Critical review of crypto lending platforms

luboremo
Published in 100 Towers
15 min read · Dec 16, 2019

#notafinancialadvice

Written by luboremo and Ambroid

TL;DR:

  • Almost all centralized platforms have opaque jurisdiction/legal structure
  • It is unclear if the assets of lenders are really insured in a way that the centralized platforms claim they are
  • Centralized lending platforms are not transparent with how the yield is set
  • Decentralized platforms carry significant security risks (admin key management, possible bugs, dependence on MakerDAO and USDC)

Intro

It would be redundant to explain what DeFi encompasses — for general information, we suggest visiting https://defiprime.com/ or https://defipulse.com/.
The aim of this article is to review more deeply some of the most popular lending platforms that offer an attractive yield.

As a part of a balanced portfolio strategy, we want to utilize yield on various lending platforms across a spectrum of assets.
The aim is two-pronged:
* Earn interest on stablecoins not yet deployed into investment vehicles by loaning out a part of them
* Earn interest on a part of the long term holdings, which are eligible either as loan collateral or liquidity provision (BTC, ETH, etc.)

Prior to throwing money at crypto lending, we had a close look at most lending platforms. As the reader will see, there is an apparent, hidden standard in many aspects. They usually share a similar product architecture, with few differences in custodians and yield stability, and take a similar approach to jurisdiction and legal structure.

Basic separation

The first filter started with the separation into centralized and decentralized platforms. This separation is handy because the main problems to consider are very different with these types of platforms. For decentralized lending platforms, it is the trust in well written, documented and audited code. For centralized platforms, it is the trust in entities behind the brands. We have reviewed these centralized platforms: NEXO, Celsius, BlockFi, and Crypto.com. Decentralized platforms under review have been Compound, Nuo and Ethlend (Aave protocol).

Centralized platforms

NEXO

NEXO is a “spinoff” of Credissimo, which is a retail lending company from Bulgaria. NEXO filed for SEC compliance for their token sale with a company registered on the Cayman Islands.
Credissimo focuses on short term retail loans in Southern and Eastern Europe and seems to be registered in Malta. Our guess is that they launched the NEXO platform as a way to gather more liquidity and penetrate the crypto lending market. To do this, they launched an ICO for NEXO tokens — these are both discount tokens for loans and are to share dividends from profits by the company. This makes the NEXO token a clear security, which raised $52M in March 2018. At the time of writing, NEXO marketcap is $52M.
The token is holding up its value very well despite the overall bear market thanks to the perception of dividends from profits, which give the token value.

NEXO lacks regulated markets, typical for most security tokens — its largest market is Huobi, which historically just doesn’t give a damn.

NEXO is apparently incorporated everywhere and nowhere at the same time. We can assume that if things fall apart, Delaware (where a company named NEXO Inc. got registered in 2018), Bulgaria or Cayman Islands (maybe Malta?) is where all the legal actions will lead.
Very helpful.

NEXO FAQ, legit as FAQ
https://icis.corp.delaware.gov/eCorp/EntitySearch/NameSearch.aspx

Nevertheless, NEXO is backed by an established company and is exposed to a plethora of regulators from various countries that do give us a bit more confidence in the platform — meaning they should not just suddenly go “bankrupt” and exit-scam their users.

The security of the funds deposited on the platform is a different story. This is a recurring problem that all the centralized platforms share.

Source of our worries with centralized lenders.

Centralized lenders use a third party insurer (usually BitGo) who only insures funds that are stored in cold storage and held by BitGo as custodian. NEXO claims to store 95% of funds in cold storage. This may slow down the process of withdrawals of users' funds but it is a price worth paying for security. The question remains if this insurance policy applies to those who lend their cryptoassets or only to those who use their cryptoassets as collateral.

At the time of writing, the annual percentage rate of the loans starts at 5.9% if the user is repaying or taking out the loan using NEXO tokens. Otherwise, the annual percentage rate for borrowers is 11.9%. The interest for lenders of stablecoins and FIAT is 8%. How NEXO tokens make a profit out of -2.1% profit margin is beyond our current knowledge. An assumption is that the company accepts the loss in exchange for boosting the use and prices in this velocity sink of the NEXO tokens.

NEXO is a master of vague responses. If a company is supposed to pay out dividends based on profits, they should release regular statements as to their operations (as is normal for a typical publicly traded entity). The problem is both NEXO and Credissimo are private entities and have no obligation to make their earnings public, other than pressure from NEXO token holders.
The token holders should have “rights” to dividends, however, this is not in any way enforced through blockchain. Therefore, their only avenue is to prosecute — and there, they are left with the muddy waters of NEXO's web of shell companies and Bulgarian parent company. Good luck with that.

https://www.reddit.com/r/Nexo/comments/avmo3a/what_happened_to_monthly_dividends/

On a positive note, NEXO does pay out dividends, but schedules are never clear. The latest dividends were paid out in August 2019, with a yield below 3% APR. From a short history of dividends payout it seems that volume is growing, while the number of staked tokens is stagnant.
The dividends are based on profits, however, no earnings statement has been shown to the public. The dividend value can therefore be taken only at face value.
It is important to note that your personal yield on the token can vary significantly based on the price at which you bought your NEXO tokens. Secondly, NEXO has added a “Loyalty dividend”, which is essentially a further velocity sink that rewards not moving the tokens.

The yield plays an important role if you want to use NEXO for borrowing and use the token as collateral, because not only will you get a discount on the loan, you will also receive dividends for that collateral.

NEXO summary:
+ Decent yield (also on fiat currencies)
+ Credissimo is a legit lender, ensuring NEXO will always have customers
+ NEXO tokens are eligible to collect dividends when used as loan collateral
- Web of jurisdictions and shell companies
- Lack of clarity regarding NEXO earnings/dividends
- Lack of clarity in the NEXO token yield arbitrage
- Who are the borrowers?

Celsius

Public history of Celsius Network began with an ICO in February 2018. The stated utility for the token is supposed to be:

  • Discount token on interest and fee payments
  • Lenders can earn higher interest if they choose to receive it in CEL. Holding more CEL in one's wallet further increases these earnings

The $50M raise jump-started the lending ecosystem and Celsius is now a successful lending platform. The marketcap of CEL at the time of writing is $13.8M.
The token itself has a weak velocity sink (staking tokens to earn higher interest in the token), however, there seems to be no utility that would provide any fundamental buying pressure.
All bullish momentum will therefore be purely speculative. If one chooses to earn their interest in CEL, they are exposed to a highly volatile asset without legitimate markets. The only regulated market for CEL is IDEX, which suffers from chronically low liquidity.

Celsius Network Ltd is registered with the U.S. Securities and Exchange Commission (IRS number 824381219; SEC CIK #0001739052).
It is incorporated at 35 Great St. Helen’s, London, EC3A 6AP United Kingdom. Their interest rates are very competitive and they offer interest on assets that are not available on other platforms (for example 0x and ORBS). Their insurance policy is similar to that of NEXO and therefore there is no assurance that the lent assets are insured. As their documents state:

https://support.celsius.network/hc/en-us

Celsius has a 20k USD limit for automated withdrawals. Over 20k, your withdrawal will need to be confirmed with an authority inside the company. Regarding security of funds, the only assurance is that an audit is “in final stages” with an unspecified entity. They promise to publish the results on their website. Nice.

The only way to use Celsius Platform is through their smartphone app, which is frankly weird if one plans to lend more than just their change on the platform.

Summary:
+ Decent yield
+ Exotic loan collateral choices
+ Registered with SEC
+ Withdrawal policy
- Who are the borrowers?
- Only accessible through a mobile app
- Weak explanation of high yield

Salt Lending

SALT had an ICO in the summer of 2017.

SALT token has simple utility:

  • Discount token — better rates on monthly payment on a loan
  • Membership token — users need to pay at least 1 SALT per year to be eligible for loans

Needless to say, the market has deemed the token almost worthless. SALT raised $48.5M for their lending platform. The token's marketcap at the time of writing is $3.5M. The largest market is, unsurprisingly, Huobi.

SEC was digging into Salt lending in 2018. The platform survived the scrutiny. Salt has afterwards become quite strict about who they let use their platform, so check your jurisdictions before registering on their platform.
The SALT token isn’t even mentioned on the website anymore. We’re sure the ICO investors are happy about that. At least it wasn’t another money grab that didn’t deliver anything, right?

Ironically, Salt Lending lets you lend nothing. They do let you borrow money with some interesting services, such as the ability to borrow USD by putting up a DASH masternode as collateral (the masternode is still earning staking rewards for you during this period). Also, DOGE is available as collateral.

The future of finance

They have a good insurance policy, but well, who doesn’t for collateral.

Summary:
+ Somehow survived SEC scrutiny
+ Interesting borrowing options
- Cannot become a lender
- VERY limited jurisdictions for users
- Lack of utility for SALT token, ICO history

BlockFi

BlockFi is a relatively new player with strong backing.
They are a child company of Gemini, which they leverage as their insurer, or better said, security provider. It gives the platform good social standing, as any BlockFi failure would directly hurt the reputation of Gemini, which has a lot of skin in the game.
Regarding assets, they are closely tied to Gemini itself, which is very conservative. The only stablecoin supported by the platform is GUSD. This means you are not only lending your funds to Gemini, your underlying collateral entirely depends on the stability of Gemini itself as a platform.

Interest rates are good when compared to the industry standard, but nobody knows how the interest is actually calculated. Looks like not even the company itself. Nice.

From the above explanation, our guess is that the interest rate depends on how well the clients of BlockFi slept the night before.
Not that other platforms are crystal clear.

Overall they are the crypto standard when it comes to interest rates (opaque as hell) and financial security — in this case you are trusting the Winklevoss twins.
According to BlockFi, they are making profit by lending your money/crypto to other “strategic partners” which is basically the same sales pitch all other platforms use.

Summary:
+ Winklevoss twins will frown disapprovingly at anyone who attempts to steal BlockFi funds
+ Decent yield
+ No historical red flags (read: no useless ICO)
- Interest rates are decided by reading tea leaves
- Stablecoin collateral is limited to GUSD and directly linked to Gemini (increasing systemic risk)
- Who are the borrowers?

Crypto.com

Even though we reviewed more centralized platforms, the last one worth reading about is Crypto.com — or formerly Monaco.

Monaco was an ICO in the summer of 2017. They raised $27M. The token marketcap is currently $69M.

Here is a short history of the MCO token:
VISA card incoming!; uhhh, maybe later; Google Play VISA partnership!; pump; dump; repeat.
Good times.

It seems that the legal structure ends in Malta (based on a simple Google Maps search, this is unsurprisingly a shell company):

They are operating under more entities though, so they also have incorporation in Hong Kong.

From all the platforms we looked into, Monaco/Crypto.com wins the award for the most complicated legal presence. They are also registered in Switzerland through an entity (STAX AG) that seems to specialize in registering companies in Switzerland.
This was probably done for the purpose of the token sale.

https://crypto.com/en/security.html

User fund security seems more like a marketing stunt than reality — the business model requires the funds to be liquid at least proportionally and to be moved from lenders to borrowers and from the platform back to lenders. Crypto.com has a solution though:

Like everyone else, they use BitGo for insurance.

Summary:
+ If the company uses only their internal funds for liquidity purposes, it implies good deposit security for users
+ Flexible lock-up periods for lending
- Unclear legal structure
- History of token pumps and dumps (hence the rebranding)
- Funds accessible only through a smartphone app
- Lack of focus — many products at once (credit card, lending, crypto exchange, quant trading)

Decentralized platforms

Compound

The biggest player in DeFi is currently Compound, a startup based and incorporated in San Francisco.
Unlike previously mentioned platforms, Compound has been financed through equity deals in multiple rounds.
Compound clearly has common sense and therefore no unnecessary futility token.

The best resource for security-focused due diligence on Compound is an article written by Ameen Soleimani and samczsun. It is probably the first useful thing to come out of Spankchain.

Our gripe with decentralized solutions is simple. You have to put your trust in the code, or better said in the people who wrote and audited it. Soleimani’s research has shown that although Compound is decentralized and open source, the private (admin) key is centralized and creates a single point of failure for the entire platform. If it ever gets compromised, all the lending pools can be drained of funds or even burned.
Similarly, the same administrator account provides price feeds (oracle) for all live markets.

All decentralized solutions will most likely have the same powers and have to be designed with this in mind.

Even though the founders claim there are various security precautions made to prevent this from happening, no security model is perfect. And since Compound is a decentralized project, can they really be held liable for potential losses?

Compound has passed through four security audits by OpenZeppelin and Trail of Bits. Each audit has found issues of at least medium severity, but with diminishing frequency and severity.

Summary:
+ Established as the biggest decentralized player
+ Relatively good liquidity
+ Repeated audits show a trend of less frequent and severe vulnerabilities
+ Clear jurisdiction
- Admin private key is a central point of failure
- Oracle (price feed) vulnerability is hard to solve

Ethlend

Ethlend (Aave Protocol) started as an ICO in Autumn 2017. They raised $18M. Their current token marketcap is $13M.
The token utility is exactly the same as SALT (almost nonexistent).

Ethlend supports more assets than Compound. There is a possibility of significantly higher yield than on Compound if one finds assets that have a low current supply on Ethlend. This is a theorycraft as we have not tested this interest arbitrage ourselves. It is likely that the liquidity on Ethlend is too low to exploit this in significant volumes. From a quick peek at the platform and checking the lenders’ side of the market (waiting for lenders), we can observe that the “order book” is very thin.

As a peer to peer lending platform, the terms of the loans are set by the loan creator.

The information about their price oracle is very limited, with the latest information we could find being from 2017. The team was utilizing a smart contract from Oraclize (currently provable.xyz) and it used only the Kraken API price feed.
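The single-feed dependency described above, as an added example (not code from Ethlend/Aave, Oraclize or this article's authors): the same loan is checked against one unconditionally trusted feed and against a median of fresh quotes with a quorum. Feed names, prices, timestamps, thresholds and the fail-closed policy are constructed assumptions, and median aggregation is a common mitigation chosen for illustration, not something the reviewed platforms are stated to use.

```python
# Added illustration, not code from any platform reviewed in this article.
# Feed names, prices, timestamps and thresholds are constructed assumptions.
from dataclasses import dataclass
from statistics import median
from typing import List, Optional

MAX_AGE_S = 300          # assumed: quotes older than this are ignored
MIN_SOURCES = 3          # assumed: quorum of fresh quotes required
LIQUIDATION_RATIO = 1.5  # assumed: minimum collateral value / debt


@dataclass
class Quote:
    source: str
    price: float     # USD per unit of collateral
    timestamp: int   # unix seconds


def single_source_price(quotes: List[Quote], source: str) -> float:
    """Weak design: trust one feed unconditionally."""
    return next(q.price for q in quotes if q.source == source)


def aggregated_price(quotes: List[Quote], now: int) -> Optional[float]:
    """Median of fresh, positive quotes; None when the quorum is not met."""
    fresh = [q.price for q in quotes
             if q.price > 0 and 0 <= now - q.timestamp <= MAX_AGE_S]
    return median(fresh) if len(fresh) >= MIN_SOURCES else None


def is_liquidatable(units: float, debt_usd: float,
                    price: Optional[float]) -> bool:
    """True when collateral value is below LIQUIDATION_RATIO * debt.
    Without a trustworthy price the loan is left alone (assumed policy)."""
    if price is None:
        return False
    return units * price < debt_usd * LIQUIDATION_RATIO


NOW = 1_576_500_000
QUOTES = [  # constructed sample: feed_a prints a bad tick, feed_d is stale
    Quote("feed_a", 14.50, NOW - 20),
    Quote("feed_b", 145.10, NOW - 35),
    Quote("feed_c", 144.80, NOW - 50),
    Quote("feed_d", 145.40, NOW - 4000),
]


def compare(units: float = 10.0, debt_usd: float = 600.0):
    """Return (liquidated under single feed, liquidated under median)."""
    weak = is_liquidatable(units, debt_usd, single_source_price(QUOTES, "feed_a"))
    robust = is_liquidatable(units, debt_usd, aggregated_price(QUOTES, NOW))
    return weak, robust


if __name__ == "__main__":
    print(compare())
```

A genuine price drop seen by every feed still moves the median, so the aggregated check liquidates in that case; only the isolated bad print and the stale quote are filtered out.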

https://github.com/aave/aave-protocol/blob/master/docs/ToB_aave_protocol_final_report.pdf

Security audit situation is promising but crude. There has been only one audit finished, namely by Trail of Bits, with one more by OpenZeppelin in progress.

Ethlend/Aave Summary:
+ Aave supports FIAT pegged loans
+ P2P lending
- Low P2P liquidity/volume
- Outdated information about price oracle
- More audits necessary

Nuo network

Nuo network is an open source and non-custodial lending protocol that is backed by ConsenSys. The project pools tokens into shared liquidity and provides its users with proportional interest. The pooling should ensure instant liquidity for borrowers. What makes Nuo unique at the moment is the offering of 3x margin trading on Kyber and Uniswap. Nuo provides instant liquidity for long or short positions on Bitcoin, Ether and some ERC20 tokens. This makes Nuo a contract to contract implementation usable across DeFi products.
The platform seems to be growing fast in Asia.

The information in their official docs states:

Nuo is using their own centralized oracle, which is closed source. We can see they highlighted another pain point of decentralized exchanges, and that is the on-chain congestion during extremely volatile periods of price movement. For a sacrifice of your yield you can get a share of the insurance fund, but it is unclear how much of your assets it will actually cover if such a case happens.

On the Nuo network, in some cases, the lending annual percentage rate can get higher than the borrowing rate, although it will probably only happen in low volumes, as we can see in the current example with SNX.

This is because on Nuo: “Every loan that gets taken on Nuo has a fixed interest that you have to pay regardless of the time in which you repay. The rate of this interest is determined solely by the reserve utilization of that currency at the time of creating the loan.” https://help.nuo.network/article/how-much-interest-will-i-pay/

The project's smart contracts were audited by Quantstamp, but the audit report, as published, can be summarized by this tweet:

Summary:
+ Insurance fund can protect you by sacrificing profits, reducing risk
+ Significant potential interest through imbalances on the market
+ Margin trading on Kyber and Uniswap
+ Instant liquidity (untested)
- Lack of proper audit reports
- Centralized closed source oracle which can wipe out your account during network congestion
- Low liquidity in active loans and reserve pools

Lending apps

Lending apps deserve a small mention here. They significantly reduce the barrier to entry for crypto lending.
Linen and Dharma use Compound for interest.
Outlet uses a mix of multiple DeFi platforms and the user does not even need to know they are using crypto. Linking the app with their credit card is enough.
In exchange for ease of use, these apps take a cut from the yield.

Summary

What is the best practice for lending out your precious cryptoassets? The question remains open after our research. On the side of centralized platforms, one has to trust a conglomerate of shady entities that mostly began as money grabbing ICOs (there are quite a few more available on the market that we did not deem worthy of a proper review). On the side of decentralized platforms, one has to trust these relatively young projects that their auditors are comprehensive enough and that the developers will not introduce further holes in the code. There is also the struggle with nullifying the single points of failure for these platforms.

Most of the options we reviewed above have more cons than pros. It is up to each investor to accept the offered yield for the inherent risk they accept by depositing their hard earned crypto to these platforms.

Further risks

When using centralized solutions, the KYC process is unavoidable. Using a third-party app further increases systemic risk by introducing another trusted party.

Decentralized platforms as a whole are strongly tied to the dominance of MakerDAO and USDC.

https://loanscan.io/loans#outstanding-debt

USDC is 99% of fiat backed liquidity in DeFi. If something happens to the reputation of USDC (since the peg is entirely trust based), DeFi will have problems.

SAI/DAI is directly linked to the potential vulnerability of MakerDAO. Exploiting it will not be as easy as the author of the article suggests, however, it is a risk that should be taken into account for any platform that accepts SAI/DAI.

Some see lending as a threat to Proof of Stake itself. All in all, staking has strong competition rising on the yield market and Proof of Stake consensus based systems will have to keep their monetary policy open to remain competitive.
