DeFi Needs Economics. Badly.
Decentralized Finance (“DeFi”) is heralded as the next crypto revolution. But the proliferation of recent hacks suggests that DeFi projects may still lack the maturity to fully replace standard financial services.
Economics tells us that unintended events can occur when incentives exist to game complex mechanisms.
Our analysis indicates that 5% of DeFi value ($50M in cryptoassets) has been compromised in hacks and other platform exploits over the past year, in part due to economic loopholes in DeFi platform design.
This is only the beginning.
Without sound economics, the number of hacks, lawsuits, disgruntled users, and emergency tweets will explode, severely hampering DeFi’s potential growth and expansion.
What is DeFi and why is it a target?
Broadly, DeFi includes all projects focusing on the disintermediation of financial infrastructure (see below). These include applications such as stablecoins, lending, derivatives, and exchanges. The value stored in DeFi protocols has skyrocketed since 2017 and hit $1B in early 2020 (see below). On the eve of the first DeFi hacks, Fortune wrote in February 2020 that “it feels like DeFi is here to stay.”
As DeFi’s value increases, so does the potential benefit from attacks. Unsurprisingly, precisely as the value stored in DeFi reached its maximum, hacks increased sharply in 2020 (see below).
Technology’s “move fast, break things” mantra carries significant liability when millions of dollars are potentially subject to these risks. Moreover, hacked protocols struggle to recover when users’ trust is destroyed; After dForce’s Lendf.Me smart contract was drained of $25M, the platform is still shut down, and users may never return.
At Prysm Group, we specialize in identifying, analyzing, and solving the economic vulnerabilities that blockchain-based platforms face as they launch and grow. Four economic security threats emerge as common threads across these DeFi incidents. DeFi projects must invest in understanding how these vulnerabilities occurred and how to fix them if DeFi is to obtain mass adoption. We discuss each below.
DeFi’s four economic threats to security
1. Interrelated determinants of crypto token value
The value drivers of DeFi tokens and financial instruments are frequently complex combinations of other fiat currencies (e.g., a basket) and/or other tokens (e.g., stablecoins).
This results in a higher risk that unexpected events or actions by a malicious actor can cause unwanted price changes for the token.
MakerDAO is a DeFi ecosystem that manages DAI, its stablecoin. It has been called the “Godzilla of DeFi”. On Black Thursday, ETH network congestion led to the significant breakdown of several key MakerDAO mechanisms. A key driver of the MakerDAO incident was the relationship between the DAI stablecoin and its collateral sources, which at the time were ETH and BAT. The value of DAI depends not only the price of its collateral, but also implicitly on the smooth functioning of markets for its collateral sources. When the price of ETH fell sharply on Black Thursday, ETH transaction markets became clogged. On MakerDAO, this resulted in Vault owners not being able to deposit additional collateral, Keepers not being able to access DAI liquidity, and eventually the DAI breaking away from its peg.
As a result of the Black Thursday events, MakerDAO has expanded the set of collateral sources to include ETH, BAT, USDC, and WBTC in an attempt to address collateral and risk concentration concerns. However, ~90% of DAI collateral is still ETH. Furthermore, MakerDAO will need to carefully consider how future events on any of these underlying platforms for collateral sources can impact DAI.
With any stablecoin that is not fully collateralized (with a 1–1 ratio of tokens to collateral), it is essential that platforms understand the various interdependencies driving their token value and develop remediation plans that address any weaknesses. Conducting agent-based simulations during the design process can help to identify the elements of the token design that are most susceptible to adverse events.
2. Oracle incentive compatibility in DeFi
DeFi often depends on some form of oracle, where many individuals report information and a composite function determines the “truth” that is then used by the protocol.
Oracles can simply relay token-related information such as current prices, but they can also specify more contested, complex information, such as the resolution of betting events on the platform Augur.
Platforms can be compromised when individuals have a profit incentive and are able to sway the oracle a certain direction at low cost. This was a security threat in many of the above incidents. Pegnet is a decentralized stablecoin platform that has moved over $500M through its network since launching in August 2019. However, in April 2020, a group of four mining entities successfully submitted 35 of the top 50 price submissions for the pJPY oracle on the Pegnet platform, artificially increasing their starting balance of a mere $11 worth of pJPY tokens to approximately $6.7M. While the mining entities did not cash out their pJPY, they clearly demonstrated the potential for significant price manipulation via the oracle.
Like many components of a blockchain-based system, oracle designs can be analyzed using game-theoretic models. Rigorous analysis of oracle design can surface the precise strategies and steps that each individual stakeholder could employ to conduct dishonest (but perhaps economically rational) behavior, and design levers to mitigate them.
3. DeFi pricing and auction mechanisms
Many DeFi systems often require a variety of pricing and auction mechanisms for financial instruments.
Poor auction design can lead to inefficient outcomes that damage the system and stakeholders.
In the MakerDAO system, when the value of the collateral for Vaults decreases to a certain threshold, Vaults are liquidated and auctioned off to a set of Keepers, who inject DAI into the system in exchange for the ETH (or other token-denominated) collateral. If there are multiple Keepers (or multiple Keeper bots) participating in these auctions, competition in bidding results in the auctioned collateral being purchased for a fair price. However, as we have touched on in a previous Coindesk article, auction mechanism failure played a key role in the MakerDAO incident discussed earlier. Ethereum network congestion created a scenario where two Keepers, each bidding solo in liquidation auctions, were able to win multiple auctions with bids of zero DAI. Because MakerDAO’s auction mechanism did not specify a reserve price, or minimum bid, there was nothing preventing the liquidated ETH from being sold for nothing. This created a ~$5.7M shortfall in the MakerDAO system and created a host of other issues for MakerDAO.
There is a rich economic research literature on the design of auctions. Two factors that have been shown to have significant implications for the outcomes of an auction are whether a reserve price is specified, and how the ending time for the auction is determined. Applying the insights from this research to the design of MakerDAO would have dramatically improved the functioning of these auctions and prevented the MakerDAO system from incurring a multi-million-dollar deficit.
4. Governance gaps in DeFi
DeFi systems run the risk that one small economic exploit can ruin the integrity of the entire system.
This risk can be mitigated by specifically creating risk management mechanisms, such as backstops, failsafes, and crisis governance mechanisms. However, structuring emergency safeguard components is often complex.
In the Lendf.Me incident, dForce could have potentially prevented the extent of the damage through some type of crisis governance. However, as far as we can tell, there were no emergency shutdown procedures or plan in place to stop platform operations in a timely manner if the system was compromised. There was a ~4 hour gap between when the dForce team learned of the attack and when Lendf.Me deposits were frozen. The lack of timely action is all the more surprising because dForce doesn’t utilize decentralized governance, so time was not required to coordinate the stakeholders involved for emergency procedures. Furthermore, once dForce took action, instead of fully suspending inflows to the lending protocol, they simply put up a red warning banner on the site that said “Do not supply anymore.” The delay in action, combined with the limited response, are not emergency actions that foster trust with users.
As we have discussed in a previous CoinDesk article, well-defined crisis governance is a critical component of any blockchain platform. It is essential that, from platform launch onward, there be a clear set of rules for what events will trigger the crisis governance process, who is allowed to make decisions on behalf of the platform, and what their options for actions are. Without this basic infrastructure, the confusion resulting from inaction during a crisis can cause significant damage and deter user adoption.
DeFi needs economic security
DeFi systems are complex. While complex systems can deliver significant value, complexity also presents many avenues for gaming behavior by self-interested actors.
In DeFi, the layers of specific algorithmic criteria that have to be met in a precise order for financial instruments to be created, transferred, closed out, or destroyed can be a feature, but can also create economic vulnerabilities. DeFi system creators have a responsibility and duty to develop platforms that are secure at economic and technical levels. Rigorous economic auditing is crucial for DeFi projects to avoid losing money for users and imploding.
