In the 12 months from 1 May 2021 to 1 May 2022, the DeFi ecosystem as a whole lost 2.56% of its TVL to hacks and exploits, according to @RektHQ. That is close to the 10 Year Treasury Rate, and almost as high as annualized insurance costs in DeFi.
How does #TradFi handle such losses and why is DeFi not doing the same?
(This is part 2 in a series of thought pieces about the future of DeFi. Check out part 1 here.)
Why DeFi is attractive to hackers
According to @tokenterminal, DeFi protocols and their blockchains generated over $19b in revenue in the 365 days to 31 August 2022.
Some of these profits go to the founders and developers. Some are redistributed to users through revenue-sharing tokens. Often, the smart contracts themselves accumulate revenue in treasuries.
Large amounts of value flow within and between these blockchains and smart contracts, and all of it is transparent and on-chain. So it is no surprise that malicious actors such as hackers and scammers are looking for ways to get their hands on some of those internet tokens.
In the traditional financial (#TradFi) system, the FDIC/SIPC make depositors and brokerage customers whole, while law enforcement prosecutes the malicious actors. How does that work? Check out our previous article if you want to learn more about how they operate.
DeFi vs TradFi
Why is there no such system in DeFi already? Let’s recap our previous article:
- Hacked assets are hard to recuperate in DeFi.
- Hacked amounts in DeFi are so large that a levy on TVL, let alone on revenue, would not sustainably cover the losses.
In other words, a system that tried to cover all DeFi protocols the way the FDIC/SIPC cover banks and brokerages would not be sustainable: it could be funded neither by DeFi's revenue nor by its TVL.
We saw that DeFi protocols' revenues cannot absorb losses on the scale of May 2021 to May 2022 (2.56% of TVL). Even their TVL would not be able to bear the cost of insuring against hacks of that size sustainably, especially in current market conditions. Why might that be?
Audited code vs exploits
One problem our research uncovered is that over 70% of the hacked protocols we examined had no audit that covered the exploited part of the code. The remaining protocols were audited by only a small number of auditing firms, or even only internally by the protocol team itself.
However, we cannot conclude from this that these well-known auditing firms are incompetent or unreliable. They also audited most of the unhacked part of the DeFi ecosystem, which could explain their overrepresentation in our data; to judge an auditor, one would have to compare hack rates per audited protocol, not raw counts.
Still, there is a need for oversight of how auditing firms operate, to ensure thorough audits of the code that is DeFi's critical infrastructure. Audits miss exploitable bugs fairly often, or simply do not check for attack vectors that have already been used elsewhere. And an audit only ever covers the code and scope it was given at the time: anything outside that scope, or changed afterwards, is effectively unaudited.
A potential solution
Therefore, we propose the DeFi Investors Protection System (DIPS). This system should insure investors and their deposits against losses from failing protocols and hacks. It does so by supervising and reviewing the rigour of participating protocols' audits. It can also assist in asset-recovery efforts, and potentially much more.
DeFi protocols should only be admitted to the DIPS if they submit to continuous oversight by trusted, battle-tested auditors with the best track record, statistically speaking. In return, the DIPS could give participating protocols a seal of approval, signalling to users that their deposits are with protocols that have been rigorously tested and audited.
Ease Uninsurance is ahead of the game
By the way, to some degree the Ease DeFi Uninsurance system (RCAs) already works like the FDIC/SIPC, in that RCAs also only cover established and thoroughly audited protocols. The main difference is that the FDIC/SIPC are funded by membership fees, while RCAs are backed by deposits of the covered protocols' tokens.
Because the covered protocols are battle-tested and established, users of the Uninsurance system are exposed only to hacks of those protocols, not to every hack that plagues the DeFi ecosystem. Since launch nearly 5 months ago, none of the vaults in the Uninsurance system has been exploited.
That is why we have been able to send out the same tweet for 4 months in a row; in a few days, #5 should be posted.
Check out this article to learn more: https://ease.org/the-ease-uninsurance-ecosystem-is-live/
Looking back at our numbers, this approach has the potential to drastically reduce the currently massive amounts lost to hacks. A DIPS that relies on DeFi's TVL, or even its revenue, to cover hacks under its umbrella would then no longer seem far-fetched.
Let's cover every dollar in DeFi with native blockchain solutions, not repurposed TradFi solutions!
This article is part of a new series of Thought Pieces, in which team and community members explore the past, present and future of DeFi.
Ease.org's mission is to help make DeFi easy and safe for everyone to use. We are asking the big questions and want to engage our readers in the dialogue. Let's cover every dollar in DeFi with native blockchain solutions! Join us and join the conversation!