How to measure and manage DeFi risks

Published on: June 13, 2023
Without standard tools for risk assessment, investors may feel they are flying blind in decentralized finance. That doesn’t have to be true.

Risk management is baked into the investment mindset as the inevitable corollary to opportunities for alpha. In traditional financial markets, quantifying the value of a portfolio at risk focuses mainly on managing price-related factors, such as forecasting volatility or developing hedging strategies to offset potential losses.

But asset managers entering DeFi from traditional finance will discover substantially more complexity when it comes to risks. Furthermore, there is still little awareness of how to quantify risk in DeFi, along with a dearth of tools that are fit for handling the job. Building a sound understanding of the market specifics, along with some core tools to help assess risk exposure, can help asset managers to manage risk more effectively.

Types of risk in DeFi 

DeFi, like the broader digital asset sector, lacks standardization. Without a standard methodology for calculating risk, such as the Value-at-Risk models that exist in traditional finance, or even a standard nomenclature to describe the different types of risks that exist in DeFi, it has proved difficult to establish risk management strategies for the sector. 

However, there is a growing body of work covering the risk landscape in DeFi, including a 2023 report from the Financial Stability Board, which examines the risks from the perspective of systemic and institutional financial stability. In addition, crypto-native analysts have also lent their expertise to this endeavour. Taken together, this work provides a broad overview of the various types of DeFi risks that investors need to consider when assessing their portfolios.

Intrinsic risk

Intrinsic risk refers to the risks inherent in using DeFi applications, which are automated protocols based on smart contract programming that operate without human intervention. In traditional markets, by contrast, brokers oversee margin accounts, and emergency mechanisms such as circuit breakers are implemented to prevent price contagion in the event of a sudden market shock.

Brokers do not exist in DeFi, and leveraged positions that fail to post the requisite collateral can be automatically liquidated. The volatility of digital asset markets, along with non-stop trading hours, means that auto-liquidation is a risk that must be continually monitored. Systemic analysis of DeFi markets shows that auto-liquidations have an adverse effect on price, creating a feedback loop in which falling prices lead to more liquidations.

Another example of intrinsic risk is slippage in token pools on decentralized exchanges, caused when the price of one token in a pool moves against its counterpart. The price quoted by the smart contract of the underlying automated market maker is a function of the token liquidity in the pool. As a consequence, if a transaction that changes pool liquidity is recorded on the blockchain before the swap transaction, the swap may execute at a price different from the one quoted.
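The slippage mechanism described above, worked through as an added example that is not part of the original article. It assumes a constant-product pool (x * y = k) with a 0.3% fee, which the article does not specify; the pool sizes, trade sizes and the names Pool, SlippageExceeded and scenario are constructed for illustration.

```python
class SlippageExceeded(Exception):
    """Raised when a swap would pay out less than the caller's minimum."""


class Pool:
    """Constant-product pool (x * y = k) with a 0.3% fee; an assumed pricing rule."""

    def __init__(self, reserve_in, reserve_out):
        self.reserve_in, self.reserve_out = reserve_in, reserve_out

    def quote(self, amount_in):
        """Output for amount_in at the pool's current reserves."""
        net_in = amount_in * 997              # 0.3% fee, integer math
        return net_in * self.reserve_out // (self.reserve_in * 1000 + net_in)

    def swap(self, amount_in, min_out=0):
        """Price is taken from the reserves at execution time, not quote time."""
        out = self.quote(amount_in)
        if out < min_out:
            raise SlippageExceeded(f"would receive {out}, minimum is {min_out}")
        self.reserve_in += amount_in
        self.reserve_out -= out
        return out


def slippage_bps(quoted, executed):
    """Shortfall against the quote, in basis points."""
    return (quoted - executed) * 10_000 // quoted


def scenario(tolerance_bps=None):
    """Constructed sample: quote 10,000 units, then a 50,000-unit swap lands first."""
    pool = Pool(1_000_000, 1_000_000)
    quoted = pool.quote(10_000)
    pool.swap(50_000)                         # earlier transaction moves the reserves
    min_out = 0
    if tolerance_bps is not None:             # minimum-output guard set from the quote
        min_out = quoted * (10_000 - tolerance_bps) // 10_000
    executed = pool.swap(10_000, min_out)
    return quoted, executed, slippage_bps(quoted, executed)


if __name__ == "__main__":
    print(scenario())                         # unguarded swap fills at the worse price
    try:
        scenario(tolerance_bps=50)            # 0.5% tolerance: the swap is rejected
    except SlippageExceeded as err:
        print("reverted:", err)
```

Without a minimum-output bound the swap fills at whatever the reserves imply when it executes; with the bound, the same reordering causes the swap to fail instead of filling at the worse price.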

Extrinsic risks

Extrinsic risk refers to any unanticipated risk that changes the expected behavior of a protocol. The Financial Stability Board refers to these risks under the broad heading of operational fragilities, and they can be categorized into four areas: smart contract risk, oracle or bridge risk, blockchain risk, and governance risk. 

Smart contract risk arises from the fact that the programming languages used to code smart contracts are typically Turing-complete, meaning they can be programmed for any eventuality. However, this also means that they can produce unexpected outcomes that are often mistakenly referred to as “hacks.” One example is re-entrancy, a code vulnerability that allows an attacker to repeatedly make the same withdrawal, draining funds from a smart contract.
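The re-entrancy pattern mentioned above, modelled as an added example that is not part of the original article and is not real contract code. The Vault and Recipient classes and the deposit amounts are constructed; the model compares a withdrawal that pays out before updating the balance with one that updates the balance first.

```python
class Vault:
    """Toy model of a deposit contract; effects_first selects the ordering."""

    def __init__(self, effects_first):
        self.effects_first = effects_first
        self.balances = {}
        self.funds = 0

    def deposit(self, account, amount):
        self.balances[account] = self.balances.get(account, 0) + amount
        self.funds += amount

    def withdraw(self, account):
        amount = self.balances.get(account, 0)
        if amount == 0 or amount > self.funds:
            return                              # check
        if self.effects_first:
            self.balances[account] = 0          # effect, then interaction
            self._send(account, amount)
        else:
            self._send(account, amount)         # interaction before the effect
            self.balances[account] = 0

    def _send(self, account, amount):
        self.funds -= amount
        account.receive(self, amount)           # control passes to recipient code


class Recipient:
    """Depositor whose receive hook optionally calls back into withdraw()."""

    def __init__(self, reenter=False):
        self.reenter = reenter
        self.received = 0

    def receive(self, vault, amount):
        self.received += amount
        if self.reenter:
            vault.withdraw(self)                # re-enters while the call is open


def run(effects_first):
    """Constructed scenario: 90 units from one depositor, 10 from a re-entrant one."""
    vault = Vault(effects_first)
    other, reentrant = Recipient(), Recipient(reenter=True)
    vault.deposit(other, 90)
    vault.deposit(reentrant, 10)
    vault.withdraw(reentrant)
    return reentrant.received, vault.funds, vault.balances[other]
```

With the payout made before the balance update, the 10-unit depositor receives all 100 units while the other depositor's recorded 90 is no longer backed; with the balance zeroed first, the nested call finds nothing to withdraw.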

Similar risks can arise when blockchains use data oracles or bridge assets from other ecosystems. For instance, price oracles used for low liquidity tokens can be easily manipulated, as happened in October 2022 with a particularly brazen attack on Mango Markets, a DEX on the Solana blockchain. Bridge attacks, such as the $650 million hack of Axie Infinity’s Ronin bridge, typically arise due to poor bridge security.

Blockchain risk is the possibility that the underlying blockchain architecture could be compromised or face downtime. While Bitcoin and Ethereum are renowned for their resilience, other networks – notably Solana – have come under fire for suffering repeated outage incidents. Such downtime could result in the inability to withdraw funds if the market slides, or a loss of profitability if strategies cannot be implemented as planned.

Governance risk refers to the risks posed by poorly designed or executed decision-making processes for projects that are governed through token voting. Just last month, the controversial privacy protocol Tornado Cash was the subject of an attack where a malicious entity managed to seize enough TORN tokens to gain total control over the project. 

Systemic risks

Systemic risks resulting from a high level of interdependency between DeFi protocols, CeFi platforms and the broader ecosystem are “arguably the most concerning” risks, according to the Financial Stability Board. It describes liquidity and maturity mismatches between various platforms, which often seem to be opaque, despite the fact that the evidence is publicly available on-chain. 

The FSB cites the example of Lido Finance, the ETH staking protocol, which inadvertently became caught up in the collapse of the Terra ecosystem in May 2022. Users had been depositing stETH tokens, representing staked ETH, into Terra’s Anchor protocol to take advantage of the yields there. When Terra collapsed, and the value of stETH declined relative to the underlying ETH, CeFi lending protocol Celsius was forced to halt withdrawals of stETH from its own platform, creating a domino effect.

Counterparty and compliance risks 

The permissionless nature of DeFi means that anyone can participate – not only as a user, but as a token issuer and protocol operator. Therefore, counterparty risk could refer to the risk that a token issuer simply drains liquidity from a project, or the risk that an investor may be involved in transactions that put them in proximity with unfavorable counterparties, such as wallets that have engaged in suspicious activity.

Measuring and managing DeFi risks

Given the complexity involved, along with a lack of standardization, there are no easy ways to assess or mitigate the risks involved in DeFi. Historically, investors have been forced to rely on a patchwork of information to carry out due diligence in an attempt to make an educated assessment of areas such as smart contract risks or governance risks. 

However, as DeFi has grown, there are increasing signs of improving standards. DeFi protocols are under increasing pressure to engage in code audits with reputable independent firms and publish the results. Compliance is another area of focus, where the growing availability of institutional DeFi services allows for permissioned participation by whitelisted wallets and enhanced risk management tools such as Know Your Transaction monitoring.  

Nuant is now stepping up to the challenge with the development of the Nuant Quantitative System, a brand-new, state-of-the-art quantitative analytics, risk management, and research system for decentralized finance. The NQS comprises three layers: the Data Stream provides the underlying data architecture; the Integrated Environment allows for the development of custom applications and analytics; and the Quantitative Framework enables modelling and evaluation of DeFi protocols and strategies. The framework employs a data-driven approach to identify, assess, and mitigate DeFi risks – both within and across protocols. Along with quantifying opportunities for yield, NQS users can more effectively gauge the stability, security, and resilience of DeFi protocols and cross-protocol strategies, and test them under a wide variety of market conditions. 

To learn more about the Nuant Quantitative System, or see a demo of our cutting-edge portfolio management system, book an appointment today.

References and further reading

A Broad Overview of Reentrancy Attacks in Solidity Contracts | QuickNode | The Blockchain Development Platform—Guides. (2023, February 8). Quicknode Documentation. 

Bachini, J. (2021, December 9). DeFi Risk | A Framework For Assessing & Managing Risk in DeFi. James Bachini.

Elliott, S. (2022, June 14). How the Celsius Liquidity Crunch Is Linked to Lido’s Staked Ethereum. Decrypt. 

FSB. (2023, February 16). The Financial Stability Risks of Decentralised Finance. Financial Stability Board. 

Gladwyn, R. S. (2023, May 22). Tornado Cash Governance Attacker Offers DAO New Lifeline—And an Expensive Lesson. Decrypt. 

Jha, P. (2022, April 12). The Aftermath of Axie Infinity’s $650M Ronin Bridge hack. Cointelegraph. 

Lehar, A., & Parlour, C. A. (2022). Systemic Fragility in Decentralised Markets. Bank for International Settlements.

Oracle Manipulation Attacks Rising: A Unique Concern for DeFi. (2023, March 7). Chainalysis Blog. 

Reguerra, E. (2023, February 7). Solana Outage Triggers Ballistic Reaction from the Crypto Community. Cointelegraph. 

Rodriguez, J. (2022, February 3). The 5 Big Risk Vectors of DeFi. CoinDesk. 

Value at Risk—Learn About Assessing and Calculating VaR. (2023, May 7). Corporate Finance Institute.