There have been many works done on the risk faced by owners and investors of defi tokens, but much less from the prospective of protocols themselves. In this literature review, we will briefly discuss on 8 types of risks exposure for protocols, and classify them under systematic and idiosyncratic risk.
The definition of systematic and idiosyncratic risk for defi protocols is slightly different from their definitions in traditional finance space. We define systematic risk as risks that are unpredictable and cannot be avoided by the protocol, this includes the market, user and tech risk. Idiosyncratic risk refers to those that can be mitigated under different specifications of protocol and depends on how well designed are the protocols to ensure its profitability and sustainability, this includes the currency, economic parameter (operational), governance, financial and liquidation risks. For each type of risk, we will explain in details on their definitions, potential methods for measurement, and their possible interactions with the other sources of risk exposures. Lastly, will discuss on the methods of overall risk assessment and comparison between different protocols.
Fig 1. Chart of protocol risk classification
As opposed to the widely known definition of risk inherent to the entire market segment in traditional finance, here we exceptionally define systematic risk as risk that cannot be predicted and avoided when analysing risk faced by defi protocols. The systematic risk represents a major group of risk consisting of market risk, user risk and the tech risk.
Market risk is the risk of losses arising from market variables like price and volatility. Similar to the case for traditional finance, market risk represents one of the largest group of risk exposures, because it consists of many areas and issues often occur on a large scale that cannot be mitigated from a single protocol’s perspective.
One of the most significant sources of market risk lies in regulation. In fact, this is faced by the defi sector in general. Being a newly developed and quickly growing industry, the whole defi sector is transiting from a financial space with little regulation interference to one that is getting much more attention and stricter government supervision and regulation. The defi service providers faces risk of the changing regulation affecting their operation, such as limitations on the lending rate, and taxation on revenues earned from trading of cryptocurrency, which make them a less attractive investment to users. In more severe cases, they may not be allowed completely in certain geographical regions. These risks are not foreseeable by the protocol owners.
Furthermore, due to the short development of defi sector, the financial regulators also do not have an extensive range of past data on how different types and degrees of regulation would affect the defi sector in various ways. This often result in them exerting an “incorrect” level of regulation that may cause significantly more harm to the defi service providers than the actual benefits. Also, even when the changes in regulation is relatively small and targeted, their impact may overflow to those that are supposedly less or non-affected as they stir up the market sentiments, causing token holders to react in a more negative way.
There is no concrete way to measure the significance of such regulation risk as government interference may occur at any time and any level, but we can set up our own scaling systems based on a variety of factors, including whether transaction for a particular token has been restricted in any countries, regulations on tokens of the same type or those closely correlated in prices and the degree of openness of regulating authorities towards that token. These would help us to come up with an expectation of whether the token would be faced with regulation risk in the short future.
b) Changes in prices
Another significant source of market risk is the changes in prices of other assets in the market. Due to the high significance of human behaviour, the defi sector is highly correlated. This especially forms a serious issue, when protocols are accepting collaterals of other types of defi tokens as assets. When the prices of these asset collaterals change, it may trigger the need for token holders to either put in more collaterals to meet the minimum requirement, or force them to liquidate their assets when they fail to do so. This may result in behaviours of token holders that are different from expectation, e.g. higher percentage of liquidation and withdrawals from the token, which may not be healthy for the protocol if they continue for a prolonged period.
A potential way to assess the degree of risk exposures from such price factors is to use a correlation matrix between the token and its competitors, and the larger coins. If the token shows a large correlation value with many other tokens, it hints that this token can be very prone to market volatility and changes.
For tokens accepting multiple types of assets as collaterals, it is also important to look at the correlation between prices of these different assets. In cases where these assets are less price correlated, the risk of price changes is actually diversified and may not be as serious.
Another gauge of market risk is to find out the beta of a token relatively to the market. This is comparable to the tradition finance model of using beta to determine market correlation. For defi protocols, it may be difficult to determine the beta relative to market as each trading platform holds a different pool of trading pairs, and there is also no established defi token indexes. Hence, we can either simulate a market using the top trading assets, or simply calculate the beta relative to another big coin like BTC and ETH instead. Given the general high correlation between token prices, these big coins should be able to give adequate information of the market. If a token’s beta is greater than 1, it is likely to be exposed to higher degree of market risk.
c) Competitors in the market
This is a similar source of risk exposure as the price risk above, but with slight difference when we analyse from the perspective of protocols. When new investors enter the defi sector, they are faced with a wide range of tokens to choose from, and hence need to make their investment decisions based on factors like their investment purposes, size of investment and time period. They have to consider the opportunity cost for their choices and make the best decision given their conditions and constraints. Thus who the competitors are can directly impact such decision making on token investment.
Furthermore, the competitors, especially those that operate in a similar way, usually have high price correlations with the protocol of choice and may affect token prices significantly. Such risk is again difficult to evaluate quantitatively, as there is no specific scale of measurement of the degree of competition yet.
d) Black swan events
Black swan events refer to the unpredicted events that is beyond normal expectations in the market, such as extreme price shocks. These events are generally unprecedented and unlikely to repeat, making it impossible to predict.
Due to this nature, we will not account for these events in risk assessment, but it is important to be aware of the impact of the historical black swan events in risk management, so we can gauge a suitable range of the potential value at risk when facing an extreme event.
e) Underlying blockchain layer
This is a risk exposure that is new and unique to the defi sector. Many of the defi protocols today reside on the blockchain of another protocol, for example, the Maker protocol runs on Ethereum. This directly gives a risk exposure that comes from changes in the underlying blockchain layer. The residential protocols have no control on how is the underlying protocol going to change. In cases where essential parameters like interest rate and inflation rate of the underlying changes, the relevant parameters and cost of transactions of the residential protocols may have to change accordingly in order to close any loopholes like arbitrage opportunities and reduce financial losses. In fact, this is known as the miner extractable value, where miners strategically generate more revenue by re-ordering transactions in each block.
Again, the risk exposure from this area would be difficult to measure as it depends on behaviours of the underlying blockchain, which are not controlled by the residing protocols.
2. User risk
The second major type of risk for protocols is the user risk. Contrary to the common definition of user risk to be investors’ manual errors, here the term refers to the risk of losses for the protocol arising from user behaviour.
a) User behaviour
One of the main determinants of user risk comes from how token holders are being incentivised on actions like arbitrage and liquidation. To assess the risk exposure from this area, we can begin with finding out who are the economic agents involved, and the purpose of users investing in the protocol. If users are investing in the protocol for yield by contributing to the liquidity pool, they are likely to put in assets when the protocol offers a high yield rate, and withdraw when the rate is below their expectations or completely stopped.
Meanwhile, user behaviour may be difficult to predict even when we have knowledge on their purpose of investment. The defi market is highly influenced by human behaviours, which may usually be irrational. Users are constantly being exposed to information from social media and online communities, resulting in a herding behaviour where individual investors tend to act collectively and follow decisions by others, instead of relying on their own financial research and decision making rules.
In events of large herding behaviour, the market may experience significant shock and volatility in prices. The degree of such behaviour is also relevant to how much the protocol is exposed to market price risk, as negative sentiment in one token could be spread to other similar tokens, or even the entire defi market. Although such shocks from market sentiments could be absorbed when the irrationality cools down, the short term potential losses are still an area of concern. They cannot be controlled and predicted from the protocol perspective, and hence contribute to potential areas of risk.
b) User concentration
Another way of analysing the user risk is through the concentration of tokens which can be measured by the amount of tokens held by the top addresses. For most tokens with governance features, token holders have the right to express their opinion though votes when new proposals are initiated for the protocol. Usually, the amount of voting power one holds depends on the number of tokens he has. Thus when large proportion of tokens are being held by only a few addresses, voting power is also concentrated. During governance polls, the large addresses may choose to vote for a change that is more favourable for their own interest, instead of voting for sustainability of the protocol and benefits of the general token holders.
For example, in August 2021, there was a governance vote for Uniswap to fund $25 million worth of UNI tokens to a small analytics service provider. The affirmative votes were once leading even though this funding would be of no value to the other token holders, as most were not even aware of this vote until a day before it ended. Although the vote was eventually reversed, this incidents shows the possibility of governance voting being used for malicious intents that do not benefit the majority of token holders.
An additional note on the user risk is that, while we categorise the user risk as a systematic risk that cannot be avoided, we need to acknowledge that user behaviour could actually be guided by how the protocol is designed. Some of the protocol specifications could guide users to behave in a specific way using different incentives.
The third type of systematic risk faced by defi protocols is the tech risk, which refers to risk exposure coming from the tech infrastructure and smart contracts.
a) Malicious attacks on smart contract
Although security measures in blockchain is already rather developed today, we should not oversee and disregard risk coming from this area. Occasionally, we still see cases of malicious attacks on smart contracts being reported. Malicious nodes on the blockchain could make false validations to transfer tokens to their own addresses, resulting in direct financial loss to the protocol.
Such issues also cause the price of tokens to fall, as investors will feel less confident and secure to put their investment into a protocol with security loopholes. In fact, we always observe down spurge in token prices and large liquidation losses from mass withdrawals after reports of security issues.
Assessment of such risk may be more arbitrary and involve high technical knowledge on blockchain and smart contracts. We have to analyse the codes and security implementations to make a fair decision on the level of risk exposure. However, this does not mean we can oversee such risks. Although they happen at relatively rarer occasions than market and user risks, they can bring a large and lasting loss to the protocol.
b) Failure of tech infrastructure
Besides security risks from the protocol’s own blockchain and construction, there is also risk from the underlying. As mentioned in the previous sections, many defi protocols today are residing on an another protocol. Thus when technical failures occur in the underlying, all activities have to halt.
Risks from the underlying, although occur at very rare occasions, cannot be controlled and is hard to predict from individual protocol’s perspective. In extreme cases that such events happen, all the residential protocols will be affected, making the relatively risk to be evened out if we are comparing protocols against each other. But nevertheless, we should stay aware that is a source of risk exposure that cannot be controlled.
As opposed to systematic risks that cannot be controlled, we define idiosyncratic risk as risks that can be predicted and mitigated. For defi protocols, the sources of idiosyncratic risk are generally related to the construction of protocols. They involve the unique parameters for defi segment, which is new and different from the traditional finance. But for ease of analysis and understanding, we will match them to a similar source of risk in traditional finance whenever possible. The idiosyncratic risk includes protocol risk, economic parameter risk, governance risk, financial risk and liquidity risk.
4. Protocol risk
The protocol risk is an unique source of risk to defi protocols. We define it as the risk coming from the assets held to make a judgement on the risk of the whole protocol. This is usually assessed based on empirical data.
a) Locked tokens against market cap
The first factor affecting protocol risk comes from the proportion of tokens, which are significantly affects token inflation in the future. We can look at the percentage of tokens in circulation, and the percentage that is circulating but locked up, which indicates how much token is currently locked in smart contracts and available for staking. Also, how much fresh token is going to be unlocked in the next batch, indicating the amount of token that will enter circulation. Defi protocols need to ensure its token inflation remains at a stable level, so the value of token is protected and investors can hold them for a long time period. These figures can be determined by the protocol’s parameters and voting, which will be explained in the later sections.
b) Default risk
The default risk here refers to potential failures of protocols to meet their obligations to investors. This is especially relevant to protocols designed for lending, which usually promise a high rate of reward for investors contributing to their liquidity pool. When the protocol has a low level of assets held, there is increasing possibility that it does not have the financial ability to provide such high rewards for a sustained period of time, thereby discouraging investors to join.
5. Economic parameter risk
The economic parameter risk here refers to the risk in everyday operation of the protocol. It is associated with economic policies and mechanism design. This can be compared to operational risks in traditional finance, which is the uncertainties coming from regular activities.
The defi sector has many unique parameters such as liquidation price and back stop that are determined by the protocol’s mechanism design. The existence of these additional parameters highly define the mode of operation and profit of a protocol. For example, the existence of liquidation price means that the protocol will require a fee when users liquidate their assets. This parameter not only influences the amount of cash inflow, but may also act as an incentive for them to hold on to their tokens if the liquidation fee is high.
These parameters are fully controlled by the protocol owner when they construct the design. They are relatively difficult to assess alone, as the types of parameters and values can be strongly related to other areas of risk exposures.
Governance risk refers to the risk exposure arises from uncertainties in the parameters that token holders can change by voting. This is a unique risk to the defi sector. While the system of voting, initiating changes and the types of changes that can be raised is different for each protocols, the general voting power of defi investors are still relatively higher than those of typical shareholders in traditional finance.
The system of governance is designed by the protocol owners according to the goals for initiating the token. To analyse the degree of uncertainty from governance factors, we need to carefully study the voting system, including who can vote, how is voting power determined for each person, what can be changed and to what degree can these changes be.
Some of the common parameters that can be voted to change are stability fees, debt ceiling and liquidation penalty. And sometimes, major changes to the protocol can also be open for vote, such as MKR was voted to accept multiple types of assets as collaterals. These changes will then affect the overall risk exposure in different areas, and we need to be aware that these changes may occur any time, as long as they are permitted by the protocol’s policy.
The financial risk of defi protocols can be defined in a similar way as traditional finance, which is the risk of losing money in business and investment. The key of financial risk lies within cashflow of the company, or protocol in the case of defi.
Whether a protocol has stable and adequate amount of cashflow is an important gauge of financial risk. Just like any other financial projects, protocols with healthier cashflow conditions are more likely to attract investor confidence and longer holding periods. The amount of cash that a protocol has on hand significantly determines its ability to stay through a market shock and other uncontrollable events. This area of risk exposure is also relevant to token inflation, as tokens with a healthier cash flow condition is likely to have more assets on hand, so inflation can be controlled to a stable level, benefiting the sustainability of protocol.
A potential method to determine the level of financial risk exposure is to analyse a protocol’s cashflow conditions. We can infer these data from the protocol’s official documents and reported figures, to determine the components of its cash inflow and outflow, and to model them into a discounted cash flow model for projection. Some of the common components to look at are the stability fees and liquidations fees paid by users when they commit the relevant actions. While these events are highly influenced by the market and behavioural factors that are difficult to predict, understanding the average amount of cashflow in each time period can help us to understand a protocol’s risk position. We can also use the historical high and low cashflows to determine the value at risk in extreme conditions.
For protocols offering yield reward to contributors of liquidity pool, it is also important to track any changes in the yield rate, which is a major factor affecting the cash outflow. An important note when analysing the cashflow is that, the parameters and rates used in the defi sector is not constant. They are prone to changes from governance voting, so if we are to analyse the risk exposure in future, we have to account for the possibility of changes in the rates too.
On top of modelling cashflows using reported figures, another way to gauge financial risk is using the protocol ratios. The collateralisation ratio, or the c-ratio, is the ratio of value of collateralised asset to the loan amount that users have to maintain to keep their vaults active.
By maintaining the collateralised asset above a specific level, the protocol will be able to hold a healthy level of cash and fast liquidations on hand. This concept is similar to the idea of reserve ratio in traditional finance, where businesses have to maintain a certain level of cash and cash equivalents. By asking for a higher collateralisation ratio, the protocol is more resilient to financial shocks and investor defaults.
Similar to the case of traditional finance, investments on leverage may result in significantly higher losses in negative market events. Protocols should be aware of how much of their investors are financing on leverage, i.e. using borrowed on-chain assets to have a stake of their tokens, to have a better estimate of the amount of potential liquidations that would take place in market downturns. Although the protocols might not be able to directly restrict investment on leverage, they can help to limit or discourage the use of leverage through social platforms.
This is also relevant to the users risk, which cannot be controlled by the protocol as some people are willing to invest on leverage to increase the size of their investment despite the risk involved.
The liquidity risk here refers to risks associated with the primary market. This is broader definition of the liquidity risk in traditional finance, which usually refers to a business’ ability to cash out their assets.
a)Inflation rate of token
Inflation rate of token refers to the growth of token supply on market in each time period. Such inflation usually comes from the liquidity mining schemes, where protocols reward users with new tokens for holding their tokens and contributing to liquidity. A high inflation rate of token may cause the token to depreciate in real value over time, hence protocols need to maintain a stable inflation rate of its tokens. This can be done through modifying the reward scheme to give different rates for contribution of different types of liquidity, different lengths of holding periods, any cap to the maximum reward rate and a specific date that each reward scheme remains valid for.
These factors can be controlled by the protocol’s mechanism design, and the degree of governance where only a specific set of relevant parameters can be changed through token holder voting.
b) Correlation with demand
Another area to analyse is how the demand for a specific token changes. This is relevant to the user risk, where we find out what are the reasons that drive investors in holding the token. There is a slight distinction between the two, where user risk is the observed reason for demand that cannot be controlled by the protocol owner, but for the idiosyncratic side, it is how the protocol designs itself to meet needs for different investment purposes.
With the understanding of different sources of risk exposures and how to measure each of them, we also need to come up with a way to analyse the general level of risk exposure. However, the above risk metrics come from different areas and may interfere with each other that we cannot simply sum them up. A potential method here is to determine a scale for each type of risk exposures that grades the amount of risk exposure into different levels, and combine all grades on a radar chart. By comparing the radar charts of a group of similar protocols, we can determine which protocol is being more exposed to what types of risks. This would help the protocol providers to understand their relative risk standing across the market, and also help investors to make decisions in which tokens to invest in.
A possible way of determining the risk level for each area is to assess the likelihood of happening and the consequence of loss, as shown in the following table.
Table 1. Risk exposure scale1
In conclusion, risk analysis for defi protocols is a very complex process as the areas of risk exposures are very different and often interfere with each other. For example a protocol that allows more freedom in governance will attract investors who want to make the most out of being able to cast their votes on a wide variety of factors, but it will also be subject to more volatility in changes and be undesirable to the other group of investors who want to hold the tokens for stability in asset value. Thus, we have to be clear of our purpose first, and then to make the relevant analysis and comparison across protocols.
Karp, H. (2019, December 2). Understanding risks in DEFI #2: Makerdao multi-collateral Dai. Medium. from https://medium.com/nexus-mutual/understanding-risks-in-defi-2-makerdao-multi-collateral-dai-dcce43156fea