The 7 Biggest Threats to Decentralized Finance [Part 1]
In a world of negative real interest rates, Decentralized Finance (DeFi) protocols offer yearly yields north of 8%. According to financial theory, such a divergence in the return on capital between crypto and fiat can only be justified by a different risk profile. In the following two-part series, we look at the most notable macro hazards in DeFi and help you make informed decisions when supplying real value in open finance apps.
The young DeFi movement is quickly gaining support among crypto investors and traders, hodl-ers, blockchain developers and entrepreneurs, and traditional finance professionals. Perhaps the most fundamental reason behind DeFi’s success is that it addresses the needs of two common types of users in crypto – speculators and risk-averse investors.
Speculators, enticed by the high volatility of crypto markets, can take on more risk by borrowing capital at annual percentage yields (APY) currently ranging from 0.2% to 26%. In January and February 2020, these rates were much higher, at times reaching 40%.
At the other end of the spectrum, conservative investors can put their locked (hodl-ed) crypto assets and stablecoins to work by lending them to speculators for “risk-free” returns north of 9% (again, much higher two months ago).
DeFi harvests the most widely available resources in the crypto space – high volatility and speculation – and supplies the most needed ones – stability and high lending APYs.
Of course, there is more to DeFi than lending and borrowing. However, those are the primary sources of the much-needed liquidity in the space. If the above sounds unclear and you are unsure what DeFi is, make sure to read the Introduction to Decentralized Finance article that was published recently.
Going back to the “risk-free” point above, it shouldn’t be a surprise that there is a variation in the definition of risk in crypto and in traditional finance. Using DeFi protocols is definitely not 100% safe, and there are industry-unique risks that anyone willing to make use of any of DeFi’s value propositions must be aware of. Let’s consider the first three on our list.
I. Ethereum [Non-] Scalability
Essentially, DeFi is an Ethereum-based movement. Most of the innovation and all of the liquidity are focused there. New projects are launching all the time, aiming to attract new users with either better yields, more efficient token portfolio management, or both.
Behind the still limited front-end glamour, the Ethereum public blockchain is doing all the heavy lifting in the background. The transaction-based economy behind DeFi and the validity of the various value propositions that have emerged in the space all depend on the operation of a supranational consensus network of individual nodes.
Due to its technological novelty and the scalability challenges that accompany it, Ethereum is not immune to periods of sub-optimal network performance. During those, it becomes either impossible or too expensive to interact with decentralized apps (dapps), including DeFi ones.
There have been numerous instances of network congestion in Ethereum. Causes range from DoS attacks, software bugs, Tether transactions, and launch of new exchanges to the increased popularity of dapps (including scams like MGC), popular ICOs, and volatile crypto markets.
The fragility of Ethereum's infrastructure already manifested itself in 2020. On March 12, following a week of falling global stocks, the price of ETH plummeted by ~50%, from 195 USD to 100 USD. The ensuing market panic led to extreme network congestion and skyrocketing network fees that negatively affected all dapps, including DeFi.
As a result, price oracles could not post timely updates on-chain, loan liquidations stopped functioning correctly, the DAI stablecoin broke its soft peg with the US dollar, DeFi trading protocols had to limit the use of their products, and transactions failed en masse (details here).
Apart from being unable to access one's funds (unless willing to pay ~$25 in fees), such extreme network-wide disruptions can result in outright loss of funds. That is precisely what happened to several DAI borrowers using Maker's Oasis DeFi app. A sharply falling ETH price and network congestion created the perfect storm for users who had locked their ETH to create DAI. Unable to acquire and transfer DAI to close their debt positions, they were liquidated; and because too few keepers could get bids through the congested network, the collateral auctions cleared at bids near zero, so the liquidated users lost 100% of their ETH collateral, worth $5.7m in total, instead of only the part needed to cover their debt. That was not supposed to happen.
(To learn the details around Black Thursday’s market crash and its effects on DeFi, refer to the recently published overview of the most notable breakdowns in the DeFi space.)
The most straightforward solution to Ethereum’s scalability challenges is a major network upgrade. That’s already in the works, but it will take years for its benefits to fully materialize.
Ethereum 2.0 or Serenity, as the update is referred to, will launch in phases, with the first one expected in 2020. The overhaul should improve the scalability of the network by introducing state-of-the-art tech concepts in a live environment, but it will also modify the system’s security model, moving away from the proven Proof-of-Work Sybil attack protection.
Since projects in the DeFi space have users to serve, they must devise ways to address the most severe side effects of the network under capacity. Now.
The team at UMA, a decentralized financial contracts platform, has already proposed a new type of oracle design that moves price feeds off-chain, eliminating network bloat. In light of Black Thursday's aftereffects, Maker has modified some system parameters to make its protocol more resilient to scalability-related disruptions. After March 12's gas price spike, Gas Token's solution became more attractive to dapps running on Ethereum: the project lets a contract "bank" gas while it is cheap by writing storage that earns a gas refund when it is freed later, during congestion.
Finally, DeFi dapp builders could also consider moving to more scalable blockchain [2.0] protocols like æternity, Tezos, and Cardano [still in an experimental phase for dapps]. Both æternity and Tezos are working on a stablecoin, an essential precondition for DeFi dapp development. The scalability boost, however, could be at the expense of Ethereum’s significant network effects.
For the time being, these temporary fixes should keep DeFi relevant until Ethereum 2.0 goes online. Until then – beware of network congestion or switch to more scalable blockchain infrastructure!
II. Maker and DAI Stablecoin Failure
Maker is an open-source project on Ethereum and a Decentralized Autonomous Organization (DAO) created in 2014. After three years of development, in 2017 the initiative launched the programmatic stablecoin DAI, which is softly pegged to the US dollar.
Anyone can create DAI using ETH, BAT, or USDC as collateral, keeping a minimum collateral-to-debt ratio of 1.5:1 (1.25:1 for USDC). For example, 100 USD worth of ETH allows at most about 66 DAI to be drawn; drawing only 50 DAI leaves a 2:1 ratio and a safety margin against a falling ETH price. The stable DAI tokens (USD/DAI, 1:1) can then be used for payments or for acquiring any cryptocurrency/token at decentralized or centralized exchanges. At any time, one can get the ETH back by returning the original amount of DAI plus the accrued interest (the so-called stability fee, which is, in fact, the borrow APY).
Currently, DAI is the most widely used stablecoin in DeFi, while Maker’s smart contracts that secure the ETH/BAT/USDC collateral and create/destroy DAI store about 50% of all the value in the space.
That makes DAI a single point of failure in DeFi.
Ignoring instances of underperformance caused by sharp market movements, if someone manages to hack Maker’s smart contracts and steal users’ collateral, DAI will become worthless, affecting the entire DeFi space and damaging Ethereum’s reputation by association.
Since Maker is a DAO, its governance is community-driven. All users holding Maker’s governance token, MKR, can participate in votes dedicated to fine-tuning fundamental system variables, like the stability fee, for example.
MKR tokens also serve as the system's backstop against drops in the value of its collateral.
If liquidations fail to recover the outstanding debt (collateral sold for less than the DAI it backed) and the system's surplus buffer cannot absorb the shortfall, new MKR tokens are minted and sold for DAI to make up the difference. In March 2020, when the Maker system was left $5.7m undercapitalized, new MKR had to be minted and sold for DAI at public Debt Auctions.
But what if all collateral is stolen or locked by a hacker? Will there be enough MKR to cover 100% of lost value?
Looking at the market caps of MKR and DAI, the value of MKR is almost four times (3.78x at the time of writing) that of DAI. However, the average ratio at which users create DAI is much higher than 1.5:1. According to data from Maker, it is around 3.5:1, meaning that the value of all MKR tokens is roughly equivalent to the value of all the collateral in the system.
In the case of a hack and total loss of locked collateral, the supply of MKR would have to increase by roughly 90 to 100% to cover the losses. And that might still not be enough: it is not clear there would be enough demand for MKR, there would certainly be slippage, and the hack itself would likely crash the MKR price before the Debt Auctions ran.
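To make the vault arithmetic in the paragraphs above concrete (the 1.5:1 ratio, the Black Thursday liquidation that took 100% of the collateral, and the MKR backstop calculation), here is a toy model of a Maker-style vault. This is an added example, not Maker's own code: the 150% liquidation ratio and the 195 USD to 100 USD ETH prices come from the article, while the 13% liquidation penalty, the vault sizes and the "clearing price" abstraction for collateral auctions are simplifying assumptions.

```python
"""Toy model of a Maker-style vault (collateralized debt position).

Added example for this article, not Maker's own code. The liquidation ratio
and the Black Thursday prices come from the text; the liquidation penalty and
the vault sizes are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Tuple

LIQUIDATION_RATIO = 1.5      # 150 %: the 1.5:1 ETH minimum quoted in the article
LIQUIDATION_PENALTY = 0.13   # assumed; added to the debt when a vault is seized


@dataclass
class Vault:
    eth: float   # ETH locked as collateral
    dai: float   # DAI drawn against it (stability fee accrual ignored here)

    def max_dai(self, eth_price: float) -> float:
        """Most DAI that can be drawn at this price while staying at exactly 150 %."""
        return self.eth * eth_price / LIQUIDATION_RATIO

    def ratio(self, eth_price: float) -> float:
        """Current collateral-to-debt ratio at the given ETH price."""
        return float("inf") if self.dai == 0 else self.eth * eth_price / self.dai

    def liquidation_price(self) -> float:
        """ETH price below which the vault may be seized."""
        return self.dai * LIQUIDATION_RATIO / self.eth

    def is_liquidatable(self, eth_price: float) -> bool:
        return self.ratio(eth_price) < LIQUIDATION_RATIO


def liquidate(vault: Vault, clearing_price: float) -> Tuple[float, float, float]:
    """Settle a seized vault given the DAI-per-ETH the collateral auction realised.

    Returns (eth_sold, eth_returned_to_owner, bad_debt_dai).

    The system wants the debt plus the penalty (the "tab"). Normally the auction
    clears near market price, only enough ETH to raise the tab is sold and the
    remainder goes back to the owner. On Black Thursday too few keepers could
    get bids through the congested network, auctions cleared at ~0 DAI, all the
    ETH went to the winning bidder and the unrecovered debt became system bad
    debt. A clearing price of 0 models that case.
    """
    tab = vault.dai * (1 + LIQUIDATION_PENALTY)
    if clearing_price <= 0:
        eth_sold = vault.eth
        raised = 0.0
    else:
        eth_sold = min(vault.eth, tab / clearing_price)
        raised = eth_sold * clearing_price
    bad_debt = max(0.0, vault.dai - raised)
    return eth_sold, vault.eth - eth_sold, bad_debt


def mkr_supply_increase(bad_debt_usd: float, mkr_market_cap_usd: float) -> float:
    """Fraction by which MKR supply must grow, at today's price and with no
    slippage, to cover the bad debt via Debt Auctions."""
    return bad_debt_usd / mkr_market_cap_usd


if __name__ == "__main__":
    v = Vault(eth=100, dai=7000)                         # assumed vault
    print("ratio at 195 USD:", round(v.ratio(195), 2))   # 2.79, comfortably safe
    print("liquidation price:", v.liquidation_price())   # 105 USD
    print("liquidatable at 100 USD:", v.is_liquidatable(100))
    print("normal auction:", liquidate(v, 100))          # ~79.1 ETH sold, ~20.9 back, no bad debt
    print("zero-bid auction:", liquidate(v, 0))          # 100 ETH gone, 7000 DAI bad debt
    # Article's figures: MKR market cap = 3.78 x DAI supply, collateral = 3.5 x DAI supply.
    # Expressed per 1 DAI of supply, a total collateral loss needs ~93 % more MKR.
    print("MKR supply increase on total loss:", round(mkr_supply_increase(3.5, 3.78), 2))
```

Running the script shows the two faces of the same liquidation: at a normal clearing price the owner gets back the ETH not needed to cover the tab, while at a zero bid the same vault loses everything and leaves its full debt for MKR holders to absorb, which is exactly the $5.7m shortfall the Debt Auctions had to cover.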
What have Maker done to ensure that such a hack does not materialize? According to the Maker Whitepaper, the security of the protocol is managed by an extensive Security Roadmap including:
- Formal verification of the DAI codebase (the first for a decentralized application).
- Code audits by the best security organizations in the blockchain space and independent auditors.
- Bug bounty program.
Learn more about all the risks that Maker has identified and how they are being addressed in this video.
No set of measures can mitigate risks 100%, but Maker’s approach to security is solid and should become a standard in the industry. Leading us to the next point.
III. Smart Contract Bugs/Hacks
Just like Maker, all DeFi projects rely on smart contracts (or programs) running on [mainly] Ethereum. Their code is usually public and available for examination (and interaction) by anyone knowledgeable enough to understand it.
Blockchain networks and the applications that run on them are arguably some of the most attractive targets for attackers: the code is public, the assets it holds are liquid, and transactions are irreversible.
Here are a few notable historical examples.
On November 7, 2017, GitHub user devops199 posted an issue against the Parity Multi-Sig Wallet Library. Allegedly, while playing around with the library's code, he called its initialization function, which had never been invoked on the deployed library contract, became its owner, and then triggered its self-destruction. Every wallet delegating to the library became unusable, freezing funds in 587 wallets holding a total of 513,774.16 ETH (valued at ~280m USD at the time). The funds are still inaccessible to this day.
In June 2016, one of the first projects in the blockchain space focused on decentralized governance, the DAO, lost 3.6m ETH (valued at about 70m USD) due to a hack. Since the drained funds amounted to a significant share of all ETH in circulation and remained inaccessible to the attacker for 28 days, the Ethereum community executed a hard fork and reversed the attacker's transactions. It is highly unlikely that such a solution will ever be applied again.
On June 24, 2019, Synthetix, a synthetic asset issuance DeFi platform, had roughly 37m synthetic ETH (sETH) minted against it after a bot exploited a faulty price feed for the Korean Won (the oracle reported a rate about 1,000x too high). The owner of the bot subsequently returned the 1000x profits, nullifying any losses. Synthetix was saved by goodwill and luck alone.
Projects in the DeFi space must follow Maker’s example and commit to extensive and frequent smart contract codebase audits. Before using any DeFi protocol, users must research if their code has been reviewed, if the identified vulnerabilities have been fixed, and if checks have been performed after the introduction of new features (code changes).
Another emerging mitigation strategy related to smart contract security is insurance. DeFi platforms like Opyn and Nexus Mutual (NM) offer users protection against smart contract hacks. Opyn provides coverage on deposits in Compound for half of the annual percentage yield, while NM can insure any contract depending on a live quote.
As an illustrative quote taken at the time of writing: to get 45k DAI of coverage against critical bugs in the Compound smart contract for one year, a user would pay 584.6 DAI. At the current lending rate for DAI (0.45%), that amounts to 289% of the APY. Two months ago, however, when Compound's APY on DAI was 8%, the same premium amounted to only about 16% of the yield. APY rates change all the time, driven mainly by the state of crypto markets: bullish markets mean high APY, bearish markets low APY.
Anyone planning to lock significant amounts of funds in smart contracts should consider getting insurance.
Here’s the second part.
* Disclaimer: The author of this article is neither an investment advisor nor broker-dealer. The information presented is provided for informative purposes only and is not to be treated as a recommendation to make any specific investment.
This may also interest you:
How Decentralized Finance Protocols Fared During One Of The Worst Weeks For Global Finance
An introduction to Decentralized Finance: Blockchain’s new killer use case