Your funds aren’t safu!!

Marius · Published in Personal Blog · 8 min read · Dec 23, 2021

[DeFi illustration by Svetlana Tokarenko]

(I was going through my notes and found this article that I wanted to post a while back. Some info might be outdated!)

DeFi or how people think they can get rich in 1 day.

I've been wandering through the crypto dystopia for a while. I'm not going to enter into a debate about whether crypto is good or bad for society long term.

I'm just going to talk a bit about a specific field in crypto: DeFi (Decentralized Finance).

Disclaimer: You will see lots of weird crypto terms throughout this post. I'll try to explain as many as I can.

The Start

At first there was bitcoin. Then Vitalik, a young weirdo, thought to take the concept of decentralization and execute code on it. So Ethereum arose, and smart contracts became the buzzword in crypto (they still are). Because crypto gives power to the many, a peer-to-peer way of interacting financially between individuals without a middle man (a centralized institution) arose. We can finally replace that middle man with code (hail to the code).

There are multiple applications of DeFi like exchanging assets, borrowing/lending money, etc, but the one we will talk about here is Yield Farming.

Yield Farming, according to Google, started with the release of the COMP token, the governance token of the Compound network. A governance token grants some rights to the token holders.

But how do you attract token holders? Usually, you offer them rewards depending on how many tokens they buy and hold: they provide liquidity and "crop" a reward. (For more info, see https://academy.binance.com/en/articles/what-is-yield-farming-in-decentralized-finance-defi#what-started-the-yield-farming-boom.)

There are some big yield farms on Ethereum that were made possible through Uniswap and Sushiswap. More farms started to appear, each one of them coming up with different incentives to attract holders.

But enough with the theory (you can find more info by searching on Google); let's get into the actual story. The story of BSC and yield farming, or how people dive headfirst into Ponzi schemes thinking they will get rich in 1 day.

Due to the high transaction fees on ETH (come on Vitalik, bring that ETH 2.0 faster), lots of people started to move to BSC (Binance Smart Chain); therefore, yield farms on BSC arrived. The mother of yield farms was released in September 2020: Pancakeswap (get used to these weird product names, this is just the start). Pancakeswap is a product on Binance Smart Chain that uses an AMM (Automated Market Maker) model. It does not exchange an asset against an order book (as a normal exchange does); you trade against a liquidity pool. People fill these pools with assets, and they get a reward from the trading fees. After a rough start, Pancakeswap now holds around 9–10B worth of assets.

What exactly can you do on pancake? You provide some liquidity and get a reward based on how much you put in; you earn some interest. Basically, you plant some seeds and crop some food. The reward percentage is usually displayed as APY (Annual Percentage Yield), and pancake offers a nice way of showing you the rewards (attach photo). It looks like a very easy way of getting rich: you put in money and get more out. The question is: from where? Here is the Ponzi scheme: you put money into a system by buying a token at price X and leverage the farm's ability to attract more investors, all of them buying at a higher price, so basically, you get your rewards from future members.

Pancakeswap is safe so far; you get decent rewards by leveraging the farm's ability to attract more investors into buying more (which is what happens right now in crypto anyway), but here come the copycats and scammers. Once pancake's success became astonishing, they released their smart contracts as open source, and with them the possibility for new yield farms to leverage Pancakeswap LPs (liquidity pools). With this ability, new farms started to emerge, some of them legit, but most of them scams.

The Journey

It first started, of course, on pancake around three months ago. I entered a pool, I think it was DEXE-BUSD, and started to get some rewards. Intrigued by the concept, because I did not understand how I was getting free money, I started to look more into it and discovered more farms. And the journey of scams begins.

First I entered a farm called hyruleswap. It looked legit (and still is), and I started to gain higher rewards than what I was earning on pancake, but the risk was also higher due to the lower TVL (total value locked = the amount of assets people have put into that farm) and trust, which means the native token (the token created by the farm to secure liquidity) being very volatile. I started to dig more and more and found more farms, some of them, to a newbie, promising to make you rich in a month or so. After I switched through some more farms, I entered a telegram group of a new farm that was about to start in 2 hours. I did not enter the farm, but I was watching the telegram group. The farm started, and boom, in less than 1 hour I was watching the first scam in progress: people complaining they couldn't withdraw their assets, panic, panic, no admin available to respond. In 2 hours, the website and telegram group were deleted; people's assets were gone.

I was shocked for a bit, trying to understand how that happened; they had an audit from Techrate (one of the audit firms out there who analyze smart contracts for a fee and tell you what that smart contract can do). People misunderstand the concept of an audit and think the audit company will assure them that it is not a scam, but no: their business model is to analyze a smart contract, look for bugs and point them out in a nice PDF. That is what Techrate was doing, I think, at that time. So here starts the journey of smart contract auditing. I knew a little bit of Solidity and had written some smart contracts in the past, but I didn't understand how it happened. So I went to bscscan.com, looked at the contract and compared it with the Techrate audit, and it started to make sense how that was possible. Basically, they did it by using a hook in one of their methods that could withdraw people's funds to the owner's address.

More intrigued by this, I thought it would be a nice journey to audit smart contracts and invest in yield farms for a while, for fun, to learn some more Solidity, and, as I always like to put my money where my mouth is, I committed to investing in the farms I was auditing, to have an incentive.

During my journey into yield farms, I audited over 50 yield farms and invested in about 10, from which I got some good earnings, unreal. But of course, I've also lost some, mostly because I was too late. At first it was easy: I invested in a farm and started to get good gains in the first hours, then the price dropped, and the initial assets I had put in started to decrease due to IL (Impermanent Loss). Still, it was ok due to the gains at first, so I was winning.

Then I got my first scam: the so-called Soft RugPull.

The concept of a RugPull is easy to understand: a scammer creates an asset with high rewards, attracts people, and runs away with the funds. There are 2 kinds of RugPull: Hard and Soft.

A Hard RugPull means the scammer has a function in the smart contract that can move your funds from the pool you provided them to into his own addresses, and you lose all your assets. This one is easier to spot for someone who knows a little bit of Solidity, as you can look at the code and see whether the funds you put in can be transferred to the scammer's addresses. It took me a while to understand the numerous ways this trick can be done: via the MasterChef contract, via the token contract, and so on. Of course, this isn't bulletproof, because there are always ways to hide a function that can steal. But I was safe for now.

A Soft RugPull means the scammer creates a farm and starts to attract investors, then crashes the price by selling the tokens he holds in other addresses, taking the price to almost 0. He always runs off with a good amount of money, and people are left holding an asset worth nothing.

I lost my first money on a soft rug pull until I learned to understand this concept too.

Then, around 4 am on a Sunday, battling my insomnia, I was reading some telegram group, misunderstood a message and entered headfirst into a farm without looking at the code (bad mistake). The first day went by, and I was gaining some good crops. Almost a day had passed, I was out running, and a friend of mine alerted me on telegram that a rug pull on the farm I was in was in progress. The panic started to settle in, and I started to run home faster so I could try to Emergency Withdraw (this is a function in most yield farm smart contracts that lets you withdraw your funds from a pool without getting the rewards; it was originally created so you could withdraw your money in case the website was down and you couldn't access the interface. You could go to bscscan and call a function on the smart contract to withdraw your money and exit the pool). When I arrived home, it was too late: my funds weren't there, the scammer had replaced the original token with a proxy token, and my funds had been moved to ETH through Anyswap. Around 700k worth of assets were stolen in this farm. People started to complain and tried to reach Binance to block the wallet, but nothing could be done, because this is crypto; you need to understand the risks. I was already ok with the losses; they were part of my earnings, a big chunk, but it was my fault that I didn't audit the smart contract.

With my morale a bit down, I committed to getting back to it and earning my money back by investing smarter and not going headfirst into something if it looks too good to be true.

The journey continues, and I might write a second article, as I have more stuff to write about. #hold
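The hard-rug hooks described above (a privileged function that moves pool tokens to the owner, a pool token that can be swapped out for a proxy token) and the emergencyWithdraw exit are the kind of things a quick read of the verified source on bscscan can catch. Below is an added example, not code from the post or from any farm, of a small Python scanner that applies those checks as regex heuristics over MasterChef-style Solidity. The two Solidity samples are constructed for the example and modelled only on the MasterChef layout; the `migrate`/`setMigrator` hook it looks for is the SushiSwap MasterChef pattern, and the "clean" sample is not a claim that any real farm is safe.

```python
# Added example (not the post's code): regex heuristics an auditor can run over a
# farm's verified source before depositing. Both sample contracts are constructed.
import re
from dataclasses import dataclass

@dataclass
class Function:
    name: str
    header: str  # parameters, visibility and modifiers, up to the opening brace
    body: str    # text between the function's outer braces

def extract_functions(src: str) -> list:
    """Cut every function body out of the source by pairing braces."""
    funcs = []
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\(", src):
        brace, semi = src.find("{", m.end()), src.find(";", m.end())
        if brace == -1 or (semi != -1 and semi < brace):
            continue  # declaration without a body (interface/abstract)
        depth, i = 0, brace
        while i < len(src):
            if src[i] == "{":
                depth += 1
            elif src[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        funcs.append(Function(m.group(1), src[m.end():brace], src[brace + 1:i]))
    return funcs

PRIVILEGED = ("onlyOwner", "onlyAdmin", "onlyDev")
# first argument of .transfer( / .safeTransfer( is the recipient
TRANSFER = re.compile(r"\.(?:safeTransfer|transfer)\s*\(\s*([^,]+),")

def scan(src: str) -> dict:
    """Return the red flags found plus the function names seen."""
    flags, funcs = [], extract_functions(src)
    names = {f.name for f in funcs}
    for f in funcs:
        privileged = any(mod in f.header for mod in PRIVILEGED)
        # 1. privileged function pushing pool tokens to someone other than the depositor
        for t in TRANSFER.finditer(f.body):
            recipient = t.group(1).strip()
            if privileged and recipient != "msg.sender":
                flags.append(f"{f.name}: privileged transfer to {recipient}")
        # 2. migrator hook (the SushiSwap MasterChef pattern) that can hand LP to another contract
        if f.name == "migrate" or re.search(r"\bmigrator\s*=(?!=)", f.body):
            flags.append(f"{f.name}: migrator hook can move LP out of the pool")
        # 3. pool token address re-pointable after deposits exist (proxy-token swap)
        if f.name != "add" and re.search(r"\.lpToken\s*=(?!=)", f.body):
            flags.append(f"{f.name}: pool lpToken can be swapped after deposit")
    if "emergencyWithdraw" not in names:
        flags.append("no emergencyWithdraw: cannot exit by contract call if the UI disappears")
    return {"flags": flags, "functions": sorted(names)}

# Constructed sample 1: plain MasterChef-style farm with an exit function.
CLEAN_SOURCE = """
contract MasterChef is Ownable {
    struct PoolInfo { IBEP20 lpToken; uint256 allocPoint; }
    PoolInfo[] public poolInfo;
    function add(uint256 _allocPoint, IBEP20 _lpToken) public onlyOwner {
        poolInfo.push(PoolInfo({lpToken: _lpToken, allocPoint: _allocPoint}));
    }
    function deposit(uint256 _pid, uint256 _amount) public {
        poolInfo[_pid].lpToken.safeTransferFrom(msg.sender, address(this), _amount);
    }
    function emergencyWithdraw(uint256 _pid) public {
        poolInfo[_pid].lpToken.safeTransfer(msg.sender, userInfo[_pid][msg.sender].amount);
    }
}
"""

# Constructed sample 2: same shape plus the hooks the post describes.
RUGGY_SOURCE = """
contract MasterChef is Ownable {
    struct PoolInfo { IBEP20 lpToken; uint256 allocPoint; }
    PoolInfo[] public poolInfo;
    IMigratorChef public migrator;
    function setMigrator(IMigratorChef _migrator) public onlyOwner {
        migrator = _migrator;
    }
    function migrate(uint256 _pid) public {
        PoolInfo storage pool = poolInfo[_pid];
        IBEP20 lpToken = pool.lpToken;
        lpToken.safeApprove(address(migrator), lpToken.balanceOf(address(this)));
        pool.lpToken = migrator.migrate(lpToken);
    }
    function dev(uint256 _pid) public onlyOwner {
        poolInfo[_pid].lpToken.safeTransfer(owner(), poolInfo[_pid].lpToken.balanceOf(address(this)));
    }
}
"""
```

Running `scan(RUGGY_SOURCE)` reports the migrator hook, the re-pointable `lpToken`, the owner-only drain and the missing `emergencyWithdraw`, while `scan(CLEAN_SOURCE)` reports nothing. Regex over source is a triage step, not an audit: it is blind to proxies, delegatecalls and logic in the token contract itself, which is exactly where the post says these hooks also hide, so an empty flag list is a reason to keep reading, not a reason to deposit.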
