Risks and opportunities when yield farming in DeFi

DeFi has attracted billions in capital in recent months. Are the yields too good to be true, or is it information asymmetry between those who know and those who don't?

DeFi, or decentralized finance, is an open financial system built on the blockchain that disintermediates third parties like banks and exchanges, allowing for trustless and non-custodial financial services such as lending, borrowing and saving.

DeFi took off over the past several months, and approximately $80B of capital has been contributed to DeFi protocols through various liquidity mining programs promising high yields from token incentives.

Compound Finance - a decentralized lending platform on Ethereum - was one of the few protocols that started liquidity mining programs. Through its market making strategy, it paid out incentives in its governance tokens (COMP) for user deposits (lenders) and borrows (borrowers) of cryptocurrencies supported on its platform.

For example, users can deposit a variety of cryptocurrencies such as Wrapped Bitcoin (WBTC), Ether (ETH) and DAI and earn interest on them.

Users can also borrow against their deposits within certain limits without a credit scoring process. You pay interest on your borrows, determined autonomously by the protocol, and Compound Finance also pays you in its native COMP tokens to borrow.

Figure: COMP token distribution

Therefore, lenders who borrow against their deposits could benefit from dual rewards, as COMP is paid out on both sides. If one deposits WBTC, borrows WBTC and redeposits the borrowed WBTC, one can earn the borrow and lending yield multiple times.

The explosion of DeFi and liquidity mining programs resulted in another phenomenon known as yield farming, where users switched between protocols to find the highest yields on their deposits.

It also led to the development of yield farming aggregators like yEarn that automatically find the highest yields for depositors within safety limits set by governors of the protocol.


DeFi is nascent but fast-growing, and there's a learning curve to get started. For example, one needs to understand how cryptocurrencies work, how to store them in a wallet, how to manage private keys, how to move funds across blockchains, how to find and research protocols, and so on.

This is several steps beyond where most investors or speculators in crypto currently are: funding a crypto wallet with fiat currency through a regulated on-ramp (step 1), buying cryptocurrencies (step 2) and transferring them into a non-custodial wallet that you control (step 3).

The huge information asymmetry means there are plenty of opportunities to earn a good yield on your investments or even free tokens from airdrops.

For example, early users who interacted with the Uniswap protocol before its token launch were retrospectively given 400 UNI tokens per address, worth US$8K as of this article.

Uniswap wasn't the only protocol that airdropped its governance tokens; many other protocols like 1inch and PoolTogether also airdropped governance tokens to their early users.

Because of how token incentives are given out, early users in a protocol may farm plenty of rewards.

For example, early users of Compound and Curve had the ability to farm rewards at a much higher rate compared to current users as deposits soared.

That's because protocols often allocate a certain number of tokens per epoch or time period, and early users who hold a larger % of the pool or protocol will earn rewards at a faster rate. As deposits flow in, the same amount of tokens allocated for distribution has to be divided pro-rata to more depositors.

In DeFi, early users are often the best rewarded, but they also have to take on huge amounts of risk.


DeFi's high yields don't come without risks. In fact, there are plenty of them that can completely wipe out your deposits in a single protocol.

Protocols have been completely hacked multiple times; some have even been hacked twice or thrice in a row despite having reputable audits done.

EasyFi was compromised in April 2021 for US$59m of funds, as private keys to the network admin MetaMask account had been compromised.

Another project, Alpha Finance, which was audited by top auditors, was exploited as an attacker leveraged a rounding miscalculation in Alpha’s borrow function to recursively borrow ETH from Cream Finance against a growing sUSD debt using flash loans.

Just yesterday, a popular protocol, Popsicle Finance, was compromised for US$20m through a smart contract exploit which allowed the hacker to trick the smart contract into paying out yield from the day it was launched rather than the time of deposit.

As we saw in the three examples, protocols can be compromised in one of many ways, from smart contract bugs in the case of Popsicle Finance, to wallet compromises in the case of EasyFi and flash loans in the case of Alpha Finance.

There are also many other ways for protocols to get hacked, resulting in huge losses for depositors. Some protocols might not be hacked, but they can execute a rug-pull, where they just run off with investors' money by withdrawing liquidity.

In the case of a rug-pull, a malicious protocol can list a token on a decentralized exchange and seed liquidity with an initial pair like ETH. They can pump the token through social media, and the price keeps rising as long as users are buying the token by depositing ETH into the liquidity pool.

As unsuspecting investors chase a token whose price rises sharply, the initial liquidity can be withdrawn, making it difficult for investors to exit. They can also shut down the site, leaving investors with no recourse to their funds in the unregulated world.

One example of a rug-pull is Meekat Finance, a project on the Binance Smart Chain, whose website went offline and social media channels disappeared after being supposedly "hacked" for US$31m.

Staying safe

DeFi is extremely complex, and not many people have the technical knowledge to understand smart contracts, let alone audit them.

However, over the past few months, clones and forks of popular protocols have emerged, many on side chains like Binance Smart Chain and Polygon where retail users have been active - attracted by low transaction fees and easy ramps from Binance, the world's most popular crypto exchange.

Yields are usually positively correlated to risk, and what's advertised as too good to be true should be approached with some caution.

While audits may play some part in alleviating risk, they do not guarantee protection against hacks. Auditors in DeFi are extremely in-demand right now, with charges up to $800 for a day of work. It's easy for protocols to seek 'second-tier' audits from lesser-known auditors who might not have the capabilities for a proper audit.

In the case of liquidity pools, it's wise to understand that if any token in the pool fails, your entire balance will be held in that token, i.e. you could own 100% in a worthless token.

For example, during the Titan Finance saga, which promised 3,190,000,000% yields annually, depositors in the TITAN/DAI liquidity pool lost all of their funds as the price of TITAN collapsed during a bank run - even though the price of DAI was stable throughout and they had contributed liquidity in an equal ratio.
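The pool mechanics behind that loss can be reproduced with a small simulation. This is an added example, not part of the original article: it assumes a fee-less constant-product pool (reserves satisfy x*y=k, the Uniswap v2-style design), a single liquidity provider, and constructed deposit and sell amounts rather than real TITAN data.

```python
from dataclasses import dataclass


@dataclass
class Pool:
    """Fee-less constant-product pool (assumption: titan * dai stays constant)."""
    titan: float
    dai: float

    def price(self) -> float:
        """Spot price in DAI per TITAN."""
        return self.dai / self.titan

    def sell_titan(self, amount: float) -> float:
        """A trader swaps `amount` TITAN into the pool and takes DAI out."""
        k = self.titan * self.dai
        self.titan += amount
        dai_out = self.dai - k / self.titan
        self.dai -= dai_out
        return dai_out


def simulate_bank_run(lp_titan: float, lp_dai: float, sells: list) -> dict:
    """Run a series of TITAN sells against a pool funded by one LP.

    Returns what the LP can withdraw afterwards, compared with simply
    holding the original tokens outside the pool.
    """
    pool = Pool(lp_titan, lp_dai)
    for amount in sells:
        pool.sell_titan(amount)
    p = pool.price()
    return {
        "price": p,
        "lp_titan": pool.titan,                      # TITAN left for the LP
        "lp_dai": pool.dai,                          # DAI left for the LP
        "lp_value_dai": pool.titan * p + pool.dai,   # withdrawal value in DAI
        "hold_value_dai": lp_titan * p + lp_dai,     # value if never pooled
    }


if __name__ == "__main__":
    # Constructed scenario: 1,000 TITAN + 1,000 DAI deposited at 1 DAI per TITAN,
    # then two waves of panic selling push the price down 10,000x.
    for key, value in simulate_bank_run(1000, 1000, [9000, 90000]).items():
        print(f"{key:>15}: {value:,.4f}")
```

In this scenario the sellers walk away with 990 of the 1,000 DAI deposited, and the liquidity provider is left with 100,000 near-worthless TITAN and 10 DAI, even though DAI itself never moved in price.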

Risk in DeFi is also compounded by regulatory risk, as US regulators have been increasingly scrutinizing stablecoins and the wider DeFi ecosystem for money laundering risks and investor protection.

The head of the US Securities and Exchange Commission (SEC) said that they could regulate platforms that advertise an interest rate return on a crypto asset, as these would be seen as similar to mutual funds.

Through it all, it remains to be seen how regulation would work in practice. Till then, DeFi is not going away, and it could change how we bank and transact in the future.
