Bond defaults are part of a healthy financial system. It is undoubtedly bad for the borrower that reneges on their debt, and also not good for the lender, who has to take a haircut, but they are helpful to the system as a whole. Most importantly, defaults price risk for credit markets, giving lenders valuable information about the downside risk.
Typically when a company defaults on a bond, the lender doesn’t lose all of its investment. “Default” could lead to a new payment schedule, liquidation of the borrower’s assets, or the lender could trade the loan on the secondary market for a discount.
Without a prior example to look to, it’s impossible for borrowers, lenders, insurers and other liquidity providers to build services for what happens if things go south. Without a precedent, markets can’t build confidently.
bZx sets a DeFi precedent
When news broke last Saturday of losses on bZx’s Fulcrum margin trade and lending platform, even bZx critics and pessimists could not have seen how the story would further unravel with an additional hack two days later and then an accusation by 1inch.exchange of another ignored vulnerability in bZx’s platform.
There is still a lot to shake out, but given that this is DeFi’s first hack/exploit/default, what precedent will be set for the future?
Smart contract insurance faced its first test
Nexus Mutual agreed to pay out its first claim but only after it was revealed that the first bZx attack was not oracle manipulation, but in fact, was due to a flaw in the smart contract logic, which allowed the attacker to take a highly leveraged position.
Increased interest in Opyn and Nexus Mutual. Nexus Mutual’s active cover amount is now $3.5m, up from $2.5m a day before the attack. Meanwhile, Opyn launched insurance cover for DeFi deposits through tokenized options two days before the first bZx attack (good timing). Opyn-based insurance for Curve.fi launched a few days later, while Outlet recently launched a wallet with Nexus Mutual cover on all of its deposits.
Bug vs. manipulation & insurance vs. options – Nexus Mutual rejected a claim on the second bZx attack because the loss of funds was from oracle manipulation, not a smart contract bug. This is a distinction likely to continue in the future. Opyn appears to be more lenient for its coverage, given it’s an option-based system and the risk can be priced in.
Self-regulation and industry standards
There has been an awful lot of soul searching the last week in DeFi, with a lot of genuine concern and reflection over the responsibility of building systems that manage people’s money.
“Audit” gets thrown out a lot, but it’s quickly turning into the “ICO Whitepaper” of DeFi. It’s not clear who should do the audit or what they should be looking for, especially as flash loans open up new attack vectors on DeFi smart contracts.
There was an attempt to self-regulate in 2017, but there were always new investors to trick. DeFi may be small enough to institute some rigor and standards within the industry. ICO scams hurt the image of Ethereum, but DeFi projects face a far greater risk of brand damage, given the interconnectedness and the shared DeFi brand.
Nothing changes unless investors demand it. Chris Blec has done good work in highlighting the admin privileges and opsec risk of different DeFi projects, but the bZx incident will likely kick off a more structured attempt to self-regulate DeFi, to say nothing of actual regulation.
The Future of bZx
It’s tough to defend bZx. They clearly made mistakes and have not managed the message well. But I can’t help but wonder what will happen to their iETH pool?
The attacks drained the ETH pool of nearly $1m, but that didn’t destroy the logic of the ETH pool, which is still kinda functioning. It’s paying a 42% interest rate to depositors, although there is no ETH left in the pool, because as soon as someone deposits ETH, the liquidity is taken by desperate iETH holders trying to withdraw their ETH.
The high interest rate is intended to attract risky borrowers, which it’s doing, but can it attract enough to make bZx solvent? If so, when?
Dogecoin has proven that you can’t kill cryptocurrencies, and I imagine the same is true for liquidity pools. Might an investor recapitalize the pool? Or is the iETH pool destined to be a perpetual FOMO3d for DeFi borrowing?
DeFi frontrunning could enhance Ethereum’s security model
How Ethereum miners make money:
1. Block rewards
2. Fees
And now 3. DeFi profit opportunities (below)
#3 changes everything about the security budget of $ETH
No joke: this is one of the most important developments *ever* for long-term protocol security
Eric Wall IS RIGHT @ercwl
Ethereum miners should identify all flash loan contracts, scan the mempool for flash loan transactions and replace attacker addresses with their own if there are profits worthwhile. Flash loan attackers will soon have to cut deals with miners, or become miners.
February 21st 2020
Since miners see transactions in the mempool as soon as they are broadcast, frontrunning has been a big problem in DeFi, especially for Synthetix. Miners could do the same thing for flash loans. This won’t protect DeFi protocols from flash loans, but DeFi arbitrage could be a new revenue source for miners that secure the Ethereum network. More revenue from arbitrage means lower fees and less ETH inflation.
Maker governance scare; Uniswap liquidity drained
The flash loans hysteria reignited a debate about MakerDAO’s governance module. In December, Micah Zoltu pointed out that with just 8% of MKR, an attacker could take control of all ETH collateral in the MakerDAO system.
Ethereum’s Dark Knight, Ameem Soleimani even proposed TakerDAO, which would pool MKR in a smart contract until the 8% threshold is met and then execute the attack and pay out the ETH to all the addresses that pooled MKR.
With flash loans, the cost of attack is greatly lowered. An attacker could borrow ETH, acquire enough MKR on Uniswap and Kyber to trigger the governance attack, steal the ETH collateral in MakerDAO and have more than enough to pay back the loan. 70% of MKR was removed from the ETH/MKR pool on Uniswap, presumably by MKR holders who didn’t want their tokens used for an attack.
Soon after, MKR holders voted on a more permanent solution, giving a 24hr delay in the event a bug is found. The spell also set the DSR to 8%, the SCD stability fee to 9.5% and raised the debt ceiling to $150m.
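A toy model of the delay described above, added here as an illustration and not MakerDAO's code: it shows why voting weight borrowed inside one atomic transaction cannot both schedule and execute a spell once a delay is enforced, and that the delay only protects if holders act during the window. The `Governance` class, the vote numbers and the `cancel` step are assumptions.

```python
import copy
DAY = 24 * 60 * 60
SPELL = "malicious-spell"  # hypothetical proposal name

class Revert(Exception):
    """Aborts a transaction; its state changes are undone."""

class Governance:
    """Toy model with hypothetical names; not MakerDAO's contracts."""
    def __init__(self, delay, honest_votes=80_000):
        self.delay = delay                # seconds between schedule and execute
        self.honest_votes = honest_votes  # weight behind the legitimate proposal
        self.scheduled, self.executed = {}, []  # spell -> earliest time; history
    def schedule(self, spell, votes, now):
        if votes <= self.honest_votes:
            raise Revert("not enough voting weight")
        self.scheduled[spell] = now + self.delay
    def cancel(self, spell):  # assumption: holders can drop a scheduled spell
        self.scheduled.pop(spell, None)
    def execute(self, spell, now):
        if spell not in self.scheduled or now < self.scheduled[spell]:
            raise Revert("not scheduled or delay not elapsed")
        del self.scheduled[spell]
        self.executed.append(spell)

def atomic(gov, tx, now):  # one transaction: a Revert restores the prior state
    saved = copy.deepcopy(gov.__dict__)
    try:
        tx(gov, now)
    except Revert:
        gov.__dict__.update(saved)
        return False
    return True

def borrowed_vote_tx(gov, now, borrowed=100_000):
    # Borrowed weight exists only inside this transaction (repaid at its end).
    gov.schedule(SPELL, borrowed, now)
    gov.execute(SPELL, now)

def executes_in_one_tx(delay):
    return atomic(Governance(delay), borrowed_vote_tx, now=0)

def executes_after_delay(delay, holders_react):
    gov = Governance(delay)
    atomic(gov, lambda g, t: g.schedule(SPELL, 100_000, t), now=0)
    if holders_react:
        gov.cancel(SPELL)
    atomic(gov, lambda g, t: g.execute(SPELL, t), now=delay)
    return SPELL in gov.executed
```

In this model a scheduled spell that nobody cancels still executes once the delay has passed, so the delay has to be paired with monitoring of what gets scheduled.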
Chart of the week – ETH TVL drops
After a steady climb for months, the amount of ETH locked in DeFi protocols fell sharply last week. The bZx hacker literally took thousands of ETH out of DeFi, but the drop has mostly come from the market’s response. A good chunk of ETH was taken out of Uniswap to prevent the Maker governance attack mentioned above. Maker saw a lot of ETH outflows itself as investors closed vaults. DeFi inflows and outflows fluctuate, and it’s not surprising that bad industry news led to outflows. Don’t worry, TVL is still above $1bn.
Odds and Ends
Synthetix’s silver price feed, powered by Chainlink, falters, trader profits
Synthetix prepares for the Achernar Release
DeFi lego, the many versions of Dai
Summary of the two bZx attacks
Enigma settles with SEC over its $45 million ICO in 2017
RealT V2 integrates Compound to increase yields for property owners
Dharma launches Android app to go after DeFi retail market
Uniflash aims to be Uniswap for Flash Loans
Thoughts and prognostications
The Decentralized Financial Crisis: Attacking DeFi [Imperial College London]
The State of Optimistic Rollup [Daniel Goldman/Moloch]
That’s it! Feedback appreciated. Just hit reply. Written in Brooklyn, where it felt like Spring today.
Weekly Dose of DeFi is written by Chris Powers. Opinions expressed are my own and do not necessarily reflect the opinions of others. All content is for informational purposes and is not intended as investment advice.