Dezy Pte Ltd UEN: 202116623N, 
68 Circular Road #02-01, Singapore 049422

How do security audits work in decentralised finance (DeFi)?

Dezy Team

Blogger at Dezy
Published on 23.02.2022

"Code is Law."

A key innovation in blockchains is the smart contract.

Related: What is a stablecoin? Bitcoin vs Stablecoin and more.

The humble smart contract has created billions in value and has given mankind a unique way to interact with technology to improve our lives. This is seen most notably through decentralised finance.

Related: What is DeFi? How is it different from Crypto and Bitcoin?

Smart contracts are deterministic: the actions and logic they define execute exactly as written, with no room for interpretation.

The elegance of it is in its simplicity.

Smart contracts are just logical flows we define to make our on-chain life efficient, trustless, and permissionless. Borrowing and lending is a notable example: a simple piece of smart contract logic ensures that borrowers repay their debt and that lenders receive their repayments.

Since the rules of the game are governed by code, we often hear the phrase "code is law".

This simply means that the smart contract is the ultimate judge and jury of what gets executed. In aggregate, this is powerful because it removes subjectivity from decision-making. However, it also means that a mistake in the logic is executed just as faithfully as the intended behaviour, so we have to take a robust approach to defining and coding smart contract logic.

Peer review and audits are the common ways to ensure developers have not missed anything that would make their code unsafe to use.

How is code audited?

It’s no surprise that banks are subject to numerous hacking and phishing attempts. We've all heard about the recent phishing scams locally, which resulted in over 8.5 million in customer funds being lost.

Hacks on banks often don't result in funds actually being stolen, but data breaches have hit many of the big banks globally. In most cases, funds are held in bank accounts, so they are generally protected from theft (unless someone robs a vault). However, the cost of that protection is an immense infrastructure, with lots of red tape, major overheads, and a plethora of capital inefficiencies.

Banks must spend a lot to keep security high, and that cost is ultimately passed on to the customers, often in ways that are not obvious; see my deep dive into how decentralised finance cuts out the middle men.

Related: How are DeFi yields generated?

Smart contracts are an elegant way to let code sit on a secure, decentralised settlement layer (for example, Ethereum). The core benefits of using a blockchain and smart contract infrastructure are capital efficiency and permissionless access. However, there are risks in code. Code, just like any other system, must be audited.

It’s very common for builders on smart contract platforms, and for infrastructure such as Dezy, to get their code audited. This is similar to a financial audit, but for finance governed by code.

A third party with vast experience in smart contracts comes and reviews the smart contract logic, looking for “attack vectors”: the ways a bug or design flaw could be exploited by someone who wants to take funds or break the protocol. Because we are dealing with real money and people’s finances, the implication of a bug can be loss of funds, and because on-chain transactions are final, lost funds can be very hard to recover.

Auditing is a DeFi industry norm, and there are many excellent auditing firms with vast experience in this space. These firms have generally done thousands of audits for other protocols and can draw on that experience. They are also in close touch with white hat hackers, who regularly point out potential bugs across the DeFi ecosystem.

What does an Audit look like?

Audit firms review your code line by line, check it against established best practices for smart contract logic, and flag every place where it deviates from them, typically graded by severity (critical, high, medium, low, informational).

Due to the open-source ethos of the cryptocurrency industry, there is a rapidly growing body of publicly available code. Battle-tested code is often made public and copyable by anyone. This lets developers build on top of battle-tested code, and it is also how audit firms check that smart contracts and other software logic carry a lower risk of critical vulnerabilities: reviewers compare what they see against patterns that have already survived real attacks. Audit firms not only see many projects, they are also actively called in when vulnerabilities are detected, which keeps growing their knowledge of the potential attack vectors.

DeFi projects often publish the audit findings to the public, so there is transparency. Bug bounties are also common (as they are at Web2 software companies) to reward white hat hackers for pointing out potential bugs in the code. The expectation that audit reports themselves are public is much more distinctive of DeFi, and a welcome change in how we look at trust in a modern financial system.

No such thing as a free lunch.

Ultimately, there is no free lunch, and everything comes with risks.

We see plenty of attack vectors in traditional banking, notably through phishing scams that banks have a hard time stopping.

Recently there have been big scams in the news, so our responsibility to manage our funds and stay alert is ever increasing. Similar attack vectors exist in DeFi as well. However, when code is law, it is far more difficult for an attacker to “break” well-audited and battle-tested code. An audit reduces that risk; it does not remove it, and audited protocols have still lost funds, which is why audits are combined with bug bounties and other measures.

One might argue that, in certain instances, smart contracts are more secure than traditional centralised infrastructure, and on-chain transactions are fully traceable, which helps in locating stolen funds.


So how does Dezy factor into all this?

Dezy is a business building on top of decentralised finance protocols. Dezy takes your cash, converts it to dollar-denominated stablecoins, and deposits them across a range of DeFi protocols. Absorbing both blockchain fees and forex fluctuations, Dezy offers up to 5.65% a year, with zero fees and no lock-in.



Decentralised finance is an emerging field with fluid regulations. Learn more about the risks involved.

About the Author

Dhruv Sahgal

Dhruv Sahgal is a crypto investor, advisor and NFT collector. Sahgal is passionate about seeing the wider adoption of blockchain technology. Connect with him on Twitter, or LinkedIn.



    Dezy Pte Ltd UEN: 202116623N, 80 Robinson Road, #08-01, Singapore 068898
    1. Decentralised finance is an emerging field with fluid regulations and not without risk.
    2. Dezy is not licensed by the Monetary Authority of Singapore.
    3. Learn more about how we mitigate risk for consumer protection with insurance, diversification, and technical security measures.
    4. Dezy insurance coverage applies only to certain assets / protocols where insurance is applicable. Learn more about insurance.