“Most DeFi Hacks are NOT Due to Code Flaws But Due to Financial Loopholes.” – Eren Yecan

Ishan Pandey

Student of law working on code and everything law.
Founder: Blockchain Research


Ishan Pandey: Hi Eren Yecan, welcome to our series “Behind the Startup”. Please tell us about yourself and the story behind Pera Finance?

Eren Yecan: Thanks, Ishan. Pera Finance is a new DeFi project focusing on decentralized trading competitions that aims to bring this popular feature of the centralized exchanges to the DEX space. We have been working on Pera for more than a year now, and it will be launched in June through our partner, DaoMaker, as a SEED SHO offering for their users.

We are a team of six based in Turkey, Spain and the US. All of us come from different engineering and academic backgrounds. My co-founder Utku and I are former academics specializing in structural engineering and neuroscience, respectively. Onur, our COO, comes from the aviation sector as an aeronautical engineer, and Selim, who introduced us to Bitcoin and mining in 2013, is a former mechanical engineer. Ozan, our full-stack developer, is also an engineer and academic, currently located in the US.

We are all long-term friends and blockchain enthusiasts who always wanted to develop our own project. With the advent of DeFi in 2020, we finally understood what cryptocurrencies could actually be used for and started to work with Yasin, our head developer, who has been contributing to the blockchain space for a long time both as an educator and as a developer, to create Pera Finance.

Turkey is amongst the most crypto-adopted countries globally, but there has not been an established global project out of our country yet. With Pera, we hope to put our country on the development map as well and open up a new path for local blockchain enthusiasts.

Ishan Pandey: Recently, the DeFi project Rari Capital was hacked for $10M in Ethereum. In your view, what are the best practices to cyber-secure a DeFi project?

Eren Yecan: Actually, most smart contract hacks in the DeFi space are not related to the code itself but are caused by financial loopholes that hackers exploit via complex flash-loan attacks. As you know, almost all of the hacked smart contracts are audited, some of them maybe more than a few times… Even so, hacks are everywhere and still cause people to lose substantial amounts of their funds. I think the main issue behind these hacks is the lack of financial audits, which the DeFi space desperately needs.

The DeFi space is built upon interoperability between smart contracts, and all DeFi protocols need to interact with other smart contracts to some extent in order to offer the services that people cherish and like to use. Interoperability between smart contracts is a must for creating unique financial instruments for DeFi users, but as a downside, they also carry third-party risks and unforeseen financial exploitations, just as we encountered with the Rari hack you mentioned. That’s why I think financial audits of smart contracts should also be an industry standard as a starting point. This is especially needed for protocols that use external price or pool data to trigger their contracts.

Nowadays, most audit procedures evaluate the mechanics of the code to check whether the contract functions are working correctly or not (which is also quite essential and should be done, of course) but overlook the financial architecture of the contracts due to the complexity and time-consuming nature of this process.

However, DeFi is a newly emerging space, and it is a bit unfair to expect perfect solutions for everything in a short time. I hope that established financial auditing services, mass adoption of decentralized insurance protocols and learning from past mistakes will mitigate this problem once the DeFi space has matured.

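The flash-loan route described above, as an added example that is neither Pera Finance's code nor from the interview: a constant-product pool model in Python, with made-up reserves and block time, showing how one large swap moves the spot price a contract might read, and a TWAP-plus-deviation check (an assumed mitigation, not one the interview names) that limits the damage.

```python
"""Spot price vs. TWAP in a constant-product pool (added example, not Pera code).
Models a Uniswap-style x*y=k pool with constructed reserves: one large swap,
as a flash loan enables, moves the spot price within a block, while a TWAP
plus a deviation check gives a contract a far harder-to-move reference."""
from dataclasses import dataclass

BLOCK_TIME = 12  # assumed seconds per block for the TWAP window


@dataclass
class Pool:
    reserve_x: float  # volatile token
    reserve_y: float  # stablecoin

    def spot_price(self) -> float:
        """Price of one X in Y, read straight from the reserves."""
        return self.reserve_y / self.reserve_x

    def swap_y_for_x(self, amount_y: float) -> float:
        """Sell amount_y of Y into the pool (no fee, for clarity); return X out."""
        k = self.reserve_x * self.reserve_y
        new_y = self.reserve_y + amount_y
        new_x = k / new_y
        out = self.reserve_x - new_x
        self.reserve_x, self.reserve_y = new_x, new_y
        return out


def twap(observations):
    """Time-weighted average over (price, seconds_held) observations."""
    total_time = sum(t for _, t in observations)
    return sum(p * t for p, t in observations) / total_time


def price_is_sane(spot, reference, max_deviation=0.05):
    """Mitigation: refuse to act when spot strays from the reference by > 5%."""
    return abs(spot - reference) / reference <= max_deviation


def simulate_single_block_manipulation():
    """149 quiet blocks at price 1.0, then one block holding a 1000 Y swap."""
    pool = Pool(1_000.0, 1_000.0)
    history = [(pool.spot_price(), BLOCK_TIME)] * 149
    pool.swap_y_for_x(1_000.0)            # reserves become 500 X / 2000 Y
    manipulated_spot = pool.spot_price()  # 4.0: spot quadrupled in one block
    history.append((manipulated_spot, BLOCK_TIME))
    return manipulated_spot, twap(history)  # TWAP only drifts to 1.02
```

A contract that reads the spot price directly would see 4.0 and act on it; one that compares spot against the TWAP rejects the reading, and the attacker would need to hold the skewed reserves for many blocks to move the average.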
Ishan Pandey: Can you explain what a yield farming protocol is? Further, how does it work, and what could its impact be on the banking industry, considering the low interest rates in the EU and other developing nations?

Eren Yecan: Almost all DeFi applications are built upon liquidity pools, which refers to collecting user funds locked in a smart contract to offer financial services like decentralized trading, banking, insurance, and many more. That’s why the need to attract liquidity providers (the people who provide the funds mentioned above) has led many projects to create DeFi-specific and unique income methods to incentivize liquidity providers and gain a user base.

Yield farming is an umbrella term for the income models offered by DeFi applications. Basically, it can be described as supplying your crypto assets to a DeFi protocol as liquidity for its services and, in return, gaining profit in the form of transaction fees, interest, or the native token of the platform.

As you mentioned, low interest rates throughout the world have caused a lot of investors to look for alternative income methods to overcome the low returns of their traditional investment preferences. I think this widespread problem was also one of the most important kick-starters of the DeFi space.

For example, even though yield farming methods are quite varied, most users prefer stablecoin-based farming methods due to the highly volatile nature of crypto assets. These methods are highly similar to traditional banking services. Users lend their dollar-pegged stablecoins to a credit protocol like Aave, Compound, etc., and in return, they gain interest from the borrowers plus the governance tokens of the credit protocols, which have financial value. The interest rates of these credit protocols are much higher than those of traditional banks due to the removal of intermediaries and low operating costs, thanks to the trustless nature of smart contracts.

Soon, all traditional financial institutions, including the banking industry, will need to rethink their services due to the offerings of the emerging DeFi space, which is already a firm competitor even today.

Ishan Pandey: Can you explain how inflationary and deflationary farming works in a decentralized farming protocol?

Eren Yecan: In the yield farming space, distributing native platform tokens to liquidity providers is common. These tokens are generally used for the governance of the underlying protocol and represent a voting share in proposals regarding the platform. Even if their purported utility is the governance aspect, they are also tradable on the open market and have a financial value. That’s why these tokens are mostly used to incentivize liquidity providers to bring their capital to the platform.

All these tokens are earned via liquidity provision. For this reason, yield farming is also known as liquidity mining, because the supplied liquidity, in a sense, mines new tokens for the liquidity providers.

Since the supplied liquidity is needed on a long-term basis by every DeFi protocol, yield farming rewards in the form of native tokens are generated in two different ways for the liquidity providers.

If the farming rewards are generated by increasing the token’s total supply with a pre-set emissions rate, it is called inflationary farming.

Since too much inflation decreases the token value and devalues the farming rewards of the liquidity providers, some other platforms prefer applying a certain transaction fee to their tokens and distributing it to the liquidity providers as farming rewards. This method is called deflationary farming, and it is considered a solution to inflation-based farming, but when transactions in these tokens are not incentivized, deflationary farming methods also lead to low returns for the farmers.

So, both methods have their advantages and disadvantages. That’s why I think that merging these methods in a way that complements each other’s deficiencies would be the best solution for a long-term and sustainable farming experience.

Ishan Pandey: What advice and tips would you give a smart contract developer on how to code a complex smart contract protocol?

Eren Yecan: They have to make sure that they do as much testing as possible and cover every scenario that may occur. Each code path should be tested rigorously to ensure the code returns the expected results every time. When they think everything is ready, they should then try to exploit the code themselves.

As general advice, I suggest they ask themselves where they would attack if they wanted to exploit the code. They should plan how to fix the weak spots in the code or mitigate the exploiter’s possible moves via financial incentives. For example, transaction fees might be considered a financial barrier to prevent exploitation by wash trades or front-running bots. As I mentioned earlier, most of the hacks we have experienced in the DeFi space were not caused by bugs in the code but by deficiencies in the financial infrastructure. I would also recommend getting more than one smart contract audit, and a financial audit if possible.

Most importantly, I suggest they be as familiar with their code as possible. Study the math and structure of your code on paper and familiarize yourself with every single letter of it. When you think that everything is correct, prepare logic maps and analyze all the situations that may occur and how your code should behave in each of them. Although there are very high-quality audit firms in the market, nobody can know your code as intuitively as you once your code gets too complex.

Ishan Pandey: What are your views on the regulations of digital assets and the proposed FATF travel rule guidance, which brings decentralized finance applications under the purview of FATF regulations? Do you think this is a step in the right direction?

Eren Yecan: Regulations are a fact of life, like taxes or death. So, it is quite probable that authorities will start paying attention to decentralized finance applications, especially considering the pace at which the DeFi space is expanding.

As a personal view, I think most of the regulations we are surrounded by in today’s world are prepared by people who are either uneducated or ill-informed about the matter in question, especially when the regulations are tech-related.

Despite that, we are not living in a perfect world, and there are also lots of bad actors, exploitations, or unwanted consequences in the DeFi space, just as in any other industry offering monetary services. That’s why a realistic and easy-to-implement regulatory framework would be a step forward for broader mass adoption and user protection.

Nonetheless, the current proposal of the FATF regulations does not offer a realistic framework, and if it is implemented the way it is proposed, it will definitely hinder the development and uniqueness of the DeFi space.

Ishan Pandey: What is the future of DeFi and what next major innovation are we going to see in the Layer2 ecosystem?

Eren Yecan: I think the future of DeFi lies in cross-chain liquidity protocols, since the mass adoption of DeFi will require better liquidity utilization than the current fragmented structure across multiple blockchains or Layer-2 solutions allows.

In my opinion, most of the liquidity in the DeFi space is either sitting idle in ghost blockchains that have no user base or under-utilized due to the lack of interoperability solutions between blockchains with active users for the time being.

In addition, the current state of Ethereum also causes a big problem for the development of the DeFi space. Therefore Layer-2 solutions seem like the best option we have right now. Even though Layer-2 solutions are gaining traction daily, the current Layer-2 protocols are not fully established in terms of providing seamless and fast bridging solutions that also allow composable DeFi products between multiple Layer-1 and Layer-2 applications. The next major Layer-2 innovation will come in the form of a fully interoperable solution between different Layer-2 solutions and the underlying Layer-1 protocol.

In general, today’s cross-chain protocols have not yet offered a user-friendly and seamless switch between chains, especially for the not-so-tech-savvy users who make up most of the active user base of the DeFi space. I think this problem still needs to be tackled, and it will become a more immediate concern soon, considering the user expansion rate of the DeFi space.

The purpose of this article is to remove informational asymmetry existing today in our digital markets by performing due diligence by asking the right questions and equipping readers with better opinions to make informed decisions. The material does not constitute any investment, financial, or legal advice. Please do your research before investing in any digital assets or tokens, etc. The writer does not have any vested interest in the company. Ishan Pandey, legal researcher at Karm Legal Consultants.