DeFiance: billion-dollar finance, million-dollar hacks, and very little value
Over the last year or so, much-to-most of the cryptocurrency world has pivoted from the failure of “fat tokens” and ICOs, and the faltering growth of “Layer 2” payments like Lightning and the late Plasma Network, to the new hotness known as “DeFi,” which this week was used to … hack? acquire? steal? It’s pretty ambiguous … a cool million dollars.
DeFi stands for Decentralized Finance. It’s supposed to be an entire alternative financial system. One day, its visionaries say, you will be able to use DeFi to borrow and lend, to buy and sell all kinds of exotic securities, and to acquire insurance and make claims, all via completely decentralized networks and protocols, no banks or brokers or trusted third parties required, just irrevocable and implacable software, “code as law,” with no human beings involved except for you and (maybe) your counterparties, while never having to fill out any paperwork or apply for permissions, and trusting your money to no entity except whoever holds your private key(s). One day.
Many people find this a stirring, inspiring vision. However, DeFi today is very few of those things. Today it allows you to borrow crypto using crypto as collateral; use that lending market to earn interest on your crypto holdings; trade crypto via decentralized exchanges, or DEXes; commit your crypto to liquidity pools, in exchange for a percentage of fees; insure yourself against hacks somewhat; and, well, that’s pretty much it.
Some people also call stablecoins, prediction markets like Augur, and security tokens (aka stocks / real estate On The Blockchain) part of DeFi. The first two seem pretty separate to me, though, with the exception of the Dai stablecoin. Security tokens should be DeFi, but are currently an awkward fit because of their strict regulatory requirements, and anyway haven’t exactly taken the world by storm.
I should know; I spent some weeks eighteen months ago coding a security token. I’ve been writing about cryptocurrencies here for nine years. And I have followed the growth of DeFi with … well … eye-watering boredom, along with some dismay, until this week.
DeFi seems to me more like cosplaying a financial system than an actual viable alternative. I don’t see it crossing that divide any time soon, if ever. It even cosplays the De in its name, too, since very few of today’s DeFi offerings (beyond its base layers) are actually decentralized — as in, beyond the control of some kind of centralized administration — or has any real schedule for becoming so.
Technically it’s all pretty cool, I concede. But what is the point of “borrowing money using money as collateral” for the 99.9% of people who aren’t true-believer HODLers loath to even consider simply selling their crypto? Even if you accept the “floating cryptocurrencies are like gold, stablecoins are like money” analogy, this entire system only really benefits the vanishingly small number of whales who own sizable amounts of cryptocurrency already. Perhaps we shouldn’t be surprised that they who hold that gold have made the new rules, but it’s a bit much to ask that the rest of us genuflect in awe and call them the future.
Similarly, it’s nice that you can earn a little interest on your crypto holdings, but for floating cryptocurrencies, that trickle will be drowned out by the rogue-wave-like price swings in their valuations for the foreseeable future. (For instance, much of the credit for the “more than $1 billion locked into DeFi contracts,” much cited across the industry, should go to the recent rise in valuations rather than increasing participation.) Even for stablecoin collateral, no reasonable analyst would consider the interest rates commensurate with the risk —
— because, as the events of this week point out, that risk is immense. Credit where it’s due: those events were made possible because of a genuinely novel innovation, a “flash loan,” wherein an anonymous party can borrow an arbitrary amount of money — yes, you read that correctly — providing that they ensure it’s all paid back by the end of a single smart-contract transaction. Think of it as an ATM giving you all the money you want, but locking the door until you deposit it all back.
That may seem surreal and pointless, but the thing about DeFi is, a single transaction can include many different steps between the borrow and the payback. This week’s two hacks took advantage of that fact. The first used half the flash loan to short the price of bitcoin, and the other half to borrow a lot of bitcoin, which it sold to temporarily lower its price — then claimed the short profits. It also took advantage of a bug in a smart contract intended to catch such transactions.
The second used some of the loan to borrow a lot of a cryptocurrency, then the rest to bid that up in value, then used that increased value as collateral to borrow even more, then paid back the loan and kept the increased value. It didn’t appear to take advantage of any bugs at all. Combined, they reaped roughly a cool million dollars’ worth of cryptocurrency.
Were these thefts? Were these totally legitimate arbitrage plays, using the system(s) as programmed, and, at least in the second case, apparently as designed? You can at least make a reasonable case either way.
The risks certainly do not stop there. People have even floated compelling-sounding theories suggesting how a hacker could extract the entire reserves of MakerDAO, the system behind the Dai stablecoin, which represents more than half of the combined committed value of all DeFi. In fairness, the responsible people involved will cheerfully tell you that these are bleeding-edge systems with fairly broad attack surfaces, and you probably don’t want to commit money to them that you can’t afford to lose.
But all this cosplay, clever as it is, doesn’t help solve any of the hard problems preventing cryptocurrencies from mattering to most. The oracle problem: if you rely on third parties to tell the blockchain what to do, then why not just rely on third parties to manage your money? (While also offering valuable things like a help number and recourse in the case of erroneous transactions.) The identity problem: how can you implement decentralized identity and reputation, so that you can offer credit based on someone’s history and status, rather than current cryptocurrency holdings?
Working on those problems would actually help to “bank the unbanked,” something that many cryptocurrency people used to pretend to care about. They would actually reduce the power that gargantuan centralized financial establishments hold over ordinary people. They could lead to an actual decentralized financial system which, even if only 1% of the population actually use it, would keep the giants honest simply by providing a viable alternative in case they became too draconian.
Please don’t start talking about Venezuela or Zimbabwe. Unlike you, I actually spent time in Zimbabwe during hyperinflation. If we wanted to use cryptocurrencies to help the masses suffering under profligate governments using increasingly worthless fiat currencies — which I absolutely agree is a noble goal — we wouldn’t be spending our time, effort, and intellectual horsepower on the ability to use cryptocurrency A as collateral for loans denominated in cryptocurrency B. They are completely orthogonal.
Instead of tackling the hard problems, or bringing crypto to people who need it, DeFi today seems to be mostly about creating an alternative financial system which makes life mildly more convenient for those whales who happened to wind up holding a big bag of cryptocurrencies after the first few booms. And as this week’s events show, it may not even be good at that. Please can we get back to the important problems?