is the fact that DeFi programmers (the people who write the smart contracts that run the protocols) often make sure to leave themselves what is called an Admin key. This Admin key is a risk in and of itself, as we’ll explain later in the blog.

But first things first. 

What is DeFi?

DeFi, decentralized finance, is a financial ecosystem that leverages DLT (distributed ledger technology) and smart contracts to facilitate money movement or transactions without mediation by a third party (like a bank or other financial institution). 

Decentralized finance, like much of the cryptocurrency market, rose from the ashes of the 2008 financial crisis. It grew in parallel with the second generation of blockchain protocols, led by Ethereum, which were built to enable smart contracts. Smart contracts are encoded contracts stored on the blockchain, programmed to run when certain conditions are met. Together these events spurred the proliferation of DeFi.

DeFi is drawing a broad audience because of its automated, permissionless capabilities alongside the ability to mix and match a variety of services ‘over’ smart contracts. In many ways, DeFi democratizes investments and treats all actors according to the same rules and policies.

DeFi characteristics:

Figure: DeFi Traits

Size of the DeFi Market

TVL, or total value locked, continues to be one of the main metrics used to evaluate the projects or platforms in the DeFi space. Using TVL as an indicator of market growth, we see that the DeFi market began its upward swing in late 2020 – early 2021. Like the rest of the crypto market, the DeFi market has been hard hit by the events of 2022. Having peaked in late 2021 at just over $170B, the market fell dramatically in May with the Terra Luna crash and continued a more moderate decline until today with the latest bubble ‘popping’ alongside the FTX debacle. 

Figure: DeFi TVL

What types of DeFi are there?

The DeFi market is not a homogeneous one. Institutions can choose to invest in several different vehicles via smart contracts. Trading (DEX) and lending have for some time been the most popular. However, there are over 30 different investment vehicles available. These investment vehicles (categories) differ not only in popularity, but also in liquidity, yields, and processes, even within the same category. Some of the more popular include:

Figure: DeFi categories (based on data from DeFiLlama)

While there are a wide variety of players partaking in the DeFi ecosystem, Ethereum (ETH) continues to account for a majority of DeFi share. Thanks to its architecture, ETH grants a layer-1 runtime environment, known as the Ethereum Virtual Machine (EVM), to dozens of popular layer-2 decentralized applications, including Aave, Uniswap, and 1inch.

What are some of the risks and challenges of DeFi?

Investing in DeFi is not without its risks. These risks extend beyond those of investing in an asset class which is speculative by definition.

Counterparty Risk

Until now, investing in DeFi has been ‘difficult’ and not especially user-friendly. Importantly, in order to gain flexibility and convenience, institutional investors have often stored their private keys in browser-based ‘hot wallets’ or used third parties that served as de facto custodians. Both options should put mitigating counterparty risk top of mind for any institutional investor.

The private key is the bearer’s most treasured asset. Whoever holds the private key has, in fact, de facto ownership of the digital assets. The organization/DAO which holds the private key has the power to decide if, where, and when to invest our digital assets. They also have the power to decide whether or not to return those assets to us. Hot wallets, by definition, are connected to the internet and are hence vulnerable to attacks.

The fact that actors like CZ, the CEO of Paxful, and our partners at ConsenSys all urge self-custody is worth noting, given the events of 2022.

Figure: ConsenSys post

As our CTO, Shahar Shamai has said:

“After the events of 2022, giving a third party control of the institution’s private keys is in the best case a mistake, and in the worst case downright negligent”.

Hacks, Thefts and Crypto Crime

Another topic often talked about in 2022 is hacking and theft, particularly in the DeFi space. Depending on your sources, hacks have been blamed for the disappearance of over $3B in assets already in 2022. Even though the year is not yet over, partial results suggest that 2022 thefts from DeFi protocols already outpace those of 2021.

Figure: Chainalysis crime data. Source: Chainalysis, The 2022 Crypto-Crime Report, Feb. 2022

In late September, Peckshield (@PeckShieldAlert) published the 10 biggest hacks in the DeFi space in 2022. These include Ronin Network, Wormhole Bridge, Nomad Bridge, and more. And with a few more keystrokes, you can find a wide variety of additional exploits which have pervaded the DeFi ecosystem. Bridges were heavily targeted, but they were not alone as hackers found backdoors worth millions into various platforms, players, and protocols. 

A back door to your assets – the Admin Key

It is not often discussed that most programmers of DeFi protocols (or smart contracts) tend to keep for themselves an Admin key or Developer key. This is the key that signs the smart contract uploaded to the blockchain. In almost all smart contracts, the admin key retains some form of ‘superpower’ with which the programmer can control the code post-deployment. These superpowers include permissions for functionality that no one else has, and this is what makes this key another ‘single point of failure’.

Anyone who gets access to the Admin key has control of the protocol. And with this, they in fact control all assets held by the protocol. In one fell swoop, all assets can be siphoned into a hacker’s pocket. 
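As an added illustration (not GK8’s code or any specific protocol’s; the contract and function names and the 2-day delay are assumptions), the following Solidity shows the post-deployment ‘superpower’ described above beside a variant in which the same admin action must be announced on-chain and wait out a delay, giving depositors a chance to withdraw first:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts only (not GK8's code); all names here are assumptions.
// Shared depositor logic: anyone can deposit and withdraw their own balance.
abstract contract Vault {
    address public immutable admin;
    mapping(address => uint256) public balances;
    constructor() { admin = msg.sender; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    function deposit() external payable { balances[msg.sender] += msg.value; }
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

// Pattern 1: the admin key keeps an unrestricted post-deployment superpower.
// Whoever holds that one key can move every depositor's funds in a single
// transaction with no notice: a single point of failure for the protocol.
contract AdminKeyedVault is Vault {
    function emergencyWithdraw(address payable to) external onlyAdmin {
        to.transfer(address(this).balance);
    }
}

// Pattern 2: the same power exists, but it must be announced on-chain and can
// only execute after DELAY, so depositors can see it coming and exit first.
contract TimelockedVault is Vault {
    uint256 public constant DELAY = 2 days; // assumed value
    address payable public pendingTo;
    uint256 public readyAt;
    event SweepProposed(address indexed to, uint256 executableAt);
    function proposeSweep(address payable to) external onlyAdmin {
        pendingTo = to;
        readyAt = block.timestamp + DELAY;
        emit SweepProposed(to, readyAt);
    }
    function executeSweep() external onlyAdmin {
        require(pendingTo != address(0) && block.timestamp >= readyAt, "timelock not elapsed");
        address payable to = pendingTo;
        pendingTo = payable(address(0)); // clear before transferring
        to.transfer(address(this).balance);
    }
}
```

When reviewing a protocol before committing funds, the question to ask is which of these two patterns its privileged functions follow, and who holds the key that can call them.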

Tools and systems

Another avenue that particularly affected the DeFi space is what has been referred to as the vanity address hacks. We reviewed these hacks in great detail in one of our other blogs (here: A Back Door to Your Digital Assets), but the long and short of it is that some ‘cool tools’ are actually putting private keys at risk, as in the case of Profanity addresses.

Here, hackers managed to brute-force the private keys of every 7-character vanity address generated using Profanity. Within a matter of months, millions of dollars’ worth of assets were drained from these addresses.

And the list of challenges continues with smart contract risks, governance risks, compliance challenges, and more. To learn more about how GK8 is addressing the concerns of institutions worldwide, stay tuned for part 3 of this series.

For more information about the GK8 solutions, click here.
