Bitpush comprehensively analyzes DeFi's 6-layer stack and DeFi risk management

Open Finance is one of Multicoin's three crypto super themes, and Open Finance is a superset of DeFi. In the past 12 months, DeFi business on Ethereum has surged: up to $13.6 billion in funds have participated in DeFi, an increase of more than 20 times over last year.

Source: DeFi Pulse

This wave of DeFi is mainly driven by lending platforms (Compound, Aave, Cream, MakerDAO, dForce) and trading platforms (Uniswap, dYdX, Kyber, Cueve, 0x). Together, these platforms account for more than 80% of the total funds involved in DeFi.

DeFi’s growth is fueled by liquidity mining, a tool used to kickstart DeFi protocols and generate network effects. Users can now earn significant returns on their crypto assets simply by providing liquidity to AMMs (Bancor, Curve, Uniswap, Mooniswap, DODO), lending assets to money market protocols (Compound, Aave, and Cream), or providing tokens to yield optimization tools (RAY, Yearn Finance, Idle Finance, APY.Finance, Harvest Finance).

This is possible in part because of composability. Jesse Walden, founder of the venture capital fund Variant, gave an elegant definition of composability: "A platform is composable if existing resources on it can be used as building blocks and programmed into higher-level applications. Composability is important because it enables developers to do more with less work, which in turn leads to faster and more sophisticated innovation."

Now people can create DAI using ETH as collateral, obfuscate it through Tornado.Cash, swap it for USDC through Curve, and then bet on the presidential election on Polymarket, which is an amazing use case. Ethereum has the development tools, building blocks, liquidity, wallet support, and tradable assets (ERC-20) to make it possible to build viable DeFi businesses. Composability creates a virtuous cycle: it makes it easier for entrepreneurs to build new products on Ethereum because they can leverage all the existing infrastructure, which allows them to get to market faster, iterate faster, find product market fit, make the product better, make more people want to use the product, and so on. The network effect of the DeFi ecosystem is powerful.

However, this compounding innovation is not without risk. In fact, for DeFi, as innovation grows, so does risk. In this article, we explore the inter-DeFi dependencies and how several key layers support the entire industry. If any of them fails, the entire DeFi could collapse.

The only effective way to understand the risks that investors take through "yield farming" is to understand the hidden dependencies in the DeFi stack, that is, the risks that arise from composability. To do this, it is necessary to understand the layers in the DeFi stack.

To better understand these risks and dependencies, we break the DeFi Stack into six different layers. Below, we outline composability risk, which is what happens when currency Legos are aggregated into money bricks.

Disassembling the DeFi stack

Layer 1: Atomic Units of Value

Money needs money to make money. Therefore, Layer 1 in the DeFi stack starts with atomic units of value.

DAI, ETH, money market tokens (cTokens and aTokens), centralized custodial ERC-20, anchored assets and stablecoins (USDT, USDC, WBTC, renBTC, tBTC), LP tokens of AMM funding pools, they are mainly used as collateral for derivatives, lending and leverage in DeFi protocols, and also represent the beginning and end of a complete transaction life cycle.

DAI and Tether have different risks. The main risk for DAI is the collapse of the Maker system and the loss of DAI’s anchor asset. The main risk for Tether is that something bad happens to the bank account that holds the reserve dollars that back USDT. All centralized custody assets like WBTC and USDT are subject to binary risk, for example, their value could plummet if BTC is hacked or the market discovers that Tether’s bank account does not have USD reserves. They all introduce substantial risk at the bottom of the inverted pyramid of the DeFi stack. Whether it is a bug or a smart contract failure, if any atomic unit of value is shaken, the system that utilizes them will be compromised, regardless of the quality of its code.

Source: Coin Metrics

Layer 2: Transaction Layer

Atomic units of value alone are not enough. DeFi users, whether human or bot, must be able to transact on-chain. This ability is often mistakenly taken for granted and is layer 2 of the DeFi stack.

As DeFi protocols have evolved, they have become part of an increasingly complex DeFi system. Protocols no longer require only key:value queries (such as finding a public address, returning the number of tokens held). Modern DeFi protocols rely on external transactions to run smoothly, including tracking and storing collateral balances, measuring collateral ratios, processing oracle prices, performing liquidations, distributing collateral rewards, issuing margin and leverage, etc. These operations consume a lot of Gas, so sufficient capacity is required in Layer 1 or Layer 2. Therefore, we identify "transaction capabilities" as a core element in the DeFi Stack.

While “transaction capacity” seems to be constant, this is not the case. Ethereum’s gas fee determines transaction costs, and a single transaction can cost more than $100. If users and bots cannot conduct on-chain transactions, liquidations, margin calls, oracle price feeds, etc. will not be processed, causing chain bankruptcies in the DeFi ecosystem.

Transaction capacity is improving in many ways. Projects like Solana are innovating at Layer 1, optimizing for throughput, latency, and gas fees, resulting in better performance than the status quo (50,000 TPS, sub-second latency, and near-zero transaction fees). Other projects like SKALE, StarkWare, and Optimise are building Layer 2 solutions to facilitate scaling on Ethereum.

Layer 3: Price Oracles

Price oracles are the next indispensable foundation of infrastructure at the transaction layer. The security of market data and the verifiability of inputs are critical to the functionality of DeFi protocols. The isolated design of smart contracts based on off-chain data means that centralized oracles may introduce a single point of failure for the entire system.

Oracles can trigger higher-order module events, such as liquidations. The centralized Coinbase and decentralized MakerDAO medianizers, Chainlink, Band, Tellor, UMA, API3, Compound Open Oracle, and Nest are nine of the largest and most popular oracles today.

If Chainlink oracles fail or misreport, loans on Aave or synthetic assets on Synthetix could be inadvertently liquidated, while DEX midpoints on Bancor and DODO could be skewed. A range of DeFi assets could go from solvent to insolvent in a matter of seconds.

Layers 1, 2, and 3 form the core infrastructure of DeFi. On top of this infrastructure, entrepreneurs are building more complex and interoperable financial infrastructure products (AKA financial architecture).

Layer 4: DeFi underlying products

When most people think of “yield farming” or pure-play DeFi applications, they think of the underlying product layer. DeFi underlying products include:

• Lending protocols: Compound, Aave, Cream, bZx, Yield, Notional, Mainframe

• AMM trading platforms: Curve, Uniswap, Balancer, Bancor, mStable, BlackHoleSwap, DODO, Serum Swap

• Order book exchanges: 0x, IDEX, Loopring, DeversiFi, Serum

• Derivatives trading platforms: MCDEX, Perpetual Protocol, DerivaDEX, Potopn, Opyn, Synthetix, dYdX, Pods, Primitive, BarnBridge

• Asset management platforms: Set, Melon, dHEDGE

It is best to think of these underlying products as networks rather than stacks, as these protocols are not necessarily stacked on top of each other in a particular order. Each underlying product can be used independently or in combination with other underlying products, either at this layer or lower in the DeFi Stack.

Here are some examples:

cTokens on layer 1 are used as collateral in Curve on layer 4.

Users can borrow assets from Aave and then deposit the assets into Uniswap. Conversely, users can deposit assets in Uniswap and then use Uniswap LP tokens as collateral in Aave.

Here are some examples of how to use leverage with Layer 1-3 DeFi underlying products:

1. DAI supports all open contracts on Augur and is also the collateral token for many stablecoin pools on Curve.

2. USDC supports all open contracts on dYdX.

3. Aave relies on Chainlink’s oracles to accurately issue and liquidate crypto-backed loans.

4. dYdX uses MakerDAO’s V1 oracle to ensure the ETH-USD price within the protocol.

5. Lending protocols and non-custodial derivatives protocols (Perpetual Prootocol, Compound, Aave, MCDEX) require Keepers to send transactions to liquidate underwater positions. When the Ethereum network is blocked, positions may be liquidated quickly, as evidenced by MakerDAO in the 312 crypto market crash.

Layer 5: Protocol Aggregator

Aggregators are above the underlying products. This layer consists of supply-side and demand-side aggregators. Some examples include:

• Supply-side aggregators: Yearn Finance, RAY, Idle Finance, APY.Finance, Harvest Finance, Rari Capital

• Demand-side aggregators: 1inch, DEX.ag, Matcha, Paraswap

• Aggregator of Aggregators: yAxis

• New Aggregators: Swivel Finance, Benchmark

Layer 5 protocol aggregators do not custody collateral assets. These products typically provide smart contract construction that enables users to interact with other Ethereum DeFi protocols.

Aggregators have become popular because they are good at one thing: making money (or saving money). However, investors must consider the risks of this layer. If any of the underlying protocols fail, users may lose some or all of their funds. Since many yield aggregators such as Yearn utilize multiple underlying protocols, the risk is further increased as users bear the risk of all the underlying protocols used by the Yearn machine gun pool. On the positive side, demand-side DEX aggregators are the safest and easy to avoid this risk because they do not hold funds and simply execute atomic transactions within the block.

Layer 6: Wallet and Frontend

Wallets and frontends sit on top of all DeFi. Examples include:

• Relayers: Tokenlon, Dharma, PoolTogether, Guesser

• Wallet: Coin98, MetaMask, Math, imToekn, Bitpie, Exodus, Trust Wallet

• DeFi native frontends: DeFi Saver, Zerion, Zapper, Argent, Instadapp

The existence of DeFi wallets, relayers, and frontends enhances the user experience of DeFi. They do not compete on financial or technical construction, but on design, customer support, ease of use, localization, etc. Their main business is to acquire users.

We segment these companies by function. For example, relayers provide a front end for a specific protocol (e.g. Guesser is a front end for Augur, and Tokenlon is a decentralized exchange based on 0x). Front ends like Instadapp and Zapper simplify the process of writing smart contract calls across different DeFi underlying products.

DeFi Risk Management

Quantifying compounding risk in DeFi

The risks in DeFi are growing. Paradigm partner Arjun Balaji described this phenomenon brilliantly in a recent tweet:

“The risks of DeFi are growing exponentially, including contract errors, poor protocol parameterization, on-chain congestion, oracle failures, Keeper robot/LP failures, and contract composability and leverage further amplify the risks.”

Curve's sUSD pool is one of the most popular yield farming opportunities. Let's take it as an example. Users deposit one or more stablecoins (DAI, USDT, TUSD, sUSD) into the pool, and then stake their LP tokens on Synthetix's Mintr platform to receive SNX rewards.

Each stablecoin in the Curve pool has unique risks (DAI’s value is governed by Maker, Oracles and Liquidators, USDT’s value depends on collective belief in Tether’s reserves). The creation of a stablecoin pool reduces the impact of any one stablecoin’s collapse on holders while supporting the stability of each token. However, the collapse of one token will still have an adverse impact on other tokens in the pool, and will have an adverse impact on all protocols that rely on the pool (instability of the Synthetix debt pool, liquidation between Maker CDPs). This is the double-edged sword of Ethereum’s composability - easy to integrate, promotes breakthrough innovation, but the risks are increasing step by step.

Let’s take a look at the biggest potential risks in DeFi today.

Currently, the locked assets in the top DeFi protocols (Uniswap, Compound, Aave, Balancer, Curve and MakerDAO, etc.) have reached 11.4 billion US dollars.

Of this $11.4 billion, DAI accounts for 9% ($1 billion), USDC accounts for 24% ($2.8 billion), renBTC accounts for 3% ($308 million), and WBTC accounts for 17% ($2 billion). If anyone allowed these stablecoins to deviate from their pegs, there could be a cascade of liquidations, bankruptcies, and price volatility.

Source: Dune Analytics (via Jack Purdy of Messari)

Chainlink provides key functionality for three of the top five synthetic asset platforms by value locked, with Synthetix having a debt pool of $126 million (entirely secured by Chainlink) based on SNX price and all synthetic assets generated.

Synthetix suffered an oracle attack on June 25, 2020, with the sKRW (synthetic Korean won) price feed returning incorrect values, which provided an opportunity for arbitrage bots to extract approximately 37 million worth of sETH from the system (although the attacker eventually returned the funds after negotiations).

Users can also manipulate oracle feeds directly for personal gain. On February 18, 2020, an attacker used a flash loan to drive the price of sUSD on Uniswap to about $2, provided sUSD collateral to bZx at this inflated price, borrowed about 2,400 ETH, and effectively exited the bZx position without collateral loss, all in one transaction. Since then, the number of oracle attacks has increased significantly, including recent attacks on Hrvest, Value DeFi, and other products.

Chainlink secures approximately $2.2 billion in value across Synthetix, Aave, and Nexus Mutual alone, and as discussed, it is vulnerable to price manipulation attacks.

The last major risk factor is Ethereum congestion. As we saw with the recent launch of UNI, Ethereum is still not ready for global-scale trading activity. Some decentralized BitMEX products, including Perpetual Protocol in our portfolio, had to delay their mainnet launch due to rising gas fees. Not only is it expensive to open a position, but the cost of executing key transactions, such as adding collateral and liquidating near underwater positions, is also prohibitively high.

Mitigating Risk in DeFi

Layers 1-3 of the DeFi stack impact almost all of DeFi and are the most important when considering risk mitigation. Therefore, they are what we focus on.

Staking Tokens

Most protocols in DeFi accept the same assets as collateral. These token assets include DAI and centralized custody assets (USDC, USDT, WBTC, renBTC, etc.), as well as interest-bearing money market tokens such as aTokens and cTokens. DeFi developers can protect against collateral risk in several ways:

• 1. Limiting collateral types (e.g. dYdX only allows USDC as a perpetual swap position, while Maker allows multiple types). The trade-off is that enabling more types of volatile collateral creates systemic risk for all collateral in the same asset pool.

• 2. Only accept transparent and audited stablecoins (such as USDC and PAX).

• 3. Use assets with well-defined risk parameters (such as liquidity and market value requirements) as collateral, and introduce collateral types in stages over time.

• 4. Limit collateral concentration and incentivize liquidity providers to add underrepresented collateral (for example, Curve now incentivizes LPs to add DAI to its specific pool because DAI has low liquidity in the pool).

• 5) Teams building layer 3 underlying products can purchase collateral insurance for their users. This would essentially bring insurance to the lower levels of the stack, e.g. dYdX could purchase credit default swaps for its traders with USDC equal to their position exposure. It is possible for stablecoin issuers, insurance companies, or decentralized insurance providers (Opyn, Nexus) to become underwriters of swaps. Opium.Exchange recently launched credit default swaps when the price of BitGo’s WBTC token fell. DeFi teams that have added WBTC as collateral can purchase these swaps to protect their users.

Oracle

Oracles are the main source of trouble and attack vector for almost all DeFi protocols. As mentioned above, 30% of the top 10 protocols by DeFi Pulse rely on Chainlink, while another 20% use LINK tokens in some way. If Chainlink fails somewhere, a large part of the DeFi ecosystem could collapse.

To mitigate oracle risk, the protocol team can get prices and other off-chain data from multiple oracle providers (Chainlink, MakerDAO medianizer, Band, Nest, Coinbase) and then use the median. If an oracle's feed price deviates from other oracles by X%, it is ignored (for centralized oracles, FTX ignores prices that are more than 30 basis points from the median). This can potentially prevent the situation where an oracle is compromised. In addition, the protocol can use TWAP or VWAP to mitigate flash loan attacks.

Alternatively, the team could choose to limit the range in which the oracle price can fluctuate over a certain period of time. This can provide increased security in the event of oracle compromise and manipulation. However, if the price does change significantly and the oracle quotes do not reflect this, this could result in significant market distortions that could seriously threaten the solvency of the system.

For a more detailed overview of oracle attacks, check out samczsun’s recent post.

Trading capabilities

On March 12, due to on-chain congestion, part of the MakerDAO system was liquidated. Keepers are network participants in the Maker system who can bid zero dollars to liquidate nearly underwater positions. Due to the increase in gas fees, they are unable to trade. The reason is that the default configuration of the software used by Keepers cannot automatically adjust the gas fee according to network congestion.

With the rise of decentralized derivatives protocols on Ethereum (such as dYdX, Perpetual Protocol, DerivaDEX, MCDEX), trading capabilities will become increasingly important. Imagine if Binance is unable to liquidate losing traders, the insurance fund is completely spent, directly leading to large-scale automatic deleveraging across the entire exchange.

That being said, Keepers are currently generating over $10M per year on projects like Compound, Aave, dYdX, MakerDAO, etc., so we are cautiously optimistic that these Keepers will improve their performance over time to capture this opportunity:

Source: LoanScan

We already have some solutions to reduce the risk of DeFi underlying products being unable to trade:

Migrate to Layer 2 or other scaling solutions (rollups, sidechains, other Layer 1, etc.)

1. Optimistic rollups are backward compatible with EVM. They inherit the security of Layer 1 and can have higher throughput (especially across shards), low latency and lower gas fees, but it takes a long time to implement.

2) Sidechains such as Skale and Matic can quickly become backward compatible with the EVM, have the characteristics of high throughput, low latency, low gas fees, and provide instant deposit and withdrawal functions. They are highly configurable for developers, but they do not inherit the security of Ethereum Layer 1.

3) Layer 1 projects such as Solana, Near, Algorand, Dfinity, Nervos, Kadena and Ava are competing public chains of Ethereum. They usually have higher scalability and lower costs, but do not have the collateral asset foundation and components that make Ethereum successful.

Create complex collective liquidation robots to keep track of funds at all times

1) KeeperDAO is a public liquidity pool that allows token holders to contribute and earn rewards through on-chain liquidation. KeeperDAO works across the entire DeFi ecosystem and runs highly sophisticated and optimized software.

2) Individual teams building underlying products can create their own mini versions of KeeperDAO, for example Mainframe is pooling liquidator collateral for its fixed-rate zero-coupon bond lending system so the protocol doesn’t have to rely on individuals to perform liquidations.

3) On this basis, the team should ensure the use of optimized, fast-liquidation software to avoid crises like what Maker experienced on March 12.

Mining pools can prioritize certain transactions

1. We have been thinking about the possibility of mining pools issuing tokens (for simplicity, we call it MPT). MPT works as follows: when an address with at least 10,000 MPTs broadcasts a transaction, the mining software of mining pool X notices this transaction and marks it as a priority transaction (PT). In the next block mined by mining pool X, PT will be listed as the first transaction (as long as PT pays the required minimum gas fee).

2. DeFi teams can hold a large amount of MPT to ensure that their key operation calls (such as oracle price updates, liquidation, and margin issuance) are prioritized and packaged into blocks.

3. Spark Pool recently announced that they are testing a network called Taichi. According to Gasnow, Taichi will bypass the traditional mempool and "push received transactions directly into the mempool of the mining pool." This concept helped Ethereum researcher samczsun save $9.6 million for Lien Finance users a few weeks ago.

Miner extractable value (MEV)

The term Miner Extractable Value was first coined by Phil Daian in his seminal research paper Flash Boys 2.0. The basic idea is that since miners have the ability to order and censor transactions in blocks, they can choose to replace arbitrage or liquidation transactions with their own transactions (but with zero or lower transaction fees). While this practice is generally considered "evil" and will certainly have a negative impact on chain stability, it may actually end up being a useful tool for DeFi risk management. In this scenario, the profit margins of liquidators and custodians will be zero. But if miners systematically perform MEV on liquidations and arbitrage, they will prevent bankruptcy and price divergence across the system because liquidations and arbitrage transactions will always occur.

Derivatives Position Offsetting and Cross Margining

If liquidity providers can cross derivatives platforms or cross margin collateral and take net long and short positions on competing protocols, they can provide more liquidity for every $1 of collateral. For example: if an Ethereum address has a 1x long BTC-USD perpetual contract on dYdX and a 1x short BTC-USD perpetual contract on MCDEX, these positions can theoretically be netted so that the trader only needs a fraction of the necessary collateral. This would have the added benefit of greatly reducing liquidations. However, given the immaturity of these systems both technically and governance-wise, this is unlikely to happen in the short term.

GasToken like CHI and GST-2

Gas tokens are an untapped avenue for scaling. Currently, the combined market cap of the two main Gas tokens, CHI and GST-2, is under $2 million. What are Gas tokens? Gas tokens can store gas for use in later free transactions, or as a prepayment for future gas use. When gas prices are low, savvy traders mint them into tokens, and then when gas prices rise, traders redeem Gas tokens, saving on transaction fees. We expect DeFi teams to start accumulating Gas tokens and use them in the protocol when they need to use the built-in liquidation bot during periods of market volatility.

Summarize

Nowadays, the interconnectedness between various DeFi protocols is becoming more and more close, and with it comes more and more complex systemic risks. There are many different DeFi protocols now, but most of them have the following common features.

1. Contains a collateral pool that can be traded or borrowed;

2. To avoid systemic bankruptcy of borrowing/lending and derivatives agreements, the oracle feeds prices to the contracts;

3. If insolvency occurs, the third-party Keeper can initiate liquidation and make a profit.

In this article, we aim to provide a simple framework for thinking about how to manage the three major risks in DeFi: collateral risk, oracle risk, and liquidation risk.

While it sounds relatively simple (it boils down to three main types of risk!), there are a lot of moving parts, which Multicoin internally calls "Lego." There are currently $13 billion in assets locked in DeFi networks, and many of them rely on a few basic building blocks. While some of these assets are protected by smart contract insurers such as Nexus Mutual and Opyn, there is little protection against economic and congestion failures today.

As the DeFi market matures and more complex underlying products are launched (like decentralized BitMEXs and Fixed Rates), project teams will need to think more rigorously about how to protect against systemic risk. Institutional players like Genesis and BlockFi, as well as new banks like Betterment and Wealthfront, will eventually want to get into permissionless DeFi. When they do, the first question they ask DeFi teams is how to protect themselves from black swan events like a single oracle failure or blockchain congestion. Knowing the answers to these questions ahead of time may be the difference between winning them and losing them in DeFi.

Original article: The DeFi Stack

Author: Spencer Applebaum, Matt Shapiro, Shayon Sengupta