Despite sharing similar objectives, Bitcoin and DeFi have very different development cultures, especially when it comes to security
The development of Bitcoin and DeFi networks is at once similar and very different. While developers supporting the growth of Bitcoin and DeFi collectively seek to provide an improved, open system of finance, the methods used to implement network updates differ significantly. Here, we’ll look at some of those differences.
- Bitcoin and DeFi share the same goal of decentralizing finance
- They exhibit very different dynamics: DeFi development is fast-moving, whereas Bitcoin development is cautious
- DeFi’s development culture favors experimentation and rapid iteration
- Bitcoin’s development culture values stage-gate development and long-term roadmapping
- There is pressure on DeFi projects to become more risk-aware
Bitcoin and DeFi’s shared goal
Four months ago, little more than $1 billion was locked in DeFi (decentralized finance) projects. Now, there is $10 billion. This is still significantly less than Bitcoin’s $200 billion market capitalization, but such fast growth has brought DeFi to the forefront for crypto investors and traders.
The goal of decentralizing finance surely resonates with Bitcoin supporters. In fact, Uniswap, a decentralized protocol used to swap tokens over the Ethereum blockchain, states that its team has been “long committed to the ideals of permissionless access, security, and immutability”. If that sounds familiar, it’s because these are the same values the Bitcoin community has cherished since day one. DeFi and Bitcoin seem to share both their goal and their values but their culture and dynamics couldn’t be more different.
DeFi’s exciting pace
No day in DeFi is eventless, whether it be a hack, a new token gaining 400% in value in 24 hours, a famous developer disappearing, hacked funds being refunded, said developer reappearing, etc. DeFi seems to combine the rich narrative of a Netflix series with the hectic pace of TikTok. This buzzing environment is not without risks, however. To take only a handful of recent examples: on the 13th of August, the two-day-old YAM project fell from $60M to $0 in 35 minutes; on the 2nd of September, the ‘Hotdog’ token went from $4000 to $1 in five minutes; on the 14th of September, the bZx protocol was attacked for the 3rd time in the year and lost $8M because of faulty code; on the 29th of September, a hacker drained $15 million out of the Eminence Finance contract — of which he returned $8M right after.
While these examples highlight the potential drawbacks of DeFi, it cannot be overlooked that these risks are made possible only because of the very fast pace of development. Notably, in the span of just a few months, the DefiPulse list of applications has grown to more than 150 applications, and counting.
If DeFi is risky, fast, and exciting, Bitcoin in comparison could appear safe, slow, and boring.
During the same period (August 13th to September 29th), Bitcoin’s price hovered between $11,500 and $10,700. Everything seems to move at a slower pace: Bitcoin developers are usually funded on a six-month basis at minimum, and the biggest change at the protocol level has been in progress for nearly two years and may not be implemented for another year. The main news recently has been that of publicly traded companies adding Bitcoin to their treasuries, sometimes in significant proportions. The two ecosystems’ dynamics are very distinct, a result of their development cultures and approaches to security being profoundly different.
It may seem to some in DeFi circles that Bitcoin development is infrequent. Even though this is far from accurate, it remains true that Bitcoin developers are intensely security-focused, and therefore much more risk averse than DeFi developers. This is especially true at the protocol level, because it is the most sensitive. Bitcoin application developers such as OKCoin’s Developer Grant recipient BTCPayServer, on the other hand, tend to ship very quickly. At the protocol level, the proposed changes are called “Bitcoin improvement proposals” and need to be evaluated by a number of other Bitcoin developers. Every aspect of the process is designed to ensure the adoption mechanism remains as decentralized as possible. OKCoin’s Independent Developer Grant recipient, Amiti Uttarwar, and OKCoin’s Content Lead, Olivia Lovenmark, published a simple but detailed explanation of the process.
To improve Bitcoin’s security, it is also crucial to relentlessly test and review the code before publishing it. In fact, this is what the latest recipient of OKCoin’s Independent Developer Grant, Marco Falke, has been working on for years now. There are also two external factors limiting the speed of innovation at the protocol level in Bitcoin: on one hand, it is inherently time-consuming and difficult to reach consensus about a significant change in such a wide and distributed system; on the other, since Bitcoin is open source, it has a structural shortage of reviewers. Secure innovation therefore takes time to be deployed in Bitcoin. The DeFi culture, on the other hand, is oriented towards experimentation and rapid iteration.
The DeFi ecosystem is focused on building and shipping products quickly. Andre Cronje for instance, the developer behind the Yearn.Finance protocol, claims in his Twitter bio that he is “testing in production,” a way to warn that his code may be buggy when it is first published. This kind of approach is inherently risky when one deals with a $500M market capitalization.
Two resources DeFi projects use to mitigate such risks are audits and bug bounties. Most big DeFi projects have paid external audit companies to review their code and track vulnerabilities. Most also offer bug bounty programs. The Aave project has come up with a chart detailing how much one would be awarded per bug disclosed, depending on its severity and likelihood:
As a matter of fact, audits and bug bounty programs are two of the main criteria security experts use to evaluate the safety of DeFi protocols. Demand for DeFi audits has been so high that specialized firms are now overwhelmed. This is again a difference with Bitcoin, which relies on the good will of developers to spend some of their time reviewing and testing the code.
Compounding DeFi vulnerabilities
Beyond the specifics of the DeFi culture, there are fundamental risks with smart contracts. One is that of the first layer: the Ethereum blockchain, in DeFi’s case. Another is that, once the rules of the smart contracts have been baked into a protocol, they theoretically cannot be changed. This means there can be no quality assurance process like in usual software development: the code has to be secure right when it is deployed, as Anton Mazgovoy, Humaniq’s CTO, has pointed out.
Additionally, the strength of DeFi projects, the fact that they are composable, can also be a weakness. Composability means that the code of one app can be used to compose another one with new features. This can lead to powerful combinations, but it comes with two risks. First, a team can simply copy the code of an app they don’t understand, make a few changes and introduce bugs without understanding how or why, which is allegedly what made the dForce hack possible. Second, this very composability is both a blessing and a curse: it is at the heart of DeFi’s innovation potential, but it also creates compounding vulnerabilities, since projects are often built on top of each other and a flaw in one can propagate to those that depend on it.
Testing one’s way to the mainstream
At the beginning of this year, the combined market capitalization of DeFi projects was $500 million. They had few users, and most were crypto savvy. Making compromises on security was a risk these users willingly took. Now that DeFi has reached the $10 billion milestone, lots of non-technical users are pouring into the space, sometimes taking risks they may not understand. This is why security evaluations like those provided by DeFiScore or DeFiSafety are gaining traction. After having audited over 120 projects, the security firm Quantstamp, for instance, has vocally recommended that DeFi projects adopt a better testing culture. DeFi, in order to truly reach the mainstream, will have to strike a balance between the exciting pace of innovation that made its success and the risk-awareness that large market capitalizations require.
Despite having similar goals, Bitcoin and DeFi have very different development cultures, especially when it comes to security. Bitcoin developers tend to err on the side of caution, even if it means innovating at a lower pace or proposing fewer features. DeFi developers tend to prefer experimentation, even if it means taking more security risks. However, there is pressure on the Bitcoin ecosystem to innovate faster, as well as pressure on DeFi projects to be more mindful of the security of their users’ funds. In the future, the two cultures may not remain as distinct as they currently are.