When decentralized finance, or DeFi, took off in 2020, it was pitched as an antidote to the failings of legacy finance.
Decentralized lending was imagined to be DeFi’s killer app – a means for folks to borrow and lend digital belongings instantaneously on blockchains, with out banks or credit score scores. As centralized crypto lenders like FTX crumbled final yr because of dangerous actors and monetary mismanagement, DeFi lending “blue chips” just like the Aave protocol – the biggest decentralized lender – stored on ticking, bolstering DeFi’s pitch as an enchancment to conventional finance.
Crypto markets are slumping, however Aave continues to boast $4.6 billion price of person deposits, in accordance with DefiLlama – cash pooled by folks world wide to assist facilitate bankless borrowing on Ethereum and different blockchains.
However a number of weeks in the past, a $70 million hack on Curve, one of many largest decentralized crypto exchanges, revealed cracks within the DeFi promise. The hack set off a Rube Goldberg-esque sequence of occasions that pushed DeFi lending to its limits – threatening to ship the worth of a key DeFi asset right into a downward “dying spiral,” and elevating essential questions on whether or not community-driven monetary platforms are geared up to handle threat.
The boundaries of overcollateralized lending
DeFi is powered by sensible contracts – blockchain-based laptop applications that permit folks to immediately transact with each other. The reliance on code is meant to make issues fast, low cost, and broadly accessible, permitting folks to lend, borrow and swap tokens with out banks.
The cash loaned out by DeFi lending platforms like Aave, Frax and Abracadabra is pooled from a “decentralized” group of particular person depositors, every of whom earns a lower of the curiosity paid by debtors. The chance of huge positions can also be unfold between these folks; if a borrower can’t repay their debt, these lenders are those left holding the bag.
DeFi lenders have fewer instruments than banks do to guage creditworthiness, so they have an inclination to have strict over-collateralization necessities – which means debtors should put up extra worth in collateral than they take out as loans.
Current occasions have proven the bounds of excessive collateral for staving off threat.
Over a number of months in 2023, Curve change founder Michael Egorov borrowed round $100 million throughout a number of totally different decentralized lending platforms. As collateral, he put up over $200 million price of CRV, Curve’s native token.
DeFi lenders are programmed to robotically liquidate a borrower’s collateral if it falls to a sure worth – which means they promote it off to the open market. Egorov’s lenders thought that they had sufficient CRV collateral to cowl themselves within the occasion of a possible default.
Nevertheless, when a hack siphoned $70 million from Curve final month – dragging the worth of CRV down 20%, nearer to costs the place Egorov’s collateral would have been auto-liquidated – the change founder’s DeFi lenders realized they could quickly be saddled with thousands and thousands of {dollars} in dangerous debt.
Learn extra: Curve Founder’s $168M Stash Is Beneath Stress, Making a Threat for DeFi as a Complete
In granting Egorov’s loans, lending sensible contracts had apparently didn’t account for Egorov’s full collateral place, which was stashed throughout a number of disparate lending protocols, and due to this fact tough to account for programmatically. Altogether, Egorov had put up a hefty one-third of all circulating CRV as collateral. If a lender liquidated even a fraction of this quantity, the entire marketplace for CRV – a comparatively illiquid however systemically necessary DeFi asset – would have collapsed.
“When a founding father of a undertaking desires to lend an enormous portion of a token’s provide, you are by no means going to have the ability to liquidate very quickly,” stated Sacha Ghebali, an information analyst at crypto analytics agency TheTie. “You’ll want to have limits there.”
Briefly, a type of Mexican standoff ensued between a few of Egorov’s largest leaders as they weighed liquidating the Curve founder early in an effort to keep away from being the final ones caught with nugatory CRV.
Egorov wasn’t finally liquidated; he managed to pay down a few of his loans with the assistance of big-money “whales,” like Tron founder Justin Solar, who had a vested curiosity in retaining DeFi afloat.
Even nonetheless, the Egorov state of affairs “put a chink within the armor of DeFi protocols in exhibiting which you can have dangerous debt, you’ll be able to have credit score losses in over-collateralized loans – supplied that the collateral just isn’t liquid sufficient,” stated Sid Powell, the CEO of Maple Finance, an institution-focused DeFi lending firm.
Challenges for decentralized threat administration
Each lending platform has guidelines baked into its code meant to guard in opposition to systemic-risk eventualities just like the CRV fiasco. Broadly, the foundations govern what belongings could be borrowed, and in change for what sorts of collateral. Requiring over-collateralization is a major technique for managing threat, however not the one one.
In an emailed remark to CoinDesk, an Aave spokesperson took pains to specify that Egorov’s $60 million Aave lending place was made in Aave V2, an older model of the platform, and wouldn’t have been attainable within the newer Aave V3 protocol, which “has threat parameters which restrict this actual situation to the purpose the place dangerous debt is extraordinarily unlikely.”
Banks rent skilled managers to set these sorts of threat parameters. Aave and different DeFi lenders kick this duty to their traders.
Aave’s threat parameters are set by the Aave DAO, or decentralized autonomous group – individuals who maintain the platform’s AAVE token. The setup is pitched as a means for Aave’s stakeholders to democratically govern how their cash is borrowed.
Whereas an Aave spokesperson instructed CoinDesk that “the Aave DAO is understood for conservative administration,” some specialists say the Curve disaster confirmed that threat administration is simply too sophisticated to be dealt with by a DAO.
“Greater than 500 totally different parameters are speaking to one another on the Aave protocol – it could possibly be collateral components, liquidation sensors, oracles, rates of interest,” stated Paul Frambot, CEO of the DeFi lending protocol Morpho. “You will have votes to alter these threat parameters always.”
“The Aave paradigm just isn’t constructed to scale with such an quantity of complexity,” stated Frambot, who has labored to introduce new sorts of threat administration methods with Morpho. Along with DAOs being gradual to make choices, “it’s important to have a Ph.D. in threat administration to essentially perceive this stuff.”
Leaving it to the professionals
If the Curve state of affairs illustrated something, stated Frambot, it’s that DeFi lending protocols shouldn’t be seen as autonomous items of laptop code, however as methods that rely closely on human choices. ”The Aave protocol is in truth extra of an on-chain fund with decentralized and open rails,” stated the Morpho founder. “What they’re doing is letting customers deposit cash, after which they handle the danger of this place.”
In line with Aave’s spokesperson, “The DAO has numerous risk-mitigation, third-party companies”
to make threat “assessments and proposals, however it’s finally as much as the DAO to determine how to answer potential dangers.”
Frambot says threat administration is simply too tedious and sophisticated for a DAO to deal with, which means energy naturally concentrates into the fingers of enormous “delegates” and threat administration corporations.
Companies like Gauntlet and Chaos, two of Aave DAO’s fundamental threat administration companions, have proprietary instruments to measure threat and suggest parameter modifications. “Actually on daily basis, threat managers are pushing threat parameters which can be fully trusted and opaque – like we do not know how they’re calculated,” stated Frambot. “But you recognize the DAO goes to greenlight it” as a result of it comes from a trusted model.
Of the 303 proposals since December 2020 which have made it to a proper Aave DAO governance vote – usually these comply with a “snapshot” group ballot within the Aave boards – solely 8% have been outright rejected. Of the 262 proposals which were authorized and executed by the Aave DAO, 233 handed with unanimous approval. The majority of them concerned threat parameter modifications.
Aave DAO choices additionally are usually pushed by only a handful of “delegates” – people and organizations which can be given permission to vote on behalf of different AAVE-holders. In every of the previous 5 Aave DAO votes, greater than half of the ultimate vote tally got here from the three largest delegates.
“There is a little bit of demagoguery to being a delegate,” remarked Dean Tribble, CEO of Agoric, an organization constructing a DeFi-focused blockchain. “Persons are rewarded for voting together with the bulk, and that is why you get these large swings – 100% vote sorts of issues. Or, a loud minority can have an outsized impression.”
The Curve fiasco demonstrated the capriciousness that may outcome from this sort of system.
In June – greater than a month earlier than the Curve change was hacked – Gauntlet proposed freezing CRV in Aave V2, arguing Egorov’s huge CRV collateral risked turning into dangerous debt. Aave’s group voted unanimously in opposition to the proposal, which might have prevented Egorov from rising the scale of his CRV place.
When Gauntlet reintroduced its CRV freeze proposal in July, days after the Curve hack, the group voted 100% in favor.