Understanding the Risks of TokenSets
The risks you should be aware of when interacting with TokenSets and Set Protocol
There are many risks associated with using the different DeFi/Open Finance protocols on Ethereum and these risks should be considered before a user decides to interact with any of these apps.
In this post, we’ll clearly outline all of the risks that you should be aware of when using the TokenSets platform and interacting with the Set Protocol contracts so that you can make more informed decisions when buying a Set.
Smart Contract Risk
We take smart contract security extremely seriously at Set. All of our contracts that have been deployed to the Ethereum mainnet have been audited by reputable security firms. Additionally, we have 100% test coverage, run integration/scenario/blackbox tests, do internal smart contract audits, and run modeling to look for adverse cases.
It’s important to note that even though our code has been audited and tested many times, there is still a risk that some edge case or bug exists which could result in user funds being lost.
Here are the links to all of the audit reports:
- PeckShield Audit [January 8th, 2020]
- Trail of Bits audit [April 8th, 2019]
- ChainSecurity audit [February 18th, 2019]
All of the funds that are part of the Set Protocol system are stored in the Set Protocol Vault smart contract (which you can view here). Users are able to protect themselves from hacks against this smart contract that would result in loss of funds by taking out protection using the Nexus Mutual platform.
It’s worth noting that we also have an open Bug Bounty Program that you can learn more about here.
Our aim is for the Set Protocol system to be as open as possible. All of the code that powers the system is open source on Github, our team members are all publicly known and the Set Labs company is registered in the U.S.
In saying that, the Set Labs team retains administrative control over the protocol as we have an admin key that is secured by a 2-of-3 multisig hardware wallet. This admin key allows us to upgrade our contracts at any time with no time-delay.
This key cannot currently be used to access funds that are stored in the Set Protocol Vault nor can it be used to confiscate or freeze user funds (Sets). Though, because this key allows us to upgrade/change the Set Protocol system at any time, anyone with access to this key could, in theory, push a change that adversely affected the protocol.
We do plan to further decentralize the protocol over time and reduce admin key risk (by implementing in a time-delay function), but as it currently stands we are still building out a lot of the core functionality for Set Protocol which requires us to maintain some level of control.
Like most of the DeFi/Open Finance protocols on Ethereum, Set Protocol relies heavily on oracles. We use oracles to feed price data to the platform, price rebalances, calculate fees and calculate triggers for rebalances.
We utilize both third party oracles and our own for each of the asset pairs on TokenSets (such as ETH/USD, LINK/USD etc) and we also use these price oracles to calculate the indicators that are used to trigger rebalances (such as the ETH 26 EMA, ETH/BTC RSI etc).
Price oracles pose a unique risk in that the price that they feed to the Set Protocol platform controls when a Set begins its rebalancing process. For example, let’s say the 20 Day MA Crossover Set is set to rebalance when ETH reaches a price of $200 but the current ETH price is $150. A possible attack scenario here is that if an individual or group was able to gain control of the Maker ETH/USD oracle, they could feed an incorrect ETH price of $200 or greater to the 20 Day MA Crossover Set which would trigger it to start the rebalance process. Though it’s worth mentioning that the Maker ETH/USD oracle is very robust and is used by most DeFi applications. You can read more about Maker’s oracles here.
In saying that, there are some preventive measures that can be taken in this situation. Before a rebalance is initiated, a function call needs to be made to the rebalancing contract that “initiates” the rebalance. Currently, our team has an automated bot that monitors for rebalances and calls this function. In the event of an oracle attack, we could disable this bot and not call the function on the smart contract. Though, of course, anyone else could still call this function to trigger a rebalance which would thwart our attempt to stop this attack.
Additionally, we currently act as a light node for Maker’s oracles which means we can push updates as needed and we also have monitoring in place to keep track of the oracles which would alert our team if anything unexpected was to happen.
Currently, Sets can be collateralized with a number of unique assets.
These assets include:
- ETH (in its wrapped form — WETH)
- WBTC (a tokenized version of BTC)
- USDC (Coinbase and Circles USD stablecoin)
- DAI (MakerDAO’s stablecoin)
- LINK (the native token of the Chainlink platform)
- cUSDC (interest-bearing USDC from Compound)
- cDAI (interest-bearing DAI from Compound)
Each of these assets has a unique risk profile that should be considered when deciding which Set you buy and hold — let’s run through each of them below.
WETH, or ‘Wrapped Ether’, is basically the equivalent of ETH. The reason the Set Protocol system converts ETH into WETH when depositing it into a Set is because the ETH asset does not conform to the ERC20 token standard on Ethereum. Ergo, wrapping it into WETH transforms it into an ERC20 token. The smart contract that is used to wrap ETH is not controlled by anyone which means WETH is considered non-custodial.
WBTC — Counterparty Risk
WBTC, or ‘Wrapped Bitcoin’, is similar to WETH but with one key difference — it is 100% custodial and centralized. The WBTC initiative is led by Kyber Network in partnership with BitGo. The short of it is that every 1 WBTC that is minted on the Ethereum network is backed by 1 BTC in a vault controlled by BitGo. The WBTC smart contract also has a pause function which allows its central operator to freeze WBTC assets at any time.
If this function was called to freeze WBTC deposited into Sets as collateral, or if the vault housing the BTC that backs WBTC is hacked, the expectation is that any Sets collateralized by WBTC would become worthless.
USDC — Counterparty Risk
USDC is a stablecoin tied to the US dollar created by Circle and Coinbase. It is 100% centralized and, like WBTC, has a pause function built right into its smart contract that would allow Circle or Coinbase to freeze anyone's USDC assets at any time.
If this function was called to freeze USDC deposited into Sets as collateral, the expectation is that any Sets collateralized by USDC would potentially become worthless (depending on if the assets were unfrozen at a later date).
DAI — Stability Risk
The DAI stablecoin is part of the MakerDAO system which means it is at the mercy of MakerDAO’s “decentralized governance” process. DAI is also known to lose its peg to the U.S dollar as it is only a “soft-peg” held in place by a complex set of parameters. While it is unlikely that DAI becomes worthless (as it is backed by collateral), it may affect performance of a Set if DAI’s peg is off while a Set is rebalancing.
cTokens (cUSDC and cDAI) — Liquidity and Platform Risk
Compound Tokens, or cTokens, are a product of the Compound Protocol. They are tokens that are “interest-bearing” meaning that they accrue interest at the current rate stipulated on Compound. Many Sets on TokenSets use cUSDC and some use cDAI.
The main risk associated with cTokens is that if the liquidity pool is overutilized during a rebalance that is exiting a Compound position (such as cUSDC or cDAI), it may be difficult to find the liquidity to successfully complete a rebalance for a cToken-based Set at favorable slippage.
Additionally, buying a Set that contains cUSDC or cDAI also opens up the user to Compound platform risk. For example, if Compound’s smart contracts were to be exploited, hacked, or adversely affected in any way — this could potentially have dire repercussions for any Set that contains cUSDC or cDAI.
Rebalances for Sets are some of the largest on-chain trades that happen on Ethereum. While this is encouraging from a growth perspective for Set Protocol, it also comes with it’s own set of risks. The major risk is a scenario where there simply wouldn’t be enough liquidity or people participating in a rebalance in order to successfully complete it (or complete it at favorable slippage).
An example of liquidity risk is what happened with MakerDAO’s system on Black Thursday. Due to the congestion of the Ethereum blockchain, the keeper bots that usually bid on MakerDAO liquidation auctions were unable to process their transactions which means that vaults were liquidated with bids at $0 for the underlying collateral. This resulted in an undercollateralized MakerDAO system as well as losses for users.
The above is just an example of liquidity risk in DeFi and doesn’t apply to Set Protocol because, in the case that no market makers bid during a rebalance (and the fail period elapses), the contracts can fail the auction and return to default state just like the rebalance never happened. If there are bids, and the auction fail period elapses, the Set goes into a drawdown state and users can then redeem their collateral.
It’s worth noting that to this day, no Set has had a failed rebalance and most rebalances have settled at between 0.5% to 1% slippage.
In saying that, to reduce the risk of a failed rebalance even further, we’re introducing a chunked rebalance mechanism called TWAP. You can learn more about that here.
TokenSets Website Goes Offline
The TokenSets website is an interface that allows anyone to interact with the Set Protocol smart contracts. This website is designed, developed and maintained by Set Labs in a 100% centralized way but this doesn’t mean that we can control or limit your access to the Set Protocol smart contracts.
In the unlikely event that the TokenSets website is offline, you can still interact with the Set Protocol system by following this guide. It will walk you through how to buy and sell Sets by using third party tools such as MyEtherWallet or Etherscan.
Additionally, Sets are still able to rebalance by calling the relevant functions on the smart contracts by using third party tools like those mentioned above.
Set Performance Risk
When you buy into a Set on TokenSets, you are buying a tokenized trading strategy that comes with its own set of performance risks. No trading strategy is guaranteed to make money (over any time period) and users should be aware of that when deciding on if they want to buy and hold a Set.
All of the performance metrics for each Set are displayed on the TokenSets website and are also able to be derived from the Ethereum blockchain as every rebalance is completed on-chain.
Social Trader Risk
While each Robo Set on TokenSets is controlled entirely by smart contracts, each Social Trading Set is controlled by their respective traders. While the trader cannot access user funds, they have the ability to:
- Change the Sets fees at any time (with a 5-day delay)
- Stop rebalancing their Sets and/or leave the platform without notice
- Trigger erratic rebalances or “go rogue” (though there is a 30 minute window after a rebalance is initiated where users can withdraw funds)
It’s also important to keep in mind that, as mentioned above, no trading strategy is perfect and traders may underperform the market which could lead to losses for users over time.
We hope that this article has helped you understand the risks associated with using TokenSets and Set Protocol.
If you have any questions, please feel free to jump into our community Discord channel where we’ll be happy to answer all of them!