Decentralised finance and the emergence of new risks
Decentralised finance (DeFi) refers to a new financial system, based on public and programmable blockchain networks, outside the traditional financial system. In its previous article, Adan highlighted the profusion of use cases offered by this ecosystem.
However, although the DeFi presents multiple new use cases, this still emerging sector also carries new risks, mainly technological. Thus, to better understand and apprehend this composable ecosystem, it seems necessary to identify the technological risks associated with it.
This article aims to highlight – without being exhaustive – the main non-financial risks for users of decentralised finance protocols. The risks selected for this article are the following:
- The smart contract risk;
- The rug pull risk;
- The oracle risk;
- The regulatory risk;
- The systemic risk; and
- The risk of governance of the protocol.
The smart contract risk
Smart contracts are programs developed on blockchain networks that execute automatically once all conditions required for its execution are satisfied (e.g. conditions that have been predefined in the code). For example, if the smart contract provides for the payment of a 2.3% yield from 15 December 2021 for the provision of liquidity on a decentralised exchange platform, the payment may not be executed before or after the defined date. Generally speaking, smart contracts have many advantages: they are secure and reliable (because they are audited), fast, accessible (on the public register of blockchain networks) and immutable.
Cependant, si les contrats intelligents sont intrinsèquement sûrs, ils ne sont pas infaillibles. Selon un rapport publié par CipherTrace, en 2020, la moitié des hacks dans le secteur des crypto-actifs proviennent des protocoles DeFi. En 2021, le montant des pertes liées aux attaques des protocoles de finance décentralisée a augmenté de plus de 280 % par rapport à 2020. Une telle statistique atteste de la nécessité de prendre en compte ce risque lorsqu’on traite avec DeFi.
Indeed, there are many times when hackers have used flaws linked to the development of a smart contract to steal and liquidate decentralised applications. The best-known example to date is the DAO affair when, in 2017, an attacker took advantage of a flaw at the time of the release of funds in ethers on the application to steal the sum of three million ethers. This attack led to the hard fork of the Ethereum blockchain on 20 July 2016.
More recently, a hacker took advantage – for the third time in 2021 – of a flaw in the Cream Finance lending platform’s smart contract to steal $130 million in crypto-assets. However, last April, Cream Finance had set up a flaw detection reward system with a $1.5 million bonus for those who detected a hack in the protocol, in order to mitigate such a risk and prevent such an event from happening again.
The rug pull risk
Within the crypto industry – particularly in the DeFi sector – the terms “rug pull” has been used several times to describe often catastrophic situations in which the developers of a – supposedly secure – project create a token and list this token on decentralised exchange platforms (DEX) with particularly attractive return farming systems. Then, after a significant amount of liquidity has been placed on this token, the developers abandon the project altogether and run away with the investors’ funds.
After a rug pull, protocol users lose all of their initial funds and all of their return due to the significant devaluation that the protocol token will be subjected to. The damage from a Rug Pull can therefore be considerable.
The WhaleFarm case is one of the most recent and interesting examples of Rug Pull. The platform was set up by anonymous people and was offering APYs of up to 7,217,848%. In June, a Rug Pull on the protocol led to a theft of $2.3 million in crypto-assets and a 99% drop of the WhaleFarm protocol token. The developers, who have remained anonymous until now, have never been found.
The oracle risk
Generally speaking, oracles allow so-called off-chain informations (external to the network) to be incorporated into the DeFi protocols. On decentralised lending platforms (such as Aave or Compound), oracles allow the price of tokens borrowed by the protocol’s users to be given, which is decisive for liquidating or not lenders who have deposited their funds as collateral.
Indeed, if the oracle indicates the wrong price of the token, the smart contract can dramatically liquidate borrowers who were not exposed to any risk. This was the case recently with the decentralised lending protocol Compound, which used the services of an oracle that only used one price source, Coinbase. The price of the DAI posted by Coinbase increased to $1.30 (instead of $1.00), which was a significant deviation from the actual market price. Some lenders went under-collateralised, causing them to be liquidated, as they were receiving a 30% premium. Finally, 89 million dollars were liquidated on the protocol for an oracle-related pricing error.
Source : TradingView
To limit this risk, some oracles such as Chainlink refer to several platforms to determine the price of a token.
To date, the legislator has not yet decided on the regulatory framework applicable to decentralised finance services. However, future regulation of DeFi could have important consequences for the evolution of the ecosystem in general.
For example, at the international level, the FATF updated guidance of last October aims to bring decentralised financial services within the scope of the definition of VASP (virtual asset service providers). Such an assimilation would require these players to implement anti-money laundering and anti-terrorist financing (AML/CFT) measures with respect to their users. Although the FATF standards are not binding on States, most of them implement them (in particular because the States with the least scrutiny in terms of AML/CFT can be included on the FATF blacklist of the most risky countries).
With no central entities and developed on a disruptive technology, decentralised finance applications require a drastic revision of the commonly accepted approach to regulating financial actors.
Inadequate regulation of these new services could be ineffective or even considerably limit the development of the industry.
The goverance risk
Generally speaking, the governance of a decentralised finance protocol refers to the democratic systems that allow modifications in the protocol, the governance body is called the decentralised autonomous organisation (DAO).
In order to participate in the governance of a decentralised finance protocol, users and investors have to acquire – on crypto-asset exchange platforms – a governance token that offers governance rights to the protocol. Thus, governance token holders use these tokens to vote on protocol developments and adapt the project roadmap. The more governance tokens a user has, the more important their voice will be in the governance of the protocol.
Governance risk is characterised by the mismanagement of the governance token by the users of the protocol. Indeed, sometimes a group of people can take control of the governance token and do things that compromise the governance protocol.
It is therefore possible that the holders of these tokens may make proposals that would be contrary to the viability of the project or to the principles it embodies. Such a risk requires a study of the largest holders of tokens on the protocol.
Over the past few months, decentralised finance has been growing as exponentially as the technological risks associated with this set of composable protocols. In this context, when dealing with decentralised finance, it is necessary to be fully aware of potential hacks, oracle problems, price contraction, inadequate regulation, misgovernance, etc.
These risks are gradually diminishing thanks to the activism of the community, which is improving the resilience of the protocols on a daily basis. Some decentralised communities are interesting forces of proposal to propose regulatory solutions, improve the governance of protocols and many others.