DeRisking DeFi: Guarded Launches

A string of recent successful attacks on the $850M Decentralized Finance ecosystem has highlighted the need for better risk management. Below, we offer a process framework for launching new DeFi products, heavily informed by our personal experiences working on the largest user-facing software systems. We hope to inspire innovations that will accelerate DeFi development while protecting users and build long-term trust in the DeFi brand.

Risk Management is a Killer Feature — Learning from the Tech Giants

In web 2.0 the best software teams learned how to develop features quickly while protecting sensitive user data and critical workflows. How do they do it? Much of the answer lies in the way these organizations adopt risk management processes.

The widely-used canary deployment process, for example, allows developers to deploy new code gradually and safely to billions of users. This simple technique enables everyone from the smallest teams to Google and Facebook engineers to develop at unprecedented speed. While the canary process cannot be directly ported to blockchains, the core underlying idea remains applicable: start small in a low stakes environment and then increase exposure and risk in a controlled manner.

Guarded Launches: Protecting Users with Limits

DeFi systems can achieve similar results by designing in configurable rules and thresholds that intentionally limit the functionality of a system. A new contract is deployed in a “guarded launch” with a conservative set of parameters, allowing users to interact with a product in a limited scope. As users and developers gain confidence in a system over time, governance processes can act to relax these risk controls to allow the system to grow and unlock scale.

These configurable mechanisms built into code need not be complex. Simple mechanisms are preferable, as to minimize the risk of adding additional code. Below are several categories of limits that projects could consider:

1. Asset limits — Limiting the total asset value managed by a system
2. Asset types — Limit types of assets that can be used.
3. User limits — Limit the total number of users that can interact with a system.
4. Usage limits — Increase friction by enforcing transaction size limits, daily volume limits, per-account limits, or rate-limiting transactions.
5. Composability limits — Restrict the ability for a contract to be used in a composite atomic transaction by introducing time locks around core operations.
6. Escrows — Escrow high value transactions with time locks and a governance capability to nullify or revert transactions.
7. Insurance ratios — Limit the total assets and liabilities held by a system as a ratio of a built-in insurance fund.
8. LTV ratio limits — Limit ratios of liabilities to user-provided collateral for lending and asset-backed synthetics.
9. Circuit breakers — Implement automatic mechanisms to pause a system in extreme scenarios.
10. Emergency shutdown — Implement facilities that allow governance to shutdown new activity in the system and allow users to reclaim assets

Many DeFi systems are already starting to incorporate such controls. A few examples from popular projects:

1. Maker relies on governance to control many aspects of the system including the debt ceiling (asset limits), asset types, LTV ratio limits, and emergency shutdown.
2. Compound added timelocks for protocol parameter changes, as well as a “pause guardian” which allows for emergency temporary shutdowns.
3. Uniswap uses a per-transaction price slippage limit (a type of usage limit) to protect users from unexpected outcomes.

Building Primitives for Guarded Launches: DeRisking as a Service

There’s an opportunity to build smart contract libraries and services that provide reusable components to implement these controls. A small number of code modules and libraries can power risk management across many codebases, in the same way that OpenSSL and gnutls power many crypto projects today. Specialized smart contracts and dapps could provide unified interfaces to governance processes that manage risk parameters.

A well-audited and well-tested risk management library would allow new projects to deploy their earliest version with comprehensive risk controls with minimal development overhead. Integrating with Guarded Launch infrastructure will become as crucial as code audits are in today’s smart contract deployments.

A thoughtful approach to risk management will help DeFi earn the reputation of transparency and responsibility required by a next-generation global financial system. Building these foundations of trust will be instrumental in growing beyond early adopters and attracting the largest market participants.

Special thanks to Tom Schmidt, Dmitriy Berenzon, Dan Elitzer, and the Electric Capital Team (Avichal Garg, Curtis Spencer, and Maria Shen) for their feedback and suggestions.