In this article, we will be diving into the complex world of risk in decentralized lending protocols.
Decentralized finance offers unmatched freedom for capital management, while also maintaining transparency thanks to every byte of source code being available and verifiable in the smart contracts. With this freedom, however, comes the responsibility of having to do your own research and assess the risks you’re taking when depositing money in a specific protocol. While protocols like AAVE, Compound and Curve introduce new mechanisms aimed at increasing capital efficiency for collateralized debt positions while keeping risks as low as possible, this task may pose a challenge even for advanced users.
Luckily, there’s more than enough data out there to carefully pore over. In this article, we will be diving into the complex world of risk in decentralized lending protocols.
Risks associated with decentralized lending systems are not as transparent for users as we would like them to be. After all, the only indicator you see when entering a borrow position is a risk factor, depicting the ratio of the loan to your borrowing power – what you can borrow against the deposited collateral. This is easy to interpret in most interfaces: the lower, the better, and if it enters the “danger zone” from 90% and above, you can either repay some of your loans or add more backing. However, the full picture is much more complex than this.
We can split the risks into four categories for DAO-based decentralized protocols:
We will be skipping the smart contract risks (code exploits) and governance risks in this article, as they are a very complex topic in their own right. We’ll narrow our focus to market and economic attack risks.
Market risk means everything associated with the natural evolution of the crypto market, be it trading that’s taking place on various exchanges or user interactions with DeFi protocols. It inevitably includes the possibility of sudden spikes in market prices, dangerous liquidity distribution, liquidations and others. Risk-conscious protocols must be aware and ready for such extreme conditions.
The economic attack risk denotes anything related to deliberate manipulation of the market state for profit. These attacks may be really complicated, but here are the three main types you need to consider:
Now that we are familiar with the dangers, what do we do?
…we set these right – as a protocol – or make sure they are set right. Here are the ones we are talking about.
The most commonly used risk factors are the ones influencing a position’s health factor and the moment it is liquidated. They may be indistinguishable at first glance, but the devil hides in the details. Let’s sort it out:
Close factor and liquidation incentive are two parameters that help establish the balance between capital efficiency and risk management.
The Interest Rate Curve defines how borrowing costs increase with the protocol’s utilization rate. The utilization rate is the total borrowed funds divided by the total deposited funds in the protocol. Generally, as more funds are borrowed, the cost of borrowing increases to incentivize lenders to supply more capital and disincentivize borrowers from taking excessive loans. These curves are usually defined by the protocol’s governance and could be different for each asset pair.
Usual structure of the interest rate curve go like this:
To know the value of an asset one must know its quantity and price. The latter isn’t as simple as it seems, being one of the most popular exploit causes over the past years. Finding out the market price of any token isn’t as straightforward as it might seem, given that the blockchain doesn’t have an internet connection in and of itself. There are several possible approaches:
And of course, an inaccurate oracle (or on-chain price feed) may lead to false liquidations and price manipulations.
Here’s what we recommend checking:
The oracle must NEVER reflect actions which have happened in the same block. This makes it vulnerable to flash loan attacks, which are essentially single-transaction attacks with unlimited capital. No TWAP will save you in this case!
Supply and borrow caps are hard limits on the total amount of deposit or borrow of a single asset. They are an additional layer of safety that helps to limit the exposure to certain assets. They can prevent a protocol from holding too much of a risky asset, and stop a borrower from taking a loan that could potentially destabilize the system. This can be particularly useful when dealing with assets that have relatively low liquidity or that are new and thus not yet fully understood in terms of their risk profiles.
Supply and borrow caps are usually set to a fraction of the token’s circulating supply, for which there is enough external liquidity for liquidation (both on the buy and sell sides).
An improperly configured or illiquid asset can put all the other protocol’s deposits at risk. A way of mitigating this is to limit exposure to the asset, meaning some sort of asset isolation. Let’s dive deeper:
Most exploits – both economic and code-based – happen in a matter of minutes and lead to the whole protocol’s TVL (total value locked) being drained. This could be mitigated by limiting the rate at which the funds are withdrawn from the protocol, so that the loss is not as severe before protocol administration takes action and freezes the market. Those rate limits can be implemented using protocol-level logic, like Solend are doing in their v2, or using an external protocol-agnostic wrapper, which was proposed in EIP-7265: Circuit Breaker.
Now let’s see how these parameters affect the risks themselves.
From a mechanism design perspective, there are several risk parameters that incentivize market participants:
APY for borrowers must rise once the utilization rate is too high to prevent too many borrows – which leads to liquidity risks – while also not incurring excess interest rate risks if this supply–demand balancing mechanism is too aggressive.
Excess deposits or borrows often lead to difficulties in liquidations when the prices fluctuate, as there is not enough liquidity outside the protocol to process all the orders. This brings us back to the aforementioned liquidation risk, liquidation impact and faulty liquidations. To mitigate those market risks, the parameters listed above must be set in such a way that identifies the optimal balance between motivating users and economic security.
Some parameters impose specific bounds on the state of the protocol, meaning that they don’t rely on supply–demand market dynamics, but explicit rules.
Borrow and supply caps set the limits for the protocol’s exposure to certain assets. This helps to make sure that there is enough liquidity for healthy liquidations – mitigating liquidation impact and faulty liquidations. Isolated pools address the same problem, restricting users from borrowing one volatile asset against another, and thereby reducing the probability of the position’s health factor dropping rapidly.
The larger the liquidation threshold, the lower is the margin before the position becomes undercollateralized (and generates bad debt), which would interfere with proper liquidations. Furthermore, the larger the difference between the max LTV and liquidation threshold, the lower the average risk factor of the positions at the time of creation, meaning they are further from liquidation and both borrowers and lenders are less likely to suffer losses.
Now from the attack perspective: a low max LTV and a solid margin between this figure and the liquidation threshold help keep the positions at a distance from liquidations, and it also makes it harder for a malicious agent to manipulate the price enough so that it is profitable to deposit the overpriced asset and get back only a share of its (perceived) value. Other parameters that prevent pump/dump attacks:
- Let’s say there is a $300,000 supply cap on a token, with a max LTV of 0.5. In this case, a price pump attack on this token would incur not more than $150,000 in losses, while the protocol’s TVL may be in the hundreds of millions.
The same principles apply to the forced liquidation scenarios, as this is a type of price manipulation. The following also help prevent losses for borrowers:
You may be wondering: what do I do now to find the safest investment option? Should the liquidation incentive be high or low, if both extremes incur different risks? Is a max LTV of 0.6 too much for $YFI? The answer is simple: there should always be a balance, and finding it is the protocol’s task. Your task, as a user, is to spot any extremes or suspicious parameters and ask as many reasonable questions as possible. Every major lending protocol has a Discord server where you can communicate with the admins and the community, and we highly encourage you to do so. You can also refer to our security ratings, which will be available soon for all major lending platforms.
Remember: the only risk-free protocol is one with no borrows or no deposits at all. Stay safe!