DeFi Risk | A Framework For Assessing & Managing Risk in DeFi
The high yields available in decentralised finance come with a downside. DeFi risk is real and if you are participating in the markets then you should know how to assess and manage that risk. By building a risk assessment framework for yield farms and DeFi opportunities we can better assess fair value and allocate capital accordingly.
- DeFi Risk | What You Need To Know [Video]
- Types of Risk In DeFi
- Mitigating Risk In DeFi
DeFi Risk | What You Need To Know [Video]
This video covers the basics of DeFi risk assessment with more details in the article below.
Types of Risk In DeFi
When a user places funds in to a new DeFi protocol the risk that they are exposed to can be broken down in to four main areas.
|Smart Contract Risk||Flash loan attacks, hacks, bugs and lost funds|
|Counterparty Risk||Rug pulls, personnel and organisational failures|
|Legal Risk||Centralisation attracts legislation|
|Token Exposure Risk||Price volatility and long term valuations|
The next few sections look at how to assess these risks individually with a chapter at the end on how to mitigate DeFi risk. If we can quantify and manage risk with greater accuracy then we can make better decisions when allocating capital.
Smart Contract Risk
Decentralised finance runs on code in the form of smart contracts across a peer to peer network of computers. These contracts often hold funds within the contract itself which makes them a target for hackers. Flash loan attacks have been used in the past to drain huge fortunes from vulnerable liquidity pools.
The Lindy Effect suggests that there is a correlation between something’s current age and it’s life expectancy. The longer that thing has been around the more likely it is to survive.
In DeFi it’s fair to perceive smart contracts that have held funds for some time as being safer than newly deployed smart contracts. Large protocols will have already been probed by hackers looking for any weakness. If it hasn’t been hacked yet then it’s less likely to be hacked… in theory.
There are well known exceptions where bugs have been found in established code but for the most part this rule will hold true that new protocols hold more smart contract risk than existing ones.
Another consideration is the amount of funds locked in a contract. A protocol that isn’t popular wont be as battle tested as something that’s contained over $1B in TVL for the past year.
Not all security audits are created equally and there’s a huge divide between a Consensys or Certik program and a audit purchased from Fiverr.
The best security audits will provide a transparent report detailing:
- Amount of engineer hours committed
- Code coverage and ongoing monitoring
- Threat levels of any bugs found
- Code review and best practices
- Edge cases and fuzzing results
As a developer there is huge value in having a second and third pair of eyes look over your code with a sole focus on security. As an investor there is value in knowing the team has the confidence in their code to be audited and that the best minds in the industry are signing off on the protocol.
Every well funded DeFi platform which handles funds should have a well managed bounty program. This offers white hat hackers (good guys) an incentive to investigate, report and fix bugs before they get exploited by the black hats (bad guys).
Bounty programs can be run in house or via a 3rd party intermediary such as hackerone.
Code Quality & Originality
Code quality is a very difficult thing to quantify because what looks good to me might look spaghetti to another developer. By reading the code and getting a feel for how it was put together most devs will still be able to make a useful assessment.
Originality in blockchain development is what drives the industry forwards and gains traction for new protocols building on the cutting edge of financial technology. Unfortunately it can be bad thing when it comes to risk assessment.
Code reuse is recommended wherever possible because it leaves less room for bugs. There are the excellent OpenZeppelin libraries for example which can be imported and have been pre-audited. By using existing code and libraries that are already in the wild, developers can benefit from the Lindy effect. Obviously this isn’t to say that innovative, original code is a negative overall, just that 1000 new lines of solidity is a negative from a smart contract risk perspective.
Even the most decentralised protocols have some form of organisation structure. That might be a development team, a corporation or a DAO (Decentralised autonomous organisation).
When those organisational structures fail the investors are often hurt financially from the fallout. That might be from the extremes of a rug pull (developer draining the funds and running off to Mexico) or simply token value decimation when a important team member leaves.
There are a lot of benefits for developers to remain anonymous. There is a lot of pressure and negative sentiment thrown on blockchain developers. Andre Cronje of Yearn Finance fame talks a lot about this and is a victim of his own success. Unfortunately developers can not continuously create value at will and can’t give everyone their Lambo.
A doxed team simply means a team that is not anonymous. A DeFi developer team that has no anonymous developers is becoming rarer but still provides a lot of value to investors.
There is far less chance of rug pulls by doxed teams as it’s much harder to hide and recover professional integrity. It’s also far easier for anonymous developers to walk away from a project once the post-hype bear cycle and social negativity sets in.
It’s not just a teams identities where transparency can provide value. How a team handles negatively perceived situations is a clue to how they will manage a project in the future.
Investors want to see fair distribution of information before price movements that would indicate insider trading.
The channels for communication are important too with Twitter, Discord and Medium being common avenues for news distribution. There’s a risk benefit to being well connected with the development team and being agile enough to act on news flow before other market participants.
Venture capital firms in the space tend to do better due diligence than individual investors. A DeFi protocol that has seed funding from well respected VC’s in the space is more likely to have interests aligned with long term investors.
You don’t hear of VC backed teams carrying out rug pulls or scamming investors. The seed funding can also add value by adding more personel to a project and getting independent code audits. VC’s will also be very wary of investing in projects that have exposure to significant legal risks.
The promise of a untouchable self-regulating financial sector built on top of blockchains is somewhat far removed from the real situation in 2022. There’s mounting pressure from regulators especially the SEC in the US who is determined to establish authority in the industry.
Regulators will first go over the low hanging fruit to make examples of the bad players and easiest to prosecute participants. Centralisation invites litigation as it provides a target for regulators.
If a project is governed by a DAO and the developers are anonymous it’s going to take a significant effort to track down and prosecute anyone involved. Alternatively if there’s a corporation set up to manage and pay costs for a project then its far easier for a regulator to commence legal proceedings.
In the past year Uniswap removed obvious synthetic securities, Terra CEO Do Kwon got served 5 mins before going on stage to make a presentation and Coinbase was threatened with legal action if they released a 4% yield function on stablecoins.
From a risk perspective the easier it is to target a person or organisation behind a DeFi protocol the more likely it is.
Securities and the SEC
At the head of of these probes is Gary Gensler of the Securities and Exchange Commission in the United States. The US represents a huge market that most platforms can’t afford to block. Yet there are more and more blocks and restrictions in DeFi UI’s for American IP addresses.
Gary Gensler has lectured at MIT on blockchain technology. He was likely chosen to head the SEC because of this experience with the remit to gain “control of the industry”.
The SEC has significant power as a financial regulator and adopt the sue first, ask questions later policy. Over the next few years I’d expect to see them exercise that power and make examples of some of the DeFi and CeFi platforms.
It’s likely that they will initially target exchanges, synthetic stocks and any platforms that have the reach to disrupt traditional finance. These niches provide greater risk especially when combined with corporate management structures.
The legal jurisdiction that a project operates in is a significant factor in assessing it’s legal risk. China banned cryptocurrency for the 456th time and actually went as far as to kick out the miners from their state. Regulation and litigation is obviously a more significant risk for anyone operating in the US.
It’s completely unclear where individuals stand on transactions made within smart contracts from a tax perspective. It’s still early but the most significant DeFi tax risk is exchanging fiat (USD/EUR/GBP) for cryptocurrency which in most jurisdictions is a taxable event. In some liquidity pools this happens every 13 seconds on each block which would create a bad situation if it was ever enforced as the whales would probably end up owing more in tax than there is money in the world.
Token Exposure Risk
Token exposure risk comes from holding a digital asset linked to a DeFi protocol. This is often a governance token distributed over time to users of the protocol. The user is then exposed to price volatility of that asset.
Liquidity & Exchanges
Liquidity is the ability to exchange one asset for another. Low liquidity tokens and micro cap projects provide significant opportunity for growth but also pose the risk of higher price volatility and issues with getting out of a position cost effectively.
The greater the amount of capital deployed the more this becomes an issue for a number of reasons.
- Larger orders into thinner order books create greater price movements against the trader
- DeFi transactions are public and large wallets are watched closely
- MEV become an issue over a certain size as sandwich trades come into play
The exchanges that a digital asset is traded on can play a big role in the liquidity and price volatility. A token that is already traded across all the big centralised exchanges will have market makers in place and large arbitraged liquidity pools on DEX’s.
Impermanent loss is perhaps the most significant risk in double sided liquidity pools. Consider two pools on Uniswap for example.
UNI-USDC and UNI-ETH
Uniswap’s governance token has a greater correlation in price to Ether than it does to the USDC stablecoin. As the market goes up and down UNI and ETH tend to go up and down together relative to the dollar.
This means that there is more risk of impermanent loss on the UNI-USDC pool because whichever way price moves the liquidity provider will always be on the wrong side of the trade.
Impermanent loss is often compensated with higher fees and higher APY’s for investors.
If you want to learn more about calculating impermanent loss check out this article:
If we could accurately predict future narratives in crypto markets it would make navigating them much easier. We can however speculate on what future narratives a protocol might have and how it will affect market sentiment.
For example next summer a lot of focus will be on Ethereum, the merge, staking etc. This will likely have some positive and negative narratives associated.
- The unlocking of 8m staked ETH which is likely going to result in some profit taking and short term price volatility
- The triple halvening event making ETH a deflationary asset
- Will staking and predictable,sustainable revenue generation appeal to institutional investors?
- Potential long-term disruption to high risk bond markets, money flow from trad-fi
Brainstorming future narratives can provide a SWOT like analysis of a projects market potential and risk level.
Large price movements at times of high volatility can also cause issues with health factors. A common yield farming strategy is to deposit layer 1 assets such as ETH to a lending platform and borrow USD stablecoins using that collateral to be used in farms.
If the market moves down abruptly even if it’s only a short term wick, a significant risk lies in meeting the collateral requirements for that position. Health factors and liquidation engines work differently across different platforms and it is always a case of balancing risk of liquidation with capital efficiency. Less leverage means leaving some chips on the table but during periods of high volatility when networks are congested it might be a price worth paying.
Some traders believe that technical analysis is the be all and end all while fundamentals don’t matter. Others believe that it’s the equivalent of astrology for 30 year old men.
Somewhere in the middle there is an opportunity to better understand the markets by drawing the obvious trend lines and support/resistance zones on a chart.
While outside the scope of this article it’s obvious that price action greatly affects risk in terms of the market as a whole and individual assets.
Taking out a position at strong support after a liquidation cascade is considerably less risky than FOMOing into a parabolic asset at any price when markets are getting frothy. However our natural instincts act against us and the best opportunities to time the markets often feel uncomfortable and unnatural to risk-on.
Mitigating Risk In DeFi
There’s a lot to take in from the sections above and at first glance it looks overwhelming. The DeFi sector is inefficiently priced and it’ll likely stay that way as institutions will opt for the safest possible protocols. This presents an opportunity to outperform on a risk/reward basis by creating frameworks from which to assess and compare risk between protocols.
As investors we want exposure to the assets we believe will appreciate the most. As yield farmers we want the highest yields possible at the lowest risk possible on those assets.
No DeFi contract is risk free. Perhaps Curve is considered the closest thing and the lower APY’s reflect that investor sentiment. But investing all your funds in Curve puts all your eggs in one basket and that basket isn’t going to get spectacular yields.
There’s a benefit to distributing assets across different protocols as any disasters or areas of bad performance wont wipe out funds completely. This becomes more critical the further up the risk curve investors go to seek out higher yields from more risky farms with greater potential of loss.
While I wouldn’t go as far to say that “diversification is the only free lunch in DeFi” it can play an important part in mitigating overall portfolio risk and vastly reducing risk of ruin.
System Trading & Web3 Bots
While most participants will interact with DeFi protocols via a website interface, the protocols functions are also accessible from web3 scripts.
This allows traders and investors to create risk management systems and put limits in place, then hard code them into a bot.
A risk management engine might have price limits to close positions, it might be used to manage health factors on borrowing platforms or it could be used to optimise concentrated liquidity positions.
The opportunity is there for developers to build out programs that give them a clear advantage in the markets.
Analysis & Allocation
I’ve outlined in this article what factors can be taken into account when building frameworks to carry out risk assessment on DeFi protocols. The vast majority of market participants wont be accurately pricing risk which provides an opportunity for pro-active investors.
Effective analysis and allocation of funds in line with the best opportunities at any given time will ensure the best chance of outsized returns. DeFi markets change fast and the highest APY’s don’t last for long. It’s capital efficient to move funds regularly and always be researching new projects, pools and revaluating your investment thesis.
I hope that this introduction to DeFi risk assessment and mitigation has been of interest and
Want to learn more about blockchain development and staying up to date with crypto markets? Check out the YouTube channel and connect with me on Twitter for updates and new content.
If you’ve enjoyed these resources could you help share this content on social media and send it to anyone who you think might benefit from it.
Disclaimer: The content I create is to document my journey and for entertainment purposes. It is not under any circumstances investment advice. I am not an investment or trading professional and am learning myself while still making plenty of mistakes along the way. Any code published is experimental and not production ready to be used for financial transactions. DYOR and do not play with funds you do not want to lose.