Inside a DeFi Transaction

Read Time 5 mins | Written by: Yogev Bar-On

Decentralized finance (DeFi) is a collection of applications built on smart contracts that enables use cases like lending, borrowing, liquidity pools, asset fractionalization, NFTs and others – allowing anyone with a crypto wallet to access a set of permissionless financial services. With smart contracts, DeFi makes it possible to replace trust-based contracts with open-source, verifiable code on the blockchain.

Whenever they interact with DeFi applications, users are potentially exposing themselves to risks buried in smart contracts and in the way those contracts communicate with other contracts and nodes on the blockchain. Every stage of a transaction comes with a few potential points of failure that can harm crypto users and their funds. Knowing how to recognize them and operating through a secure infrastructure can help mitigate risks and enable a safer, smoother transacting experience.

Responsible Trading

dApp Authentication

DeFi users interact with a dApp through a frontend interface that is connected to a set of smart contracts. Each dApp interaction is linked to a specific contract, which is called to produce a desired outcome like swapping an asset, lending, borrowing and more. While a user cannot prevent a dApp's frontend from being compromised, there are a few things users can do to reduce the risk of interacting with a compromised dApp.

Verifying a dApp’s integrity is the key to staying safe in DeFi. The most straightforward way to do that is to ensure the user interface is connected to the right set of contracts. The danger of interacting with a fake UI is not in the website itself, but in malicious smart contracts that can drain one’s wallet. Ensuring the website and contract addresses are correct should be the first step in every dApp interaction.

Fordefi’s wallet features a verification mechanism, which validates a dApp’s integrity through an index of smart contract addresses. This helps users escape phishing scams, hacks and the risk of having a compromised wallet. In every interaction, the user is presented with both the dApp name and the contract’s address, confirmed as legitimate by Fordefi’s risk engine. With Fordefi, users outsource dApp validation to the wallet operator, so they can remain focused on trading.

Semantic Verification

Validating a dApp’s source isn’t enough to stay safe in DeFi. Making sense of smart contract requests and their intentions is a key security practice in every transaction. To execute a DeFi transaction, a user must authorize the smart contract to access the funds in their wallet using a cryptographic signature. This step has high risk because the consequences of signing a bad request are catastrophic. Unfortunately, smart contract requests aren’t readable, and only advanced users have the ability to recognize their intentions.

A translation of a signature request can enable the user to understand the contract’s intentions and help protect them from hacks. Fordefi helps users approve smart contract requests with context through its simulation and risk mechanisms, which analyze and warn users of potentially harmful requests. Inside its wallet extension, Fordefi presents users with a message covering all the details of a pending transaction, including the type of action the smart contract will perform and any transferal or approval of funds – giving them full visibility into the transaction and ensuring no unnecessary permissions are granted to the dApp.

Transaction Inclusion

After a user has signed a transaction, it is broadcast to the blockchain network. Nodes in the network then try to include the transaction in the next block.

At this point, a lot can still change, as the transaction isn’t confirmed. Validators have the power to decide which transactions to include in a block and in what order, with gas fees being a key factor in the process. Besides gas fees, which help dictate inclusion in blocks, validators can also profit from other methods like front-running transactions for arbitrage, a practice known as Miner Extractable Value (MEV). 

All these factors introduce challenges in having a transaction confirmed as anticipated. Fordefi enables the optimization of gas fees for a fast inclusion, and the avoidance of MEV through the use of Flashbots. With Fordefi, users can be one step ahead and pick the right settings to have their transactions confirmed fast and with no surprises.

Use Case: Compound

Compound is a decentralized borrowing and lending protocol – users of the dApp provide liquidity to lending pools and receive pool tokens in exchange, which entitle them to a share of the generated yield. With Compound, there are a few different contracts involved with each interaction. For that reason, users seeking to provide liquidity will interact with a different contract than the one allowing asset borrowing. 

Now let’s walk through a supply transaction on Compound.

To supply assets and receive yield tokens, a user must approve a spending request from the contract responsible for minting. In this specific transaction, we supply ETH in exchange for cETH. The image below shows how Fordefi presents this interaction in the wallet extension, enabling the user to understand the contract they are interacting with and get a simulation of the transaction result. After clicking “Create”, the transaction can be approved through Fordefi’s ID authentication.

[Screenshot: the Compound supply screen]

[Screenshot: Fordefi browser extension transaction simulation]

After the transaction is approved and signed, it’s included in the Ethereum network’s verification process to receive a final confirmation – traceable through the transaction ID Fordefi provides. After final confirmation of the transaction, the cETH tokens will appear in the wallet.
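The readable summary that the Semantic Verification section calls for, and the approve-then-mint pair of the Compound walkthrough above, come down to decoding the ABI-encoded calldata of each request and comparing what it grants with what the next step needs. The block below is an added example, not Fordefi's code: it decodes the common ERC-20 calls and the two Compound mint entry points (mint(uint256) for an ERC-20 underlying, and the payable mint() of cETH, where the ETH rides along as the transaction value), renders each as a sentence, and raises flags for the failure modes a wallet should surface: an unlimited approval, a spender that is not the contract the user meant to interact with, a mint aimed at the wrong contract, and an approval larger than the supply that follows it. The selectors are the well-known keccak256(signature)[:4] values; every address and amount is constructed.

```python
# Added example (not Fordefi's code). Decode calldata into a readable intent
# and flag risky approvals; addresses and amounts below are constructed.

SELECTORS = {
    "095ea7b3": ("approve", ("address", "uint256")),
    "a9059cbb": ("transfer", ("address", "uint256")),
    "23b872dd": ("transferFrom", ("address", "address", "uint256")),
    "a0712d68": ("mint", ("uint256",)),  # Compound cToken mint(uint256), ERC-20 underlying
    "1249c58b": ("mint", ()),            # Compound cEther mint(), ETH arrives as msg.value
}
UNLIMITED = (1 << 256) - 1

def decode_calldata(data: str):
    """Return (function name, [args]) or None when the selector is unknown."""
    raw = bytes.fromhex(data[2:] if data.startswith("0x") else data)
    name_types = SELECTORS.get(raw[:4].hex())
    if name_types is None:
        return None
    name, types = name_types
    if len(raw) != 4 + 32 * len(types):
        raise ValueError("calldata length does not match the function signature")
    args = []
    for i, typ in enumerate(types):
        word = raw[4 + 32 * i: 36 + 32 * i]
        if typ == "address":
            if any(word[:12]):  # strict ABI: the 12 leading bytes must be zero
                raise ValueError("address word carries non-zero padding")
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def encode_call(selector_hex: str, *words) -> str:
    """Build calldata for the constructed sample requests."""
    out = bytes.fromhex(selector_hex)
    for w in words:
        out += bytes(12) + bytes.fromhex(w[2:]) if isinstance(w, str) else w.to_bytes(32, "big")
    return "0x" + out.hex()

def describe(tx: dict, expected_contract: str) -> dict:
    """tx = {'to': address, 'value': wei, 'data': hex}; expected_contract is the
    dApp contract the user believes they are interacting with."""
    decoded = decode_calldata(tx["data"])
    if decoded is None:
        return {"summary": "unknown function selector: intent cannot be verified",
                "flags": ["opaque calldata"]}
    name, args = decoded
    same = lambda a, b: a.lower() == b.lower()
    flags = []
    if name == "approve":
        spender, amount = args
        shown = "UNLIMITED" if amount == UNLIMITED else str(amount)
        text = f"allow {spender} to spend {shown} units of token {tx['to']}"
        if amount == UNLIMITED:
            flags.append("unlimited approval")
        if not same(spender, expected_contract):
            flags.append("spender differs from the dApp contract")
    elif name == "transfer":
        text = f"send {args[1]} units of token {tx['to']} to {args[0]}"
    elif name == "transferFrom":
        text = f"move {args[2]} units of token {tx['to']} from {args[0]} to {args[1]}"
    else:  # Compound mint: supply the underlying, receive cTokens
        if args:
            text = f"supply {args[0]} units of the underlying token to {tx['to']} for cTokens"
        else:
            text = f"supply {tx['value']} wei of ETH to {tx['to']} for cETH"
        if not same(tx["to"], expected_contract):
            flags.append("mint targets a contract other than the expected cToken")
    return {"summary": text, "flags": flags}

def check_supply_bundle(bundle, ctoken: str):
    """ERC-20 supply = approve(cToken, amount) on the token, then mint(amount) on
    the cToken. The approval must be scoped to exactly what the mint consumes."""
    problems = []
    for tx in bundle:
        problems += describe(tx, ctoken)["flags"]
    approve, mint = decode_calldata(bundle[0]["data"]), decode_calldata(bundle[1]["data"])
    if approve and mint and approve[0] == "approve" and mint[0] == "mint" and mint[1]:
        if approve[1][1] != mint[1][0]:
            problems.append("approved amount differs from supplied amount")
    else:
        problems.append("bundle is not an approve followed by mint(uint256)")
    return problems

# Constructed stand-ins: an underlying ERC-20, its cToken, and an unrelated address.
TOKEN, CTOKEN, OTHER = "0x" + "0d" * 20, "0x" + "c0" * 20, "0x" + "ba" * 20
AMOUNT = 5 * 10**18
SUPPLY_BUNDLE = [
    {"to": TOKEN, "value": 0, "data": encode_call("095ea7b3", CTOKEN, AMOUNT)},
    {"to": CTOKEN, "value": 0, "data": encode_call("a0712d68", AMOUNT)},
]
BAD_APPROVAL = {"to": TOKEN, "value": 0, "data": encode_call("095ea7b3", OTHER, UNLIMITED)}

if __name__ == "__main__":
    for tx in SUPPLY_BUNDLE + [BAD_APPROVAL]:
        print(describe(tx, CTOKEN))
    print(check_supply_bundle(SUPPLY_BUNDLE, CTOKEN))
```

The bundle check is the part a simulation view adds over plain decoding: each request looks fine on its own, but an approval that exceeds the amount the following mint actually consumes leaves a standing allowance behind, which is exactly the residual permission the text warns about.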

Conclusion

Navigating transaction nuances can be challenging. Using secure gateways to DeFi can help avoid hacks through a set of security standards and data-driven transparency into the blockchain. Fordefi is a DeFi custody solution for institutions, enabling the most advanced dApp interactions through a hot crypto wallet. Our value proposition includes transaction enrichment features that help users navigate smart contract requests and verify their authenticity.

With Fordefi, users can interact with any dApp on Ethereum while having full transaction visibility at all stages:

  • Verify a dApp’s authenticity on the smart contract level. Fordefi indexes the addresses of smart contracts to authenticate validated contracts and warn against potentially malicious contracts.

  • Predict transaction effects. By simulating the result of a smart contract, users can be one step ahead of the blockchain.

  • Mitigate risk and keep users safe from compromised dApps. Fordefi maintains a blacklist of dApps and contracts, preventing users from interacting with them.

Having the right set of tools, in combination with deep knowledge, is the best insurance users can have while using DeFi. In our next blog post, we’ll dive into token approval requests, a topic related directly to DeFi transactions and smart contracts. We’ll explain the types of spending approval requests, their risk profile and best practices for steering clear of malicious requests.

In the meantime, we welcome any questions or comments you may have – we’d love to hear from you on Twitter or LinkedIn. If you’re interested in exploring Fordefi and its custody features, we’d love to show you a product demo – book your demo today at www.fordefi.com

This article was co-written with support from Yanay Prop, a fintech writer and consultant.

Yogev Bar-On

Yogev is a software engineer at Fordefi with over 8 years of experience, previously holding positions at Facebook and Realmode Labs. Yogev has a Master of Science (M.Sc.) in computer science from Tel Aviv University and is also a doctoral (PhD) candidate.