The Ease Risk Rubric
The Ease Risk score or Protocol Rating is a combination of 2 sub-scores.
The first major score is taken from DeFi Safety. DeFi Safety is a leader in rating a protocol’s transparency and documentation on their contracts, as well as the use of auditors and bug bounties, and if recent hacks have occurred. This score is initially out of 100, but we apply a 0.5 weight to it, to score it out of 50.
Secondly, the team at Ease applies their own ratings to a set of metrics not covered by the DeFi Safety rating. DeFi Safety’s focus is on grading a protocol’s end-user safety. Our ratings are designed with the specific intent of judging how likely claims are to occur on Nexus. These two are added together to provide a general risk rating out of 100.
There are 5 different metrics, each with their own scores:
1. Time Weighted Total Value Locked
0-20 (TW-TVL): We grab TVLs of protocols from DefiLlama API and time-weight these from the protocols’ genesis, based on data on daily intervals.
- 0: 0 – $1B
- 5: $1B – $10B
- 10: $10B – $100B
- 15: $100B – $1T
- 20: >= $1T
Rationale – Two factors determine the belief of a protocol’s “battle-tested” nature. How long the contracts have been live, and the amount of value locked in the contracts. So, we account for both. We take daily TVL numbers and add them together, because the longer the TVL has been locked, the more time a black hat has had a chance to attempt to find a vulnerability and exploit it.
0-5: We rate the impact upgradeability has on the perceived risk of the covered protocol.
- 0: The contracts or protocol covered under nexus are upgradeable
- 5: The contracts or protocol covered under nexus are NOT upgradeable
Rationale – As an example, Uniswap v2 is never upgradeable. A Uniswap v2 policy on Nexus will always only ever cover Uniswap v2 pools. However, a policy for Yearn (all vaults) can cover more and more added contracts over time. So an exploited contract in the future might not have been a part of the ecosystem when stakers initially underwrote the protocol. This potential for an unknown risk leads to a lower score.
1-5: We rate the impact an oracle might have on the potential risk of the protocol
- 1: v2 TWAP
- 2: v3 TWAP
- 3: ChainLink
- 4: Centralized; ChainLink w/ redundancies
- 5: No Oracle
Rationale – Oracles are an extremely common attack vector for DeFi hacks. However, not all oracles are exploited equally. A v2 TWAP oracle would rate lower than Chainlink. Centralized oracles are not covered by Nexus policies, meaning the risk to underwriters is unlikely in the event an exploit were to occur through one.
4. Protocol Type
0-5: We apply a rating depending on the service that the protocol offers
Rationale – Historically, some types of protocols are more susceptible than others. A lending protocol is usually susceptible to a loss of a large portion of its TVL. While a yield farm usually results in losses from only a single strategy.
0-10: While DeFiSafety does provide a rating on whether or not a protocol has audits, Ease found it important to also provide an additional rating based on:
- Are the audits up to date
- What is the reputation and quality of the auditor
- 0: No Audits
- 3: Low Quality
- 5: Medium Quality
- 10: High quality
- +1: Additional points can be given for multiple audits
- -X: Audits for old code bases
Rationale – Some auditors dedicate weeks worth of work hours to each of their audits with a backlog sometimes spanning into the next year. On the other hand, some auditors have a much quicker turnaround and dedicate significantly fewer hours to their auditing process. We determine audit quality through ours and industry experiences with auditors, their noted processes, and reputation regarding past hacks and bugs. Also, regardless of the auditor if the only audits are for an old code base, then the relevance of the audits are in question
6. Bonus Points
Rationale – Not everything can be quantified into this scoring system. So we leave the opportunity open to add or subtract bonus points from protocols in a subject nature. If this occurs a note will be made on the amount of points given or taken and the reasons why. For example, Eth2 staking will receive an automatic 100. In the event of an issue in the staking mechanism a hard fork is likely.
The max sum of these 5 scores is 45. We take the percentage total a protocol received and apply the same 0.5 weight to it that DeFi Safety receives.
Adding these together we arrive at a score out of 100%, known as the Protocol Rating. We then utilize this rating to determine two things:
- Which Ease managed staking-pool the protocol is allocated to
- The target price premium for that protocol
We will go into detail on these two items below.
With the Protocol Rating determined, we now apply our pricing model which is used to determine the Target Price that we will set for that protocol in our management pool.
The Minimum Price in the system is set by Nexus, which is 1%. Meaning, a protocol with a perfect score will also have the lowest possible target price.
With the launch of Nexus v2 there will now be managed staking pools. In which NXM stakers can allocate their staked NXM to managed staking pools. The manager of the pool will determine what protocols are underwritten, at what prices, and in which capacities. Ease will manage 3 pools, whose protocols are determined by this risk rubric, and stake arNXM into them. The first two these three pools will be available at the launch of v2, with the other one coming shortly after.
To start, the aim of Ease managed pools is to support DeFi. Meaning, Ease will not provide underwriting cover to custodial services. The centralized nature of these entities prevents us from being able to accurately assess the risks they pose to Nexus underwriters.
This pool will consist of only the highest rated protocols, the cut off being a Risk score of >= 75. These protocols will have the cheapest target prices for premium costs (<1.9%). These protocols generally are the “least risk” to underwrite, and historically utilized high capacity (though that is no longer the case for some). The small pool of protocols means that maximum leverage is not needed to support this bucket. Returns will be safer for stakers as the risk of a potential coverage event is lower.
This bucket will contain protocols between the 75-60 threshold. These protocols will have the target prices for premium costs between 1.9% and 3.4%.
It is unlikely that the full weight of user stakes will be used on the protocols, as cover demand is consistently lower for most of these. But more NXM leverage will be used to cover the wide range of protocols, as the AAA bucket will be rolled into this one.
This bucket will be much more dynamic and likely use full leverage on the protocols to maximize capacity with the least amount of arNXM possible. It will include protocols below 50-60, as well as higher rated protocols that begin to experience capacity issues.
We will launch with two pools. The AAA and the AA buckets. The protocols included don’t include every single rated protocol. We are launching based on ratings + current demand (using active cover values via nexustracker.io). We also used this to determine the starting weights in which NXM is allocated, to reduce excess capacity. The included protocols, their allocated weight and their ratings are subject to change at any time.
UPDATE: With the Euler hack that occurred on 5/13/2023, before our Risk pools launched on Nexus v2, the decision was made to not launch with Euler in the AA bucket. It is not underwritten by Ease.