Industry the July/August 2022 issue

Decentralized Danger

Managing risk in decentralized finance is the newest cyber challenge.
By Andrea De Bono, Zach Ewell Posted on July 19, 2022

The cryptocurrency world has expanded in the past few years, and the latest trend in cryptocurrency is investing in financial products developed on a blockchain-based environment called decentralized finance, or DeFi. Decentralized finance is a set of financial applications that allow users to earn interest, borrow or lend, buy insurance, and trade derivatives and assets developed on public blockchains via the use of cryptocurrencies. As with blockchain and crypto, DeFi allows global users to connect via a peer-to-peer experience in which no information is routed through a centralized entity.


Decentralized finance companies have developed self-insurance pools.

“In simple terms, DeFi is a financial services system without centralized intermediaries,” says Benjamin Peach, associate director of digital assets at Aon. “The main technology that DeFi has implemented is in global financial transactions by cutting out the middleman or offering services without an intermediary. In this environment, individuals can transfer money across the world in a faster and cheaper way.”

Cyber Losses in DeFi

According to Elliptic, a blockchain analysis provider, DeFi has grown to staggering heights in the past few years. In 2021, the total capital locked in DeFi services, which measures market liquidity, saw an increase of 1,700% over 2020, reaching $247 billion. Similarly, the monthly trading volume on decentralized exchanges reached $300 billion for each month of 2021, representing an increase of 1,500% over the previous year.

However, the rapid increase in funds invested in DeFi applications and the relative immaturity of the underlying technology have allowed hackers and criminals to exploit the system. In fact, in 2021 there were many instances of crypto-related crimes, which caused users and investors to suffer $10.5 billion in total losses, up from $1.5 billion in 2020.

Blockchain: A decentralized system for storing data across a peer-to-peer network, without a central authority.

Bitcoin blockchain: Maintained by a distributed network with no controlling central authority, it ensures accuracy of user balances through a process called “proof of work.”

Ethereum blockchain: Intended as a base layer for any decentralized application by processing smart contracts.

Cryptocurrency (or crypto): A digital currency distributed by no controlling central authority that instead uses blockchains to record transactions and issue currency.

Smart contract: A set of rules defined in code that can be executed by an underlying blockchain when predetermined conditions are met.

Token: A protocol that gives owners access to digital assets such as cryptocurrencies on the blockchain.

“We’ve seen a lot of breaches and hacks of smart contracts of DeFi companies, causing large losses during 2021,” Peach said. “Most of the breaches are, however, caused by poor coding or programming, which is not fixed before the company is launched onto the blockchain platform. So, often, hackers will find that open back door, breach the system, and then steal the crypto assets.”

A coding error can prove extremely costly in DeFi applications, as in the case of a decentralized exchange called vSwap. In May 2021, one of vSwap’s accounts, holding user funds in the form of crypto tokens, was emptied—resulting in an $11 million loss. The cause of the incident was discovered to be a single line of code (initialized=true) which was omitted during a code merge. Without that line of code, any user could set himself as the owner of the account, enabling the user to take control of the account and move the funds contained within it.
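The omission described above, sketched in Solidity as an added illustration. This is not vSwap's code: the contract names, the `withdraw` function and the token interface are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal token interface used by this illustration.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Shared state and the owner-only withdrawal (hypothetical names throughout).
abstract contract PoolAccount {
    address public owner;
    bool public initialized;

    function withdraw(IERC20 token, address to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        require(token.transfer(to, amount), "transfer failed");
    }
}

// BEFORE: the guard is checked but never set, so the check can never fail
// and every later call to initialize() replaces the owner.
contract PoolAccountMissingFlag is PoolAccount {
    function initialize(address newOwner) external {
        require(!initialized, "already initialized");
        owner = newOwner;
        // The line `initialized = true;` is absent here.
    }
}

// AFTER: the flag is set before the owner is assigned, so initialize()
// succeeds exactly once and the owner cannot be replaced through it.
contract PoolAccountFixed is PoolAccount {
    event Initialized(address indexed owner);

    function initialize(address newOwner) external {
        require(!initialized, "already initialized");
        require(newOwner != address(0), "owner is zero address");
        initialized = true; // the single omitted line
        owner = newOwner;
        emit Initialized(newOwner); // gives monitoring one event to expect
    }
}
```

A regression test that calls `initialize` a second time and expects the call to revert would flag this omission before deployment, including when the line is lost in a merge.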

Similarly, Qubit Finance, a decentralized lending and borrowing platform, was hacked in late January 2022. By injecting malicious data, the hacker exploited a logical flaw in Qubit’s code, allowing him to withdraw 206,809 Binance coins (worth about $80 million). As of June, the Qubit Finance hack is the 10th-largest attack on a DeFi platform and the third-largest in 2022, after Wormhole Network lost $326 million from a hack in early February, and Ronin, a play-to-earn game using non-fungible tokens (NFTs), was the victim of a $625 million hack in late March.

Insuring Crypto Risks

The attraction of DeFi applications also comes from the ability to trade and exchange tokens in decentralized crypto exchanges (or DEX), which facilitate direct, peer-to-peer crypto trading via smart contracts.

In contrast, a centralized exchange (or CEX), like Binance, is a crypto trading platform that acts as a middleman between users and the blockchain to facilitate smoother transactions. This is similar to how investment brokerages and banks work, by providing storage for crypto assets and providing customers with support, security and monitoring.

When dealing with centralized exchanges, investors are relatively safe, as most centralized exchanges have some sort of insurance against hacks to their systems. However, decentralized applications, like those on Ethereum, have much higher risks due to a lack of audit protocols for their programming code.

“What could highly reduce the risks from smart contracts is the insurance industry,” says Patrick Schmid, vice president of RiskStream Collaborative, the insurance industry’s largest blockchain consortium, which seeks to leverage investments and risk solutions on blockchain platforms. “The industry is very interested in learning more about decentralized finance. However, large scale insurers aren’t quite ready to develop products for this market yet. This technology is just emerging, and it is considered immature, especially when looking at potential regulatory risks.”

Another reason why traditional insurers haven’t entered the DeFi space in full is the lack of historical data. As per any sort of risk, it is difficult for insurance companies to effectively quantify and evaluate risks that crypto investors face without a significant amount of information about blockchain, buying behaviors and, of course, potential losses from hacks.

Despite the absence of DeFi insurance products being developed by traditional insurers, the insurance industry remains highly alert to the potential for the technology behind DeFi to develop new business models and new products.

“The self-insurance pools that DeFi companies have developed are extremely interesting to us at Aon,” Peach says. “Some of the decentralized insurance applications essentially act as self-insurance pools by automatically and instantly replenishing all their customers’ assets—either via a separate smart contract or by reissuing tokens—when a smart contract gets hacked.”

For example, Syntropy, a decentralized exchange built on the blockchain, reissued its NOIA tokens in a ratio of 1:1 via a new smart contract in order to reimburse all those affected by a cyber attack that stole 81 million NOIA tokens (worth around $5 million) in September 2020. The reissued tokens were distributed to holders automatically, rendering all previous tokens—including stolen ones—obsolete, preventing the hacker from exploiting the stolen tokens.

Other forms of crypto risk that impact decentralized finance include severe value fluctuation. In the second quarter of 2022, the market value of many popular cryptocurrencies fell, leaving investors and regulators concerned about the true value of digital asset classes. One of the most popular cryptocurrencies, Terra’s Luna, saw its value drop from over $77 to $0.000017 for a token in less than six days. According to Al Jazeera, an estimated $45 billion was wiped out.

Around the same time, fearing further losses in the crypto market, Coinbase disclosed, in its first-quarter earnings report, that the firm does not own liability protection in the case of bankruptcy, potentially putting nearly $256 billion in investor assets at risk. “Because custodially held crypto assets may be considered to be the property of a bankruptcy estate, in the event of a bankruptcy, the crypto assets we hold in custody on behalf of our customers could be subject to bankruptcy proceedings, and such customers could be treated as our general unsecured creditors,” the company shared in its quarterly filing.

The technology behind cryptocurrencies is currently being used for permissioned blockchain, also known as enterprise blockchain. A permissioned blockchain is a private system that allows determined participants—which can join only after suitable verification—to perform only designated activities within the network.

This sort of blockchain is best suited for organizational collaboration, in which a group of two or more parties—for example, a broker, carrier and reinsurer—can streamline business processes, such as claims information, data sharing or verification, between different parties via a more scalable and secured network.

Another interesting area of implementation for blockchain technology, and specifically smart contracts, is with parametric insurance for catastrophe events. “At the RiskStream Collaborative, we’ve developed a case study where this type of product could be implemented,” says Patrick Schmid, the company’s vice president. “The scenario is as follows: a food truck operator going to a sporting event loses the cost of raw materials because the event is rained out; with a smart contract, the system would automatically check the amount of rainfall within that ZIP code and, if above a certain threshold, pay out the claim. However, that is a very specific insurance product.”

In addition to being very specific, such insurance products would rely on the collection of real-time weather data in order to accumulate the losses from a catastrophic event and allow claims to be triggered immediately. Most such events, however, still rely on human intervention—from a loss adjuster, claims handler or investigator—to effectively quantify losses and to input the information into a database, especially when it comes to property damages.

Regulatory Beginnings

With any breakthrough technology comes new risks that can quickly hurt investors and stifle mass use of the technology. At the same time, governments have been slow to develop precise regulations to protect investors in blockchain-based applications due to a lack of understanding of the technology. The recent hyped media coverage has pushed many regulators to begin studies and discussion of this new technology, leading to some proposed legislation. For example, the proposed Crypto-Currency Act of 2020 sought to identify existing government agencies to define and oversee digital assets. Since then, many states have enacted or proposed legislation or adopted resolutions aimed precisely at blockchain and cryptocurrencies.

Government is working toward new legislation, such as The Responsible Financial Innovation Act, a newly proposed, bipartisan bill aimed at providing a clearer regulatory framework for digital assets. For now, however, private industries are left to experiment with new technologies. While the insurance industry is not developing products for decentralized application firsthand, many insurers are working behind the scenes to support upcoming business models—such as smart contracts and self-insurance pools—and to implement blockchain technology in existing infrastructures.

While traditional insurers study the potential for new insurance products, some blockchain-based platforms have had insurance solutions built into them to cover the risk of theft of crypto assets in case of hacks. One example of a DeFi insurance application is Nexus Mutual.

As a fully decentralized Ethereum-based platform, Nexus Mutual offers insurance products via community-driven management and financials. Its Smart Contract Cover allows investors to protect their cryptocurrency investments against smart contract vulnerabilities (such as hacks and thefts) on various DeFi platforms, such as Binance. This insurance product would cover any token the insured has in the determined DeFi platform, and, in case of a claim, the insured will receive the equivalent of the lost funds in Ethereum tokens (or ETH) up to the covered amount.

Nexus Mutual is structured as a decentralized autonomous organization (DAO) that is wholly owned by its members. Anyone can become a member by purchasing Nexus Mutual’s native token, NXM. This ensures the funding of the risk pools and allows investors to participate in Nexus Mutual’s governance process, such as assessing the risks of covering particular smart contracts and voting on whether to accept claims.

Andrea De Bono, Content Specialist
Zach Ewell, Content Specialist
