DeFi liquidity providers exist to maximise the risk-return of their portfolio. This certainly applies to all asset classes but DeFi risks are unique and highly specialised. In contrast to the recent contagion risks working their way through the centralised crypto market, decentralised protocols offer unprecedented levels of transparency and insight for risk management but the data is hard to obtain and there is no well established framework for classifying such risks.
At Re7, we have developed a bespoke approach to evaluating and managing DeFi risks. In previous posts, we have reviewed how we manage specific risks to the portfolio like credit and counterparty risk. In this article we will give an overview of how one might think about the main DeFi risk - smart contract risk - and how it can be managed.
By taking a dedicated approach to risk management similar to how portfolio managers in traditional finance evaluate their positions we can apply tested frameworks to the new risks unique to the DeFi ecosystem.
Risk Management Process
DeFi is a bit similar to credit markets. On the surface, you are risking your capital to earn some yield and are theoretically exposing yourself to full downside risk. This payoff looks binary but as we know credit markets are more complex than that.
Risk ratings are a vital part of how funds allocate capital and compare opportunities. The largest rating agencies provide standardised ratings and these in turn drive many asset allocation. This creates a set of industry standards for how to assign and evaluate risk. At Re7, we have adopted this rating mentality to inform the risk management in our portfolio.
Example risk tiers from TradFi credit-rating agencies.
We evaluate all of our portfolio positions against a consistent rubric. This allows us to create comparable risk scores for each protocol we evaluate. Each protocol gets a risk score to inform the maximum size and ideal size of a position as a part of our portfolio. Further, we set up monitoring against metrics like yields, prices, and other important metrics for each position. By managing position size and overall risk for the portfolio, we can avoid many risks. However, when adverse events do happen, we look to be protected ahead of time with the purchase of DeFi insurance and other hedges to further control drawdowns.
Risk Scoring
In our risk reviews, we take a set of common risks in DeFi and score each protocol for how well they mitigate or eliminate these risks. We score protocols on over 30 metrics, but these fall into a few general categories.
The most important risk in DeFi is of course smart contract risk. As part of our scoring process, we read and review audits, and check for audit fixes against the current production deployments. Protocols that have up-to-date audits from multiple reputable firms get better scores as well. In addition, we review key contracts for owner functions. Where there are privileged functions, we look that these are controlled by a multisig with known signers.
We also look at common smart contract attack vectors based on the protocol type. For example, we will evaluate the risk of reentrancy and inflated collateral attacks when evaluating lending protocols. Other common attacks like attacks against the oracle system or front-running risks are also factored in.
Protocols that undergo multiple audits, have strong documentation, and detailed data reporting get a higher score in our framework. But beyond smart contract risk, there are process risks that also factor into our ratings. For example, we include a review of governance processes and how these can introduce risk to a position. Often governance can change protocol parameters or control funds. We look at whether there is privileged ownership like a governance multisig as well as how new proposals are processed and executed.
DeFi is a growing market, and the risk of economic attacks or protocol failures is present as well. We look at whether there are risks to a protocol from liquidations and bad debt. For some positions, we look at the risk of impermanent loss or stablecoin depegs. In addition, we will score the sustainability of the yield and exposure to the chain ecosystem like bridges and other protocols.
Lastly, we incorporate several third-party review sources to help augment our data. In addition to using on-chain data, we will include a review of third-party risk scores and other market sentiment analysis. Another other useful data point is insurance and other underwriting rates. We will also consider the age of the protocol, the team makeup, and other support systems that go into a protocols community.
By scoring a protocol against each relevant metric in our risk framework we develop a normalised score that we use to compare protocols. This lets us limit position sizes if a protocol is deemed riskier. Less risky protocols can get a larger allocation in the portfolio.
The Re7 Risk Index
In the spirit of open ecosystems, we have just launched a site that gives a high-level overview of DeFi yields available per each risk category.
This combines our risk scoring into tiers and augments this with our real-time yield tracking infrastructure (across 9 chains and hundreds of liquidity pools). This creates a benchmark for risk-adjusted returns in DeFi.
Our risk index is a snapshot into the current DeFi market and is updated in real-time as scores and rates change across the space.
The Re7 DeFi Risk Index can also be used as a further input to risk management processes across the space. Lending and portfolio management DAOs like Solv and DebtDAO may be interested in adopting the risk scoring to inform their own portfolio allocations and investment activities.
You can find the dashboard at re7.capital.
By continuing to publish and refine risk framework, we hope to continue improving the security stance of the space. Working together we can all reduce and standardise protocol risk and make DeFi a safer place for investors of all sizes.
If you are interested in learning more about our data and risk framework, reach out!
Re7 Capital - DeFi liquidity providers