Quiz: Chapter 25 — The DeFi Risk Stack

Quiz: Chapter 25 — The DeFi Risk Stack

Multiple Choice

1. Which layer of the DeFi Risk Stack was exploited in the Euler Finance hack?

a) Oracle risk — the oracle reported incorrect prices b) Smart contract risk — a logic error in the donate-to-reserves function c) Governance risk — a malicious governance proposal was passed d) Bridge risk — a cross-chain bridge was compromised

2. What is a "composability cascade failure" in DeFi?

a) A single smart contract bug that affects multiple functions within one protocol b) A chain reaction where one protocol's failure triggers failures in dependent protocols c) A governance vote that changes parameters across multiple protocols simultaneously d) A regulatory action that bans multiple protocols at the same time

3. The Beanstalk governance attack exploited which specific vulnerability?

a) The protocol's oracle could be manipulated with a flash loan b) The governance system had no timelock, allowing proposals to be created, voted on, and executed in a single block c) The protocol's bridge contract had a signature verification bypass d) The admin key was stored in an insecure location

4. Why is DeFi insurance considered less effective against systemic risks than idiosyncratic risks?

a) Insurance protocols are not allowed to cover systemic events under DeFi regulations b) Systemic events simultaneously trigger claims across many protocols while depressing the insurance pool's asset values c) Insurance premiums are always higher for systemic risks, making coverage unaffordable d) Insurance protocols only cover smart contract risks, which are always idiosyncratic

5. The Iron Finance collapse is an example of which type of failure?

a) A smart contract exploit using a reentrancy vulnerability b) A reflexive death spiral where the stabilization mechanism accelerated the collapse c) An oracle manipulation attack using flash loans d) A governance attack where the team drained the treasury

6. What is the primary purpose of a timelock in DeFi governance?

a) To prevent anyone from voting on governance proposals b) To ensure that governance tokens appreciate in value over time c) To create a mandatory delay between proposal approval and execution, giving users time to react d) To lock user deposits for a fixed period to prevent bank runs

7. Which of the following is NOT one of the eight layers in the DeFi Risk Stack?

a) Oracle risk b) Composability risk c) Inflation risk d) Bridge risk

8. The Tornado Cash sanctions (August 2022) demonstrated which aspect of regulatory risk?

a) Smart contract code can be forcibly removed from the blockchain by regulators b) Regulatory pressure can make a protocol effectively unusable by targeting surrounding infrastructure (front-ends, RPC providers, stablecoin issuers) c) On-chain governance can be overridden by government orders d) Validators can be forced to reverse transactions by court order

9. What distinguishes a flash loan attack from a traditional exploit?

a) Flash loans can only target bridges, not lending protocols b) Flash loan attacks require no initial capital and execute atomically within a single transaction c) Flash loans bypass smart contract security entirely through a protocol-level backdoor d) Flash loan attacks can only steal governance tokens, not other assets

10. The Curve stETH/ETH pool imbalance of June 2022 primarily affected which type of participant?

a) Traders who swapped stETH for ETH b) Borrowers who used stETH as collateral c) Liquidity providers who withdrew and received disproportionately more of the devalued stETH d) Governance token holders who voted on pool parameters

True or False

11. A smart contract audit guarantees that the protocol is free of vulnerabilities.

12. The Wormhole bridge hack was caused by compromised validator keys held by the Lazarus Group.

13. DeFi insurance protocols are themselves subject to smart contract risk, governance risk, and liquidity risk.

14. A protocol with a 2-of-3 multisig and no timelock that can upgrade contracts instantly is meaningfully decentralized.

15. The USDC depeg in March 2023 was caused by Circle's exposure to the failure of Silicon Valley Bank.

16. Formal verification can mathematically prove that a smart contract is completely secure against all possible attacks.

17. Composability risk exists because DeFi protocols can interact permissionlessly, meaning a protocol can become a dependency without the depended-upon protocol's knowledge or consent.

18. The Mango Markets exploit was a bridge hack that compromised cross-chain assets.

19. A high bug bounty reward (proportional to TVL) incentivizes researchers to report vulnerabilities rather than exploit them.

20. Regulatory risk in DeFi can be fully mitigated through better smart contract design.

Short Answer

21. Explain why the Euler Finance hack is considered a landmark case study for the limitations of smart contract auditing. What specific aspect of the vulnerability made it difficult for six audit firms to detect?

22. Describe the trust dependency chain for a user who holds "USDC" on an Ethereum Layer 2 rollup. How many distinct entities must this user trust, and what could each entity do to cause the user to lose funds?

23. Compare and contrast the Iron Finance collapse with the Terra/Luna collapse. What was structurally identical about the failure mechanism? What differed in scale, response, and aftermath?

24. Explain why DeFi's transparency (open-source code, on-chain transactions) is simultaneously an advantage for security and a disadvantage for security. Provide one specific example of each.

25. A new DeFi lending protocol launches with the following characteristics: no audit, $50 million TVL within a week, 15% APY on stablecoin deposits, a single admin key held by an anonymous developer, and no timelock on contract upgrades. Using the DeFi Risk Stack, identify every red flag and explain what risk each flag represents.

Answer Key

1. b) Smart contract risk — the donate-to-reserves function had a logic error that interacted with the liquidation mechanism. The bug was not in the oracle, governance, or bridge systems.

2. b) A cascade failure occurs when one protocol's failure triggers failures in dependent protocols. This is DeFi's unique systemic risk arising from composability.

3. b) Beanstalk's governance had no timelock, allowing the attacker to use a flash loan to acquire governance tokens, propose, vote, and execute a treasury drain in a single transaction (13 seconds).

4. b) Systemic events create correlated claims across many protocols simultaneously while also depressing the value of the insurance pool's assets, potentially leaving the pool insolvent precisely when it is most needed.

5. b) Iron Finance was a reflexive death spiral: TITAN selling reduced IRON's backing, triggering redemptions that created more TITAN selling, in a self-reinforcing loop.

6. c) A timelock creates a mandatory delay between proposal approval and execution, giving the community time to review passed proposals and take defensive action (such as withdrawing funds) if a malicious proposal has passed.

7. c) Inflation risk is not one of the eight layers. The eight layers are: smart contract, oracle, governance, liquidity, composability, regulatory, bridge, and counterparty risk.

8. b) The sanctions demonstrated that regulatory pressure can target the infrastructure surrounding a protocol (front-ends, stablecoin issuers, block builders, GitHub repositories) making it effectively unusable even though the smart contracts themselves continue to function on-chain.

9. b) Flash loan attacks require no initial capital (the loan is borrowed and repaid within a single atomic transaction) and execute atomically (if any step fails, the entire transaction reverts, so the attacker risks only the gas fee).

10. c) Liquidity providers who withdrew from the imbalanced pool received disproportionately more stETH (the devalued asset) and less ETH, effectively absorbing the loss that stETH sellers were trying to offload.

11. False. Audits are necessary but not sufficient. The Euler Finance hack demonstrated that a protocol audited six times by reputable firms can still contain critical vulnerabilities. Audits are point-in-time reviews that can miss novel attack vectors and complex interaction bugs.

12. False. The Wormhole hack exploited a signature verification bypass — it was a smart contract vulnerability, not compromised keys. The Ronin bridge hack was the one involving compromised validator keys by the Lazarus Group.

13. True. DeFi insurance protocols are DeFi protocols themselves and carry the same categories of risk — their smart contracts could have bugs, their governance could be attacked, and their liquidity could be insufficient to pay claims.

14. False. A 2-of-3 multisig with no timelock that can upgrade contracts instantly is effectively centralized. Two of the three keyholders can modify the protocol at will without giving users time to react.

15. True. Circle disclosed that $3.3 billion of USDC reserves were held at Silicon Valley Bank. When SVB failed, uncertainty about whether those reserves would be recovered caused USDC to depeg to as low as $0.87.

16. False. Formal verification can prove that a smart contract satisfies specific properties that are explicitly specified. It cannot prove security against "all possible attacks" because that would require specifying all possible attack properties in advance — and novel attacks exploit properties that were not anticipated.

17. True. Composability is permissionless: any protocol can call any other protocol's public functions. Protocol A can build on Protocol B without Protocol B's knowledge, creating dependency relationships that may not be visible to Protocol B's developers or users.

18. False. The Mango Markets exploit was a price manipulation attack. Avraham Eisenberg manipulated the MNGO token's price on the platform's own markets, then used the inflated collateral value to borrow all available assets. It was not a bridge hack.

19. True. A high bug bounty creates a financial incentive for researchers to report vulnerabilities rather than exploit them. If the bounty is $1 million and the potential exploit would yield $100 million, the bounty may not be sufficient — but it shifts the incentive calculation significantly toward responsible disclosure for many researchers.

20. False. Regulatory risk originates entirely outside the blockchain. No amount of smart contract optimization can prevent a government from sanctioning the protocol, arresting its developers, or requiring compliant infrastructure providers to block access.

21. The Euler hack is a landmark case because the vulnerability was not in a single function but in the interaction between the donateToReserves function and the liquidation engine. The donateToReserves function worked correctly in isolation — it properly transferred eTokens to reserves. What six audit firms missed was the second-order effect: when a user with outstanding debt donated their eTokens, it artificially distorted the collateral-to-debt ratio in a way that made self-liquidation profitable. This demonstrates that auditing individual functions is insufficient; auditors must also analyze how functions interact under adversarial conditions.

22. The user must trust: (1) Circle, to maintain USDC's dollar peg and reserves; (2) the bridge operator, to hold the underlying USDC on Ethereum and accurately mint wrapped representations on the L2; (3) the L2 sequencer, to process transactions honestly and without censorship; (4) the L2's smart contracts (including the rollup bridge), to be free of vulnerabilities; (5) the Ethereum L1 validators, to finalize L2 state correctly. That is at least five distinct entities. Circle could freeze the underlying USDC. The bridge could be exploited, making all wrapped USDC worthless. The sequencer could censor transactions. The L2 contracts could have bugs. The L1 could reorganize, reverting finalized L2 state.

23. Structurally identical: Both Iron Finance and Terra/Luna used an algorithmic mechanism where a stablecoin was backed (partially or fully) by the protocol's own governance/utility token. Both collapsed via a reflexive death spiral where redemptions created selling pressure on the backing token, which reduced the stablecoin's collateralization, which triggered more redemptions. Differences: Scale (Iron Finance lost hundreds of millions; Terra/Luna lost $60+ billion). Terra had a Bitcoin reserve mechanism (the Luna Foundation Guard) that Iron Finance lacked, but it proved insufficient. Terra's collapse had far broader systemic effects, triggering the failures of Three Arrows Capital, Celsius, Voyager, and other CeFi entities. Iron Finance's collapse was largely contained to the protocol itself.

24. Advantage: Transparency allows anyone to verify a protocol's collateral and solvency in real time. For example, when concerns arose about Tether's reserves, DeFi protocols backed by on-chain collateral (like MakerDAO) could be independently verified as solvent by examining their smart contracts — something impossible with an opaque institution. Disadvantage: Transparency also means attackers can analyze smart contract code for vulnerabilities at their leisure and can see exactly how much value a protocol holds (making it a visible target). The Euler attacker could read the donate-to-reserves code, understand its interaction with the liquidation engine, and craft a precise exploit — an advantage they would not have had against an opaque institution.

25. Red flags: (1) No audit = high smart contract risk; the code has never been professionally reviewed. (2) $50M TVL in a week = rapid TVL growth often indicates unsustainably high yields attracting mercenary capital, not genuine demand. (3) 15% APY on stablecoins = significantly above market rates, suggesting either excessive risk-taking or an unsustainable subsidy (potentially a Ponzi-like structure). (4) Single admin key, anonymous developer = maximum governance and counterparty risk; one person can drain all funds at any time, and there is no accountability because the developer is anonymous. (5) No timelock = the admin key can upgrade contracts instantly, meaning a rug pull can be executed in a single transaction without warning. Overall assessment: This protocol exhibits red flags across smart contract risk (no audit), governance risk (single admin key, no timelock, anonymous developer), and economic risk (unsustainable yields). This is a high-probability rug pull scenario. No amount of yield justifies this risk profile.