How is it still self-custody if locking into a smart contract?

Hi All,

Can anyone pls help with my understanding of smart contracts and self-custody.

If I have a self-custody wallet and then send some crypto to a smart contract lending pool (i.e. me providing liquidity), is the smart contract then the custodian?

I am assuming above that when I send crypto to the smart contract I still maintain ownership of the crypto, but maybe that is a bad assumption? I guess an alternative view would be that when I send crypto to a liquidity pool I lose ownership of that crypto (the pool owns it) and I get in return some sort of (non-custodial) token that acts as a claim on the liquidity pool, and if I in future redeem that token I don’t get ‘my’ crypto back, what I get is crypto from the pool equal in value to the ownership token.

2nd part of the question is then related to trust… If I am locking crypto into a smart contract, even if there is no central intermediary I am still trusting the smart contract, e.g. the quality of its code, including that any admin rights don’t allow the development team or protocol owners to do anything untoward, also I trust that the ownership token can always be used to redeem crypto from the pool. If you agree this is correct, that would seem to make the smart contract a trusted intermediary, and potentially even a centralised trusted intermediary if admin rights give too much influence to protocol owners…

Anyway, thanks in advance for advice.



10 thoughts on “How is it still self-custody if locking into a smart contract?”

  1. Thanks both. I guess there is a continuum then:

    – Banknotes in my pocket (it’s mine, and it’s a liability of the central bank)

    – Crypto in my non-custodial wallet (it’s mine, and a liability of no-one). I am putting some trust in the wallet provider not to have coded something that means my keys are not my own, but if the keys genuinely are my own then there’s no centralised intermediary who can mess with my crypto.

    – Crypto sent from my non-custodial wallet to a smart contract for purpose of DeFi use case. Here, I trust the contract code and the developer who coded it. The crypto is no longer mine and is a liability (in a sense) of the smart contract. (The diff with TradFi is that there is no centralised intermediary in DeFi, in theory, who can prevent me from regaining my crypto if the terms of the smart contract are met).

    And to mitigate the risks of trusting the smart contract code there is open source nature of the code, code audits, and (again in theory) a decentralised protocol governance through a DAO and a decentralised blockchain hosting the smart contract.

    If above sounds about right, perhaps I will retype this post in a better format for ref for others……….

  2. Always make sure a protocol is audited or a non-modified fork of an audited protocol. When you send money to a lending protocol the money is accounted for in the smart contract. So you are not in control and totally trusting the code is legitimate. There have been many lending protocols that have not had hacks like Aave and Compound and non-modified forks of them.

  3. >If I send crypto to a smart contract lending pool is the smart contract then the custodian?

    The smart contract issues you IOUs that represent your ownership share of all the assets in the contract. For dex pools people call the IOUs “LP tokens” or liquidity provider tokens, similar tokens exist for lending pools. For example when you deposit 100 ETH in AAVE you get 100 aETH tokens that represent your deposit.

    The smart contract and the people interacting with it can only do a very limited set of actions, so they don’t have custody over your assets. You still remain in control through the IOUs that you can use to withdraw at any point.

    >If I am locking crypto into smart contract, even if there is no central intermediary I am still trusting the smart contract

    You can use formal verification to **PROVE** that the smart contracts do only what you expect them to do with no trust assumptions.

    However, the vast majority of smart contracts are not protected by formal verification and you’re trusting that the code does what you think it does.

    Most people can’t be expected to analyze the security of smart contracts, that’s why we rely on independent security audits (the more the better) to confirm that the contract does what’s expected. Audits also check for bugs or malicious backdoors.

  4. It’s because you and only you own the cryptographic keys to move that money in and out of DeFi contracts. You can leave any time. It’s yours.

    No one else can move it because they don’t own the keys like you do. It’s yours alone.

    There are times when your tokens will be at the mercy of liquidation (depending on the contract) but that liquidation is predetermined according to the contract. It’s not like a single person can access your tokens and take 10% by themselves.

  5. As others have said, the typical response is that you would need to trust the auditors.

    In most cases I would still say this is trustless because technically you COULD review the smart contracts yourself and come to the same conclusion of safety, without needing to trust anyone. It’s all in the code. This would be the ideal case, but complexity of code and coding illiteracy means that many people need to rely on the audits.

    For most legit projects, even where a dao/other actor has some control over the smart contract, this control is predefined and limited.

    One other point specific to lending pools – even with full trust in the code and the protocol working perfectly (no hacks) you can still lose access to your funds if someone has borrowed the max amount (either unintentionally or intentionally). They would have huge interest and technically their position would be liquidated over time – but this could take ages. I’ve had funds locked in lending pools this way – usually when the platform TVL is dying, but also in volatile markets, eg the USDC de-peg. So be wary.
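
Added example, not part of any comment in this thread and not code from Aave, Compound or any other protocol: a toy Python model of the two mechanics described in comments 3 and 5, claim tokens minted pro rata on deposit and a redemption that fails while all of the pool's assets are borrowed. The class and method names are hypothetical, and collateral, liquidation and interest-rate curves are left out.

```python
# Added illustration: a toy model, not the code of any real lending protocol.
from fractions import Fraction

class InsufficientLiquidity(Exception):
    """A valid claim cannot be paid because the pool's idle cash is too low."""

class ToyLendingPool:
    def __init__(self):
        self.cash = Fraction(0)      # idle assets the contract holds right now
        self.borrowed = Fraction(0)  # assets lent out, owed back to the pool
        self.shares = {}             # depositor -> claim tokens (the "IOUs")

    def total_assets(self):
        return self.cash + self.borrowed

    def total_shares(self):
        return sum(self.shares.values(), Fraction(0))

    def deposit(self, who, amount):
        amount = Fraction(amount)
        supply = self.total_shares()
        # Mint pro rata so existing depositors are not diluted.
        minted = amount if supply == 0 else amount * supply / self.total_assets()
        self.cash += amount
        self.shares[who] = self.shares.get(who, Fraction(0)) + minted
        return minted

    def borrow(self, amount):
        amount = Fraction(amount)
        if amount > self.cash:
            raise InsufficientLiquidity("cannot lend more than idle cash")
        self.cash -= amount
        self.borrowed += amount

    def repay(self, principal, interest=0):
        # Interest raises total assets, so every share is worth more.
        self.borrowed -= Fraction(principal)
        self.cash += Fraction(principal) + Fraction(interest)

    def redeem(self, who, share_amount):
        share_amount = Fraction(share_amount)
        if share_amount > self.shares.get(who, Fraction(0)):
            raise ValueError("not enough claim tokens")
        owed = share_amount * self.total_assets() / self.total_shares()
        # The claim is valid, but it can only be paid out of idle cash.
        if owed > self.cash:
            raise InsufficientLiquidity(f"owed {owed}, idle cash {self.cash}")
        self.shares[who] -= share_amount
        self.cash -= owed
        return owed
```

The depositor's key still controls the claim tokens throughout; what the failed redemption shows is that the tokens are a claim on the pool's current state, not on a specific deposit.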

  6. The shortest answer to your question is that I would never assume your crypto is safe locked in a smart contract.

    In a lot of ways, the most pure way of safely holding crypto is no different from putting your cash under your mattress.
    If you want rewards/returns/gains, you’re going to have to trust a third party. (As a matter of fact, you’re already trusting the third party that built the wallet you’re using.)

  7. If the smart contract itself is audited and actually safe, in the way that the script does not allow for the LP to be drained for example, you will always be able to get your funds back by unlocking them directly from the smart contract deployed on the blockchain.

    For more info about safety and to check if a project is safe I strongly advise you to look up and follow

  8. This is not in response to anyone in particular, but if you’re in cryptocurrency because you “don’t trust the banks”, there is no reason to trust a smart contract, regardless of any “audits”.

