Risk Management in DeFi: Paternalism vs. the Invisible Hand
In the dynamic landscape of decentralized finance (DeFi), risk management is the bedrock upon which sustainable lending protocols are built.
The challenge lies in finding the delicate balance between paternalistic management of risk (i.e. thresholds for borrowing are determined by DAO governors and risk managers) and allowing the invisible hand of the free market to determine risk tolerance.
Michael Bentley is CEO of Euler Labs.
As the space grows, it’s crucial that we properly understand the trade-offs inherent in different risk management models.
Euler v1 serves as a thought-provoking illustration of the perpetual debate between immutable code and governed code. While Euler v1 adopted a paternalistic protocol design, with code governed by a decentralized autonomous organization (DAO) that could adapt to economic shifts or bug discoveries, it faced a critical turning point in early 2023: a $200 million exploit.
Despite rigorous auditing, insurance and a substantial bug bounty instituted at launch, a seemingly minor bug emerged, leading to a code fix followed by an additional audit and DAO vote in the months leading to the attack. However, this fix inadvertently exposed a larger attack vector, culminating in the exploit last year.
Although we ultimately took actions that would lead to one of the largest recoveries the crypto space has ever seen, the question still arises: is paternalism in DeFi inherently bad?
I still think, as I always have, that paternalism is all about trade-offs and personal risk tolerances. Ultimately, users must weigh the perceived risks themselves and decide what is right for them.
The complexity of risk in lending protocols
Imagine a lending protocol where borrowers use USDC as collateral to secure loans in ETH. Determining the optimal loan-to-value (LTV) ratio for this transaction becomes a formidable task. The ideal LTV constantly shifts, influenced by factors like asset volatility, liquidity, market arbitrage and more. In the fast-paced world of DeFi, calculating the perfect LTV at any given moment is impractical.
Lending protocol design therefore necessitates heuristics and pragmatic choices. This leads to three broad classifications of risk management models.
Global paternalism via DAO governance
Today, the most popular form of risk management for DeFi lending protocols is the “paternalistic” model, governed by DAOs and risk management organizations like Gauntlet, Chaos and Warden. I call this the “paternalistic” model as it tends to assume that a governing body — be it a DAO or other form of organization — understands the risk tolerance its users should assume better than the users themselves.
This “global” approach, adopted by protocols like Euler v1, Compound v2, Aave v2/v3 and Spark, involves setting LTV ratios relatively conservatively. If the risk environment deteriorates, governance can adjust the protocol-wide LTV ratios for all users.
While this model ensures capital efficiency for borrowers and prevents liquidity fragmentation, it is not without drawbacks. DAOs are made of people with varied skill sets, many of whom may not be qualified to vote directly on risk parameters themselves.
Delegation of voting power can help put control in the hands of more qualified DAO members, but this in turn centralizes decision-making in the hands of a few individuals, who often end up wielding considerable power. Even when these specialists make “good” decisions, DAO governance takes time, and decisions might not be implemented quickly enough if the environment changes rapidly.
Governance also forces protocol users to accept or reject a single risk/reward outcome, when in reality users have very different tolerances. It also arguably trains users to expect that risk will be managed for them, therefore conditioning users to rely on paternalistic risk management, potentially hindering their ability to make informed risk/reward decisions for themselves in the future.
The invisible hand via isolated pools
The free market principles underpinning the “invisible hand” model empower lenders to choose their risk/reward preferences actively. First coined by economist Adam Smith, the “Invisible Hand” is a metaphor for the unseen forces that drive a free-market economy toward optimal solutions. Although certainly not infallible, it is the basis of most free-market capitalism today.
Protocols like Kashi, Silo, Compound v3, Morpho Blue, Ajna and FraxLend allow lenders to deposit into various (for the most part) ungoverned, isolated pools, offering flexibility in LTV ratios, based on free-market principles. With many pools to choose from, users are free to lend across a wide range of possible LTV ratios (and other risk parameters). Some might take a cautious approach, lending at low LTV ratios and attracting fewer borrowers, while others might be more open to risk and leverage.
This, in turn, allows different use cases for lending and borrowing to emerge. At the protocol layer, things are often somewhat simpler with free market models too. The absence of governance allows immutable primitives to be constructed that can be used by anyone. Complexity and product specifics can be pushed to an aggregation layer or user-interface layer (see below). Whilst this does not necessarily reduce the complexity of the system overall, it does reduce the complexity of the trusted codebase for the subset of users who are happy to manage their own risks.
However, this approach isn’t without its own challenges, such as liquidity fragmentation, which makes it harder for lenders and borrowers to connect. Isolated pools not only make it harder for lenders and borrowers to find one another, but they often also make borrowing more expensive (even when users are able to find a match). That’s because in most isolated lending market protocols (e.g. Morpho Blue, Compound v3, FraxLend) borrowers post collateral that earns them no yield.
In contrast, in monolithic lending protocols borrowers can simultaneously use an asset as collateral and lend it out at the same time. This can substantially reduce the costs of borrowing, and even make borrowing profitable, enabling interest-rate arbitrage (via “carry trades”). And with more borrowing, comes more yield for lenders. But there is no free lunch here. Lenders are exposed to rehypothecation risks on monolithic lending protocols in a way that they are not on isolated lending protocols.
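The LTV mechanics from the earlier USDC-collateral/ETH-debt example, the global governance model (one protocol-wide liquidation threshold, changed by a vote that lands after a delay) and the isolated-pool model (a threshold fixed per pool) can be made concrete in a small simulation. The code below is an added illustration written for this article; it is not Euler, Compound, Aave or Morpho code, and the market classes, the block-indexed price path, the governance delay and the borrower sizes are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Position:
    """A borrower who posted USDC collateral and borrowed ETH (constructed example)."""
    usdc_collateral: float
    eth_debt: float


def ltv(pos: Position, eth_price_usd: float) -> float:
    """Loan-to-value: debt value over collateral value, both in USD (USDC taken at $1)."""
    if pos.usdc_collateral <= 0:
        return float("inf")
    return (pos.eth_debt * eth_price_usd) / pos.usdc_collateral


def max_borrow_eth(usdc_collateral: float, eth_price_usd: float, max_ltv: float) -> float:
    """Largest ETH debt a position may open against its collateral at the given max LTV."""
    return usdc_collateral * max_ltv / eth_price_usd


def is_liquidatable(pos: Position, eth_price_usd: float, liquidation_ltv: float) -> bool:
    return ltv(pos, eth_price_usd) > liquidation_ltv


@dataclass
class GovernedMarket:
    """Global model: one liquidation LTV for every position. Governance can change it,
    but the change only takes effect at a later block (assumed vote + timelock delay)."""
    liquidation_ltv: float
    pending: list = field(default_factory=list)  # (effective_block, new_ltv)

    def propose(self, effective_block: int, new_ltv: float) -> None:
        self.pending.append((effective_block, new_ltv))

    def apply_pending(self, block: int) -> None:
        for item in list(self.pending):
            if block >= item[0]:
                self.liquidation_ltv = item[1]
                self.pending.remove(item)


@dataclass
class IsolatedPool:
    """Invisible-hand model: the pool's LTV is fixed when the pool is created."""
    liquidation_ltv: float

    def apply_pending(self, block: int) -> None:
        pass  # immutable: nothing can change the parameter after deployment


def run_scenario(prices: list, market, positions: dict) -> dict:
    """Return, per position name, the first block at which it becomes liquidatable
    (None if it never does) as ETH's price moves through `prices` block by block."""
    first_liq = {name: None for name in positions}
    for block, price in enumerate(prices):
        market.apply_pending(block)
        for name, pos in positions.items():
            if first_liq[name] is None and is_liquidatable(pos, price, market.liquidation_ltv):
                first_liq[name] = block
    return first_liq


def demo() -> dict:
    # Constructed scenario: ETH appreciates against the USDC collateral, so every
    # ETH-denominated debt grows in dollar terms and LTVs drift upward each block.
    prices = [2000.0, 2050.0, 2100.0, 2150.0, 2200.0]
    cautious = Position(usdc_collateral=100_000, eth_debt=20)   # 40% LTV at block 0
    leveraged = Position(usdc_collateral=100_000, eth_debt=40)  # 80% LTV at block 0
    everyone = {"cautious": cautious, "leveraged": leveraged}

    # Global model: governance tightens 0.85 -> 0.80; the change lands two blocks later.
    fast_gov = GovernedMarket(liquidation_ltv=0.85)
    fast_gov.propose(effective_block=2, new_ltv=0.80)
    # Same proposal, but the vote and timelock take four blocks: it arrives after the
    # leveraged borrower has already crossed the old threshold on their own.
    slow_gov = GovernedMarket(liquidation_ltv=0.85)
    slow_gov.propose(effective_block=4, new_ltv=0.80)

    return {
        "governed_fast": run_scenario(prices, fast_gov, everyone),
        "governed_slow": run_scenario(prices, slow_gov, everyone),
        # Invisible-hand model: each borrower sits in the pool whose LTV they chose.
        "isolated_low_ltv": run_scenario(prices, IsolatedPool(0.50), {"cautious": cautious}),
        "isolated_high_ltv": run_scenario(prices, IsolatedPool(0.85), {"leveraged": leveraged}),
    }


if __name__ == "__main__":
    for model, result in demo().items():
        print(f"{model}: {result}")
```

Two things stand out when this runs. In the governed market the single parameter cut applies to everyone at once: the leveraged borrower is pushed into liquidation at block 2 by the governance change rather than at block 3 by the price move alone, while the cautious borrower never notices the change at all. With the slower governance path the cut arrives after the threshold has already been breached, which is the timing problem of DAO governance in a fast-moving market. In the isolated pools, by contrast, each borrower's outcome depends only on the threshold of the pool they picked, and no vote can reach across into someone else's position.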
Local paternalism via aggregators
Aggregators are a solution to the drawbacks of isolated pools. It is sometimes claimed that aggregators help to solve the liquidity fragmentation problem associated with isolated pools, since the isolation is largely abstracted away for lenders. However, lenders are only half the equation here. Even when lenders use aggregators, the picture for borrowers is still fragmented. Aggregators enable users to deposit assets into a managed pool, where risk management is delegated to a local risk manager. They abstract away the complexities of isolated pools, offering passive access to diverse risk/reward opportunities.
Aggregators today come in several flavors. There are neutral aggregators, like Yearn and Idle, which are generally agnostic about the downstream lending markets they deposit into. They simply try to maximize the risk/reward for their users, regardless of how rewards are achieved. And there are more protectionist aggregators, like MetaMorpho, that are more opinionated about where the yield comes from, generally trying to manage risk by preserving capital inside their own ecosystem or products.
While aggregators enhance flexibility for lenders, they come with additional fees and inherent paternalistic drawbacks. And they do nothing to address the challenges facing borrowers, who still have to work with fragmented experiences and may require additional strategies or models for effective risk management.
The need for modularity and flexibility
To truly scale decentralized lending and compete with traditional finance, DeFi needs a lending ecosystem with modularity at its core, in which different protocol designs serve different user needs. There is no one-size-fits-all solution to building a lending protocol.
Governed monolithic lending protocols provide capital efficiency but lack diverse risk/reward opportunities. Isolated lending markets, driven by the invisible hand, offer flexibility but suffer from liquidity fragmentation and high borrowing costs. Aggregators, while addressing some issues, introduce their own set of challenges.
This is where protocols that leverage modularity will really shine — by their very design, they will facilitate the creation and use of highly customizable experiences — bridging the gap between monolithic lending protocols and isolated pools. Recognizing diverse user preferences, they will enable the deployment and interlinking of customized lending vaults in permissionless environments.
Modularity marks a paradigm shift in DeFi composability and connectedness. Protocols like Euler v2 will empower users to seamlessly switch between different risk management models based on their preferences. True freedom is not about choosing between paternalism vs. the invisible hand; it is about being able to switch seamlessly between whichever kind of model you prefer at any time you want.
It is this flexibility that will foster innovation and growth through network effects as more and more diverse vault types are deployed.
At the core of Euler v2’s design philosophy is the Ethereum Vault Connector (EVC), being built in-house. Although not yet deployed, the EVC is currently undergoing rigorous reviews and audits, and is supported by a substantial bug bounty. Once live, it will be the bedrock on which users can build vaults on top of vaults. This agnostic approach accommodates both immutable and governed preferences. Users seeking the simplicity of immutable, governance-free vaults can create and utilize them in a permissionless manner.
On the flip side, those desiring a paternalistic experience led by a DAO, risk management organizations, or a specialised aggregator layer can opt for that alternative. Crucially, the underlying code maintains neutrality, providing users the freedom to express their personal preferences.