Web3 security vulnerabilities pose a significant threat, with smart contract security issues accounting for $3.8 billion in losses, according to Chainalysis. The following chart demonstrates the escalating number of hacks in Web3.

DeFi encompasses various risk categories, including:

• Financial risks: These pertain to the financial stability of DeFi protocols, such as bad debt in lending protocols or extreme market volatility affecting protocol stability.
• Smart contract risks: These involve vulnerabilities in smart contracts utilized by DeFi protocols.
• Off-chain security risks: DeFi protocols extend beyond smart contracts, with other web infrastructures or applications also susceptible to compromise, including phishing attacks or seed phrase breaches.

Specific examples of DeFi risks include:

• Financial risks → Liquidity risks: These concern users’ ability to trade assets on a specific exchange or platform. In DeFi, liquidity risks may result from insufficient trading volume or locked funds.
• Smart contract risks → Oracle risks: These entail data manipulation by oracles, causing inaccurate pricing or other complications.
• Off-chain security risks → Custody risks: These involve losing access to funds due to private key storage or security issues.
• Smart contract risks → Smart contract upgrade risks: These occur when a smart contract upgrade goes awry, leading to fund losses or other problems.

While smart contract risks contribute to security issues in DeFi, financial risks can cause even greater challenges.

For example, the bad debt in the lending protocol. In protocols like Compound, an account is deemed insolvent when the amount borrowed is greater than the total collateral value in US dollars. If an account goes beyond its collateral limit, it is usually liquidated by a third party, such as a bot, and the user loses their collateral to repay the debt. However, if liquidation doesn’t occur on time, the sold collateral may not be enough to cover the debt, leading to increased bad debt within the protocol. This situation can pose a risk to protocols and lenders. There would be a system-wide risk where there is more outstanding debt than the collateral to cover that Borrowers may not be able to withdraw all their funds. In such a scenario, a bank run is easy to happen.

Venus is one of the examples. On May 8th, the collateral factor was increased from 60% to 80%, leading to an increase in borrowing with XVS as collateral. On May 18th, the price of XVS suddenly shot up from $80 to $145, prompting borrowers to sell their XVS to secure profits. This led to a sharp decline in XVS price, triggering liquidations and resulting in over $100M of bad debt for Venus. Choosing the right collateral factors and collateral assets is crucial to the security of the lending protocol.

Solutions

Numerous projects are addressing financial risk in the DeFi sector, a key area within the Web3 world. They offer products to institutional investors and protocols to help them understand underlying risks and manage their products in extreme markets.

Three primary research areas include:

• Risk Dashboards
• Simulations
• Credit Rating

Several projects fit into these three solutions:

Risk Dashboards

Risk dashboards are a primary solution in the DeFi world, where noise often obscures valuable data. While market data such as volume, TVL, and market cap is easily accessible, liquidation data and bad debt data are more challenging to track. Developers need to build databases to monitor core risk factors for DeFi projects.

Commonly tracked data includes:

• Collateral ratio
• Collateral at risk
• Total collateral
• Supply & Borrow
• Liquidation amount & event
• Protocol health
• Active wallets
• Whale TVL
• Asset types
• Trading data
• Oracle

Some projects are working to cover the gaps left by existing security companies like CertiK and Runtime Verification.

Chaos Labs

Chaos Labs specializes in risk dashboards, offering market information such as total borrow amount, total supply, TVL, and collateral at risk on different chains.

They also provide wallet insights, allowing users to manage their wallet liquidation risk in one dashboard.

Chaos Labs collaborates with AAVE, BENQI, dYdX, Osmosis, Avalanche, Chainlink, and Uniswap Foundation to build more secure DeFi protocols.

They collaborated with BenQi to secure their safety. They build total 4 dashboards to unveil some hidden data on the blockchain:

• Risk monitor
• veQi calculator
• Liquidity staking analytics
• Reserves dashboard

Risk monitoring is one of the core dashboards to ensure the health of the BENQI protocol. The dashboards evaluate the distribution of supplied/borrowed/mint/reserve assets. Besides distribution, it also incorporates some overall data like collateral, borrowing, liquidation, and active wallets.

It provides a breakdown of different BENQI-supported assets. Users can also look at these data groups by the wallet. In the liquidation tabs, users can see recent liquidation events and liquidation volume.

In Risk explorer, users can get insight on extreme markets. Input the price change of underlying assets, the explorer will provide predicted liquidation data.

Similarly, Chaos Labs also corporate with AAVE. The risk dashboards provide similar data, but collateral ratio over time and GHO at risk.

Apostro

Apostro offers risk dashboards to protocols, focusing on on-chain monitoring. By monitoring on-chain protocol data and transactions, they can alert users to potential incidents, exploits, and attacks. Apostro also closely monitors extreme market activity and oracle prices, which are susceptible to manipulation. Oracle price manipulation is one of the most famous hack techniques. Hackers can use this technique to enforce arbitrage on the protocol.

Apostro provides three main dashboards:

• Risk
• Oracle price
• Market

Arkhivist

Arkhivist works on risk dashboards with a focus on smart contract security. They allow individual investors to subscribe to protocol pages, with intelligence scanners continuously monitoring the protocol for exploitations.

Arkhivist plans to offer three dashboards:

1. A main dashboard showing security scores of different protocols and their changes over one and seven days.
2. A dashboard displaying security vulnerabilities in these protocols.
3. A dashboard analyzing smart contract interactions and conducting network analysis.

Solity

Solity gathers both on-chain and off-chain data and analyzes them with ML to quantify, norms, and process fundamental risk.

With the on-chain and off-chain data, Solity provides customized risk analysis and monitoring. It focuses on the data like oracle data, governance data, smart contract security, protocol activity, and market volatility.

Risk DAO

Risk DAO provides two dashboards:

• Bad debt
• Financial risks

The bad debt dashboards include bad debt-related info for major protocols. Users can also review it by the date.

The financial risks dashboard varies for different projects. Here is an example made for Vesta Finance. It provides the following data:

• System status

• MCRS(Minimum Collateral Ratio)

• Risk parameters sandbox

• Asset distribution

• Stability

• Pool

• Open liquidations

• Oracle deviation

• DEX liquidity

• Qualitative analysis of different assets pool

• GLP utilization

  
  

Simulation

Simulation is an important technique used in traditional finance and banking. Financial institutions use simulations to model various market scenarios, such as changes in interest rates or stock prices, to assess the impact on their portfolios. These simulations allow institutions to better understand the risks associated with their investments and make more informed decisions.

One common simulation technique used in finance is Monte Carlo simulation. Monte Carlo simulation involves generating random variables to simulate various market scenarios. By running many simulations, institutions can gain insight into the likelihood of different outcomes and adjust their portfolios accordingly.

Another common technique is stress testing, which involves simulating extreme market scenarios to assess the impact on institutions’ portfolios. Stress testing can help institutions identify potential vulnerabilities and take steps to mitigate risks before a crisis occurs.

Now simulation is now becoming the solution for DeFi risks as well. In this approach, projects apply some models to the protocols. Projects first decide on some important risk factors. They quantitatively analyze these risk factors and predict the potential outcome by adjusting the risk factors one by one.

With these methods, simulation can be used for the following purpose:

• Collateral ratio
• Optimize fees
• Token emission
• Extreme cases like depeg, potential exploit

Gauntlet

Gauntlet is a project focused on simulation. They use their simulation model to help protocols find better factors. They work closely with Compound and help Compound perform market risk assessments, contribute to treasury management, optimize incentives, calibrate risk parameters, and upgrade the protocol.

Gauntlet uses three key metrics to evaluate the capital efficiency and risk of a DeFi lending protocol:

• Value at risk: the 95th percentile insolvency value with different market volatility settings. Lower is better
• Liquidation at risk: the 95th percentile potential capital liquidation with different market volatility settings.
• Borrow usage: Total supply of collateral / borrow amount

They made a dashboard for all collateral on the compound. Here is an example of $BAT.

Chaos Labs

Chaos Labs also provide simulation to customers. They have their Python-based agent-based EVM simulation environment. They can replay on-chain historical protocol data. Their use cases would be the following:

• Predict liquidation under extreme market conditions
• Predict liquidity under extreme market conditions
• Depeg simulation
• Stress test

Risk DAO

Risk DAO provides an interest rate simulator for lending protocols to find the long-run equilibrium states.

Users can input several important parameters of the lending protocol and get the final state of the lending protocols.

They also provide several simulations for risk dashboards:

• Recommended risk parameters with different parameters
• Liquidations on the extreme market movements

Credit Rating

Credit Rating is another quantitative way to see the risk. Projects use users’ on-chain transaction history to generate a credit score for them. Projects can use these scores to decide who is more risky and provide customized products to them.

Credit rating is a common practice in the traditional finance industry, used to assess the creditworthiness of individuals, companies, and securities. The business model of credit rating agencies is to provide independent opinions on the credit risk of entities that issue debt, including governments, corporations, and financial institutions. Credit rating agencies assign credit ratings to these entities based on their ability to repay their debts.

The credit rating industry is highly concentrated, with three major agencies — Standard & Poor’s (S&P), Moody’s, and Fitch — dominating the market. These agencies have been criticized for their role in the 2008 financial crisis, as some of the securities they rated highly later turned out to be worthless.

In recent years, there has been increased interest in the development of alternative credit rating models that rely on big data and machine learning to evaluate creditworthiness. These models can incorporate a wider range of factors than traditional credit rating methods and may be more effective at predicting credit risk. However, they are still in the early stages of development and may face challenges in gaining widespread adoption.

Cred protocol is working in this direction. They apply ML to the following data to evaluate the credit score:

• Borrowing history
• Account composition
• Account health
• Interactions
• Trust
• Credit History

Currently, the borrowing history only supports a few large lending protocols on large chains. Here is a detailed coverage list.

Insight

Currently, there are three solutions for addressing non-smart contract risks in the DeFi world: simulations, risk dashboards, and credit ratings. These solutions complement each other and work more effectively together.

Business models

These solutions are still in their early stages and have not yet established clear and mature customer segments. Their target customers could include institutions, protocols, and individual investors, all of whom are affected parties in the event of an exploit. Institutions, especially DeFi funds, may invest significant sums in protocols and therefore have a strong interest in understanding the underlying risks. Protocols require security information to maintain safety and demonstrate their authenticity to investors. Individual investors care about security because they do not want to incur losses during exploitation.

The early adopters of simulations are likely to be protocols. Simulations can be a one-time service, such as simulating protocol performance under extreme market conditions, or a subscription service that helps protocols regularly adjust risk and reward factors. As DeFi becomes more complex, it becomes increasingly challenging for humans to design and adjust these factors. Big data is a growing trend that can continuously fine-tune parameters to offer more reliable and profitable alternatives.

DeFi funds are likely to be the early adopters of risk dashboards. Although risk dashboards may be optional for individual investors, they are essential for DeFi funds, which invest substantial amounts in protocols and want to understand the underlying risks. If any exploitation occurs, they want to be the first to receive the information and take action to minimize potential losses. Risk dashboards can charge subscription fees to DeFi funds, with pricing varying based on the number of dashboards used.

Credit protocols can be used to assess the risk of protocols, institutions, and individuals. Currently, the early adopters are likely to be protocols. These protocols can access data from credit protocols to provide different services to customers, such as offering more profitable products to customers with good risk profiles. Credit protocols can charge API usage fees to DeFi protocols and credit rating fees to institutions.

Future

During the last bull cycle, investors focused on APY without considering risks. However, after several major project crashes, investors now place more emphasis on risk management. By taking risks into account, the stability of the entire DeFi ecosystem can be improved. The projects mentioned above provide extensive risk-related data, and making this data easily readable is crucial. For example, projects could incorporate risk directly into APY, with risk-adjusted returns serving as a useful indicator.

With the growing complexity of DeFi protocols, it becomes impossible for humans to accurately track all risks. The adoption of big data and machine learning is inevitable. Simulations will become as important as security audits, ensuring not only smart contract security but also economic security under stress tests. Both engineering and finance are essential pillars in the DeFi world, and the security of both must be guaranteed.

Risk dashboards must prove their competitiveness compared to open-source data dashboards like Dune. They need to persuade customers to pay for subscriptions rather than resort to free data dashboards on Dune. To strengthen their competitiveness, risk dashboards are currently working on:

• Real-time data
• Exploit alerts
• Off-chain data

However, they still lack customizability, making it difficult for users to tailor risk dashboards to their specific needs. Users may require custom indicators or want to integrate risk data into their data pipeline or automation.

Credit protocols are still in their infancy and currently only cover a small portion of on-chain data, making it difficult for new DeFi protocols to build on top of them. To unlock the potential of big data, credit protocols need to expand their datasets to include both on-chain and off-chain data. This will enable more reliable and accurate credit ratings.

We believe that credit protocols should expand their datasets to include both on-chain and off-chain data to harness the potential of big data. Big data can lead to more reliable and accurate credit ratings.

Another important feature is customizability. DeFi protocols may want to select specific features and adjust weights to suit their needs. For instance, a protocol on Avalanche might place greater value on transactions occurring on Avalanche rather than on other chains.

A significant risk to consider is the potential inapplicability of current credit rating models if credit protocols become popular in the future. For example, a wallet with a good credit rating might act maliciously if it discovers the possibility of obtaining a large number of uncollateralized loans from certain DeFi protocols. As the game changes, the underlying assumptions and models of credit protocols must adapt accordingly.

In order to address these risks, credit protocols need to engage in continuous monitoring and model updates. This may include:

1. Predictive models: Develop predictive models based on big data and machine learning to identify potentially malicious behavior and credit risk.
2. Dynamic adjustments: Regularly adjust credit rating models according to market changes and variations in behavioral patterns to ensure their accuracy and effectiveness.
3. Multi-dimensional assessment: Adopt a multi-dimensional approach when assessing credit risk, including on-chain and off-chain data, historical behavior, and real-time behavior, in order to gain a more comprehensive understanding of potential risks.
4. Community involvement: Encourage community members to participate in the improvement of credit rating models, providing feedback and suggestions to enable adaptation to the constantly changing DeFi ecosystem.
5. Transparency: Increase the transparency of credit rating models, allowing users and protocols to understand the underlying principles and criteria for ratings, which will help in making adjustments when potential vulnerabilities or shortcomings are identified.

By taking these measures, credit protocols can continuously optimize and improve their credit rating models while addressing future potential risks, keeping pace with the development and innovation of the DeFi ecosystem.