3 Step Guide to check DeFi yield farming contracts for safety

By btcgeek | DeepResearch | 8 Apr 2021

So you want to yield farm. That's great, but how do you know the smart contracts are safe? How do you know the contracts won't simply transfer all your crypto into the project's wallet?

Assuming you don't want to go through the smart contracts line by line, working them out from scratch, you still need a quick way to check things before you put your money into (usually unaudited) smart contracts. This applies to both Ethereum and BSC yield farming, but the details may differ for other protocols.

Here are a few ways you can do that. You don't need to be a programmer to follow these steps.

Step-1: Isolate the staking contract

If you are yield farming, you don't really care about all the smart contracts of the project. What you are most interested in is the actual staking contracts. These are the contracts that lock up your tokens or LP tokens and then give you rewards. Therefore, the first step is to find the staking contract on Etherscan.

Warning: Do not look for this contract on the project's Github. The project can simply publish a safe contract on Github while its site calls a different, malicious contract.

To do this, go to the app's site and look at which contract address is actually called when you go to stake. You can do this in MetaMask: copy the contract address the transaction is being sent to, then reject the transaction.

MetaMask contract call

Once you click on the above, the contract's address is copied to your clipboard. Then look the address up on Etherscan and open the Contract tab to get the verified source code. If the contract is not verified, run away!

Step-2: Run a diff

Most staking contracts today are derived from either the original Synthetix staking contracts or the Sushi staking contracts. Identify which one your contract is based on, then run a diff of the deployed source against that original.

You can use online diff tools for this, such as diffchecker. The diff tool at yieldfarming.info is also good: it preloads the reference contracts from its library, which makes the process quicker.

Step-3: Look for suspicious changes

Look specifically for suspicious changes, such as a change to who owns or may call a function, or a new function that can transfer or withdraw funds. If there is a timelock, check how long its delay is set to and, ideally, set up notifications for transactions on the timelock. The owner should generally be a timelock, to prevent the team from misusing admin functions. If the owner is a regular Ethereum address (an EOA), the risk is much higher, depending on what the admin/owner is able to do.
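As an added worked example (this is not code from the article, and the two Solidity sources in it are constructed stand-ins, not any real project's contracts), the Python script below does Steps 2 and 3 in one pass: it produces the unified diff an online tool would show, lists functions that were added, removed, or had their visibility or modifiers changed, and runs a short list of patterns over the added lines to flag token transfers, access-control changes and balance sweeps for manual review. `REFERENCE_SOURCE` stands for the original Synthetix- or Sushi-style contract a diff tool would preload from its library, and `DEPLOYED_SOURCE` for what you copy from the Contract tab on Etherscan.

```python
"""Diff a deployed staking contract against the reference it was forked from and
flag the changes Step 3 says to look for: new transfer/withdraw paths and changed
access control. Added example; both Solidity sources are constructed stand-ins."""
import difflib
import re

# Constructed reference: a minimal Synthetix-style stake / withdraw / getReward
# contract (a stand-in for what a diff tool's library would preload).
REFERENCE_SOURCE = """\
contract StakingRewards {
    address public owner;
    IERC20 public stakingToken;
    IERC20 public rewardsToken;
    mapping(address => uint256) private _balances;

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    function stake(uint256 amount) external {
        _balances[msg.sender] += amount;
        stakingToken.transferFrom(msg.sender, address(this), amount);
    }

    function withdraw(uint256 amount) external {
        _balances[msg.sender] -= amount;
        stakingToken.transfer(msg.sender, amount);
    }

    function getReward() external {
        rewardsToken.transfer(msg.sender, earned(msg.sender));
    }

    function notifyRewardAmount(uint256 reward) external onlyOwner {
        // reward schedule bookkeeping omitted
    }
}
"""

# Constructed "deployed" source, standing in for what you copy from the explorer's
# Contract tab: the reference plus one harmless edit and two changes that matter.
_head = REFERENCE_SOURCE.rpartition("}")[0]
DEPLOYED_SOURCE = (
    _head.replace("function withdraw(uint256 amount) external {",
                  "function withdraw(uint256 amount) external onlyOwner {")  # users locked out
    .replace("// reward schedule bookkeeping omitted",
             "// reward bookkeeping omitted in this sample")  # cosmetic only
    + """
    function recoverTokens(address to) external onlyOwner {
        stakingToken.transfer(to, stakingToken.balanceOf(address(this)));
    }
}
"""
)

FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)")

# Patterns worth a manual look when they appear in lines ADDED by the fork.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\.(transfer|transferFrom|safeTransfer|safeTransferFrom)\s*\("),
     "token transfer in added code"),
    (re.compile(r"\bbalanceOf\(\s*address\(this\)\s*\)"), "sweeps the contract's whole balance"),
    (re.compile(r"\bowner\s*=[^=]"), "owner reassignment"),
    (re.compile(r"\bonly\w+\b"), "access-control modifier added or changed"),
    (re.compile(r"\b(selfdestruct|delegatecall)\b"), "dangerous low-level operation"),
]

def unified_diff(reference, deployed):
    """The same view an online diff tool gives you, as unified-diff text."""
    return "".join(difflib.unified_diff(reference.splitlines(True), deployed.splitlines(True),
                                        fromfile="reference.sol", tofile="deployed.sol"))

def extract_functions(source):
    """Map each function name to its normalized header (visibility and modifiers)."""
    return {m.group(1): " ".join(m.group(3).split()) for m in FUNC_RE.finditer(source)}

def function_changes(reference, deployed):
    """Return (added, removed, header_changed) for functions between the two sources."""
    ref, dep = extract_functions(reference), extract_functions(deployed)
    added = sorted(set(dep) - set(ref))
    removed = sorted(set(ref) - set(dep))
    header_changed = {n: (ref[n], dep[n]) for n in ref if n in dep and ref[n] != dep[n]}
    return added, removed, header_changed

def scan_added_lines(reference, deployed):
    """Run SUSPICIOUS_PATTERNS over lines present only in the deployed source."""
    findings = []
    for line in difflib.unified_diff(reference.splitlines(), deployed.splitlines(), lineterm=""):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        text = line[1:].strip()
        findings.extend((reason, text) for pat, reason in SUSPICIOUS_PATTERNS if pat.search(text))
    return findings

if __name__ == "__main__":
    print(unified_diff(REFERENCE_SOURCE, DEPLOYED_SOURCE))
    added, removed, changed = function_changes(REFERENCE_SOURCE, DEPLOYED_SOURCE)
    print("added:", added, "removed:", removed, "header changed:", changed)
    for reason, text in scan_added_lines(REFERENCE_SOURCE, DEPLOYED_SOURCE):
        print(f"  [{reason}] {text}")
```

The pattern list is a triage aid, not a verdict: a hit means read that function and ask who can call it and where the tokens end up, while an empty report only says the fork made no textual change of those kinds. On the constructed sample it reports `withdraw` gaining `onlyOwner` (depositors can no longer withdraw) and a new `recoverTokens` that sends the contract's entire staking-token balance to an owner-chosen address, while the rewritten comment produces no finding.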

Of course there are other gotchas to be careful about, and no smart contract is guaranteed to be 100% safe, but following the steps above will eliminate 80% of all outright scams and keep your crypto safe.

Author: btcgeek
Crypto research analyst since 2013
Deep dive into the world of cryptocurrency, DeFi tokens, crypto-assets, NFTs, and more
