Further Reading: Chapter 25 — The DeFi Risk Stack
Essential Reading
DeFi Risk Frameworks
- Rekt News (https://rekt.news/) — The definitive archive of DeFi exploits, hacks, and failures. Each incident report includes a technical postmortem, financial impact analysis, and lessons learned. The "Rekt Leaderboard" ranks the largest DeFi losses by dollar value. Required reading for anyone evaluating DeFi risk.
- DeFi Safety (https://defisafety.com/) — An independent organization that rates DeFi protocols on security practices including code quality, documentation, testing, and admin controls. Their protocol reviews use a standardized scoring methodology.
- "DeFi Risk: What You Need to Know" by Nassim Nicholas Taleb and Yannis Bakos — A framework for applying tail-risk analysis to DeFi protocols, drawing on Taleb's work on Black Swan events and antifragility.
- "Measuring DeFi Risk" by Gauntlet Network — Gauntlet's risk modeling methodology for DeFi lending protocols, including their agent-based simulation approach to stress testing. Available on Gauntlet's research blog.
Smart Contract Security
- "Smart Contract Security: A Practitioners' Guide" by Trail of Bits — A comprehensive guide to smart contract vulnerabilities, audit methodologies, and security best practices from one of the most respected audit firms in the space.
- "Building Secure Smart Contracts" by OpenZeppelin (https://docs.openzeppelin.com/learn/) — OpenZeppelin's educational resources on smart contract development and security patterns, including their widely used contract library.
- SWC Registry (Smart Contract Weakness Classification) (https://swcregistry.io/) — A taxonomy of smart contract vulnerabilities modeled on MITRE's Common Weakness Enumeration. Each entry includes a description, remediation guidance, and real-world examples.
- Immunefi Bug Bounty Platform (https://immunefi.com/) — The largest DeFi bug bounty platform. Beyond the bounty listings, Immunefi publishes detailed postmortem analyses of major exploits.
Oracle Security
- "The Oracle Problem in DeFi" by Chainlink Labs — Chainlink's technical documentation on oracle design, including discussions of price feed architecture, data aggregation, deviation thresholds, and heartbeat intervals.
- "Flash Boys 2.0: Frontrunning, Transaction Reordering, and Consensus Instability in Decentralized Exchanges" by Daian et al. (2020) — The foundational paper on MEV (Maximal Extractable Value), which is closely related to oracle manipulation risks in DeFi.
- "Oracle Manipulation Attacks: A Taxonomy" by samczsun (https://samczsun.com/) — A classification of oracle attack vectors by one of DeFi's most prominent white-hat researchers.
Governance
- "Governors: Taking On-Chain Governance Beyond Token Voting" by Buterin, Hitzig, and Weyl — Explores alternatives to token-weighted governance, including quadratic voting and other mechanisms that could mitigate the plutocracy problem exposed by the Curve Wars.
- "A Prehistory of DAOs" by Kei Kreutler — Historical context for decentralized governance experiments, from cooperatives and commons management to modern DAOs.
- Curve Finance Governance Forum (https://gov.curve.fi/) — Primary source material for understanding Curve governance proposals, gauge weight votes, and the real-time dynamics of the Curve Wars.
Case Study Deep Dives
Terra/Luna Collapse
- "The Fall of Terra: A Timeline" by The Block Research — A detailed chronological reconstruction of the UST depeg and LUNA hyperinflation, with on-chain data analysis.
- "Lessons from the Collapse of Terra" by Bank for International Settlements (BIS), BIS Quarterly Review (September 2022) — Analysis of the Terra collapse from a central banking perspective, including implications for stablecoin regulation.
- SEC v. Terraform Labs, Do Hyeong Kwon — The SEC's civil complaint against Terraform Labs, which includes detailed factual allegations about UST's design, the role of the Luna Foundation Guard, and the claim that UST was sold as an unregistered security. Available on the SEC website.
Euler Finance
- "Euler Finance: Postmortem" by Euler Labs (March 2023) — The official postmortem from the Euler team, including a technical description of the vulnerability, the attack sequence, and the subsequent negotiation with the attacker that led to fund recovery.
- "The Euler Finance Exploit: A Deep Dive" by BlockSec — An independent technical analysis of the exploit transactions, including annotated traces of each step in the attack.
Curve Wars
- "The Curve Wars Explained" by Delphi Digital — A comprehensive research report on the Curve Wars, including game-theoretic analysis, bribery economics, and the role of Convex and Votium.
- "Convex Finance: The veCRV Kingmaker" by Messari — Analysis of Convex's economic model and its impact on Curve governance.
- "The Curve Ecosystem: A Map" by The Defiant — A visual and narrative guide to the Curve ecosystem, including its governance, pools, integrations, and the protocols that depend on it.
Three Arrows Capital and CeFi Contagion
- "Three Arrows Capital: What Went Wrong?" by Nansen Research — On-chain analysis of Three Arrows Capital's known addresses, tracking their positions in LUNA, stETH, GBTC, and various DeFi protocols during the collapse.
- "Celsius Network Examiner Report" by Shoba Pillay (court-appointed examiner, January 2023) — The independent examiner's report filed in Celsius's bankruptcy proceedings, detailing the company's financial mismanagement, undisclosed losses, and the gap between marketing claims and reality.
Technical Resources
Risk Modeling Tools
- Gauntlet (https://gauntlet.network/) — Agent-based risk modeling platform used by Aave, Compound, and other major DeFi lending protocols to simulate market stress scenarios and optimize risk parameters.
- Chaos Labs (https://chaoslabs.xyz/) — Risk simulation and parameter optimization for DeFi protocols, including real-time risk dashboards for Aave and other protocols.
- DeFi Llama (https://defillama.com/) — The most widely used DeFi data aggregator, providing TVL tracking, yield comparisons, and protocol analytics across all major chains.
Smart Contract Analysis Tools
- Slither (by Trail of Bits) — A static analysis framework for Solidity smart contracts that detects common vulnerabilities automatically.
- Echidna (by Trail of Bits) — A property-based fuzzing tool for Ethereum smart contracts.
- Certora Prover — A formal verification tool that can mathematically prove properties of smart contracts using Certora's specification language.
- Foundry (by Paradigm) — A development toolkit that includes powerful testing and fuzzing capabilities for smart contract security.
On-Chain Monitoring
- Forta Network (https://forta.org/) — A decentralized network of security bots that monitor on-chain activity for suspicious transactions, exploit patterns, and governance attacks. Protocols can subscribe to Forta alerts as an early warning system.
- OpenZeppelin Defender — A platform for smart contract operations including monitoring, alerting, and automated responses to on-chain events.
- Tenderly (https://tenderly.co/) — A development and monitoring platform that includes transaction simulation, alerting, and debugging tools.
Regulatory and Legal
- "Decentralized Finance: Policy Challenges and Approaches" by the Financial Stability Board (FSB), February 2023 — The FSB's assessment of DeFi's financial stability implications and proposed regulatory approaches.
- "EU Markets in Crypto-Assets (MiCA) Regulation" — Full text of the EU's comprehensive crypto regulation, including requirements for stablecoin issuers and crypto-asset service providers. Available from EUR-Lex.
- "DeFi Risks, Financial Stability, and Policy" by the International Monetary Fund (IMF), Global Financial Stability Report (October 2022) — The IMF's analysis of DeFi's systemic risks and regulatory gaps.
- OFAC Specially Designated Nationals (SDN) List — Tornado Cash Designations — The Treasury Department's sanctions designations for Tornado Cash smart contract addresses, available on the OFAC website. Includes the legal basis for sanctioning code.
Podcasts and Media
- Unchained Podcast by Laura Shin — Long-form interviews with DeFi founders, security researchers, and regulators. The episodes on the Terra collapse, Euler hack, and Curve Wars provide first-person perspectives.
- The Defiant (https://thedefiant.io/) — Daily DeFi news and analysis, including detailed coverage of exploits, governance events, and regulatory developments.
- Bankless — Podcast and newsletter covering DeFi developments, including risk analysis segments and interviews with protocol teams.