Twelve out of 15 of the most popular decentralized finance protocols still have access to a ‘God Mode’ admin key, according to data on review platform DeFi Watch.
These full-access controls allow developers to modify or replace the smart contracts underpinning their projects, including making adjustments to user balances.
While admin keys have been justified as a way to protect users’ funds and are often used with security features such as timelocks and multi-sigs, analysts argue this calls into question exactly how “decentralized” these projects really are.
In a YouTube video posted on September 24, "Mastering Bitcoin" author and educator Andreas Antonopolous defined a truly decentralized project as one that does not have custodial control over the funds:
"That's a very important criterion. I think that's the foundational criterion."
By that standard, most protocols fall well short. Of the fifteen projects reviewed on DeFi Watch, only InstaDapp, MakerDAO, and Uniswap are reported to have no admin keys associated with their product. The remaining projects — which include Aave, Compound, DDEX, Yearn Finance, Nexus Mutual, and Synthetix — all have admin keys allowing varying degrees of control.
Aave’s admin key, which is owned by an Aragon DAO consisting of just five members, only requires three “yes” votes to make sweeping protocol changes. Aave currently sits third among all DeFi projects by total value locked (TVL) with more than $1.38 billion locked.
However, several projects, including Compound, have implemented security features to protect the integrity of the admin keys, and many projects have plans to migrate to fully decentralized governance system in future.
While many users have suggested that Aave and other projects have been upfront about their admin keys, DeFi Watch founder Chris Blec believes that DeFi protocols need to be explicit if they retain the option to enter God Mode:
It takes far too much digging for a user to find that info.— Chris Blec (@ChrisBlec) September 23, 2020
It needs to be front and center.
Blec added that even when project acknowledges that an admin keys exist, few clearly outline the ramifications. For example, nowhere “does it say ‘Aave can change your account balance’ or ‘Aave can replace all code with new code.’”
Aave’s website states all funds are held in non-custodial contracts and has an opaque warning:
“Aave will keep ownership of the protocol in these early days in order to ensure that the protocol remains secure if any issues arise.”
Synthetix smart contracts are similarly fully upgradeable via the admin key, with DeFi Watch stating that the core team possess “vast power to do just about anything, including adjusting user balances and draining funds.” Despite Synthetix’s core team acknowledging that the project is highly centralized, the protocol has attracted more than $590 million in assets from the DeFi community.
Uniswap does not have any admin keys, however blockchain analytics firm Glassnode, suggested in a report this week that the DeFi project has essentially created their own equivalent backdoor through the distribution of their UNI governance token.
According to Glassnode, the team potentially has immediate access to almost 40% of the entire supply, which is over double the amount currently held by the rest of Uniswap’s community. With UNI tokens facilitating project governance, including access to the project’s Treasury, this would put them firmly in control of a decentralized protocol.
DeFi Watch states that trustless protocols are something of a mirage at present and in the end, security comes down to the project team’s competency:
“The only way that you can truly feel secure while using these DeFi products currently is to trust in the competency of the team and their ability to secure their admin key.”