Understanding Risks in DeFi: #1 Uniswap

Hugh Karp
Nexus Mutual
Oct 1, 2019


#DeFi is beginning to gain real traction which means more and more users are using the features of the space. We think it’s really important to understand the risks, especially as smart contracts are still experimental.

To interpret the risks involved we are writing a series based on a high level framework — largely influenced by established risk management techniques and adapting them for the DeFi community.

What will follow is a series of posts which use the framework we set out and apply it to a variety of projects and points of interest. We would love to hear your views and comments on this work-in-progress.

Risk Framework

Our framework is grounded in established risk management techniques and uses a high-level qualitative approach to ratings. To start, we classify risk into 3 main categories:

1. Technical Risk

This is the risk of the smart contracts not behaving as intended by the developers. It is very hard to write error-free code, so there is always some level of technical risk. Audits, extensive testing, formal verification, and how “battle-tested” the contract is are all factors that can reduce technical risk.

2. External Risk

This is the risk of external information influencing how the smart contracts operate to the detriment of other users. For example, an oracle could provide malicious data, an administrator could change a system parameter, or governance procedures could be co-opted.

3. Economic Incentive Failure Risk

Many smart contract systems, especially in the DeFi space, rely on economic incentives to encourage network participants to perform certain actions. These incentives could fail to encourage the right behaviour or be inadequate, leading to other users being adversely impacted. For example, the incentives in the MakerDAO smart contracts could be too aggressive and the DAI <> USD peg could break if the ETH price drops too far, too quickly.

It’s important to acknowledge that these three categories of risk are in addition to the regular usage of the particular smart contract. For example, if you’re using a gambling application there is clearly a risk you lose your money through the normal usage of the system. We are focused on the more severe risks here, not risks involved in standard use where everything operates as expected.

Risk Framework

To assess the risk of using each smart contract system we have used a standard qualitative method that scores risk in each of the 3 risk categories. Importantly, the ratings are subjective and the categories are deliberately broad. The goal is not to imply accuracy but instead to conceptually understand the level of risk involved. The framework breaks down each risk category into two elements:

  1. Likelihood — how likely is the event to occur that could cause a loss.
  2. Consequence — assuming the event occurs what would the impact be.

Figure: Risk management framework

Uniswap as an Example

At this point it is probably easiest to work through a specific example. And for that we will start with Uniswap.

Uniswap is a decentralised exchange that has two main user types, firstly the user who wishes to trade tokens and secondly the liquidity provider who provides liquidity to the Uniswap pools in return for a share of the trading fees.

We will focus the analysis from the perspective of a liquidity provider as they are exposed to these risks on a more long term basis. A similar analysis could be completed from a trader’s perspective.

Technical Risk

Likelihood: As with all smart contracts, Uniswap’s smart contracts are exposed to technical risk. The contracts are relatively simple, have been audited, passed a lightweight formal verification, and have also been “battle-tested” to quite a good degree, so from a likelihood perspective we could rate it “Rare” that there will be an issue (we understand there is room for debate here and encourage feedback on these ratings).

Please be aware that there is a known attack vector with some tokens being used in Uniswap, specifically ERC-777 tokens and some more complicated ERC-20s with extended functionality. All basic ERC-20 tokens are fine.

Consequence: If there is a bug, the impact could potentially be “severe” as all funds could be stolen or made inaccessible.

Therefore, we’ve rated Uniswap ‘Medium’ in terms of Technical Risk by cross-referencing the matrix above.

External Risk

One of Uniswap’s defining features is that the smart contracts have no oracles, no administrative rights and no governance. They are entirely self-contained, which makes Uniswap one of the few widely used smart contract systems with this property.

Therefore there is actually no external risk in this case.

Economic Incentive Failure Risk

Uniswap’s only real economic parameter is the trading fee of 0.30% per trade. This is to encourage liquidity providers to place their funds in the liquidity pools so that traders can make use of the protocol. If this fee turns out to be too high or too low then it might change the level of funds in each pool and consequently the returns for liquidity providers, but it has no bearing on a liquidity provider’s capital.

Therefore we’d argue there is actually no economic incentive failure risk in this case.

Uniswap Risk Scoring Summary

So for Uniswap we have risk scoring of the following:

Become a Uniswap Liquidity Provider

If you’re interested in becoming a Uniswap liquidity provider we suggest investigating historic returns as well as developing an understanding of the way the liquidity pool assets shift with price movements. As a liquidity provider you will likely get back a different ratio of the two assets you provide, as exchange rates will move between your entry and exit points.
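To make the shift in pool assets concrete, the following is an added example (not code from this post or from Uniswap) that models a pool with constant-product pricing, x * y = k, which is how Uniswap prices trades although the post does not spell it out. The pool size, LP share and prices are constructed, and fee income is ignored when computing the exit position.

```python
import math

FEE_NUM, FEE_DEN = 997, 1000  # the 0.30% trading fee stays in the pool


def swap_output(amount_in, reserve_in, reserve_out):
    """Amount paid out for amount_in under x*y=k after the 0.30% fee."""
    in_with_fee = amount_in * FEE_NUM
    return in_with_fee * reserve_out / (reserve_in * FEE_DEN + in_with_fee)


def reserves_at_price(eth, dai, price):
    """Reserves once arbitrage has moved the pool to `price` DAI per ETH.

    Fees are ignored here, so k = eth * dai is held constant.
    """
    k = eth * dai
    return math.sqrt(k / price), math.sqrt(k * price)


def lp_exit(share, eth0, dai0, exit_price):
    """Compare withdrawing `share` of the pool at exit_price with holding."""
    eth1, dai1 = reserves_at_price(eth0, dai0, exit_price)
    eth_out, dai_out = share * eth1, share * dai1
    lp_value = eth_out * exit_price + dai_out
    hold_value = share * (eth0 * exit_price + dai0)
    return {"eth": eth_out, "dai": dai_out,
            "lp_value": lp_value, "hold_value": hold_value,
            "vs_hold": lp_value / hold_value - 1}


if __name__ == "__main__":
    # Constructed pool: 1000 ETH and 200000 DAI (200 DAI/ETH); the LP owns 1%.
    eth0, dai0, share = 1000.0, 200_000.0, 0.01
    for price in (50.0, 200.0, 800.0):
        r = lp_exit(share, eth0, dai0, price)
        print(f"{price:>6} DAI/ETH: {r['eth']:.2f} ETH + {r['dai']:.2f} DAI, "
              f"{r['vs_hold']:+.1%} vs holding")
    # One 10 ETH trade: the fee makes the product of the reserves grow.
    out = swap_output(10.0, eth0, dai0)
    print(f"k before {eth0 * dai0:.0f}, after {(eth0 + 10) * (dai0 - out):.0f}")
```

In this constructed pool a fourfold price move in either direction leaves the position worth 20% less than simply holding the two deposited assets, before any fee income is counted.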

In terms of returns, over the past 3 months Uniswap returns have been about 5.53% on the DAI:ETH pool and vary with both the size of the liquidity pool and volume of trades.

Uniswap DAI:ETH pool returns

Uniswap + Smart Contract Cover

Nexus Mutual’s Smart Contract Cover can be used to mitigate the Technical Risk involved in using Uniswap’s smart contracts, as a claim will be paid in the event of the smart contract failing. Current quotes on Uniswap for Smart Contract Cover are 1.3% pa.

As an ETH:DAI liquidity provider you now have two options:

  1. Earn 5.5% and take on the technical risk of the smart contracts
  2. Earn 4.2% net and mitigate the technical risk of the smart contracts.

Purchasing Smart Contract Cover can adjust your risk scoring to the following:

You can get a quote on Smart Contract Cover for Uniswap by entering uniswap.nexusmutual.eth as the smart contract address.