The DeFi Insurance Problem

Why Decentralized Finance doesn’t have scalable insurance

What is underwriting, and why is it a unique problem in DeFi?

Underwriting refers to the research and risk assessment process an insurer conducts before taking on another party’s financial risk for a fee. That fee is usually called the “premium.” In the context of insurance, underwriting is concerned with balancing the risk load of insured capital against the liquid capital under management. Insurers ask the question:

The Chicken and the Egg

Which one comes first?
Armor’s TVL on DeFiLlama comes from the same Nexus contract viewable here.
  1. Lack of Trusted, Standardized Risk Assessment: Each DeFi insurance group assesses risk differently, and oftentimes they lack transparency regarding their risk assessment process. In an industry such as DeFi, where data transparency is central to its technological thesis, an ambiguous or secretive risk assessment process erodes trust.
  2. Underwriting Returns: The ROI associated with underwriting for DeFi insurance is much smaller than that of most other DApps. Most DeFi insurance reward APRs are not strong enough to compensate for the risk of loss that underwriters take on. As DeFi projects continue to offer triple-digit APRs, DeFi insurance can’t guarantee that kind of return unless it has thousands of consistently paying policyholders.

DeFi Insurance Business Models

Let’s dive a bit more into how teams are trying to solve the DeFi insurance problem today. As of September 2022, there are four major business models in the DeFi insurance industry at play. We’ll briefly discuss each and examine their respective approaches to gathering underwriting capital.

Model #1: Staker-as-Underwriter Model

The earliest and most common DeFi insurance business model is the “Staker-as-Underwriter” (SAU) model, pioneered by Nexus Mutual. In this business model, Nexus issues native tokens ($NXM) to its mutual members, each of which has an arbitrary underwriting value tied to the existing underwriting capital available and the current funding rate. Token holders can then stake their tokens in individual underwriting pools for covered protocols. Moreover, stakers have the option to leverage their tokens’ underwriting value to sell more policies and earn more premiums.

One of the many forum submissions on Nexus sharing their inability to withdraw funds.

Model #2: Staker-as-Liquidity Provider Model

Shortly after 2020's DeFi Summer, liquidity incentives proved to be a powerful method to bootstrap capital and jump start a project. InsurAce noticed this incentive method, and designed their underwriting model around it.

Model #3: Reciprocally-Covered Assets Model

Developed by Ease (formerly ArmorFi), Reciprocally-Covered Assets (RCA) are a means to gather underwriting capital directly from deployed capital inside DeFi yield strategies.

Functioning of a payout after a hack with RCA.

Model #4: Protocol-Owned Liquidity Model

Protocol-Owned Liquidity (POL) is a model in DeFi insurance directly inspired by the OlympusDAO model. Conceived by Solace, the POL model aims to remove the conflict of interest that the SAU model creates in the claims process. The protocol runs a bond program that exchanges various crypto assets for its native token, and the resulting $SOLACE can be staked to earn policy emissions. In POL, stakers don’t lose their locked $SOLACE if a hack occurs, because the protocol itself manages the underwriting pool.

Model #5: The “Nuclear Power Plant” (NPP)

Sherlock takes an entirely different approach. Instead of bootstrapping underwriting capital, Sherlock focuses on the risk assessment process by providing audit services and underwriting DApps against its own audits. Sherlock treats each DApp the way private insurers treat nuclear power plants: by applying a thorough investigation and assessment of the financial risk of catastrophic losses. In Sherlock’s case, they underwrite up to $10 million per DApp.

Money Makes Money

All it takes is time and a little bit of luck.
Above is the year-over-year growth of Northwestern Mutual’s invested assets.
Above is the year-over-year growth for client investment assets, which grew 25% just in 2021.

DeFi Doesn’t Have Many Stable Assets

Crypto is well known, perhaps even infamous, for its volatility. Whatever altcoin might be up 50% today may go down 50% tomorrow. DeFi strategies can be up in the thousands of percent in APY for token pairs. All the while, impermanent loss can eviscerate any meaningful gains. The reality is that it’s not easy to calculate accurate yield over time in DeFi, with the exception of battle-tested stablecoin pools.

Displayed above is the weekly chart for the Nexus and Unslashed vaults.
Unfortunately, this vault only generates an average monthly return of 0.07%.

Reality Check

Time to pay reality’s dues.
  1. Risk Assessment
  2. Asset Management
  3. Claims Assessment

Risk Assessment

Risk strategists might immediately understand why the risk assessment process is not something that can be easily decentralized. Why? It takes a set of very specialized skills to properly gauge how much to charge for the financial risk taken on for an asset class. That’s why actuaries spend years both in university and in their professional careers learning about the risk assessment process. It’s not an easy job, and it is unreasonable to assume community members can create robust risk assessment models for something as complex and risky as DeFi.

Asset Management

It is one thing to manage conventional assets. It is another beast entirely to manage crypto assets. Similar to the risk assessment process, managing crypto assets requires a set of skills that, I would argue, is even rarer than that of actuaries due to the nascency of crypto investing. The average retail crypto investor-turned-millionaire is usually just lucky. Very few traders and DApps design investment strategies with consistent gains. It is unreasonable to assume insurance DAO members should be directly responsible for the assets under management.

Claims Assessment

The claims assessment process is both the most difficult and most exciting dimension of DeFi insurance. It raises a difficult question: who exactly should assess claims for loss events? Should it be policyholders, token holders, core team members, DAO members, third parties, or should the protocol instead rely on parametric assessment tools? A definitive answer remains elusive because no one has implemented a winning system.

How do insurance DApps handle claims?

DApps following the SAU model give their stakers the claims assessment power. Since stakers are also the users with the voting power to approve or deny claims, a major conflict of interest is inherently designed into the claims process. Stakers in this protocol structure want to protect their investment, and as a result they deny claims as often as possible. Moreover, the value of the native token decreases with each approved claim.

Full thread viewable here.

What should be decentralized?

Conventional insurers are successful in part because they fully control their operations, including the risk assessment, asset management, and claims process. DeFi insurance should integrate the best components of traditional insurance and adopt a framework that provides a transparent, hybrid operation.

  1. Decentralized Risk Assessment (stakers choose which protocols should have the most underwriting capital)
  2. Centralized Asset Management (core team controls AUM)
  3. Semi-centralized Claims Assessment (stakers alone choose which claims to pay)

  1. Centralized Risk Assessment (models designed by core team)
  2. Centralized Asset Management (core team controls AUM)
  3. Decentralized Claims Assessment (the losses occur directly in the vaults Ease configured)

  1. Centralized Risk Assessment (risk management team dictates)
  2. Centralized Asset Management (core multisig controls AUM)
  3. Semi-centralized Claims Assessment (risk management team pays out using an optimistic payouts approach, and deploys third-party arbitration in the event of claim disputes)

  1. Semi-centralized Risk Assessment (audit contests make the process available to everyone, but the Sherlock team ultimately makes the assessment)
  2. Centralized Asset Management (core team controls AUM)
  3. Semi-centralized Claims Assessment (integrated with UMA for third-party arbitration)

What We Can Learn from Traditional Insurance

Berkshire Hathaway, Warren Buffett’s conglomerate holding company, acquired GEICO in 1996. Surprisingly, one of the first changes Buffett made to GEICO was to increase the coverage capabilities of its insurance policies. Intuitively, it doesn’t seem like a great business model to accept a wider variety of claims.

Heavy is the Head that Wears the Crown

Very few are destined to hold the weight.
  1. Insure more loss events. DeFi insurance teams usually specialize in the coverage they offer (Unslashed = slashing insurance, Solace = smart contract insurance, etc.). However, DeFi insurance can and should diversify the financial risks it takes on, in order to increase revenue from premiums and decrease the likelihood of a black swan event liquidating a DApp overexposed to one type of risk. As Buffett proclaimed, “if you see your costs rising, so should your premiums.”
  2. Have DApps underwrite each other at scale. Instead of designing a mutual insurance group of individual risk strategists underwriting DApps, we should be designing a mutual that DApps can enter into to insure each other.
  3. Bundle multiple security services. Sherlock’s audit-focused insurance model is an excellent example of what happens when insurance is coupled with additional security measures. And it shouldn’t stop at audits. DeFi insurance should include on-chain monitoring services and bug bounty contests as prevention tools to secure the financial risks it underwrites.
  4. Create an exploits oracle. The goal of an exploits oracle is to be the source of truth for whether or not an exploit occurred. The oracle could classify the kind of exploit, which contracts were exploited, and/or what funds were affected. An oracle like this benefits all DeFi security players, and DeFi insurance can use it to verify the exploits it covers.



| USC Grad Student | Blockchain@USC researcher | writing ✍️ | musician 🎸