Why DeFi needs decentralized cover (and how optimistic oracles fit in)

dreamsofdefi, published in UMA Project, Apr 28, 2023 (7 min read)

TL;DR: As DeFi has grown, the demand for decentralized cover has increased. While the decentralized cover space is small relative to the size of the DeFi market, several projects have come up with useful ways to offer protection to users. These projects typically rely on resolution processes for payouts, highlighting the value of optimistic oracle mechanisms like UMA.

Key takeaways:

  • The DeFi space is risky, which has created demand for protection.
  • Projects like Nexus Mutual, Sherlock, and Cozy Finance have paid out millions of dollars in claims as DeFi has grown.
  • In the decentralized cover space, tokenholders typically vote on payouts, creating an important use case for optimistic oracles like UMA.

DeFi is blockchain’s biggest success story to date. Since MakerDAO became the traditional finance alternative’s first project to launch on Ethereum in 2015, the ecosystem has ballooned in size, peaking at $250 billion in total value locked in late 2021. Groundbreaking projects and primitives have emerged across multiple blockchains. To date, over seven million unique addresses have interacted with DeFi at least once.

While DeFi has cooled in recent years as part of a broader crypto market decline, it’s the primary use case for blockchains like Ethereum, Avalanche, and Solana. But the space is not yet mature. When someone chooses to interact with DeFi, they expose themselves to risks such as smart contract bugs and hacks. It’s thanks to DeFi’s never-ending deluge of hacks that crypto has been dubbed “the Wild West of finance.”

This environment has created demand for insurance-like products to protect users. DeFi relies on other support pillars like security audits, whitehat hacking, and protected tokens, but decentralized cover is arguably its most effective shield. While only a fraction of the $55 billion locked in DeFi today is protected, several solutions have emerged with innovative approaches to make the ecosystem safer. This feature unpacks how decentralized cover works, and the role optimistic oracle mechanisms can play in the space.

Euler Finance’s $200M hack and lessons for the space

DeFi suffered the latest in a series of blows on March 13, 2023 when the Ethereum lending protocol Euler Finance was exploited for $200 million in a flash loan attack.

While $200 million is a staggering sum, nine-figure hacks like this have become commonplace in DeFi. The Euler incident was unique not for its size but for the events that unfolded in the aftermath. Euler Labs took all of the usual steps teams take following an attack, including contacting law enforcement, offering the hacker a 10% bounty, and launching a $1 million campaign for information leading to their arrest. But on April 4, Euler Labs announced that the exploiter had returned all of the stolen funds to the Euler DAO treasury. The attacker, who identified as “Jacob,” also sent an apology in an on-chain message.

The Euler Finance exploiter sent an on-chain message to the project apologising for the theft when they returned the funds (Source: Etherscan)

The return marked one of the biggest recoveries of stolen funds in crypto history. What’s more, after Jacob traded the stolen assets for $ETH and $DAI, they sent back a greater sum than the amount they stole. The Euler team announced a plan to repay users on April 5; some claimants lost a portion of what they’d put in while others profited, depending on their activity on the protocol.

While hackers rarely engage with their victims, much less return their stolen wares, DeFi teams often attempt to negotiate with their attackers following hacks. In fact, 10% bounty offerings have become something of a standard in attacks like this. Euler came out relatively unscathed after Jacob returned the funds. But it’s clear that DeFi needs to do more; sending on-chain messages and offering a bounty after an incident occurs isn’t enough to sustain a healthy ecosystem.

Some Euler users had taken out cover, DeFi’s on-chain equivalent of insurance, prior to the March 13 incident. Cozy Finance, a DeFi protection protocol on Ethereum and Arbitrum, reimbursed users after launching cover for Euler in February. Sherlock also paid out $4.5 million directly to the project. And Ethereum’s biggest cover protocol, Nexus Mutual, paid out $2.4 million; the project’s DAO later contacted Euler to demand a $2 million refund because it had covered losses for policyholders who later got their funds returned. Nexus Mutual has said it may pursue legal action if the funds aren’t returned, per CoinDesk. Cozy and Sherlock use UMA’s optimistic oracle as a resolution layer for payouts, while Nexus Mutual has its own internal resolution system to reach decisions on payouts.

The Euler incident highlights the importance of diligent auditing and dealing with incidents effectively when they occur. But it raises an important question: is there a way to make DeFi safer (and what happens if the funds later get returned)? Security audits and effective crisis management have an important role to play here, but it’s clear that protection is also crucial.

DeFi and risk

Interacting with crypto involves an element of risk. Users need to evaluate risk and then make decisions such as the assets they should buy and the amount they should put in based on their conclusions. Interacting with DeFi increases this risk and presents users with a new set of questions: is this protocol safe? How much yield can I earn? What portion of my portfolio should I put into this smart contract?

Similarly, DeFi projects have to weigh up the risks with their own questions: is the code safe? Can we trust our audits? What’s the plan if we get hacked?

DeFi protection is a direct response to risk, and it’s designed to help users and projects answer the above questions. When projects offer cover, they’re essentially saying “this technology is experimental and risky, but our product can offer you peace of mind by protecting your assets.”

Protection in DeFi

Similar to DeFi users, projects like Cozy and Sherlock face the question of how to price risk through the cover they offer. Protection options vary according to the related project and activity. But generally, they target a few different types of users:

  • Yield farmers who want to earn from depositing assets into a protocol. The rate they pay for protection needs to be lower than the yield they can earn, otherwise it makes no sense for them to buy it.
  • Borrowers who want to take out assets against their holdings. They pay to protect their collateral and also pay interest on their borrowed funds.
  • Lenders who want to earn a premium for providing protection to other users. They can earn a high interest rate on their holdings, but they may lose a significant portion of their deposit in a trigger event such as a hack.

Once DeFi protection projects offer cover to users, they need to establish whether to make payouts in the cases where an incident occurs. In the traditional world, insurers typically decide on whether a customer will receive a payout based on a set of predetermined terms and conditions. In some cases, insurers lean on loopholes to avoid making payouts.

DeFi protection works differently. Projects usually rely on a resolution process to determine payouts, which can offer transparency and eliminate bias. Rather than one party deciding on who receives a payout, groups of tokenholders place votes and earn rewards for their participation. This is where UMA’s optimistic oracle (OO) can serve as a useful tool for protection projects.

Cozy uses UMA’s OO as part of its security layer to trigger payouts. After a hack, the oracle answers the question “did a hack happen?” and then pays Cozy’s users who took out protection. For the most part, Cozy users are typical DeFi users.

Cozy Finance launched protection for Euler Finance users in February, leveraging UMA’s optimistic oracle to trigger payouts (Source: Cozy Finance)

Sherlock works differently to Cozy in that it directly targets protocols rather than users. When the project agreed to pay out $4.5 million to Euler, it did so because Euler had taken out cover. Sherlock uses a group of expert researchers known as “Watsons” to price risk and offer cover accordingly. Like Cozy, Sherlock uses UMA’s OO to trigger payouts, but only if a decision is escalated. By asking $UMA tokenholders to evaluate payouts when the project can’t come to an agreement, Sherlock aims to eliminate third-party bias. This is because $UMA tokenholders are incentivized to vote honestly, and they shouldn’t stand to gain or lose anything from Sherlock’s payout decisions.

Sherlock currently covers around $16.5 million in value (Source: Sherlock)

Nexus Mutual launched in 2019 and is still crypto’s largest on-chain protection service. To date, it’s underwritten $5 billion worth of cover and issued $17 million in payouts, per its own website. It’s also the only DeFi cover protocol with a loss ratio of less than 1 ($23.9 million earned in premiums vs. $17.8 million paid in claims), per OpenCover data. In March 2023, Nexus Mutual launched its V2 offering, transitioning into “a risk management layer” for all kinds of businesses. Nexus Mutual now protects against all kinds of risks, in addition to crypto-related risks like smart contract failures and hacks. Although the project does not currently use UMA’s OO, it relies on a resolution process that shares some similarities with UMA’s Data Verification Mechanism. Members of the mutual stake $NXM to vote on claims and get rewarded for voting honestly. Those who vote fraudulently, meanwhile, risk losing their staked tokens. Claims are typically reviewed within three to six days. Where $UMA tokenholders put skin in the game and stake their tokens to verify any kind of truth, $NXM tokenholders stake to come to an agreement on claims payouts.
