A thought experiment
This article will be the first part of a series presenting a view on how decentralized finance (DeFi) may evolve over the coming 5 years and the impact it will have on the world. The series explores this through a thought experiment on how existing problems may be solved and what new products may arise from these solutions. Its format is a recount of the history of DeFi looking backwards from 2025. In each instance it aims to apply first principles thinking to the allocation of risk and capital for digital native financial products. This first article drills down on an earlier article on crypto lending to focus on unsecured and undercollateralized crypto lending, which does not yet exist in any usable form.
The bottlenecks of 2019
By mid-2019, crypto loans had been around for 18 months, beginning with the margin loan product provided by Maker. Borrowing using an on-chain margin loan was easy; a borrower would lock up Ether as collateral and borrow in stablecoin (Dai on Maker). As long as the value of the locked Ether stayed above 150% of the loan balance the borrower would not be margin called. If it dropped below this threshold or the borrower defaulted, the locked Ether would be liquidated to repay the loan, ensuring that the lender suffered no credit loss.
Whilst margin loans had taken off, unsecured crypto loans were a different matter because of their vulnerability to fraudulent borrowers. A borrower who didn’t have to supply at least 100% of the loan amount as collateral would always have some incentive to disappear with the loan. The threat of barring access to future finance would be a sufficient deterrent to most. However, the ability of malicious borrowers to easily create new pseudonymous addresses and repeat the process without detection meant that malicious actors could not be effectively blacklisted. In a worst case scenario, a malicious user could create hundreds of fake addresses, take out loans and then proceed to default on all of them simultaneously, known as a Sybil Attack. As long as a given user could create multiple addresses which could not be traced back to them, unsecured crypto loans would be vulnerable to Sybil Attacks.
Attempts to resolve this problem came in two varieties; the first, Know Your Customer (KYC) solutions, attempted to tie addresses to an off-chain identity, such that a bad actor could then be blacklisted. The second, gamification, sought to structure incentives so that borrowers would voluntarily choose not to exit scam lenders. Gamification could at best defer an exit scam rather than prevent it altogether as long as the possibility remained for one user to control all addresses on the system.
KYC solutions attempted to replicate the inefficient process which had been applied as a norm in the 1990s when the web was still in its infancy. It was assumed that importing the stock standard KYC process on-chain was worthwhile because it was an inherited norm endorsed in a number of jurisdictions. Proposed solutions involved photographing physical identification documents (often accompanied by handwritten notes to act as a timestamp), verifying them, and then encrypting and storing these in a decentralized manner to be shared at the user’s discretion with third parties performing KYC checks, i.e. crypto lenders. Seeking to import the inefficient process on-chain threw up challenges: who had custody of the digital copies; whether they could be stored securely; whether someone else’s verification process could be relied on by third parties; and the fact that KYC standards differed across jurisdictions. Furthermore, many of the unbanked without government issued documentation, who stood to benefit most, would be shut off from access.
While a solution to the threat of fraud would undoubtedly lead to an explosion of innovation in the DeFi space, it was hard to think of a better way to import fees, middle men, centralization and existing geographic barriers to financial inclusion than by seeking to replicate a set of regulations developed before “google” was a verb and which had since evolved at a snail’s pace.
Meanwhile, the cost of biometric sensors was in freefall, newer smartphones came with fingerprint recognition and better cameras could scan irises. The same way that smartphone GPS birthed the ridesharing industry, smartphone biometrics held the key to DeFi’s identity problem. The community had been trying to reverse engineer a solution to pull an outmoded identity verification process into the future of finance, not unlike building a hyperloop for the horse-and-carriage. However, reduced to its most basic form, the problem lay in proving that a given address could not be one of many controlled by a single person. The solution could be inverted as a question of whether a method could be devised in which a person could take an unalterable piece of information unique to them and use it to create an address. The answer lay at the intersection of biometrics and cryptography.
Enter Biometrically-Owned Accounts (BOAs)
Developers had started with the assumption that all addresses were created equal. There was one class of Externally Owned Accounts which were controlled by a private key. Externally Owned Accounts triggered all activity with Contract Accounts on the Ethereum blockchain. Developers soon turned their attention to combining biometrics with cryptography. Working with teams of biochemists and cryptographers, they created the Biometrically Owned Account (BOA), a new class of Account in which the key pair was generated from the user’s biometric signature. To enrol for a BOA, a user took their iris scan using a smartphone, which was then run through an open source algorithm to hash the biometric signature’s binary code and generate a key and address.
The exact same address would be generated each time, giving an enrolling user only one possible Ethereum address. If a different hashing algorithm were used then a different address would result, hence it was important that all DeFi lenders adopted the same standard. The address could not be reversed back into the user’s biometric signature or identity, even with the open source algorithm in hand, preserving privacy. Acknowledging users’ desires not to have their financial activity commingled with other on-chain activity, other industries adopted different open source algorithms so that a user could have different BOAs for different purposes — health, social media, finance etc.
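The derivation described above, as an added example that is not part of the original article or of any real BOA implementation: a canonical biometric template is hashed under a per-purpose tag so that one template yields exactly one address per purpose, and the finance address is unlinkable to the health or social address. The template bytes, the tag format and the stand-in key-to-address step are all constructed assumptions; real Ethereum addresses come from a secp256k1 public key and Keccak-256, and real biometric captures vary from scan to scan, so a deployment would need an error-correcting step before the hash to produce the stable template this example takes as given.

```python
import hashlib
import hmac

# Constructed stand-in for a canonical biometric template (e.g. an iris code)
# as produced by the capture pipeline. The template is the secret: anyone who
# holds it can reproduce the key, so it must never leave the user's device.
IRIS_TEMPLATE = bytes.fromhex(
    "9f3c1a7e5b2d4c6f8a0e1d3b5c7f9a2e4d6c8b0a1f3e5d7c9b2a4e6f8d0c1b3a"
)


def derive_boa(template: bytes, purpose: str) -> dict:
    """Derive a deterministic key and address from a template for one purpose.

    The purpose string acts as a domain-separation tag: the same template
    gives a different, unlinkable address for "finance" than for "health".
    """
    tag = f"BOA-v1/{purpose}".encode()  # assumed tag format
    # HMAC-SHA256 keyed by the tag; same (template, purpose) -> same key.
    private_key = hmac.new(tag, template, hashlib.sha256).digest()
    # Stand-in for the real secp256k1 pubkey -> Keccak-256 -> last 20 bytes step.
    address = hashlib.sha256(b"address" + private_key).digest()[-20:]
    return {"private_key": private_key.hex(), "address": "0x" + address.hex()}


class LenderRegistry:
    """Records enrolled BOA addresses so each address can be enrolled once.

    Because the address is a pure function of (template, purpose), a second
    enrolment attempt with the same template collides with the first entry.
    """

    def __init__(self) -> None:
        self._enrolled: set[str] = set()

    def enrol(self, address: str) -> bool:
        if address in self._enrolled:
            return False  # already enrolled: no second address for this person
        self._enrolled.add(address)
        return True


if __name__ == "__main__":
    finance = derive_boa(IRIS_TEMPLATE, "finance")
    health = derive_boa(IRIS_TEMPLATE, "health")
    registry = LenderRegistry()
    print("finance BOA:", finance["address"])
    print("health BOA: ", health["address"])
    print("first enrolment accepted:", registry.enrol(finance["address"]))
    print("second enrolment accepted:", registry.enrol(finance["address"]))
```

Re-running `derive_boa` with the same template and purpose returns the same address, which is what lets a lender refuse a second enrolment; changing only the purpose tag changes every byte of the output, so the per-industry separation the article describes falls out of the tag rather than of a separate algorithm.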
Any person with access to a biometric-enabled smartphone could now create a unique address with their biometric signature, but only once, preventing Sybil fraud. The BOA became the ticket to accessing previously unavailable financial products. The global financial system was becoming flatter.
Undercollateralized crypto loans take-off
As the BOA was the most effective means of lenders preventing a Sybil Attack, only users with a BOA address could apply for undercollateralized loans. Many crypto lenders emerged to meet the untapped demand for undersecured crypto loans as the total addressable market was orders of magnitude larger than the market for margin loans.
Defaulting borrowers would lose access to DeFi loans through their BOA while the default remained unpaid. Of course, this didn’t eliminate fraud entirely; there were still edge cases where BOAs were taken out on behalf of other people and window-dressed to appear legitimate. By and large, however, the wholesale fraud people expected to engulf a pseudonymous system of borrowing never materialized, because most people who wanted access wanted to reuse the product.
While the advent of undercollateralized crypto loans and BOAs transformed access to finance, the precepts of underwriting remained the same. Lenders still needed to consider the borrower’s ability to repay when underwriting. With a digital native financial product, it only made sense that credit assessment use digital native evidence. Lenders paid most attention to:
- Age of the address — the older the address, the longer the demonstrable track record of income;
- Surplus income — the better the ratio of amounts transferred to the address relative to expenses transferred away from it, the stronger the application; and
- Network connections — more addresses transferring income to the address implies a more robust income stream.
Early adopters of the undercollateralized crypto loan were blockchain developers because they were already highly integrated with the on-chain economy. They were more likely to freelance on projects for multiple employers, were paid in cryptocurrency and were able to demonstrate a long track record of income to service loans. Underwriters would scrape their BOA’s transaction history and provide approval and funds within minutes. A loan token would also be transferred to the BOA which contained the schedule of payments to demonstrate whether an account was overdue or not. Borrowers who repaid on time would receive access to better future loan terms.
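The underwriting steps above (scrape the BOA’s history, score the three signals, then track the loan token’s payment schedule and bar BOAs with an unpaid default) as one added worked example. This is illustrative code, not the article’s or any lender’s method: the transfer records, the thresholds in `POLICY` and the flat loan schedule are all constructed, and amounts are treated as integer stablecoin units with block numbers standing in for time.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    value: int  # stablecoin units


# Constructed on-chain history for a freelance developer's BOA and a fresh BOA.
BORROWER = "0xb0a-dev"
NEWCOMER = "0xb0a-new"
SAMPLE_TRANSFERS = [
    Transfer(100, "0xemployer-1", BORROWER, 1000),
    Transfer(300, "0xemployer-2", BORROWER, 800),
    Transfer(320, BORROWER, "0xrent", 500),
    Transfer(600, "0xemployer-1", BORROWER, 1000),
    Transfer(650, BORROWER, "0xshop", 300),
    Transfer(900, "0xemployer-3", BORROWER, 400),
    Transfer(950, "0xemployer-9", NEWCOMER, 5000),
]

# Assumed lender policy: minimum address age (blocks), income/expense ratio
# and number of distinct income sources.
POLICY = {"min_age": 500, "min_surplus_ratio": 1.5, "min_counterparties": 2}


def assess(address: str, transfers: list[Transfer], current_block: int) -> dict:
    """Compute the three signals the text names from an address's history."""
    inflows = [t for t in transfers if t.receiver == address]
    outflows = [t for t in transfers if t.sender == address]
    history = inflows + outflows
    if not history:
        return {"age": 0, "surplus_ratio": 0.0, "counterparties": 0}
    age = current_block - min(t.block for t in history)
    income = sum(t.value for t in inflows)
    expenses = sum(t.value for t in outflows)
    # No expenses at all is treated as an unbounded surplus ratio.
    ratio = income / expenses if expenses else float("inf")
    return {
        "age": age,
        "surplus_ratio": ratio,
        "counterparties": len({t.sender for t in inflows}),
    }


def decide(signals: dict, policy: dict = POLICY) -> bool:
    """Approve only when every signal clears its policy threshold."""
    return (
        signals["age"] >= policy["min_age"]
        and signals["surplus_ratio"] >= policy["min_surplus_ratio"]
        and signals["counterparties"] >= policy["min_counterparties"]
    )


@dataclass
class LoanToken:
    """Token held in the BOA carrying the repayment schedule (assumed shape)."""
    borrower: str
    schedule: list[tuple[int, int]]  # (due_block, amount)
    paid: dict[int, int] = field(default_factory=dict)  # due_block -> paid


def overdue_installments(token: LoanToken, current_block: int) -> list[tuple[int, int]]:
    """Return the instalments that are past due and not fully paid."""
    return [
        (due, amount)
        for due, amount in token.schedule
        if due < current_block and token.paid.get(due, 0) < amount
    ]


def eligible(address: str, unresolved_defaults: set[str]) -> bool:
    """A BOA with an unpaid default cannot take out a new loan."""
    return address not in unresolved_defaults


if __name__ == "__main__":
    now = 1000
    for addr in (BORROWER, NEWCOMER):
        s = assess(addr, SAMPLE_TRANSFERS, now)
        print(addr, s, "approved" if decide(s) else "declined")
    token = LoanToken(BORROWER, [(1100, 200), (1200, 200), (1300, 200)], {1100: 200})
    print("overdue at block 1250:", overdue_installments(token, 1250))
    print("eligible after default:", eligible(BORROWER, {BORROWER}))
```

The established developer address clears all three thresholds while the newcomer fails on age and counterparties, and the overdue check only flags instalments whose due block has passed without full payment, which is exactly the state the article’s loan token exists to expose.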
Conclusion: DeFi’s green shoots
This thought experiment on a novel solution to the prevention of Sybil Attacks diverges from present thinking in the space by departing from the requirement that a person’s exact off-chain identity be established, in favor of ensuring only that a given address is the only one controlled by a user of a platform. If this solution holds then a multitude of opportunities for new DeFi products and governance structures start to open up. These will be discussed in future articles as the thought experiment continues. The next article in the series will focus on the gamification and incentive design of DeFi lending products; I had wanted to include those here but felt they warranted a separate article. If you have any suggestions for future pieces please feel free to reach out here or on Twitter.