Introduction of DeFiScan (DeFi Collective)
Source: https://x.com/DeFiCollective_/status/1849405344646402518
Announce of DeFiScan
The DeFi Collective announced the DeFiScan framework, which details the methodology used to analyze protocols and score their decentralization:
DeFi protocols often present themselves as decentralized while retaining external dependencies, such as multisigs or oracles, that make them neither fully reliable nor truly decentralized.
DeFiScan is inspired by L2Beat. L2Beat provides an excellent basis for assessing the decentralization of Layer 2s, with convenient, well-designed dashboards.
Decentralization assessments of DeFi protocols, however, are not easy to perform, and there has been no common basis for doing them.
DeFiScan fills that gap by analyzing centralization risk along five dimensions:
- Chain
- Upgradability
- Autonomy
- Exit window
- Accessibility
This gives a common basis for assessing all kinds of protocols (decentralized exchanges, lending, stablecoin issuers, etc.).
Release is expected next week.
Brice thinks it is L2Beat fork season: he believes that more and more initiatives will appear to make all kinds of assessments in the crypto industry. DeFiScan is one of them, and there will probably be others.
DeFi centralization risks
Chain
A protocol cannot be more secure than the blockchain it runs on. To estimate this risk, L2Beat's stage ratings are used as the reference.
🔴High risk: Layer 2 with a Stage 0 rating (Blast, Scroll...)
🟡Medium risk: Layer 2 with a Stage 1 rating (Arbitrum, Optimism, Base with Fraud Proofs...)
🟢Low Risk: Layer 2 with a Stage 2 rating (no example yet) or Ethereum mainnet
Upgradability
Upgradability refers to the ability of a permission owner to make changes to a DeFi protocol. That permission owner can be a multisig, on-chain governance, or even no ownership.
🔴High risk: Possible updates may result in theft or loss of all funds (e.g. a multisig with no timelock)
🟡Medium risk: Possible updates may materially change the system, or result in theft or loss of unclaimed yields; user funds remain safe.
🟢Low Risk: The system cannot be changed (immutable smart contracts) or possible updates don't change the system.
Autonomy
Autonomy is about the external dependencies of a protocol:
- Lending protocols use external price feeds (oracles)
- Aggregators use external yield sources
- Real World Assets use external custody
Autonomy focuses on the identification of external dependencies and their risk of failure:
🔴High risk: Failure results in theft or loss of user funds (oracle manipulation...)
🟡Medium risk: Failure degrades the performance of the system (lower yields...)
🟢Low Risk: Failure doesn't have an impact on the system
Exit Window
An exit window allows users to withdraw assets before an unwanted update is implemented in a DeFi protocol.
🔴High risk: No protection or exit window < 7 days
🟡Medium risk: Exit window > 7 days
🟢Low Risk: either
- The team has no control over the protocol
OR
- Permissions are transferred to an on-chain governance process with an exit window > 30 days
Accessibility
Accessibility means availability and diversity in user interfaces.
🔴High risk: A single user interface without a backup solution
🟡Medium risk: A single user interface with public access to a backup solution (self-hosting app, decentralized front-end...)
🟢Low Risk: Multiple independent user interfaces
The decentralization stages
Stage 0
This is the first stage of a DeFi protocol where basic requirements give the technology a decentralized foundation.
- Blockchain-based protocol with EVM contracts (non-EVM chains don't count)
- Assets are not in custody by a centralized entity
- Public documentation exists that outlines the protocol and its expected performance
- Source-available codebase
- Verified contracts
Stage 1
In Stage 1, risks from critical permissions and dependencies are significantly reduced by:
- At least a 🟡Medium risk score for Chain, Autonomy and Accessibility
- If Exit Window receives 🔴High Risk, then control over permissions must be transferred to a Security Council
What is a Security Council?
The objective of this step is to eliminate the possibility of a group of insiders abusing their control over a protocol, whether willingly or under coercion.
Requirements:
- At least 7 signers
- At least 50% threshold
- At least 51% non-team signers
- Signers are publicly announced (with name or pseudonym)
Stage 2
In Stage 2, no scenario other than a smart contract hack can result in a loss of funds. The protocol needs 🟢Low Risk for the following:
- Chain
- Autonomy
- Exit Window
- Accessibility
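To make the stage rules concrete, here is an added checker that encodes the Stage 0 requirements, the Stage 1 and Stage 2 conditions, and the Security Council requirements listed above. This is illustrative code written for these notes, not DeFiScan's own tooling: the Protocol, SecurityCouncil and Signer data model, the per-dimension Risk scores taken as inputs, and the sample protocols are all constructed assumptions.

```python
# Added illustration: the DeFiScan stage rules summarized above, as a checker.
# Data model and sample inputs are assumptions for this example, not DeFiScan code.
from __future__ import annotations
from dataclasses import dataclass, replace
from enum import IntEnum


class Risk(IntEnum):
    LOW = 0      # 🟢
    MEDIUM = 1   # 🟡
    HIGH = 2     # 🔴


@dataclass
class Signer:
    name: str       # publicly announced name or pseudonym ("" = not announced)
    is_team: bool


@dataclass
class SecurityCouncil:
    signers: list[Signer]
    threshold: int  # number of signatures required to execute


@dataclass
class Protocol:
    name: str
    # Stage 0 requirements
    evm_contracts: bool
    no_centralized_custody: bool
    public_docs: bool
    source_available: bool
    verified_contracts: bool
    # Risk score per dimension (assumed to come from a completed review)
    chain: Risk
    upgradability: Risk
    autonomy: Risk
    exit_window: Risk
    accessibility: Risk
    security_council: SecurityCouncil | None = None


def security_council_issues(sc: SecurityCouncil) -> list[str]:
    """Return the Security Council requirements that are NOT met (empty = compliant)."""
    n = len(sc.signers)
    non_team = sum(1 for s in sc.signers if not s.is_team)
    issues = []
    if n < 7:
        issues.append(f"{n} signers, need at least 7")
    if 2 * sc.threshold < n:                 # threshold must be >= 50% of signers
        issues.append(f"threshold {sc.threshold}/{n} is below 50%")
    if 100 * non_team < 51 * n:              # at least 51% non-team signers
        issues.append(f"{non_team}/{n} non-team signers is below 51%")
    if any(not s.name.strip() for s in sc.signers):
        issues.append("at least one signer is not publicly announced")
    return issues


def evaluate(p: Protocol) -> tuple[int | None, list[str]]:
    """Return (stage, reasons); stage is None when Stage 0 requirements fail."""
    stage0 = {"EVM contracts": p.evm_contracts,
              "no centralized custody": p.no_centralized_custody,
              "public documentation": p.public_docs,
              "source-available code": p.source_available,
              "verified contracts": p.verified_contracts}
    missing = [k for k, ok in stage0.items() if not ok]
    if missing:
        return None, [f"Stage 0 requirement missing: {m}" for m in missing]

    # Stage 1: at least Medium on Chain, Autonomy, Accessibility ...
    reasons = [f"{d} is High risk" for d in ("chain", "autonomy", "accessibility")
               if getattr(p, d) == Risk.HIGH]
    # ... and a compliant Security Council if Exit Window is High
    if p.exit_window == Risk.HIGH:
        if p.security_council is None:
            reasons.append("exit window is High risk and there is no Security Council")
        else:
            reasons += [f"Security Council: {i}"
                        for i in security_council_issues(p.security_council)]
    if reasons:
        return 0, reasons

    # Stage 2: Low on Chain, Autonomy, Exit Window, Accessibility
    not_low = [d for d in ("chain", "autonomy", "exit_window", "accessibility")
               if getattr(p, d) != Risk.LOW]
    if not_low:
        return 1, [f"{d} is not Low risk" for d in not_low]
    return 2, []


# Constructed sample inputs (not assessments of real protocols)
COUNCIL_OK = SecurityCouncil(
    signers=[Signer("core-dev-1", True), Signer("core-dev-2", True),
             Signer("core-dev-3", True), Signer("auditor-a", False),
             Signer("dao-delegate-b", False), Signer("researcher-c", False),
             Signer("community-d", False)],
    threshold=4)  # 4/7 threshold (57%), 4/7 non-team (57%)
IMMUTABLE_DEX = Protocol("immutable-dex", True, True, True, True, True,
                         chain=Risk.LOW, upgradability=Risk.LOW, autonomy=Risk.LOW,
                         exit_window=Risk.LOW, accessibility=Risk.LOW)
LENDING_WITH_COUNCIL = Protocol("lending-with-council", True, True, True, True, True,
                                chain=Risk.MEDIUM, upgradability=Risk.HIGH,
                                autonomy=Risk.MEDIUM, exit_window=Risk.HIGH,
                                accessibility=Risk.MEDIUM, security_council=COUNCIL_OK)
LENDING_SMALL_COUNCIL = replace(LENDING_WITH_COUNCIL, name="lending-small-council",
                                security_council=SecurityCouncil(COUNCIL_OK.signers[:5], 3))

if __name__ == "__main__":
    for proto in (IMMUTABLE_DEX, LENDING_WITH_COUNCIL, LENDING_SMALL_COUNCIL):
        print(proto.name, evaluate(proto))
```

Note that, as written on this page, Upgradability is not among the dimensions gating Stage 1 or Stage 2, so the checker does not consult it either; it is carried in the model only because a review records it.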
Community involvement
An Open Source Framework
The Collective aimed to make the framework as open as possible: any user who wants to contribute can submit a protocol review sharing their decentralization assessment of a protocol.
There will also be a program in which users are incentivized to submit protocol reviews, and the most relevant ones will be rewarded.
The DeFiScan alliance
Building Stage 1 or Stage 2 DeFi protocols is harder than building other protocols in the ecosystem.
Some teams and projects will therefore offer preferential treatment to builders working toward those stages.
Announcements will be made as DeFiScan becomes better known 👀
The Collective is hiring
DeFiScan will receive protocol reviews from the Collective and from third parties (community, other teams...), so there will be many protocol reviews to handle.
TDC is looking for someone with strong technical knowledge to review all the upcoming reviews (this is a half-time position).