Assessing risk in decentralized finance: a handbook for money markets

Money markets are at the heart of DeFi. From a high-level perspective, yes, they simply enable the borrowing and lending of various assets. Yet those functions are like the two primitive verbs of DeFi at the base of pretty much all use cases.

There are three major money markets right now in DeFi: Aave, Compound & Cream. Yet all the following services use them, one way or another: Yearn Finance, Curve Finance, Alpha Finance, Harvest Finance, DeFiSaver, Saffron, 88MPH, Idle Finance, etc. To put it simply - money markets are one of the root-level of DeFi.

Money markets are amazing - simple yet very intricate. In this article, I try to provide a framework and some clues to assess the risk at different levels.

To dive more into the service layer currently being built on top of money markets, feel free to read my previous articles:

1. An introduction to tranching focusing on Saffron Finance:

🗡 Risk? Yes please, but exactly how I like it

2. A presentation of fixed interest rate protocols through the lense of APWine:

🍷 Yields are like fine wines, the secret lies in the brewing process

I/ Risk Scoring is Broken

Before we dive into the risk analysis framework, let’s quickly discuss the current leading solution used to evaluate risk in DeFi: Consensys CodeFi DeFiScore.^[1]

DeFiScore is undisputedly compromised since it’s still giving DAI a higher rate on Compound than Aave even with the oracle failure on the Compound side and the arrival of the Safety Module on Aave’s side:

The Consensys CodeFi team was notified a few days ago^[2], acknowledged the issue^[3] but yet refused any immediate to update the website even with just notice or disclaimer. Instead, one of their members proposed a 500 USDC bounty open for anyone willing to update the formula^[4]. It has yet to be claimed.

It’s no surprise that quantitative approaches so far have failed. They must achieve both sustainability (if the formula stays consistent it allows historical comparisons) and adaptability (yet the risk parameters are always evolving): it’s not an easy feat.

I will not delve into the depths of risk scoring, as there is a dedicated article exploring what a decent DeFi-native risk scoring system looks like coming out shortly on this blog (hint: it does not exist yet).

II/ Appreciating the Safety of a Money Market

I know it’s painful to hear, but since quantitative analysis is unhelpful, you have to resort to a qualitative approaches for each project. The good news is there aren’t many money markets in DeFi worth looking at:

1. Aave
2. Compound
3. Cream / Iron Bank

For each of these, you have to look at them holistically. I propose an approach that is purely mine, using 8 different dimensions all critical to the safety of assets committed to the money market analyzed:

1. Protocol access & permissions
2. Oracles
3. Liquidation mechanisms
4. Collateral listing & risk analysis
5. Safety module
6. Expanded insurance ecosystem
7. Native token risk management
8. Community & Ecosystem

So what we have today is essentially a comprehensive framework you can use to assess the safety of a given money market. Feel free to challenge me on any item. Let’s dive in.

II.A/ Protocol Access & Permissions

At the very base level, you want to know who can update the protocol core parameters (-> the contracts), and the different limits associated with it.

For instance, there’s usually a timelock, meaning that any significant change only applies after a set duration. For the administrative functions of the protocol, you need to make sure that they are community-owned, which usually means governed by a multisig of designed community members.

This section also includes everything related to the “opsec” of the wallets/people governing the multisig. “Opsec” is short for “operations security” - it’s about the safety of everything digital interfaces related to the holders of these keys. Can they be hacked? Impersonated? Etc.

Such a matter is CRITICAL, as we saw recently with the CEO of Nexus Mutual: his laptop was compromised, allowing the hacker to submit a fraudulent transaction on top of a real transaction he signed.^[5]

We have yet to see significant attacks based on social engineering in DeFi but expect them.

Transparency on the decisions of the protocol is key too: we address it below in the community & DAO section.

This article focuses on mature money markets like Aave or Compound. Newer projects might be less decentralized, and that can be a good thing - you might want some control and rollback options for a newer project.

Assessing the protocol accesses & decentralization

• 🔮Likelihood of failure: Assess on a protocol/team-basis
• 🔥Loss of funds risk if failure: Potentially all funds deposited on the market
• ❌Already happened? Not yet 🤞

So to wrap this up, here are some good questions to ask to assess the safety of a money market at the protocol & permission level:

• Who can update the contracts?
• Do they have a credible opsec?
• Any drain function in the contracts?
• What do the administrative functions do?
• How decentralized is the process to create a new lending market?

II.B/ Oracles

Simply put, the oracles are the source for “outside truths”. Blockchains are only aware of themselves, so for Ethereum, the price of ETH in dollars (or any other token) is technically an “outside truth” you need to bring on-chain in a safe and verifiable manner: it’s precisely what oracles do!

It’s essential, as the perceived price delivered by the oracle is the source of truth for the protocol’s liquidation decisions. If the oracle says DAI is worth 1.30, then you are liquidated even if your DAI-borrowing position was safe on a $1 DAI and DAI is still actually worth $1 on the markets: the oracle is the source of truth. It happened already with Compound, so it’s not a theoretical concern.^[6]

The good news here is that the answer is quite simple: ChainLink is widely recognized as the most credible decentralized oracle solution, so any money market not using at least partly their price feeds is gambling with its users’ money, as Compound did with significant lossses. It seems like the situation has not improved - despite the failure Compound still uses the same centralized oracle (Coinbase) and a proposal suggesting a switch to ChainLink was refused. ^[7]

Assessing oracles

• 🔮Likelihood of failure: Significant (most impacting sub-theme to date).
• 🔥Loss of funds risk if failure: market-based, potentially whole markets can be drained/affected.
• ✅Already happened? Yes, on Compound.^[6]

You can assess the oracles for a money market with the following question:

• What is the source of truth for prices?
• How reliable is that source?
• Any history of abusive liquidation (stemming from oracle issues)?

II.C/ Liquidation Mechanisms

The liquidation mechanisms are critical too, but they only happen once a liquidation can be triggered - which depends on the price the oracle returns. So the liquidation mechanism cannot make up for a faulty oracle. It’s essential to first understand that.

Then, different money markets handle liquidations differently. They have different delays, fees, and restrictions with their liquidations. For instance, the Maker oracle/liquidation (internal system) has a one-hour delay to prevent flash liquidations during unsustained flash crashes.

Moreover, liquidation is not sudden neither an all-or-nothing event. There are several buffers to your positions, for instance on Aave, every token has a maximum loan to value and a liquidation thresholdat least slightly higher.

So with USDC as collateral, for instance, there is a 5% spread between the two - the max LTV is 80% (max $8000 worth borrowed from a 10 000 USDC collateral), while the liquidation threshold is 85% (= liquidation if collateral value < $8500)

◎ The main metrics for USDC as a collateral on Aave.

It gives borrowers using USDC as collateral another 5% margin so that even if the oracle reports $0.97 no abusive liquidations would occur. The situation is similar in other money markets.

Assessing liquidation mechanisms

• 🔮Likelihood of failure: Mostly depends on the collateral price action - a flash crash could trigger a chain of liquidations
• 🔥Loss of funds risk if failure: Significant (the money market can be potentially undercollateralized)
• ✅Already happened? Yes, on Maker where there were issues and delays with liquidations.^[8]

So here are some questions to ask yourself to assess the liquidation mechanisms:

• When liquidations are triggered; what is the flow?
• Any additional delay?
• What are the liquidation fees?

II.D/ Collateral Listing & Risk Analysis

Alright, now that we have a money market getting reliable prices and liquidating when needed, we can start looking at the tokens accepted as collateral and what is the process.

Assessing a token’s health and overall safety is one of the most complex tasks nowadays in DeFi because figuring out the whole ecosystem around a token can be tricky.

Take the SNX token, for instance, a major ERC-20 token. It’s usable as collateral on Aave, but with quite a low maximum loan to value ratio (to be raised soon?) at 15%. Other ERC-20 tokens like LINK are in the 60-75% range.

Without diving too much into the details, this has to do with what you can do with each token and SNX usage as collateral on the Synthetix platform.

Aave’s risk parameters are conservative enough to essentially “front-run” Synthetix itself in the chain of liquidations if a black swan event was to happen on Synthetix. It seems wise: a money market should not want to take higher exposition on a given token than the native platform itself.

Another way to look at it is the other way around: assess the overall “health” of the latest tokens added as collateral on the platform: are they liquid? Credibly decentralized? Etc.

You can also look at the overall collateral usage for any suspicious mismatch, like on Cream where almost a third of the deposits are FTT tokens (FTX exchange).

◎ Roughly 1/3 of the deposits on Cream are made of a single token, and it's not the one you'd want or expect to be here.

Assessing the collateral listing strategy

• 🔮Likelihood of failure: Depends on the collateral listing strategy risk appetite
• 🔥Loss of funds risk if failure: If a dangerous token is accepted as collateral, the money market can potentially ends-up undercollateralized or even drained. For instance, Cream accepts COVER as collateral. The token suffered three infinite mint attacks already, exposing Cream to further risk.
• ❌Already happened? some tokens got minted to infinity, like COVER^[9]. But they were used as collateral on a money market yet.

I won’t expand more on this topic since Aave’s risk documentation is very well done - check the risk parameters section for more information.

• How are the collateral listing decisions made?
• What risk framework is used for collateral?
• How is the money market adapting to the changing circumstances of the tokens it lists?

II.E/ Safety Module

Even if the risk is known at every level, insurance is never an option and never supernumerary. The first layer of defense is of course the platform-level if there is any compensation module.

The good news is that there is! Aave pioneered the field & even Compound has a reserve now. The second good news is that assessing the usefulness of this module is dead simple: it’s a simple ratio between the total $ value of the borrows made on the money market and the total $ that can be mobilized by the safety module.

Aave has roughly 2B in the Safety Module, of which up to 30% can be seized if needed = 600M. It covers both the V1 & V2 of the protocol. If the 30% on the slashing of the Safety Module is not sufficient, the safety module can mint additional AAVE tokens. Such a scenario is accounted for by neither Compound nor Cream.

◎ Overview of Aave's Safety Module.

On top of insurance, money markets can also have reserves. Compound is the pioneer here, with about $10M in reseve^[10]. Aave also has a reserve system that was recently launched, but I excluded it from the analysis considering the limited balance.^[11]

So looking at the available numbers, here are our quick maths: Safety Ratio = USD value of insurance / Total borrow on the money market

1. 🛡 Aave = 53% | $1.765 B (600M can be mobilized) in the Safety Module for $1.1B borrowed accross V1+V2 ($572M V1, $437M V2)
2. 🕯 Compound = 0.24% | $4.3B borrowed on a $10M safety capital.
3. 💀 Cream = 0% | As far as I know, Cream has no or highly limited (low amounts) native insurance module.

ℹ Note: While Compound currently has no safety module, the team/DAO is currently sitting on a large COMP reserve that could be used to that end^[12]. The maths were done on Feb 17 2021.

Evaluating the native insurance module

• 🔮Likelihood of failure: Non-null, but not as relevant here. The SM is here to provide compensations in case of failure.
• 🔥Loss of funds risk if failure: Depositors know they can get slashed if needed.
• ✅Already happened? Aave’s pioneering the field. The slashing launched weeks ago. So far no events required Aave to harness the safety module, but it’s great to know it’s here!

To get a sense of how protecting the native safety and insurance modules are, here are some decent questions to ask:

• Is there any native insurance module covering the platform?
• How does it work?
• What are the withdrawal delays & safeguards?
• What’s the coverage ratio (USD TVL exposed / USD TVL of Safety Module)?

II.F/ Expanded Insurance Ecosystem

On top of the native insurance system of the money market, depositors and borrowers can cover their positions through a third party insurance service like Nexus Mutual or Unslashed.

The most widely covered risk is the one of a technical failure of smart contracts. You will find covers for pretty much any widely used contract there is. Yet, smart contract failures are not the only event that can lead to a loss of funds on a money market.

Because of this, Robert Leshner the CEO of Compound can factually state the following^[13] while the protocol recently suffered 90M of abusive liquidations because of faulty oracles:

Compound has been operating for close to 2 years with ZERO smart contract bugs.

It creates a false sense of security many are falling for, just like the period of operation of the protocol. Notice how I left it out of these 8 criteria? It’s because it has close to zero relevance despite services like DeFiScore giving it an absurdly important weight.

On top of risks of smart contract failures, please consider the following list of non-exhaustive other risks that can result in a loss of fund:

1. Failure or manipulation of an oracle,
2. An issue with the smart contract of a token used collateral (such as infinite mint),
3. A stablecoin used as collateral or borrowing asset on the market lose its peg
4. The device or wallet of the admin of a not-so-decentralized service is compromised
5. Issues or delays with liquidations, meaning the money market can potentially no longer meet its collateralization requirements
6. etc.

Most insurance services are unhelpful with all these risks but for the risks of smart contract failures. The market for other types of risk is barely getting started thanks to Unslashed Finance now providing coverage for the risk of stablecoins losing their peg or custodian risk.

◎ The different approaches to DeFi insurance --- FROM 2019 & but still somewhat instructive.

To learn more about the different approaches for DeFi insurance, check this piece from DeFi Rate. However please keep in mind the massive bias here: it was written more than two years ago by Hugh Karp, founder of Nexus Mutual. However, it’s still factual enough and insightful to understand the different models.

Understanding insurances and the risk they truly cover

• 🎯Object: Smart Contract Failure + stablecoin loss of peg.
• 💰Utility: Provides compensation if a failure is observed.
• ✅Already happened?: Nexus Mutual, one of the oldest insurance options already paid out on several situations.^[14]

So for the topic of extended insurances, you will want to look at services such as Unslashed Finance, Nexus Mutual, or Cover Protocol and the plans they offer.

• What are the options available through the ecosystem to cover a position on the money market?
• What are their pricing and reliability (paid out already?)?

II.G/ Native Token Risk Management

We discussed quite a bit about the various tokens used as collateral, but there is one you need to watch extra carefully: the native token of the money market. So that’s the COMP token on Compound, AAVE on Aave, and CREAM on Cream.

The very first layer is of course to make sure that there is no fool play: the money market must be neutral and not favor its own token. It seems obvious, but it’s not a given. Cream allows an excessive 75% max LTV on CREAM, one of the highest of the whole protocol - as high as some stablecoins. Compound itself gives COMP a permissive 60% max LTV while Aave is more conservative at 50%.

Assessing how a money market manage its native token risks

• 🔮Likelihood of failure: It’s an all or nothing event: the money market can play with fire on its native token for months with no consequences before the situation eventually blow up and the token + the money market crumble together.
• 🔥Loss of funds risk if failure: The loss can potentially be system-wide (whole money market affected).
• ❌Already happened? Not yet. But Cream is already way beyond any reasonable max LTV figure on the CREAM token.

And here are some considerations worth exploring:

• Look at the health of the native token of the platform: token contract, liquidity, integrations, etc.
• Look at the native token usage on the protocol & assess the health of its market
• Ownership, distribution, and Gini coefficient of the governance token

So far, we’ve focused on the money market themselves. Yet, they are community-driven & governed projects, so their community & integration within the ecosystem are an essential part of the assessment.

II.H/ Community & Ecosystem

In DeFi, communities are essential. It’s not a “nice-to-have” to make the protocol more attractive, it’s a core feature and I assess it as such.

On such a topic, again, no metrics will help you just by themselves. The gist is to get a sense of how dynamic the community is. It usually translates into its core components: the DAO, the Discord, and the overall presence in the space.

Another consequence of a healthy community is widespread support and usage across the ecosystem, with many services and products built “on top of” the protocol examined. Here despite Compound’s lead being the first mover, Aave is also now a prime choice for any new protocol building a new financial primitive.

Indeed, teams can purposely foster such an environment simply by having members accessible and involved in the space. Besides, Aave has an ecosystem grants^[15] initiative helping to fund projects built on top of Aave such as APWine offering fixed yields. Other community-related initiatives are a healthy tell, such as hackathons, AMAs, livestreams, etc.

Again here - make sure to assess the quality, not the quantity. It’s easy to rush out all the initiatives listed above. But doing it right, in a way that makes sense for the community and pushes it forward is much harder.

I don’t want to make this a case against Compound, but here again, it’s so obvious. While Compound community fundings are quite limited the grants program just launched^[16], its founder Robert Leshner is an active venture capital investor, with the Robot Ventures funds^[17].

◎ RoboVC & its main investments.

Assessing the community & DAO of a money market

• 🔮Likelihood of failure: The community is the most important feature of all for the long-term success of the money market.
• 🔥Loss of funds risk if failure: Long-term risk. If a money market loses the community favors, it’s not gonna be a dramatic event but more of slow and painful threading into irrelevance for the given market.
• ✅Already happened? Yes, with Compound - they lost their top of mind position and preference for several reasons, such as their lack of support for the ecosystem, the DAI Market Oracle issue & the team reaction to it.

So here are some questions and clues to help you assess this last yet essential part:

At the DAO-level:

• How does it work to submit a proposal?
• How are they reviewed and improved?
• What’s the delay between the vote and the execution?
• Any proposal that was ignored or not implemented for a long time?

Core team members:

• Are they legit? Involved in the space? Giving back? Advising?
• Background-check: any involvement with a scam? What were they doing before?
• Present-check: on top of their involvement with the money market, what are they doing? Any potential conflict of interest?

Ecosystem

• Documentation & support: how hard is it to build on top of this money market?
• What are the services built on top of the money market? Are they widely used?
• Are they communicating clearly on risk parameters? Do they have non-technical/non-dev risk-focused documentation?

III/ A note on DeFi Tribalism

Exploring such a topic was insanely insightful for me, at so many levels. I remain quite surprised by the tribalism of the space: apart from Aave, gathering the information presented in this article was not a trivial task.

Because of the question I asked and the observations I shared, I’ve been the target of personal attacks from founders of some of the teams mentioned in this article. Others were quite misleading and selective in their answers. I received no answers from both Cream & Compound official accounts or teams.

Such attitudes gave me even more will to push this article forward. Beyond the technicalities of each protocol, I think the attitude of the founding team is essential too. On this front, there is a protocol that stands an order of magnitude above any other: surprise surprise, it also happens to be the most technically sound, secure, integrated, and exciting, and interesting. 👻

III.A/ Limitations of this risk assessment approach

I anticipate strong reactions already, so let me add a few more topics not addressed here:

1. While we went quite deep, we did not discuss the tokenization process: the process used by the protocol to represent the assets deposited. On this front, both Compound and Cream are using an archaic approach that was topped on all fronts by Aave with the first release of the aTokens in early 2020.^[18] Aave V2 further improved the tokenization process.
2. Cream by itself is a small market, but through the Iron Bank other protocols can borrow from Cream. Assessing the risk on such a market is even harder - and it was excluded from this analysis. To learn more about the real risk already posed and manifested by such an approach, you can check the latest Rekt on Alpha Homora.
3. While MakerDAO provides a service functionally equivalent to lending, the process is significantly different since each borrower is minting DAI. So for the sake of simplicity, I’ve mostly excluded MakerDAO from this analysis, but for a few meaningful examples.
4. I have no affiliation whatsoever with the Aave, Compound, Cream, or any other money market. However, I do own AAVE tokens (that I purchased myself on the markets) and stake them in the Safety Module. All the content hosted on my blog is made accessible for free - I am the sole editor.

I hope this article helped you get a better grasp of the scope of risks in money markets. I want to stress again that it’s non-exhaustive, nor absolute truth but I do firmly believe provides clear and useful contributions to make sure risks in DeFi are broadly understood, better than what currently exists.

If you do not agree with this statement, feel free to challenge me. I’m eager for facts disproving my observations: it would mean DeFi is safer than I thought.

Reminder: this blog is one of the few websites of the space not pillaging your data through the usage of Google Analytics and the likes.

IV. Notes & References

You can find additional information on each fact, event or figure mentioned in the article through the footnotes: