The DeFi Insurance Problem

Why Decentralized Finance doesn’t have scalable insurance

There’s no denying it — hacks are rampant in DeFi. In the first half of 2022, hackers stole billions of dollars via smart contract exploits like the Wormhole bridge hack that stole $321 million, the Ronin Bridge hack that stole $650 million, and the flash loan governance attack that targeted Beanstalk and stole $178 million.

Real solutions are slim. Right now, If a DApp wants to test their security and establish public trust of their code base, they look to audit groups to give their figurative stamp of approval (e.g. OpenZeppelin, Trail of Bits, Zellic, and Peckshield, to name a few).

However, audits are not perfect solutions. Just a few weeks before Beanstalk was hacked, Omniscia completed an audit of their code base and found several critical vulnerabilities. Similarly, Wormhole contracted Neodyme to audit their code prior to launch.

The reality is that audits are not comprehensive solutions to securing DeFi — and only perform one part of necessary security practices.

While there are audit groups, bug bounty platforms (ImmuneFi, Hats Finance), and on-chain monitoring networks (Forta) working to secure DApps, DeFi still lacks scalable insurance. Without such financial infrastructure, DeFi remains at a disadvantage when it comes to predicting and managing loss events, and it will be to the detriment of all the builders, investors, and believers of crypto technologies.

Despite several attempts to solve the riddle of DeFi insurance, we have still yet to see any major examples of financial or functional success. This begs the question; why hasn’t DeFi insurance succeeded yet?

The answer— the fundamental problem paralyzing DeFi insurance’s growth and success — is the lack of underwriting capital.

What is underwriting, and why is it a unique problem in DeFi?

Underwriting refers to the research and risk assessment process an insurer conducts before taking on another party’s financial risk for a fee. That fee is often named the “premium.” In the context of insurance, underwriting is concerned with balancing the risk load of insured capital versus liquid capital under management. Insurers ask the question:

What’s the probability that this asset loses its current value compared to the revenue generated from premiums?

With a large enough capital pool, insurance companies can theoretically leverage their liquid assets to pay for every qualified loss event.

Consider your car insurance as an example. Every month, you pay a premium to your car insurance company, so in the event where you have an accident, you don’t have to cover the expenses of repair or buy a car out-of-pocket. Those expenses are your financial risk.

To ensure they can cover the financial risk of your potential accident, the car insurance company takes on the risk of thousands of drivers. By distributing the risk of individual drivers, insurers can offer lower premiums as the risk of the aggregate decreases in proportion to the number of policyholders. In effect, insurers pool the risk of many drivers, and the law of large numbers makes losses more predictable. Thanks to the capital reserve amassed from premiums, the car insurance company can pay for all covered losses while making consistent profit.

The magic of underwriting is calculating the estimated losses in comparison to the flow of new capital. The ideal goal of the insurer? Minimize losses, maximize capital gains. The best insurance companies have swarms of actuaries just to balance this mantra.

The Chicken and the Egg

Which one comes first?

As of September 17, 2022, DeFi insurance’s Total Value Locked (TVL) is roughly $516 million, standing in stark contrast to DeFi’s ~$54 billion TVL. It’s an abysmal comparison. Moreover, the TVL of $516 million is stretching the truth, because $200 million of it is just Armor’s wrapper on Nexus’s existing $200 million in ETH reserves.

Armor’s TVL on DeFiLlama is coming from the same Nexus contract viewable here.

There are two reasons why depositors don’t underwrite for smart contract risk:

1. Lack of Trusted, Standardized Risk Assessment: Each DeFi insurance group assess risk differently, and often times, they lack transparency regarding their risk assessment process. In an industry such as DeFi, where data transparency is central to its technological thesis, ambiguous or secretive risk assessment process deteriorates trust.
2. Underwriting Returns: The ROI associated with underwriting for DeFi insurance is much smaller than most other DApps. Most DeFi insurance reward APRs are not strong enough compared to the risk of loss for underwriting. As DeFi projects continue to offer triple digit APRs, DeFi insurance can’t guarantee that return unless they have thousands of consistent paying policyholders.

I believe that, in the long term, we will solve the first issue as we gather more data on exploits, more projects enter the space, and more risk strategists break into DeFi.

However, the second issue is much trickier. Herein lies the first major roadblocks for gathering underwriting capital for DeFi insurance; How do we convince the ecosystem that investing in DeFi insurance is a good idea?

DeFi Insurance Business Models

Let’s dive a bit more into how teams are trying to solve the DeFi insurance problem today. As of September 2022, there are four major business models in the DeFi insurance industry at play. We’ll briefly discuss each and examine their respective approaches to gathering underwriting capital.

Model #1: Staker-as-Underwriter Model

The earliest and most common DeFi insurance business model is the “Staker-as-Underwriter” (SAU) model, pioneered by Nexus Mutual. In this business model, Nexus issues native tokens ($NXM) to their mutual members, each of which have an arbitrary underwriting value tied to the existing underwriting capital available and the current funding rate. Token holders can then stake their tokens in individual underwriting pools for covered protocols. Moreover, stakers have the option to leverage their tokens’ underwriting value to sell more policies and earn more premiums.

It’s a great underwriting model when no one submits claims. Everyone’s happy when premiums are paid because stakers make money and capital management is stable. However, this model starts to deteriorate once depositors want to withdraw their funds from underwriting.

Nexus keeps a minimum capital requirement (MCR) in reserve, which is the dollar value required to adequately underwrite against all previously sold policies. If the ratio between MCR and reserve is at or below 100%, users cannot withdraw their funds, at least not until there are more capital reserves deposited.

This has caused some rather unpleasant experiences for Nexus investors.

One of the many forum submissions on Nexus sharing their inability to withdraw funds.

There have also been forum discussions to increase capacity with the same MCR, but the problem remains. Nexus simply doesn’t have enough underwriting capital to safely underwrite while also maintaining enough liquidity for their underwriting users to exit.

Model #2: Staker-as-Liquidity Provider Model

Shortly after 2020's DeFi Summer, liquidity incentives proved to be a powerful method to bootstrap capital and jump start a project. InsurAce noticed this incentive method, and designed their underwriting model around it.

To bootstrap underwriting, InsurAce created their Mining incentives, which offers underwriting liquidity providers APY paid in the $INSUR token. To keep an even spread of underwriting tokens that maintain sufficient capital for modeled payouts, InsurAce sets the APYs for each token to incentivize depositers to help rebalance tokens in the pool.

$INSUR is also the governance token that has claims assessment and proposal voting power. However, unlike $NXM, $INSUR’s is not directly tied to an underwriting value. It’s core utility is its governance power.

To manage their underwriting capital, InsurAce maintains a Solvency Capital Requirement (SCR). Inspired by Nexus’ MCR, InsurAce’s SCR calculates the funds required to cover policyholders over the next 12 months with a 99.5% probability. Dive into their methodology here.

The pro to this model are that liquidity can be quickly bootstrapped through appetizing incentives. But like a double-edged sword, this is also where one con lives. A majority of liquidity providers are mercenary LPs — ones that look for the highest return and leave a pool as soon as they find a new pool with a higher APY.

Model #3: Reciprocally-Covered Assets Model

Developed by Ease (formerly ArmorFi), Reciprocally-Covered Assets (RCA)are a means to gather underwriting capital directly from deployed capital inside DeFi yield strategies.

Ease deploys several strategies that investors can deposit into. Premiums are subtracted directly from the yield generated, and in the event that one of the strategies experience an exploit, Ease liquidates a proportional percentage of funds from all vaults to pay back the loss events. From there, any future premium payment replenishes the capital from the payout liquidation.

Functioning of a payout after a hack with RCA.

The advantage to this model is the user experience. All a user has to do is invest in one of Ease’s strategies, and they are (theoretically) insured for exploits. The disadvantage is that Ease users are limited to the investment options that are created and insured by Ease, which are significantly more limited than what DeFi offers.

Model #4: Protocol-Owned Liquidity Model

Protocol-Owned Liquidity (POL) is a model in DeFi insurance directly inspired by the OlympusDAO model. Conceived by Solace, the POL model aims to separate the conflict of interest that the SAU model creates for the claims process. By utilizing a bonds program to exchange various crypto assets for native tokens, $SOLACE can be staked to earn policy emissions. In POL, stakers don’t lose their locked $SOLACE if a hack occurs because the protocol manages the underwriting pool.

Solace sells policies for portfolios instead of individual positions and utilizes a category-based risk assessment model, where risk loads are calculated by protocol category instead of by each protocol. As protocol diversity increases across policies, Solace’s underwriting capacity increases. This is the secret weapon in Solace’s underwriting arsenal that separates them from their competition.

The disadvantage of this model, however, is the inflationary mechanics of $SOLACE. There’s a growing belief that staking alone is a bad token model design. It inflates the token supply as it does not provide any inherent value generation, and when unchecked, the token price can decline to adjust for the new supply. As DeFi 2.0 investors may recall, this model did not work particularly well.

That’s not to say Solace is entirely in this position. There are more plans in the Solace roadmap for the $SOLACE token, one of which is to accept $SOLACE as a means to pay for coverage.

But the fact remains the same: Solace tokens continue to be emitted without attaching any true utility to the emission schedule.

Model #5: The “Nuclear Power Plant” (NPP)

Sherlock takes an entirely different approach. Instead of bootstrapping underwriting capital, Sherlock focuses on the risk assessment process by providing audit services and underwriting DApps against their own audits. Sherlock treats each DApp like how private insurers treat nuclear power plants; by applying a thorough investigation and assessment of the financial risk of catastrophic losses. In Sherlock’s case, they underwrite up to $10 million per DApp.

The advantage of this model is that Sherlock is betting against their own audits, which makes for aligned security goals for both Sherlock and its insured DApps.

The disadvantage, if not obvious, is the ability to scale such an operation. Good audits take significant time, resources, and manpower. Sherlock puts in more effort than the average audit, considering it’s their underwriting dollars on the line if they misjudge how secure a DApp’s code base is (up to $10 million each, remember?).

To mitigate the scaling issue, Sherlock recently announced their new audit contests initiative, where auditors across DeFi can compete to provide audits to Sherlock for DApps they want to underwrite.

It seems like they’re onto something considering that data on audit contests show that DApps that participated in an audit contest have a 0% exploit rate afterwards on-chain. In contrast, ~32% of hacked protocols were audited via an audit group, according to the Rekt.News leaderboard.

Money Makes Money

All it takes is time and a little bit of luck.

While there are some insurance companies whose revenue depends on the practice of denying as many claims as possible, the vital dimension to the insurance business is investing in yield-generating assets. Insurance follows the age old advice: get your money to make money.

In their 2021 report, insurance giant Northwestern Mutual disclosed that they have $570 billion in assets under management (AUM). $286 billion are in invested assets, $42 billion are in non-invested assets, and $224 billion are client investment assets, which rose 25% from the previous year.

In context, the $570 billion in AUM dwarfs the $978 million in net income. One could argue that insurance isn’t really about the premiums, but rather a reflection of what investments those premiums fund.

Above is the year-over-year growth of Northwestern Mutual’s invested assets.

Above is the year-over-year growth for client investment assets, which grew 25% just in 2021.

In DeFi, this should be no different. DeFi insurance must find a way to utilize its start-up capital and premiums to obtain yield-bearing AUM for long-term, sustainable success. However, this is where another major limitation of DeFi insurance surfaces.

DeFi Doesn’t Have Many Stable Assets

Crypto is well known, perhaps even infamous, for its volatility. Whatever altcoin might be up 50% today may go down 50% tomorrow. DeFi strategies can be up in the thousands of percent in APY for token pairs. All the while, impermanent loss can eviscerate any meaningful gains. The reality is that it’s not easy to calculate accurate yield over time in DeFi, with the exception of battle-tested stablecoin pools.

So if the goal is to increase the AUM of a DeFi insurance protocol, what exactly constitutes a safe, yield-bearing investment? If it is inevitable that DeFi DApps will be hacked, insurance DApps have to add smart contract risk to their risk management process.

One strategy is to diversify investments across dozens of DeFi protocols. Therefore, in the case one investment gets hacked, all other investments are still generating yield. But even then, there remains a significant risk for investors when putting underwriting capital into contracts that could potentially be exploited.

Only in DeFi does insurance consider the reality that their AUM could be stolen from hacks.

Another strategy is to outsource treasury management to a DApp like Enzyme. Both Unslashed and Nexus use Enzyme, but their strategies are quite conservative, holding only ETH and staked ETH (stETH) in the vaults. In theory, stETH is an interest bearing asset that should be predictable in its growth (~4% APR). However, stETH has de-pegged in the past, which has caused some investors to lose confidence in its ability to remain stable.

Displayed above is the weekly chart for the Nexus and Unslashed vaults.

Not surprisingly, guess what vault of theirs is most consistent in its returns?

Stablecoins.

Unfortunately, this vault only generates an average monthly return of 0.07%.

Reality Check

Time to pay reality’s dues.

There’s never been a successful decentralized insurance model. While there are some DeFi insurance DApps that would argue against this claim, the truth is that any protocol pushing a decentralized narrative is made to fail from the start. There are three dimensions that are exceptionally difficult to decentralize:

1. Risk Assessment
2. Asset Management
3. Claims Assessment

Risk Assessment

Risk strategists might immediately understand why the risk assessment process is not something that can be easily decentralized. Why? It takes a set of very specialized skills to properly gauge how much to charge for the financial risk taken on for an asset class. That’s why actuaries spend years both in university and in their professional careers learning about the risk assessment process. It’s not an easy job, and it is unreasonable to assume community members can create robust risk assessment models for something as complex and risky as DeFi.

Imagine if every time you went to mail a letter, the post office asked you to design the route of transit? The system would fall apart.

Asset Management

It is one thing to manage conventional assets. It is an other beast entirely to manage crypto assets. Similar to the risk assessment process, managing crypto assets requires a set of skills that, I would argue, are even rarer than actuaries due to the nascency of crypto investing. The average retail crypto investor-turned-millionaire is usually just lucky. Very few traders and DApps design investment strategies with consistent gains. It is unreasonable to assume insurance DAO members should be directly responsible of the assets under management.

Claims Assessment

The claims assessment process is both the most difficult and most exciting dimension of DeFi insurance. It raises a difficult question: who exactly should assess claims for loss events? Should it be policyholders, token holders, core team members, DAO members, third parties— or should the protocol instead rely on parametric assessment tools? A definitive answer remains elusive because no one’s implemented a winning system.

Historically, insurance giants like to control the claims assessment process to their advantage whenever possible. That power disparity between insurers and claimants should not exist in the DeFi world — not while we have something as revolutionary as smart contract technology and the greater Ethereum ecosystem.

How do insurance DApps handle claims?

DApps following the SAU model give their stakers the claims assessment power. Since stakers are also the users with voting power to approve or deny claims, a major conflict of interest is inherently designed into the claims process. Stakers in this protocol structure often want to protect their investment, and as a result, they deny claims as often as possible. Moreover, the value of the native token decreases with each approved claim.

What investor would want to approve a claim when that means the token loses value and they lose some or all of their staked capital — especially when they might be on leverage? On the other side, what user would trust a system where their underwriters get to choose what claims get approved or not? This type of conflict of interest inevitably results in a loss of trust.

Other protocols outsource their claims assessment process. One example of a DeFi insurance DApp that outsources the claims assessment process is Unslashed Finance. They use Kleros, a decentralized dispute resolution protocol, as a third-party to assess their claims. However, Unslashed’s biggest claim to date — a 742 ETH loss event — was rejected multiple times due to a 51% attack in the Kleros court arbitrating the case.

Full thread viewable here.

This spotlights another critical concern; Can the claims process be decentralized, and if so, how?

What should be decentralized?

Conventional insurance is successful in part because they can fully control their operations, including the risk assessment, asset management, and claims process. DeFi insurance should integrate the best components of traditional insurance and adopt a framework that provides a transparent, hybrid operation.

In the Staker-As-Underwriter (SAU) model, we observe the following characteristics:

1. Decentralized Risk Assessment (stakers choose which protocols should have the most underwriting capital)
2. Centralized Asset Management (Core team controls AUM)
3. Semi-centralized Claims Assessment (stakers alone choose what claims to pay)

In the Reciprocally-Covered Assets (RCA) model, we observe the following characteristics:

1. Centralized Risk Assessment (models designed by core team)
2. Centralized Asset Management (Core team controls AUM)
3. Decentralized Claims Assessment (the losses occur directly in the vaults Ease configured)

In the Protocol-Owned Liquidity (POL) model, we observe the following characteristics:

1. Centralized Risk Assessment (risk management team dictates)
2. Centralized Asset Management (Core multisig controls AUM)
3. Semi-Centralized Claims Assessment (Risk management team pays out using optimistic payouts approach, and deploys third-party arbitration in the event of claim disputes)

In the “Nuclear Power Plant” (NPP) model, we observe the following characteristics:

1. Semi-Centralized Risk Assessment (audit contests make the process available to everyone, but Sherlock team ultimately makes the assessment).
2. Centralized Asset Management (Core team controls AUM)
3. Semi-Centralized Claims Assessment (Integrated with UMA for third-party arbitration).

What We Can Learn from Traditional Insurance

Berkshire Hathaway, Warren Buffet’s conglomerate holding company, acquired GEICO in 1996. Surprisingly, one of the first changes Buffet made to GEICO was to increase the coverage capabilities for their insurance policies. Intuitively, it doesn’t seem like a great business model to accept a wider variety of claims.

Buffet saw it differently. According to the insurance mogul, rising claim costs also comes with rising premiums, which increases the floating capital to invest and later pay claims.

“Over the years, inflation has caused a huge increase in the cost of repairing both the cars and the humans involved in accidents. But these increased costs have been promptly matched by increased premiums. So, paradoxically, the upward march in loss costs has made insurance companies far more valuable. If costs had remained unchanged, Berkshire would now own an auto insurer doing $600 million of business annually rather than one doing $23 billion.”

In contrast to GEICO, DeFi insurance teams intentionally limit qualified coverage events. Simultaneously, investors are concerned with all the possible risks in DeFi— many of which are not covered by any DeFi insurance DApp, and some of which have yet to be discovered. As it stands, DeFi insurance is an exceptionally under-developed market.

Heavy is the Head the Wears the Crown

Very few are destined to hold the weight.

So what can we do to solve the underwriting problem in DeFi? Having spent the past year immersed in the DeFi insurance industry, I’ve been able to develop some theories on how these issues may be addressed. By no means are these definitive answers, but in my opinion, they are concepts worth exploring.

1. Insure more loss events. DeFi insurance teams usually specialize in the coverage they offer (Unslashed = slashing insurance, Solace = smart contract insurance, etc.). However, DeFi insurance can and should diversify the financial risks they take on in order to increase revenue from premiums and decrease the likelihood of a black swan event liquidating a DApp overexposed to one type of risk. As Buffet proclaimed, “if you see your costs rising, so should your premiums.”
2. Have DApps underwrite each other at scale. Instead of designing a mutual insurance group of individual risk strategists underwriting DApps, we should be designing a mutual that DApps can enter into to insure each other.
3. Bundle multiple security services: Sherlock’s audit-focused insurance model is an excellent example of what happens when insurance is coupled with additional security measures. And it shouldn’t stop at audits. DeFi insurance should include on-chain monitoring services and bug bounty contests as prevention tools to secure their financial risks.
4. Create an exploits oracle. The goal of an exploits oracle is to be the source of truth for whether or not an exploit occurred. The oracle could classify the kind of exploit, which contracts were exploited, and or what funds were affected. An oracle like this is to the benefit of all DeFi security players, and DeFi insurance can use it to verify exploits they cover.

Here’s the bottom line: whichever insurance DApp can demonstrate scalable underwriting and gain the market trust through transparent risk assessment and consistent payouts of valid claims will be crowned market leader. But the truth remains: no one’s been able to rightfully wear the crown yet.

Special thanks to Matt Ladin, Kevin McDonald, @FatManTerra, the community members of Nexus, and my friends for motivating me to write this piece. Another special thanks to Jack Sanford of Sherlock and Vagrantcrypto of InsurAce for sharing their thoughts on the DeFi Insurance landscape.

Written by Nima Cheraghi & Edited by Kyler Wandler

Nima Cheraghi is a master’s student at University of Southern California studying Music Industry and a researcher at the Blockchain@USC, focusing on DeFi and tokenomics. Cheraghi previously worked at Solace as Head of Growth.

Kyler Wandler is the Director of Operations for the DAO Research Collective, the co-founder and director of the Around the Blockchain crypto law newsletter, and a contributor at several DAOs. In addition, he is a pre-law student at Bryant and Stratton College finishing a Bachelor’s degree in Legal Studies.