Things I wish I knew before building Ethereum #DeFi dapps | by Andre Cronje | Medium

Having now built and semi launched, I wanted to take some time to go over things I wish I knew before I started.

1. Deploying dapps is expensive (if you don't know what you are doing)

Other than a contribution from a colleague, everything else I had to source myself.

Below are all the incoming ETH transactions, for a total of 93.64 ETH; my current balance is 16.84 ETH, so 76 ETH (almost $15,000) was spent on deployments and testing.


Now, to be fair, I made a lot of dumb mistakes, had to do a lot of re-deployments, and could have designed my architecture better; if I did this all again, I could probably do it for under ~10 ETH. But this is about things I wish I had known beforehand.

The testnets, Kovan and Ropsten, are great, but I could not find or replicate a lot of the contracts I'm interacting with (since I'm working with uniswap, 1inch, compound, dydx, fulcrum, aave, lendf and ddex, it just wasn't possible to replicate on testnet). So I had to do a lot of dev and testing on mainnet. The other problem is that I'm very impatient, so I always pay the highest fees, and when you are in a dev/test cycle that matters.

So, lesson learned: don't try to dabble in building smart contracts unless you have some cash to spare. This has already cost me a lot more than I thought it would.

2. People won’t (or rather shouldn’t) use your software without audits

Ok, that's kind of a no-brainer, but in an open source world this is absolutely critical. The problem is, I'm doing this for free, as a hobby project, without funding, no fees, no tokens (no community). But the #1 response is always "has this software been audited yet?". Expect this question every time people ask you about your project, and when inevitably your response is "No", they simply move away.

Which leads us to point #3.

3. Getting an audit is very competitive and expensive

So, now that you have spent the money on deploying and testing your dapps, it's time to get an audit. I asked around and was recommended the following:

I started by putting out a public bounty on Jan 30th:

I didn't get any responses though.

@epheph on twitter was proposing Ethereum Foundation security audits. I showed my interest, but nothing yet:

On the 31st I started asking certik and cryptomaniac's on telegram (I was fortunate enough to have their contact details) for quotes.

I had to follow up with certik and cryptomaniac's 3 times each.

By the 4th of Feb I didn't have any quotes yet, so I started emailing:

Mailed an audit request to openzeppelin via their email. Received a same-day response saying they will get back to me in 1–2 business days. I will update this post when they do.

Mailed Trail of Bits. They responded the same day with a quote: 1 engineer-week, $16,000. They would perform a "rapid risk review using manual and automated techniques and file security issues". I unfortunately had to reply and tell them that was too expensive for me. I received another response recommending I use the following tools:

Not an audit, but at least helpful (although it does cost $259/month)!

Mailed quantstamp via their online form. No response yet.

Mailed sigmaprime. Same-day response and, after a few back-and-forth emails, a same-day quote. They said they would require 11 person-days, with report delivery on the 26th, for a total engagement of $27,500. I will need to mail them as well and tell them I can't proceed.

Currently waiting on the certik quote; received the cryptomaniac's quote for $5,000.

So, recap:

I’ve asked cryptomaniac’s to please proceed with their audit. I created a funding request on gitcoin and on metacartel, but neither have had responses, so I don’t really assume anything will happen there.

Now, for all of the above, this is not a full system audit. For all of these quotes, I asked for an audit of a single file, 359 lines of solidity code. Even at the most viable option from cryptomaniac's, that's $13/line of code.

So if you have a bigger project, expect $50k+ for an audit.


Almost $20,000 out of pocket for my free, fee-less, open source project. No immediate signs of community support or Ethereum funding, but I guess I'm just talking to the wrong people or they just aren't interested. I do think I have a better "crypto network" than most though, so I don't know how hard this has to be for a complete new entrant into the space.

Lessons learned.

Quick-fire round of some more obvious, but worth mentioning, stuff:

4. VCs I spoke to won't fund your free, fee-less, non-token system

Again, obvious, but it should be stated. Respect to pooltogether; no clue how they managed it.

5. Tokens help bootstrap

I hate tokens, and I've been vocal about them. Both systems I've designed are token-free, fee-less systems, and both struggle the most because there is no "token network effect". Want to build a community super fast? Add tokens (or get a VC behind you).

6. You won’t get community support unless you already have a community, which you can’t get without support

Cyclical, I know, but don't expect communities to help you with the above.

7. Easier to “fake it till you make it”

All these "our AUM has grown so much" or "our rates are so high" claims are semi "fake it till you make it". Self-provide initial AUM (from VC, funding, or community, aka token) and use those rates to increase other depositors' rates. pooltogether is a good example, with their 250k "self starter fund".

Same model would work for but I don’t think the bit of money I can spare will help entice people…

Cheat Sheet

Launch a token, premine 50%, lockdrop the other 50% for AUM providers once-off, get funding with the 50% of tokens, get a few VCs, use $20k to build the product (or just copy for free), throw all the capital you raised into the "starter fund" to create massive interest rates (2x what others are offering). Because your rates are so high, add a system tax (15% of interest above the nearest competitor), which no one cares about because they still make ~2x-15% vs your competitors. Pay those taxes out to token holders, which grows with AUM (which you already increased because of your 50% lockdrop), so you have network value capture.

Don’t do it the way I did it, which was hard, cost me a lot of money, and has created very little network effect.

Lessons learned.