Apostro: A deep dive into economic risk and risk parameters in DeFi

In this article, we will be diving into the complex world of risk in decentralized lending protocols.

Decentralized finance offers unmatched freedom for capital management, while also maintaining transparency thanks to every byte of source code being available and verifiable in the smart contracts. With this freedom, however, comes the responsibility of having to do your own research and assess the risks you’re taking when depositing money in a specific protocol. While protocols like AAVE, Compound and Curve introduce new mechanisms aimed at increasing capital efficiency for collateralized debt positions while keeping risks as low as possible, this task may pose a challenge even for advanced users.

Luckily, there’s more than enough data out there to carefully pore over.

Risk classification

Risks associated with decentralized lending systems are not as transparent for users as we would like them to be. After all, the only indicator you see when entering a borrow position is a risk factor, depicting the ratio of the loan to your borrowing power – what you can borrow against the deposited collateral. This is easy to interpret in most interfaces: the lower, the better, and if it enters the “danger zone” from 90% and above, you can either repay some of your loans or add more backing. However, the full picture is much more complex than this.

We can split the risks into four categories for DAO-based decentralized protocols:

  • Market risk
  • Smart contract risk
  • Governance risk
  • Economic attack risk

We will be skipping the smart contract risks (code exploits) and governance risks in this article, as they are a very complex topic in their own right. We’ll narrow our focus to market and economic attack risks.

Market risk means everything associated with the natural evolution of the crypto market, be it trading that’s taking place on various exchanges or user interactions with DeFi protocols. It inevitably includes the possibility of sudden spikes in market prices, dangerous liquidity distribution, liquidations and others. Risk-conscious protocols must be aware and ready for such extreme conditions.

Market risk includes:

  • Liquidity risk: a scenario where users are unable to immediately withdraw their deposits in the case of a bank run;
  • Interest rate risk: interlinked with liquidity risk, this is a scenario where the interest rate rises too much due to high utilization, incurring losses for borrowers;
  • Liquidation risk: borrowers inevitably lose some of their collateral value during liquidations;
  • Liquidation impact: if the amounts of a specific token being sold in liquidations are significant compared to outside liquidity, it will have a negative impact on the price, which may lead to more liquidations of positions with suddenly lowered collateral value. This is called a liquidation cascade, and the most notable one in the DeFi space was the ICHI case;
  • Faulty liquidations: when the price moves too much, sending the loan-to-collateral value too high, the position must be liquidated, with the loaned asset returned to the liquidity provider in the exact quantity in which it was borrowed, while a part of the user’s collateral is kept as a bonus to account for network commissions, slippage and effort. This process could be disrupted, mostly because:
  1. The price has jumped too high and the position is already undercollateralized. This means there is no incentive to take the collateral and return the loan;
  2. The slippage is too large for the liquidation to be profitable for the liquidator. This happens mostly for large positions or illiquid collateral;
  3. The network commissions are too high for the liquidation to be profitable for the liquidator. This happens for small positions, which usually have little impact on market moves.

Economic risk

The economic attack risk denotes anything related to deliberate manipulation of the market state for profit. These attacks may be really complicated, but here are the three main types you need to consider:

  • Pump attacks: an inflation of the price of one asset, which is then used as collateral to borrow other, fairly priced assets. The manipulated price eventually returns to normal, leaving the protocol and its liquidity providers with a bunch of debt, which will never be repaid;
  • Dump attacks: essentially the same, but are based on borrowing an underpriced asset;
  • Forced liquidation attacks: a price manipulation which increases the value of a loan asset (or decreases the value of collateral) and triggers large liquidations, damaging the borrowers.

Now that we are familiar with the dangers, what do we do? 

Risk parameters

…we set these right – as a protocol – or make sure they are set right. Here are the ones we are talking about.

Max LTV and Liquidation Threshold

The most commonly used risk factors are the ones influencing a position’s health factor and the moment it is liquidated. They may be indistinguishable at first glance, but the devil hides in the details. Let’s sort it out:

  • Max LTV (Loan-To-Value) is the maximal risk factor that is available when creating a position. For example, with a Max LTV of 0.7 one can borrow a maximum of 0.7 ETH in token A against 1 ETH in token B. The real ratio of debt to collateral may increase due to price movements, and therefore exceed the Max LTV, but protocols usually restrict any of your actions that result in a further increase of this ratio, such as new borrows or collateral withdrawals. There are some that do not, though; and for those, the Max LTV parameter really functions as a fool-proof mechanism, preventing inexperienced users from entering positions on the edge of liquidation.
  • Liquidation Threshold – always greater than or equal to Max LTV – is the loan-to-collateral ratio at which your position can be liquidated. Once the risk factor reaches this threshold, anyone can take a part (or all) of your collateral and repay a part (or all – we will cover this distinction further) of your loan. You inevitably lose some money, which goes to the liquidator as a bonus.

Close Factor and Liquidation Incentive

Close factor and liquidation incentive are two parameters that help establish the balance between capital efficiency and risk management. 

  • Close factor determines what portion of a user's loan can be closed in a single liquidation event. It's a protocol’s defense mechanism, preventing large positions from being wiped out instantly, which would create excess price impact and incur more losses for the borrower. It's usually expressed as a percentage – for example, a close factor of 0.5 means that up to 50% of the outstanding loan can be repaid in one liquidation. Some protocols do not use this parameter, which means their close factor is set to 100%;
  • The liquidation incentive is the bonus a liquidator receives for work carried out. It's an essential tool to incentivize the process of liquidation in the system. The incentive is often a percentage that gets added to the repaid part of the loan and is taken from the user's collateral. For instance, a liquidation incentive of 5% means that the liquidator receives an additional 5% of the liquidated amount as a reward. This parameter usually depends on the asset: for illiquid, small-cap tokens it can easily reach 20%.
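The following sketch is an added example, not code from any protocol named in this article. It models one liquidation with a close factor and a liquidation incentive, and replays the three faulty-liquidation cases listed earlier (undercollateralized position, excessive slippage, excessive network commissions). The function name, fields and all numbers are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Outcome:
    repaid: float             # loan value returned to liquidity providers
    seized: float             # collateral value taken from the borrower
    liquidator_profit: float  # what the liquidator keeps after costs
    ltv_after: float          # borrower's loan-to-collateral ratio afterwards

def liquidate(collateral, debt, close_factor, incentive,
              slippage=0.0, network_fee=0.0):
    """Simplified single liquidation; all amounts in one quote currency."""
    repaid = debt * close_factor
    # The liquidator is owed the repaid value plus the bonus, but cannot
    # seize more collateral than the position actually holds.
    seized = min(repaid * (1 + incentive), collateral)
    proceeds = seized * (1 - slippage)  # selling the collateral costs slippage
    profit = proceeds - repaid - network_fee
    left_collateral, left_debt = collateral - seized, debt - repaid
    if left_collateral > 0:
        ltv_after = left_debt / left_collateral
    else:
        ltv_after = float("inf") if left_debt > 0 else 0.0
    return Outcome(repaid, seized, profit, ltv_after)

# Constructed scenarios: liquidation threshold 0.85, incentive 5%.
HEALTHY = liquidate(1000, 850, close_factor=0.5, incentive=0.05,
                    slippage=0.01, network_fee=5)
# 1. Price moved too far: debt already exceeds collateral (full close).
UNDERWATER = liquidate(1000, 1050, close_factor=1.0, incentive=0.05)
# 2. Illiquid collateral: 8% slippage eats the whole 5% bonus.
ILLIQUID = liquidate(1000, 850, close_factor=0.5, incentive=0.05,
                     slippage=0.08)
# 3. Small position: the network fee exceeds the bonus.
DUST = liquidate(10, 8.5, close_factor=0.5, incentive=0.05, network_fee=5)

if __name__ == "__main__":
    for name, o in [("healthy", HEALTHY), ("underwater", UNDERWATER),
                    ("illiquid", ILLIQUID), ("dust", DUST)]:
        print(f"{name:10s} profit={o.liquidator_profit:8.2f} "
              f"ltv_after={o.ltv_after:.3f}")
```

Only the first scenario leaves the liquidator with a positive result; in the other three nobody has a reason to call the liquidation, which is how bad debt accumulates.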

Interest rate curve

The Interest Rate Curve defines how borrowing costs increase with the protocol’s utilization rate. The utilization rate is the total borrowed funds divided by the total deposited funds in the protocol. Generally, as more funds are borrowed, the cost of borrowing increases to incentivize lenders to supply more capital and disincentivize borrowers from taking excessive loans. These curves are usually defined by the protocol’s governance and could be different for each asset pair.

The usual structure of the interest rate curve goes like this:

  • At utilization 0, Borrow APY is 0% or close to it to incentivise loans.
  • Then Borrow APY increases linearly with utilization until it reaches a certain level, which is often described as optimal utilization rate. Protocols choose this value so that there’s not too much borrowing, which may impose difficulties for suppliers when withdrawing their assets.
  • After reaching this point, the slope increases dramatically, encouraging new deposits (as Supply APY increases as well) and borrow repayments.
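The curve described above, written out as an added example (not the code of any protocol mentioned here). The base rate, both slopes, the 80% optimal utilization and the reserve factor are constructed values; the supply-side formula assumes suppliers receive the borrowers' interest minus a protocol reserve share.

```python
def utilization(total_borrowed, total_deposited):
    """Share of deposited funds that is currently lent out."""
    if total_deposited <= 0:
        return 0.0
    return total_borrowed / total_deposited

def borrow_apy(u, base=0.0, slope1=0.04, slope2=0.75, optimal=0.8):
    """Kinked curve: gentle slope up to `optimal`, steep slope after it."""
    if not 0.0 <= u <= 1.0:
        raise ValueError("utilization must be within [0, 1]")
    if u <= optimal:
        return base + slope1 * u / optimal
    # Past the kink the rate climbs quickly to attract deposits
    # and push borrowers to repay.
    return base + slope1 + slope2 * (u - optimal) / (1 - optimal)

def supply_apy(u, reserve_factor=0.1, **curve):
    """Suppliers share the borrowers' interest, minus the reserve share."""
    return borrow_apy(u, **curve) * u * (1 - reserve_factor)

def curve_table(points=(0.0, 0.4, 0.8, 0.9, 1.0)):
    """(utilization, borrow APY, supply APY) rows for a quick review."""
    return [(u, borrow_apy(u), supply_apy(u)) for u in points]

if __name__ == "__main__":
    # Constructed pool: 9M borrowed out of 10M deposited.
    print(f"utilization: {utilization(9_000_000, 10_000_000):.0%}")
    for u, b, s in curve_table():
        print(f"u={u:4.0%}  borrow={b:7.2%}  supply={s:7.2%}")
```

With these values, moving from 80% to 90% utilization raises the borrow rate from 4% to 41.5%, which is the steep section a reviewer should look at when judging interest rate risk.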

Oracle configuration

To know the value of an asset, one must know its quantity and price. Finding out the market price of a token isn’t as straightforward as it might seem, given that the blockchain doesn’t have an internet connection in and of itself, and it has been one of the most popular exploit causes over the past years. There are several possible approaches:

  • Oracle-less lending based on auctions and other game-theoretic mechanisms;
  • Finding out the price from a decentralized exchange such as Uniswap;
  • A centralized price reporter, like the Coinbase Pro price feed;
  • A decentralized price reporting network, like Chainlink.

And of course, an inaccurate oracle (or on-chain price feed) may lead to false liquidations and price manipulations.

Here’s what we recommend checking:

  • The oracle should ideally be a Chainlink feed or similar;
  • If the assets are not included in the price feeds, or are liquidity provider tokens for DEX pools, the oracle may be getting the price from a decentralized exchange. One adequate safety measure in such cases is to use TWAP (time-weighted average price) to smooth out the price trajectory and make manipulation much more difficult.

The oracle must NEVER reflect actions which have happened in the same block. An oracle that does is vulnerable to flash loan attacks, which are essentially single-transaction attacks with unlimited capital. No TWAP will save you in this case!
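An added sketch, not code from any protocol or oracle named here, of the two checks above: a time-weighted average over a window, computed only from prices recorded in blocks before the current one. The `Observation` type, the 30-minute window and every sample price are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    block: int      # block in which the price was recorded
    timestamp: int  # block timestamp, in seconds
    price: float    # pool price at the end of that block

def spot(observations):
    """Naive read: whatever the pool shows right now."""
    return max(observations, key=lambda o: (o.timestamp, o.block)).price

def twap(observations, current_block, now, window):
    """Average over the last `window` seconds, ignoring the current block."""
    usable = sorted((o for o in observations if o.block < current_block),
                    key=lambda o: o.timestamp)
    if not usable:
        raise ValueError("no observation from an earlier block")
    start = now - window
    weighted = covered = 0.0
    for i, obs in enumerate(usable):
        # Each price holds until the next observation (or until now).
        end = usable[i + 1].timestamp if i + 1 < len(usable) else now
        duration = max(0, end - max(obs.timestamp, start))
        weighted += obs.price * duration
        covered += duration
    if covered == 0:
        raise ValueError("window is not covered by any observation")
    return weighted / covered

# Constructed history: 12-second blocks, price 100, one block at 1000.
HISTORY = [
    Observation(block=100, timestamp=0, price=100.0),
    Observation(block=240, timestamp=1680, price=1000.0),  # one-block spike
    Observation(block=241, timestamp=1692, price=100.0),
]
# Constructed price seen mid-transaction inside the current block.
SAME_BLOCK = Observation(block=250, timestamp=1800, price=5000.0)

def demo():
    feed = HISTORY + [SAME_BLOCK]
    return spot(feed), twap(feed, current_block=250, now=1800, window=1800)

if __name__ == "__main__":
    print(demo())
```

The one-block spike moves the 30-minute average by 6% instead of 900%, and the price set inside the current block is never read at all.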

Supply and borrow caps

Supply and borrow caps are hard limits on the total amount of deposit or borrow of a single asset. They are an additional layer of safety that helps to limit the exposure to certain assets. They can prevent a protocol from holding too much of a risky asset, and stop a borrower from taking a loan that could potentially destabilize the system. This can be particularly useful when dealing with assets that have relatively low liquidity or that are new and thus not yet fully understood in terms of their risk profiles.

Supply and borrow caps are usually set to a fraction of the token’s circulating supply, for which there is enough external liquidity for liquidation (both on the buy and sell sides).

Isolated pools

An improperly configured or illiquid asset can put all the other protocol’s deposits at risk. A way of mitigating this is to limit exposure to the asset, meaning some sort of asset isolation. Let’s dive deeper:

  • Isolated pools are a practice of pooling assets into small groups – pools – with no operations between two different ones, i.e. a user cannot deposit collateral into Pool 1 and borrow assets from Pool 2. Silo Finance (a lending protocol) couples tens of assets into separate pools with Wrapped Ether (WETH) and a stablecoin (USDC or their own token, XAI). This way, in each pool there is at most one asset with dubious properties, such as volatility, proneness to price manipulation and outside liquidity, and in case of attack only pool deposits are at risk, instead of the entire protocol;
  • There are other ways of limiting the asset’s scope of influence, such as Aave V3’s isolation mode, which narrows an asset’s borrowing scope to certain stablecoins, while also limiting the value that can be borrowed against this asset. This serves a role similar to a supply cap.

Withdrawal rate limits

Most exploits – both economic and code-based – happen in a matter of minutes and lead to the whole protocol’s TVL (total value locked) being drained. This could be mitigated by limiting the rate at which the funds are withdrawn from the protocol, so that the loss is not as severe before protocol administration takes action and freezes the market. Those rate limits can be implemented using protocol-level logic, like Solend are doing in their v2, or using an external protocol-agnostic wrapper, which was proposed in EIP-7265: Circuit Breaker.

How is it all connected? 

Now let’s see how these parameters affect the risks themselves.

Parameters as incentives

From a mechanism design perspective, there are several risk parameters that incentivize market participants:

APY for borrowers must rise once the utilization rate is too high to prevent too many borrows – which leads to liquidity risks – while also not incurring excess interest rate risks if this supply–demand balancing mechanism is too aggressive.

Excess deposits or borrows often lead to difficulties in liquidations when the prices fluctuate, as there is not enough liquidity outside the protocol to process all the orders. This brings us back to the aforementioned liquidation risk, liquidation impact and faulty liquidations. To mitigate those market risks, the parameters listed above must be set in such a way that identifies the optimal balance between motivating users and economic security.

Parameters as restrictions

Some parameters impose specific bounds on the state of the protocol, meaning that they don’t rely on supply–demand market dynamics, but explicit rules.

Borrow and supply caps set the limits for the protocol’s exposure to certain assets. This helps to make sure that there is enough liquidity for healthy liquidations – mitigating liquidation impact and faulty liquidations. Isolated pools address the same problem, restricting users from borrowing one volatile asset against another, and thereby reducing the probability of the position’s health factor dropping rapidly.

The larger the liquidation threshold, the smaller the margin before the position becomes undercollateralized (and generates bad debt), which would interfere with proper liquidations. Furthermore, the larger the difference between the max LTV and liquidation threshold, the lower the average risk factor of the positions at the time of creation, meaning they are further from liquidation and both borrowers and lenders are less likely to suffer losses.

Attack prevention

Now from the attack perspective: a low max LTV and a solid margin between this figure and the liquidation threshold help keep the positions at a distance from liquidations, and it also makes it harder for a malicious agent to manipulate the price enough so that it is profitable to deposit the overpriced asset and get back only a share of its (perceived) value. Other parameters that prevent pump/dump attacks:

  • Supply caps for illiquid assets, preferably quoted in USD or ETH;
  • Low max LTV and liquidation threshold for illiquid assets or assets with DEX-based oracles. Let’s say there is a $300,000 supply cap on a token, with a max LTV of 0.5. In this case, a price pump attack on this token would incur not more than $150,000 in losses, while the protocol’s TVL may be in the hundreds of millions;

  • Proper oracle configuration. A DEX-based oracle is more prone to manipulation than a Chainlink oracle, although the latter is not invincible by any means;
  • Pool isolation. This is a good way to give liquidity miners a choice of exposure to certain assets’ risks, without limiting this exposure with a supply cap for those willing to participate (and possibly receive higher returns).

The same principles apply to the forced liquidation scenarios, as this is a type of price manipulation. The following also help prevent losses for borrowers:

  • The aforementioned difference between the max LTV and liquidation threshold, which lowers the average risk factor;
  • Non-aggressive close factors and liquidation incentives, which take too much from borrowers when they are high.

Conclusion 

You may be wondering: what do I do now to find the safest investment option? Should the liquidation incentive be high or low, if both extremes incur different risks? Is a max LTV of 0.6 too much for $YFI? The answer is simple: there should always be a balance, and finding it is the protocol’s task. Your task, as a user, is to spot any extremes or suspicious parameters and ask as many reasonable questions as possible. Every major lending protocol has a Discord server where you can communicate with the admins and the community, and we highly encourage you to do so. You can also refer to our security ratings, which will be available soon for all major lending platforms. 

Remember: the only risk-free protocol is one with no borrows or no deposits at all. Stay safe!