How to Assess the Risk of Lending to a Protocol
A framework for assessing the risks of lending to a money protocol
Dear Crypto Natives,
My #1 advice if you’re planning to lend your crypto: don’t chase rates!
You should evaluate lending opportunities based on risk-adjusted returns. That means return minus risk.
But how do you assess risk?
That’ll be an ongoing topic of the program. But a good place to start is a framework recommended by an actuary who’s made it his mission to help assess and mitigate money protocol risks. That’s what we’ll cover today.
Really excited about this tactic.
If you’re considering using Compound, Maker, dYdX, or any of the money protocols really, then you’ll want to read and apply this tactic.
Let’s level up!
How to Assess the Risk of Lending to a Protocol
Guest post by: Hugh Karp, Founder of Nexus Mutual
Learn a framework for assessing the risks of lending to a money protocol. First, it helps you determine what to do with the risk: manage, avoid, ignore, or insure. Then, it helps you assess lending protocols through the lens of technical, external, and economic incentive risks.
Goal: Determine how to think about & categorize risks of lending protocols
Effort: 30 mins
ROI: Increase your risk-adjusted returns on crypto lending
Ok, what are the risks?
When someone says, “you can earn more than 10% pa”, your first response should probably be “sounds like a scam”. But that’s not always the case and assuming you are interested enough to dive deeper, your next question should be, “ok, but what are the risks?”
I’ll walk you through a high-level framework to understand the risks involved in interacting with the various DeFi systems. It’s not going to give hard and fast ratings or specific answers; instead, it will give you basic tools to do this yourself. And importantly, you don’t have to understand Solidity code.
Consequence and Likelihood
The first step in understanding risk is to break it down into two main factors, likelihood and consequence. As you will see, it helps immensely to separate these two items to not only understand the risks but take appropriate action on how to manage them.
Likelihood - the chance that the risk actually occurs. Is it a relatively common situation, or is it a rare event that may not ever happen?
Consequence - what happens if the event were to occur. Will it result in an insignificant or small financial loss, or a catastrophic failure leading to the loss of your entire investment?
How the risk scores on each factor is key to understanding how you should manage it. Very simply, the following matrix guides you on the broad actions to take.
Avoid - Anything with a high likelihood and high consequence should be avoided; the risk cannot be adequately managed or insured for a reasonable price. This is “scam” territory, but it can also apply more broadly.
Manage - High likelihood items with low consequence form part of day-to-day management for you to take responsibility for or pay someone to manage on your behalf. For example, optimising returns due to changing interest rates between various DeFi protocols.
Ignore - Low likelihood, low consequence items are mostly not worth worrying about. The time and cost of management is probably not worth the effort so it is perfectly reasonable to ignore them.
Insure - The remaining category is the low likelihood, high consequence items where you should insure where possible to improve your risk adjusted return. At the very least you should understand the high consequence scenarios and what might cause them.
The three types of risk in a lending protocol
Now that we have a general framework to work within, how do we identify the events or risks that might occur? The high likelihood risks are usually more obvious, as they tend to occur during the normal operation of the platform: interest rates moving, liquidations if collateral drops too low, slippage costs, etc. The high consequence risks are where you should spend more time thinking, as it’s where you will get a full grasp of the risk-return spectrum.
To guide you through that process, there are three main groups of risks when using the various DeFi platforms. Each of these risks could result in a large loss of capital, depending on the platform, so it is important to understand all three.
1. Technical Risk
The risk of the smart contracts not behaving as intended by the developers. It is very hard to write error-free code, so there is always some level of technical risk. Audits, extensive testing, formal verification, and how “battle-tested” the contracts are can all reduce technical risk.
A simple measure like funds held × time held could be a reasonable proxy for technical risk, noting that even heavily battle-tested contracts have had issues in the past.
2. External Risk
The risk of external information influencing how the smart contracts operate to the detriment of other users. For example, an oracle could provide malicious data, an administrator could change a system parameter, or governance procedures could be co-opted.
This is often difficult to assess without a certain level of technical expertise, but generally there have been articles written on the major platforms that describe how much control the administrators have and where the external factors are. Some platforms have started introducing time-locks on governance controls, which may allow users to take funds out before any changes take place, and some platforms have no external risk at all, like Uniswap.
3. Economic Incentive Failure Risk
Many smart contract systems, especially in the DeFi space, rely on economic incentives to encourage network participants to perform certain actions. These incentives could fail to encourage the right behaviour or not be adequate, leading to other users being adversely impacted. For example, the incentives in the MakerDAO smart contracts could be too aggressive and the DAI <> USD peg could break if the ETH price drops too far, too quickly.
First, get to grips with the worst case; you can then decide whether you’re willing to take the risk or not. For example, in Compound the worst case outcome from economic incentive failure is probably that funds can’t be withdrawn for some period of time, rather than funds being lost entirely. Depending on your circumstances, this may be quite tolerable or it may not be.
Once you understand the risks, you could rate them according to a more detailed matrix and then decide how you will actually deal with them: avoid, manage, ignore or insure.
Interacting with DeFi smart contracts is very new and risks do exist, but in many cases they can be adequately understood and managed appropriately. If you first understand the various failure modes, you will be in a much better position to grow your crypto wealth over time.
RSA Note: A technical risk like a protocol hack is a high risk / low likelihood event that can be insured against—Nexus provides insurance for technical risks for many money protocols. Most cost 1-2% of annual returns. External risks on the other hand can’t easily be insured against, so it’s important to know if protocol developers have the ability to change code or siphon funds. (e.g. Compound added a 2-day delay to admin functions to its contract after recently—this limits their ability to change code without notice—look for these improvements!).
The biggest external risk in money protocols like Maker and Synthetix is probably an Oracle attack of some kind—this deserves its own write-up. You cannot currently buy insurance to cover an Oracle attack. Bottom line: lending protocols remain risky—size the amount of your loans accordingly!
Evaluate protocols against the three types of risk before lending
Assess risk of protocols you’re using today—avoid, manage, insure, or ignore?
(Advanced) Check out DeFi Score—project for risk scoring protocols (early days!)
Hugh Karp is an insurance professional and actuary with over 15 years of experience in the insurance industry. He has held a variety of roles in both primary and reinsurance companies, including as CFO for Munich Re’s Life operations in the UK. He is now the Founder of Nexus Mutual, a decentralised peer-to-peer mutual insurer that uses blockchain technology to replace the insurance entity with smart contract code.
Filling out the skill cube
This week you leveled up on “Lend” areas of the skill cube! Risk assessment is difficult in open finance today—but learning a good risk framework is the place to start.
Not financial or tax advice. This newsletter is strictly educational and is not investment advice or a solicitation to buy or sell any assets or to make any financial decisions. This newsletter is not tax advice. Talk to your accountant. Do your own research.
Disclosure. From time-to-time I may add links in this newsletter to products I use. I may receive commission if you make a purchase through one of these links. I’ll always disclose when this is the case.