When Things Go Wrong

There’s a warning I give every newcomer to this space in my Rabbit Hole speech: this is the frontier.

“There are no guard rails. There is no one you can sue to correct your mistake. There is no one the government can point a gun at to get your money back. There is no FDIC insurance that is going to bail you out. Once you are in custody of your funds, if you fuck something up, it is literally gone forever. Take this seriously.”

In my few short years in Defi I have personally narrowly dodged half a dozen hacks and been caught in at least two. When a hack does happen I’ll usually track down the technical retrospective just out of morbid curiosity, even if I wasn’t affected. I am someone with decades of software background who has audited contracts personally before putting money in. I know enough Solidity to have written my own Defi project and to recognize the code many projects are forked from. Despite all of that, I have still been caught out more than once. Suffice it to say, if I can’t see it coming, the majority of investors are hopelessly out of their depth. Seasoned veterans in this space will resonate with this next statement: even if you do everything right, sometimes you can still lose. So, let’s talk a bit about what this ecosystem does when things go wrong.

“It is possible to commit no mistakes and still lose. That is not a weakness—that is life”

-Picard

Too often DAOs have no explicit plan for how to respond to a hack until one happens. It is at that moment that the culture and values of a DAO are truly defined. Despite this being the frontier there is a theme of good faith efforts from quality projects to do right by their users. Let’s go over the different approaches DAOs have taken when the worst happens.

One of the more common approaches to reimbursement has been around a long while. Basically, the DAO repays those harmed using future revenue. The DAO creates a token, issues it to those affected, and allows them to redeem their IOU as revenue allows. The earliest example of this I’m aware of wasn’t even Defi. Rather, it was Bitfinex. In 2016 Bitfinex was hacked and lost almost 120k BTC. Rather than simply default, they socialized the loss across their customers’ balances and issued BFX, a bond token that was redeemable for $1 for each $1 lost in the hack. They then siphoned exchange fees to a pool that allowed customers to redeem their BFX tokens. Harvest in Dec 2020 followed an almost identical approach with the introduction of their GRAIN token. They gave everyone 1 GRAIN per $1 lost in the hack and directed future revenue to a GRAIN buyback market. Then they added liquidity mining on the GRAIN/USDC market. If your protocol has enough revenue to repay the loss in a reasonable timespan, and you can get governance token holders to agree to it, this is an honest approach that’s a good compromise between user opportunity cost (reimbursed by farming yield) and DAO loss (lost revenue and added issuance).
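To make the IOU mechanic concrete, here is an added example (not code from the original post, nor from Bitfinex or Harvest) that models the BFX/GRAIN pattern just described: one IOU per $1 lost, a slice of each revenue batch diverted to a redemption pool, and holders redeemed pro rata at $1 per IOU. The holder names, loss amounts and revenue figures are constructed for illustration; the “scale” bookkeeping is my own choice, picked so that the order in which holders claim does not change what anyone receives.

```python
"""Redemption of hack IOUs out of future revenue (added example).

Models the BFX/GRAIN pattern: one IOU per $1 lost, revenue diverted into a
pool, holders paid pro rata. All names and amounts are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class IouLedger:
    issued: dict[str, float]                  # address -> IOUs (1 per $1 lost)
    claimed: dict[str, float] = field(default_factory=dict)
    # Fraction of every holder's original IOU that is still outstanding.
    # Each funding round multiplies it by (1 - r), so a holder's lifetime
    # entitlement is issued * (1 - scale) regardless of claim order.
    scale: float = 1.0

    def __post_init__(self) -> None:
        self.claimed = {addr: 0.0 for addr in self.issued}

    @property
    def outstanding(self) -> float:
        """Dollars still owed across all holders."""
        return sum(self.issued.values()) * self.scale

    def fund(self, amount: float) -> float:
        """Put `amount` of revenue toward redemptions.

        Returns the surplus handed back to the treasury once every IOU is
        covered (zero while debt remains).
        """
        if amount < 0:
            raise ValueError("negative funding")
        owed = self.outstanding
        if owed == 0:
            return amount
        r = min(1.0, amount / owed)      # fraction of remaining debt retired
        self.scale *= 1.0 - r
        return amount - r * owed

    def claimable(self, addr: str) -> float:
        """Dollars `addr` may withdraw right now."""
        return self.issued[addr] * (1.0 - self.scale) - self.claimed[addr]

    def redeem(self, addr: str) -> float:
        """Pay out everything `addr` is entitled to so far, $1 per IOU."""
        amount = self.claimable(addr)
        self.claimed[addr] += amount
        return amount


def periods_until_repaid(ledger: IouLedger, revenue_per_period: float,
                         share: float) -> int:
    """Periods needed to clear the debt if `share` of each period's revenue
    is diverted. This is the 'reasonable timespan' question a DAO should
    answer before choosing this route."""
    if revenue_per_period * share <= 0:
        raise ValueError("no revenue is being diverted; debt never clears")
    periods = 0
    while ledger.outstanding > 1e-9:
        ledger.fund(revenue_per_period * share)
        periods += 1
    return periods


if __name__ == "__main__":
    # Constructed hack: Alice lost $600, Bob lost $400.
    ledger = IouLedger({"alice": 600.0, "bob": 400.0})
    ledger.fund(250.0)                       # first revenue batch
    print("alice can claim", ledger.redeem("alice"))   # 150.0
    surplus = ledger.fund(1000.0)            # more than enough to finish
    print("surplus returned to treasury", surplus)      # 250.0
    print("bob can claim", ledger.claimable("bob"))     # 400.0
    print("periods to repay $1000 at $400/period, 100% diverted:",
          periods_until_repaid(IouLedger({"x": 1000.0}), 400.0, 1.0))  # 3
```

The `periods_until_repaid` loop is the sanity check to run before voting for an IOU token: if the number comes back in years rather than months, the farming yield on the IOU market will not cover the holders’ opportunity cost and the scheme is really a soft default.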

The next approach tilts more heavily toward DAO loss. Basically, the DAO can repay users from its treasury. This is tricky because when a hack happens the governance token price craters. So if the DAO tries to reimburse users with its governance token, that token is at an all-time low due to the hack. This leads to both users and the DAO generally getting screwed, because the token gets sold far below fair market value. So what is a DAO to do? Yearn had the simplest approach to this. Rather than paying users out in YFI, they took a loan on Maker using their YFI and repaid the $11M loss in DAI. They also explicitly said this was a one-off event and to buy your own insurance next time. XToken, instead of taking a loan, used a timed release mechanism to give the token time to stabilize before the sell pressure of reimbursement hit. Mechanically, they issued an rXTK token that can be redeemed for more XTK the longer you delay claiming (up to a year). It’s a simple workaround to the problem, and it’s not as though there was an XTK vault on Maker they could use.

Perhaps the most novel approach I’ve seen is to just, uh, ask nicely for the funds back? When Alchemix had their red carpet exploit, rather than threatening users they created an NFT to commemorate good citizens and celebrated their community. Carrot works better than hollow stick as it turns out. If I had to generalize the concept to include black hat scenarios I’d say their approach of offering NFT incentives to fundraise and commemorate helping out in a time of need is a capital efficient strategy compared to the alternatives discussed above. Really, it’s amazing how much they got back and how it brought the community together. I personally was an asshole, but at least I feel bad about it.

All of the above is what you can do if you get hacked without a plan. Surely there must be something you can do proactively, right?

First, as a user you may be able to buy insurance. There are platforms that resemble traditional insurance such as Nexus Mutual and Armor, Yam’s Umbrella, Yearn’s Cover, and prediction market approaches using Augur or UMA’s expiring derivatives. Implementation details vary but the basic idea is you buy an “I got hacked” NFT that can be redeemed for money if you indeed got hacked. As with any insurance, they will try to weasel out of it. For example, Badger got hacked recently and users with insurance didn’t get paid because the hack wasn’t on the smart contract but on the frontend. This doesn’t exactly inspire confidence. At the end of the day, some combination of terrible UX, gas-intensive processes, and a lack of user trust is holding back the Defi insurance market.

In light of that, DAOs have taken to making their own insurance pools (with blackjack and hookers). As I mentioned above, DAOs make money. Shocking, I know. Now, they could put some of that money in a “break in case of hack” piggy-bank but what if the loss is bigger than the piggy-bank? Then they’re stuck in the reactive zone above. Option two is to use the rewards to buy insurance for all their users from an insurance protocol. This is too contractually clunky to work. The amount they have to insure can scale faster than the contract can be amended and there are trust issues regarding payout.

Ultimately, what a DAO wants is for the DAO itself to decide when to cover a loss, so it can protect its brand, and for there to be clear accountability for who is covering that loss and in what order (potential for tranches). So, instead of the options above, some DAOs are creating a staking pool of bonded assets that will be used at the DAO’s discretion in the event of a hack, and they take a slice of the protocol revenue and compound the bonded assets with it. The stakers end up making an amplified share of the DAO profits for accepting extra risk and performing an essential service for the DAO. Aave does this with stkAave, XToken does this with xXTKa, and Alchemix is doing this with their v2 launch. These examples use the governance token as the bonded asset, which seems to me to be unwise, but that isn’t required for this scheme to work.

This system is really a clever inversion of the insurance model as we know it. It insures all users with leverage compared to a reserve pool (kind of like rented liquidity), cuts the insurance protocol out as a middleman, and effectively makes the DAO the claims assessor which removes the trust problem. If you don’t trust a DAO, don’t use their product. More trusted DAOs will gain market share, which will increase their revenue, which will scale their insurance budget. It’s so much cleaner than a Nexus Mutual design and it’s totally native Defi.

What I don’t like about this model is that the bonded assets are usually the governance token. This comes with two problems I’ve alluded to above. The first is the equivalent of congress voting on their own paycheck. The second is that if you think you have $100M in insurance and you get hacked, by the time you can so much as write up a proposal to liquidate some of those bonded assets your token value has fallen in half.
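Both the “token gets sold far below fair market value” problem from the treasury-reimbursement discussion above and the “$100M of insurance that is worth half that by the time you can write a proposal” problem here come down to the same mechanics, so here is one added example covering both (my own code, not from the original post or from any DAO named in it). It models a constant-product AMM pool (x · y = k) for a made-up governance token GOV against DAI, and computes how much GOV a forced sale actually consumes, and how much DAI a bonded GOV pool can actually raise, before and after an outside sell-off. Every reserve, loss and crash figure is constructed for illustration; fees are ignored.

```python
"""What a forced sale does to governance-token reimbursement (added example).

A constant-product AMM (x * y = k) for a constructed token GOV against DAI.
All numbers are made up; no fees are modelled.
"""
import math
from dataclasses import dataclass


@dataclass
class Pool:
    gov: float   # GOV reserve
    dai: float   # DAI reserve

    @property
    def spot_price(self) -> float:
        """DAI per GOV at the current reserves."""
        return self.dai / self.gov

    def gov_needed_for(self, dai_out: float) -> float:
        """GOV that must be sold to pull `dai_out` DAI out of the pool.
        (x + dx)(y - dy) = k  =>  dx = k / (y - dy) - x"""
        if dai_out <= 0 or dai_out >= self.dai:
            raise ValueError("cannot withdraw that much DAI from this pool")
        k = self.gov * self.dai
        return k / (self.dai - dai_out) - self.gov

    def dai_raised_by(self, gov_in: float) -> float:
        """DAI received for selling `gov_in` GOV into the pool.
        dy = y - k / (x + dx) = y * dx / (x + dx)"""
        if gov_in < 0:
            raise ValueError("negative sale")
        return self.dai * gov_in / (self.gov + gov_in)

    def after_crash(self, drop: float) -> "Pool":
        """Pool after outside sellers push the spot price down by `drop`
        (a fraction in [0, 1)). k is preserved, which is where arbitrage
        leaves a constant-product pool once the price has moved."""
        if not 0 <= drop < 1:
            raise ValueError("drop must be in [0, 1)")
        k = self.gov * self.dai
        new_price = self.spot_price * (1 - drop)
        return Pool(gov=math.sqrt(k / new_price), dai=math.sqrt(k * new_price))


def reimbursement_cost(pool: Pool, loss_dai: float, drop: float) -> tuple[float, float]:
    """GOV the DAO must sell to raise `loss_dai`: (before crash, after crash)."""
    return (pool.gov_needed_for(loss_dai),
            pool.after_crash(drop).gov_needed_for(loss_dai))


def bonded_coverage(pool: Pool, bonded_gov: float, drop: float) -> tuple[float, float]:
    """DAI a bonded GOV pool could actually realise: (before crash, after crash).
    A pool bonded in DAI would simply return its face value in both cases."""
    return (pool.dai_raised_by(bonded_gov),
            pool.after_crash(drop).dai_raised_by(bonded_gov))


if __name__ == "__main__":
    # Constructed market: 1,000,000 GOV against 10,000,000 DAI (GOV = $10).
    pool = Pool(gov=1_000_000, dai=10_000_000)
    loss = 2_000_000                      # constructed hack loss in DAI
    before, after = reimbursement_cost(pool, loss, drop=0.5)
    print(f"GOV sold to repay {loss:,} DAI: {before:,.0f} before the crash,"
          f" {after:,.0f} after a 50% crash (spot would suggest {loss/10:,.0f})")
    cov_before, cov_after = bonded_coverage(pool, 400_000, drop=0.5)
    print(f"400,000 bonded GOV raises {cov_before:,.0f} DAI before the crash,"
          f" {cov_after:,.0f} DAI after it")
```

Two things fall out of running it. Even before any crash, slippage means a $2M repayment costs 250,000 GOV rather than the 200,000 the spot price suggests; after a 50% crash it costs roughly 558,000, more than a quarter of the whole pool’s depth. And the bonded pool’s real coverage drops by a similar proportion, which is the case for bonding the same asset as the funds at risk: a DAI-denominated pool covers its face value no matter what the governance token is doing.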

Here are some ideas of my own that no one asked for.

  • Audits could come with insurance against hacks they didn’t catch.
  • Developers should be able to buy the equivalent of malpractice insurance.
  • Bonded assets that serve as an insurance pool should be of the same type as the potentially lost funds.
  • More protocols should do as Maker and Yearn have done and make a surplus buffer rather than immediately distributing funds as revenue is generated. The full topic of protocol controlled assets (PCA) or protocol owned liquidity (POL) is vast but having an insurance pool is a rather universal suggestion.

In summary, despite this being the frontier the people here generally want to do the right thing. It’s not just selfishness and brand protection. Literally, the majority of people want to do the right thing. The reason we have to obsess over incentive structures and loopholes all day is because not everyone does (evil exists and is relentless) and because these systems are permissionless (we can’t stop bad actors at the door). So, yes, bad things happen in this space. But we’re also figuring out what to do about that. And somehow, I think the good guys are generally going to come out on top.