Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
DeFi risks come in many flavors — smart contract bugs, oracle manipulation, liquidation cascades, governance attacks, MEV, depegs. Treating them as a single 'DeFi risk' is how protocols get exploited. Knowing the taxonomy is what makes you a DeFi engineer who can spot issues at design review, not after the exploit.
Classify DeFi risks.
Use these three in order. Each builds on the one before.
In one paragraph, explain the on-chain risk taxonomy and why it matters for designers.
Walk me through how oracle risk leads to economic risk in a typical exploit.
Given a new lending market, design the risk-mitigation stack covering all 10 categories — what specific tooling, configs, and circuit breakers.
1. SMART CONTRACT RISK (the code itself):
Reentrancy, integer overflow, access control bugs
Mitigations: audits, formal verification, bug bounties, time locks
Example: The DAO hack (2016, $60M)
2. ORACLE RISK (price feeds):
Manipulated prices via flash loan + thin-liquidity pool
Stale data feeds
Mitigations: TWAPs, Chainlink, multi-source, circuit breakers
Example: Mango Markets ($114M, 2022) — oracle manipulation
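As an added illustration (not part of this lesson) of the "flash loan + thin-liquidity pool" path and of the TWAP and circuit-breaker mitigations, the Python toy below pushes the spot price of a constant-product pool 4x with one large swap, then shows what a 30-minute TWAP sees and how a 5% deviation guard refuses to price borrows or liquidations on the manipulated block. Block time, window, pool sizes and the deviation limit are constructed assumptions; it models the costlier case where the pushed price is held across one full block boundary.

```python
BLOCK_SECONDS = 12      # assumed block time
TWAP_WINDOW = 1800      # 30-minute window (constructed choice)
MAX_DEVIATION = 0.05    # spot may not differ from TWAP by more than 5%

class ConstantProductPool:
    """x*y=k AMM; price of token0 in token1 = reserve1 / reserve0 (fees ignored)."""
    def __init__(self, reserve0, reserve1):
        self.reserve0, self.reserve1, self.k = reserve0, reserve1, reserve0 * reserve1

    def spot_price(self):
        return self.reserve1 / self.reserve0

    def swap_token1_in(self, amount1):
        """Sell token1 into the pool; returns token0 received. Pushes price of token0 up."""
        self.reserve1 += amount1
        new_reserve0 = self.k / self.reserve1
        out0, self.reserve0 = self.reserve0 - new_reserve0, new_reserve0
        return out0

class TwapOracle:
    """(timestamp, price) samples; each price prevails until the next sample is recorded."""
    def __init__(self):
        self.samples = []
    def record(self, ts, price):
        self.samples.append((ts, price))

    def twap(self, now, window):
        """Time-weighted average price over [now - window, now]."""
        start, weighted = now - window, 0.0
        for (ts, price), (nxt, _) in zip(self.samples, self.samples[1:] + [(now, None)]):
            lo, hi = max(ts, start), min(nxt, now)
            if hi > lo:
                weighted += price * (hi - lo)
        return weighted / window

def guarded_price(spot, twap, max_dev=MAX_DEVIATION):
    """Circuit breaker: None means 'pause borrows/liquidations' rather than trust spot."""
    return None if abs(spot - twap) / twap > max_dev else spot

def simulate():
    pool = ConstantProductPool(1_000.0, 100_000.0)  # constructed thin pool: 1 token0 = 100 token1
    oracle = TwapOracle()
    oracle.record(0, pool.spot_price())             # calm market at 100 from t=0
    t_attack = 151 * BLOCK_SECONDS                  # manipulation lands in block 151
    pool.swap_token1_in(100_000.0)                  # one swap doubles reserve1 -> price x4
    spot = pool.spot_price()                        # 400.0
    oracle.record(t_attack, spot)
    t_next = t_attack + BLOCK_SECONDS               # assume it is held for one whole block,
    oracle.record(t_next, 100.0)                    # then arbitrage restores 100
    twap = oracle.twap(t_next, TWAP_WINDOW)         # 1788 s at 100 + 12 s at 400 = 102.0
    return spot, twap, guarded_price(spot, twap)    # (400.0, 102.0, None): breaker trips
```

A Uniswap-v2-style accumulator only updates once per block using the price at the start of that block, so a manipulation that is opened and unwound inside a single transaction never enters the TWAP at all; the one-block case above is the attacker's best realistic outcome, and it still moves the average by only 2%.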
3. LIQUIDITY RISK:
Cannot exit a position at fair value due to thin order book
"Death spiral" — liquidations cascade as collateral price falls
Mitigations: liquidity reserves, gradual liquidation, position limits
Example: stETH depeg June 2022
4. GOVERNANCE RISK:
Token holders vote in malicious proposals
"Hostile takeover" via flash-loaned voting power
Mitigations: timelocks, quorum requirements, veto authority
Example: Beanstalk ($182M, 2022) — flash-loaned governance attack
5. MEV / FRONT-RUN RISK:
Searchers reorder transactions for profit at user's expense
Sandwich attacks on AMM swaps
Mitigations: private mempools, MEV-protected RPCs, batch auctions
Example: any sandwich attack on Uniswap
6. ECONOMIC / GAME-THEORETIC RISK:
Protocol works in normal conditions, fails under adversarial pressure
"Bank run" dynamics
Mitigations: stress testing, reserves, gradual unlock schedules
Example: Iron Finance ($2B, 2021) — algorithmic stablecoin death spiral
7. BRIDGE RISK (cross-chain):
Centralized bridge operators have admin keys
Validators can be compromised or collude
Mitigations: prefer rollup-native bridges over third-party bridges
Example: Ronin Bridge ($625M, 2022), Wormhole ($325M, 2022)
8. REGULATORY / OFF-CHAIN RISK:
Sanctions on protocol (Tornado Cash)
Stablecoin issuer freezes addresses (USDC freezing post-Tornado)
Compliance enforcement on RFQ networks
Mitigations: jurisdictional diversification, multi-stablecoin support
9. INFRASTRUCTURE RISK:
RPC outage
Frontend hack (e.g. Curve, Bridgemutual)
Front-end injecting malicious approve()
Mitigations: multiple RPCs, IPFS-hosted frontends, hardware wallets
10. KEY MANAGEMENT RISK (operator):
Multisig signer compromise
Single point of failure on admin keys
Mitigations: 3-of-5+ multisig, hardware security, timelocks
Example: Ronin ($625M) — 5 of 9 validator keys compromised
When designing a DeFi protocol, the audit checklist must cover ALL 10.
Most exploits combine 2-3 categories (e.g., oracle + economic + smart contract).