CSA GCR Blockchain Security Working Group Lead 黄连金 (Ken Huang) Invited to Speak at the 2021 Global Digital Asset & Finance Conference
  • 2021.02.05
From January 27 to 29, the "2021 Global Digital Asset & Finance Conference" was held in Seoul, South Korea. It is a specialist digital-asset finance conference attended by digital-asset finance companies from South Korea, the United States, China, Singapore, the European Union and elsewhere. Its aims were to discuss the current state and outlook of the global digital asset market and the drafting of digital asset property law, to offer investors direction on the future financial development of the digital asset market, and to share core information from the digital asset finance ecosystem.

黄连金 (Ken Huang), lead of the Cloud Security Alliance Greater China Region Blockchain Security Working Group, attended the conference by invitation and delivered an online talk titled "Ten Properties of an Excellent DeFi Project". Other speakers included Annabelle Huang, partner at Amber Group; Jade Chen, vice president of ChainUp; 鲁镇雨, representative director of Hexlant; 于佳宁, president of Huobi University; 李弦雨, co-representative director of Xangle; and 李升焕, representative of Coinness.
 

Attached: transcript of "Ten Properties of an Excellent DeFi Project"
 

Hello everyone, my name is Ken Huang, and I would like to talk about the top 10 good properties of a DeFi project. As you all know, in 2020 DeFi grew exponentially, from less than 1 billion in value locked to over 22 billion now. In 2021 that growth will continue, because DeFi projects are the next generation of open finance and have good properties in terms of inclusiveness, censorship resistance, global reach, etc. So how do we evaluate a good DeFi project? I will give you 10 properties that you can look for. This is not really investment advice but more like advice for researching good projects; then you do your own homework. So I will lay out a few properties that you can look for, and you can use these properties to search for good projects. I will not tell you about particular projects, but I will give you a method. So now, let's begin!


The first method is Cost Optimization, meaning that a good DeFi project will have a good smart contract code base which reduces the gas cost. It will basically invoke many different contracts, because it is money Lego. So a DeFi project is usually calling different smart contracts, and if there is no optimization, the gas cost is expensive. There are other ways to reduce the cost and increase the performance, such as layer 2 technologies using optimistic roll-ups, or another way is zero-knowledge roll-up technologies. Those kinds of roll-ups at layer 2 could potentially reduce the cost as well. Another is using cross-chain, such as Polkadot or Cosmos; a DeFi layer built on top of that can potentially reduce the cost. A good DeFi project can let you choose from which chain you consume the gas, so you can potentially reduce the overall cost. So the first property you need to look at is Cost Optimization.


The second one is Smart Contract security. You may ask, "I am just an investor, I do not know the smart contract." That's true, but there is something you can do. A good DeFi project has at least 1, or maybe up to 3 or 4, independent third-party security companies looking at the smart contract security to validate whether the contract is secure or not. Another way is to look at insurance protocols which provide insurance against smart contract security problems, insurance protocols such as Nexus Mutual, Cover and Opyn. Those protocols could potentially be leveraged by a new DeFi project. A good DeFi project could open up a pool in Nexus Mutual or Cover, basically shield mining their own token as a guarantee of the security of their smart contract. These are two areas to look at. As a developer, you can follow some security guidelines. Some people may know that I am the chairperson of the Cloud Security Alliance in the Greater China Region. We recently published a white paper on Smart Contract Security. In 2018, I published a book; we devoted all of chapter 3 to smart contract security. Those can be good references. Others, like OpenZeppelin and ConsenSys, all have good smart contract guidelines. Smart contract security is important because a lot of DeFi projects got hacked due to smart contract problems. Once the smart contract is deployed, it is there on the blockchain, so you cannot stop it, unless you implement what is called a Pausable interface, so that you can pause it. With a smart contract, you can lock lots of funds. Once the funds or coins are stolen by hackers due to a contract error, you cannot get them back.
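The Pausable interface mentioned above, as an added illustration that is not part of the talk or of any CSA publication. The `PausableVault` contract, its `guardian` role and the decision to leave `withdraw` ungated are all assumptions of this example: a guardian (meant to be a multisig or DAO address, not a single key) can halt the entry points an exploit would abuse, while users keep the ability to take their own funds out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: a vault with a pause "circuit breaker".
/// New deposits stop while paused; withdrawals deliberately stay open so that a
/// pause can never be used to trap user funds.
contract PausableVault {
    address public guardian;                 // assumption: a multisig or DAO, not an EOA
    bool public paused;
    mapping(address => uint256) public balances;

    event Paused(address by);
    event Unpaused(address by);

    modifier onlyGuardian() {
        require(msg.sender == guardian, "not guardian");
        _;
    }

    modifier whenNotPaused() {
        require(!paused, "paused");
        _;
    }

    constructor(address _guardian) {
        require(_guardian != address(0), "zero guardian");
        guardian = _guardian;
    }

    /// Emergency stop: only the guardian may flip the breaker.
    function pause() external onlyGuardian {
        paused = true;
        emit Paused(msg.sender);
    }

    function unpause() external onlyGuardian {
        paused = false;
        emit Unpaused(msg.sender);
    }

    /// Money coming in is gated by the breaker.
    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
    }

    /// Money going back to its owner is NOT gated by the breaker.
    function withdraw(uint256 amount) external {
        uint256 bal = balances[msg.sender];
        require(bal >= amount, "insufficient balance");
        balances[msg.sender] = bal - amount;        // update state before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

The choice of what to gate is the security-relevant part: every state-changing entry point that an attacker could drive (deposits, swaps, borrows) sits behind `whenNotPaused`, while the user's exit does not, which is what the "Self Control" property later in the talk asks for. Who holds the guardian key is the subject of the key-management property below.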


The third property we should look at is, since this is a DeFi project, No KYC. You don't need to register or provide a name. The key belongs to you. If a DeFi project asks you to register, even with an email, even without KYC, it is not a good DeFi project. Usually you should just use your own MetaMask or other wallet. You can just sign in with your own wallet without providing an email, phone number or even your passport. You don't need that. That is the third property: a good DeFi project has no KYC requirement.



The fourth property is that it will try to reduce Composition Risk. As you know, most DeFi leverages financial primitives, or Money Legos. The underlying protocols are necessary to build a strong DeFi project. Things like Compound are built on other properties or protocols; Synthetix is also built on top of other primitives. If the underlying protocol has not been heavily audited or used frequently in the past, then it is not secure enough, and you would need to take a look into that as well. Usually a good DeFi project has to be built on time-tested or battleground-tested protocols to minimize the composition risk, because if one of the underlying protocols has a risk, it will certainly impact you. There is also some correlation risk: you correlate a few underlying protocols together, and if one has a problem it may impact the others, which will certainly impact the DeFi project that is based on those protocols. So you should definitely take a look into composition risk, look at the white paper, and know a little more before you invest.


Fifth is really key management. Currently, and mostly when DeFi projects start, they may be using only a single key to deploy the project or smart contract, and that smart contract could potentially be upgraded. The properties or parameters of the smart contract can be changed by a single person, or liquidity can be withdrawn by a single person. That has happened in the past. SushiSwap is a famous example: one of the creators was able to withdraw the liquidity from SushiSwap. Eventually the fix was to have multiple signatures, another name for which is a multisig address, used to deploy the project. In the SushiSwap case, you can change the owner to a multisig address. This is one possibility. The best solution is actually having a DAO, a Decentralized Autonomous Organization, to manage the smart contract, so you have a voting mechanism. There is no perfect DAO, but having a DAO is better than having none. Having a multisig external address for smart contracts is better than having a single-signature address. Of course, even with multiple signatures you still have to deal with the issue of how you can prove these multiple signatures are actually multiple people and not one person. In some cases one person can hold 3 signatures, and this does not help. This needs to be managed by multiple people. Example: if 3-out-of-5 multiple signatures are used, 5 people hold keys, and with 3 signatures you can withdraw the funds from the multisig address. You have to have 5 people hold them. Key management is very important. Some DeFi projects do very well; however, I would say most don't do well.
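The 3-out-of-5 arrangement described above, written out as an added example that is not from the talk or from SushiSwap. The `MultiSigOwner` contract and its `propose`/`confirm` flow are this example's own design: a protocol action (a pause, a parameter change, a liquidity withdrawal) is a proposal that executes only once `threshold` distinct signer addresses have confirmed it, so a contract whose owner is this address can no longer be moved by one key.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: minimal M-of-N multisig that can own a DeFi contract.
/// Deploy with 5 signer addresses and threshold 3 for the 3-out-of-5 case.
contract MultiSigOwner {
    event Proposed(uint256 indexed id, address target, bytes data);
    event Confirmed(uint256 indexed id, address signer);
    event Executed(uint256 indexed id);

    struct Proposal {
        address target;          // contract to call, e.g. the protocol's vault
        uint256 value;           // ETH to forward with the call
        bytes data;              // encoded function call, e.g. pause() or setFee(...)
        uint256 confirmations;   // distinct signer addresses that confirmed
        bool executed;
    }

    address[] public signers;
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold;
    Proposal[] public proposals;
    mapping(uint256 => mapping(address => bool)) public confirmedBy;

    modifier onlySigner() {
        require(isSigner[msg.sender], "not a signer");
        _;
    }

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        for (uint256 i = 0; i < _signers.length; i++) {
            address s = _signers[i];
            // the same address cannot be counted twice towards the threshold
            require(s != address(0) && !isSigner[s], "invalid or duplicate signer");
            isSigner[s] = true;
            signers.push(s);
        }
        threshold = _threshold;
    }

    receive() external payable {}

    /// A signer proposes an action; proposing counts as the first confirmation.
    function propose(address target, uint256 value, bytes calldata data)
        external
        onlySigner
        returns (uint256 id)
    {
        proposals.push(Proposal(target, value, data, 0, false));
        id = proposals.length - 1;
        emit Proposed(id, target, data);
        confirm(id);
    }

    /// Each signer may confirm once; the action runs when the threshold is met.
    function confirm(uint256 id) public onlySigner {
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!confirmedBy[id][msg.sender], "already confirmed");
        confirmedBy[id][msg.sender] = true;
        p.confirmations += 1;
        emit Confirmed(id, msg.sender);
        if (p.confirmations >= threshold) {
            _execute(id);
        }
    }

    function _execute(uint256 id) internal {
        Proposal storage p = proposals[id];
        p.executed = true;                      // mark before the external call
        (bool ok, ) = p.target.call{value: p.value}(p.data);
        require(ok, "call failed");
        emit Executed(id);
    }
}
```

What the contract can and cannot guarantee matches the caveat in the talk: the duplicate check in the constructor ensures five distinct addresses, but nothing on-chain proves that five different people hold those keys. That part of the control is organisational, which is why the talk treats a DAO vote as the stronger option.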



Another property is Rug Pull. Rug pull means an anonymous team; people don't know who is behind the DeFi project, and it's not audited. Once there is enough liquidity, they pull the rug, meaning they withdraw the funds from the pool. It's an exit scheme. This is not good. You need to prove that it's not possible to do the rug pull. This is associated with the last one: you have to make sure the key management is in place. You have to make sure that the team has actual names behind it. Verify via accounts on Twitter, LinkedIn and Medium with real names and photos, and people knowing of this person from previous projects or universities. If there is no real person behind it and it is anonymous, you need to be very careful, especially when the smart contract is not audited, which is another red flag, and also where there are no multiple signatures in place. Rug pulls have happened in DeFi and you need to be careful.


The seventh property is Fair Launch. Fair Launch basically means there is no VC funding, no pre-mining and no owner reward. It may have developer funds that are approved by the DAO organization to give founders incentives, but that has to be voted on by the DAO. This is called Fair Launch, meaning that the launch is fair to everybody. So if you participate early you might get some reward, but not too much. If you participate early and get too much reward, that is not fair either. It is fair to have a good curve. One idea is to have a bonding curve: you bond your token price to the overall participation in the ecosystem, or the overall capital invested in your token. This is fair to everyone; even the late participants can still take advantage of the whole ecosystem, and the early participants can have a slight advantage to bootstrap the ecosystem. This Fair Launch will become more important in the future.
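A bonding curve of the kind described above, as an added example that is not part of the talk. The `BondingCurveSale` contract, its linear curve and the `slope` parameter are this example's own assumptions: the price of the next token rises by `slope` wei for every token already minted, there is no pre-mine, and the ETH paid in is the reserve that pays sellers back along the same curve.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Added example: a linear bonding curve sale with no pre-mine.
/// The k-th token ever minted costs slope * k wei, so the cost of a batch is the
/// discrete sum of prices over the tokens it adds. Tokens are whole units here.
contract BondingCurveSale {
    uint256 public immutable slope;     // wei the per-token price rises per token minted
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;

    constructor(uint256 _slope) {
        require(_slope > 0, "zero slope");
        slope = _slope;
    }

    /// Spot price of the next token at the current supply.
    function currentPrice() public view returns (uint256) {
        return slope * (totalSupply + 1);
    }

    /// Sum of slope*(s+k) for k = 1..amount, starting from supply s.
    function _area(uint256 s, uint256 amount) internal view returns (uint256) {
        return slope * (s * amount + (amount * (amount + 1)) / 2);
    }

    /// Cost to mint `amount` tokens on top of the current supply.
    function costToMint(uint256 amount) public view returns (uint256) {
        return _area(totalSupply, amount);
    }

    /// Refund for burning `amount` tokens: the same area, walked back down the curve,
    /// so the reserve is always exactly enough to pay every holder out.
    function refundForBurn(uint256 amount) public view returns (uint256) {
        require(amount <= totalSupply, "exceeds supply");
        return _area(totalSupply - amount, amount);
    }

    function buy(uint256 amount) external payable {
        uint256 cost = costToMint(amount);
        require(msg.value >= cost, "underpaid");
        totalSupply += amount;
        balanceOf[msg.sender] += amount;
        if (msg.value > cost) {                 // return any overpayment
            (bool ok, ) = msg.sender.call{value: msg.value - cost}("");
            require(ok, "refund failed");
        }
    }

    function sell(uint256 amount) external {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        uint256 refund = refundForBurn(amount);
        balanceOf[msg.sender] -= amount;        // update state before paying out
        totalSupply -= amount;
        (bool ok, ) = msg.sender.call{value: refund}("");
        require(ok, "payout failed");
    }
}
```

With `slope` set to 1e15 wei (0.001 ETH), the first 100 tokens cost 1e15 * 5050 = 5.05 ETH in total and the next 100 cost 1e15 * 15050 = 15.05 ETH, which is the "slight advantage" for early participants the talk describes rather than a free allocation. Because `refundForBurn` walks the same curve, the contract's ETH balance always equals the refund for the entire supply, so late participants are not left holding an unbacked token.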


The eighth property is Self Control. This means it must be your wallet; the private key is yours. There is no centralized key management, and if you need to withdraw, you don't need to ask for approval; you can withdraw immediately. This is very important; it's essential to DeFi.


Ninth - this one is quite obvious. DeFi has to be a financial application. Anything finance related, such as lending applications and DEXs (Decentralized Exchanges) of different kinds. People may know that you have AMM-based, order-book-based and aggregator DEXs, like 1inch, which aggregates different types of DEXs. These are financial applications. Maybe the derivatives or Synthetix types of projects, where you can have real-world equity, stock or gold; these can be "synthesized" into a token. There are a lot, such as stablecoins of different types. You can have fiat-collateralized stablecoins, such as USDT and USDC. You can have digital-asset-collateralized stablecoins, like DAI, which uses Bitcoin or ETH as collateralization. You may have algorithmic stablecoins like Basis Dollar or ESD, those kinds of things. Those are financial applications.


Finally, it has to be Open Source. You have to prove that it cannot be cheated and that there is no insider trading. You have to be able to prove your innocence. There is no front running. There is the potential for front running in DeFi projects, but if you organize your structure well, you can decrease these possibilities. You have to be fair to everyone. You grow the whole pie so that everyone can participate. If the DeFi project is only for a few people, then only a few people will participate and it will die. The idea is to have more people participate to grow the pie.


In summary, there are 10 properties of a good DeFi project. In 2021 you still have the chance to invest in good DeFi projects, but you have to look for these properties.

 

 

Thank you everyone! Hope everyone will have a good new year in 2021!