Understanding how to diligently take part in Decentralized Finance
Mathieu Hardy
Smart Contract risks, Oracle risks, Regulatory risks,... all is laid out in this 40-minute webinar so you can understand for yourself what risks you should watch out for, how to mitigate them, and what rewards you might expect.
https://osom.finance/blog/understanding-how-to-diligently-take-part-in-decentralized-finance
DeFi can be rewarding
Diligently investing in the crypto market space was already complicated before the Decentralized Finance (DeFi) revolution. Understanding the DeFi risks and the opportunities of the DeFi ecosystem adds to the required due diligence.
Content
You will find below:
- The video of the webinar we recorded
- The audio of the webinar we recorded
- The presentation used for the webinar
- The full transcript, so you can easily refer to this or that bit (or better make out what was said 😉)
Webinar transcript
We wanted to start with a definition so everyone's on the same page.
DeFi, for “Decentralized finance”, is mostly defined in opposition to centralized finance, which is pretty much what everyone just calls finance, because it is the finance we've known until pretty much January of 2020. What decentralized finance is, and the way in which it's different, is that it does not rely on any central financial intermediaries such as your usual banks or brokerages, and instead relies on what are called smart contracts, so computer code. There's nothing particularly smart about them, but they're contracts written in code on the blockchain, so totally or pretty much immutable. What we mean by DeFi (decentralized finance) platforms, which are a type of decentralized app, or dApps as they usually get abbreviated, is platforms that allow people to lend or borrow funds from each other; to speculate on price movements on a very, very wide range of assets using derivatives; to trade crypto with one another or against pools; and also to insure against some of the risks.
So if you want to draw parallels to centralized finance: while a crypto lender like Nexo might need 170 full-time people on its payroll, at least according to its LinkedIn profile, to run the crypto lending business, Aave pretty much needs no people. Now they still have some: they keep doing updates, they pay attention to the front end, they release v1 and then v2, so they can have people on the payroll, but it's not strictly necessary for the smart contract to run. Of particular interest as well is that it doesn't have any financial license: because they don't execute any of the transactions, they just create the rules and put them on-chain, they don't need a financial license. That's a point where it's quite interesting, because if you don't need a license then you're somewhat censorship-resistant by default. As long as Ethereum is running, the smart contract can be running. So even if the regulators summon the team at Aave and ask them to shut down the business because it's illegal, it wouldn't be unthinkable for the team at Aave to just issue a governance token and then let the community run the entire service in a decentralized-organization type of model, without the need for anyone to actually be legally responsible, which is also something we will come back to.
minute 3:08 > So how did decentralized finance start?
It started pretty much in 2015; the first idea was around Maker. Maker had the vision to create a decentralized financial system that would be governed by its users for its users and give borrowers more control over their assets. So what you can do at Maker is deposit collateral, and it will give you stablecoins, the famous DAI.
So you can borrow DAI against a collateral deposit. DAI is pegged to the US dollar, so stable enough. And the entire protocol governs the loan issuance, the loan repayment, and the liquidation of loans that don't get repaid.
Then Vitalik Buterin, one of the founders of Ethereum, said something like "an automated market maker should be doable on the blockchain", and so someone said “I'll take up the challenge”, and Uniswap came into existence around 2018.
So Uniswap allows you to create pools of any two tokens; the ratio of those two tokens in the pool gives you the price, and anyone can come and exchange tokens one for the other for a small fee, which is how it attracts liquidity. And then Aave really took off at the start of 2020.
They started with an ICO in 2017; they used to be called ETHLend. They rebranded the service in early 2020 and allowed people to lend, borrow and earn interest on crypto assets.
So what they do is they create a pool of liquidity that people can come and borrow from. So all that is prior to 2020, but what we really saw in 2020 is DeFi take off like crazy.
So the first thing we see is that most of this decentralized finance is happening on Ethereum. You can see there's a bit of EOS, a bit of Ontology, a bit of Neo, some layer two stuff like Near, and Binance Smart Chain starting to come into real existence even though it's not really featured on the chart here, but really most of the volume is on Ethereum.
Maybe a bit thanks to the Ethereum 2.0 roadmap, because if that weren't there, the fees are so crazy that maybe no one would keep building on Ethereum. But the roadmap gives us good hope, and I'll touch on the fees again later on.
What you can also see is that just because it's happening on Ethereum doesn't mean it's only happening with ERC20 tokens or with Ether; there is also the possibility to use assets from other chains in DeFi. So there's quite a bit of Bitcoin that has been “wrapped” and ported over to the Ethereum blockchain so as to be used in DeFi, and one of the biggest areas of growth we've seen is in stablecoins. My numbers are a bit old because I took a bit of time to put the presentation together, so I only have numbers from February 4th; it's quite probably even bigger now. But what we saw was that by the end of January we had about 300 billion dollars of tokenized USD on-chain, and January 2020 was a tiny, tiny portion of that.
And what we see also is that the type of stablecoin is diversifying so whereas we had mostly USDT at the beginning, now USDC, BUSD, and DAI are becoming much more prevalent.
minute 7:24 > I wanted to introduce you quickly to the DeFi stack
So: how it's built, what all those decentralized apps are built on, and how you interact with them.
Lots of names here; if you just remember half of them, I think you'll be fine. The most important thing is to understand that you can read this column both from top to bottom and from bottom to top. Top to bottom is how you would interact with it. So you need something to click buttons on, and through those buttons you'll be interacting with code to make stuff happen, and sometimes that code will itself interact with more computer code in the background to make other stuff happen.
Behind all that code is a bit of a nervous system of price and event information that goes around, so if you want to buy stuff, the different markets you're doing it in kind of have an understanding of what the right price is.
Then there is what you handle, so what it is you exchange value for, and then the computers on which all that code runs, or the accounting database.
Which, in computer speak, gets translated into: the front end; the aggregators of dApps, or decentralized apps; the DeFi primitives, which are the basic decentralized finance use cases; the oracles, which are the ones that give us the prices and the events (prices for exchanges, for example, and events for insurance); then the units of value; and the transaction layer.
So now I read it from the bottom up.
The transaction layer is, in most of DeFi, Ethereum. The units of value can be Ether or DAI or USDC or wrapped BTC. The oracles are Chainlink or Band. Your DeFi primitives you'll find around lending, automated market makers, derivatives and asset management, so: Compound, Uniswap, Synthetix, TokenSets,... And then you have aggregators, so someone like Yearn is going to look into several lending pools to find the best yield; someone like 1inch is going to look at several automated market makers to try and find you the best deal if you want to trade one token for another. Then the front end is the buttons you click, as I said, so OSOM, MetaMask, TrustWallet, or the more DeFi-native front ends like Argent or Zerion.
There is one thing to understand with all this: although the entire ecosystem is hardening, the more you take those money legos and put them together, and the more those DeFi protocols are interconnected, the bigger your risk surface. Your entire construction is also likely to be only as solid as the weakest link in your whole lego-building endeavour. And so if one fails, or one is used improperly, it can really open up complications for all the other protocols that depend on it.
minute 10:47 > So what does that mean for you?
You have a whole stack and new primitives... Well, it means that before you had to understand about 4000 coins, which is what's listed on CoinMarketCap, which I guess you checked just like me, and now those 4000 coins you can swap them, borrow them, farm them, stake them on DeFi, exchange them,... And each of the DeFi platforms on which you can do that comes with its own risk profile.
What I'm going to focus on today, because the topic is vast and we could do at least one hour on each line, is the DeFi primitives. What's new is the oracles, the DeFi primitives and the aggregators; but the aggregators are harder to talk about in terms of risk because they take the risk of many blocks and aggregate them, and so it can become a little complicated to untangle.
So I'll just focus on the DeFi primitives, and because I assume everyone likes opportunities, I'll be talking about the money-making opportunities; so I'm going to focus on the applications for money with a lending profile.
So I'm not going to cover the borrower's scenario, and we're not going to talk about all the different liquidation policies, because that's a bit long. If you like it we can do another one; we're looking for next topics for our webinars, so just let us know in the feedback form we'll send you at the end. (If you are reading this, you can let us know at research@osom.finance.)
minute 12:18 > So what are the opportunities in DeFi as a lender or as a liquidity provider?
What we see is that whatever they are, they're growing like crazy. I showed you the difference in stablecoins between January 2019 and January 2020. Overall the total value locked, so the amount of money that's deposited in pools and collaterals and loans, was at 19 billion USD in 2020, and it has in that year expanded like never before. So 2019-2020 wasn't bad, but 2020-2021 was amazing.
What is it that those DeFi primitives mostly empower today? It's margin trading, so a lot of people are looking to borrow money to trade. Another one is getting liquidity without selling your assets: if you'd like to trade and you have a thousand dollars' worth of Ethereum, and you think that one thousand dollars is going to turn into fifteen hundred in two weeks, then it's better to borrow money against your ETH than it is to sell your ETH and buy back in two weeks. So you put in your Ethereum, you get some money, and because it's quite speculative the interest rates usually tend to be quite high. We've also found one guy who managed to refinance his house using DeFi, but so far it's only one guy, it's really new, and he was a computer engineer in Australia, so it's not exactly something I'd recommend my brother or my parents try just yet, but it gives us a look into the future. He said he did it in a day, and if he had had to negotiate this kind of paperwork with his bank, it would probably have taken him 3 or 4 months.
So now we've talked about what DeFi is as it applies to lenders and what the primitives are; we know where it comes from, and we know where it happens, mostly on Ethereum.
minute 14:40 > What can those primitives do for you?
Well, they can mostly make you money, which is an interesting opportunity. If you have spare capital, you can lend it out to those people who are looking to borrow it; then you can potentially see pretty interesting returns, especially right now, by lending it in decentralized finance as opposed to lending it in centralized finance.
I don't know what the interest rates are on your saving account, but mine is preceded by a lot of zeros.
And right now, I'll start with the opportunities first and cover the risks later, because I want you to get excited, then cautious, and not scared and then leaving.
So what types of return are we looking at in DeFi? I'm just taking three DeFi platforms which are fairly primitive; even though it's quite a step in terms of engineering, they are primitive in the sense that Aave is a place where you deposit money into pools and people can come and borrow from it.
So you as a user can go and deposit DAI or USDC or TUSD or BUSD, and you're looking at returns per year of 9.4%, 9.07%, 11.32% or 10.9%.
So that's much better than my savings account at least.
At Compound, so the algorithmic money market that lets you earn interest when people are borrowing, very close to Aave, you are also looking at 8.5% and 11.4%, and at dYdX, which is a decentralized exchange platform where, as I mentioned before, people are looking to borrow for their margin trades, you're looking for DAI on February 4th at 40% and USDC at 15%.
If that's what you get paid, you can imagine how much people are paying to borrow, so as I said, this is mostly about speculation and expecting big gains. No one's looking at borrowing here at 15% for discretionary spending needs.
But that's the kind of returns you can look at. And how are those APYs calculated?
This is so you understand what you're making money off of, and also how likely it is to continue. This is a screenshot I took from Compound, because I think they explain it quite well. Right now all rates are variable; you have fixed borrow rates on Aave, but mostly on lending all rates are variable.
And they can go from very, very nice to not so nice. Historically the yield for USDC at Compound was 2.98%; if you compare that to 10%, that's not great, but if you compare it again to your savings account, you're not doing that badly.
How is it calculated? It's calculated by looking at supply and demand: supply is how much money is in the pool, and demand is how much of it has been lent out. You can see that as I took the screenshot, 88% of the pool at Compound for USDC had been lent out, and that means that in order to try and attract more liquidity they're increasing the interest rate, and so at that time it's 13% to borrow and 10% to lend, or 10.9%.
And that's an important factor, especially for you when lending: look at the market liquidity, which basically means how much money is in the pool that hasn't been borrowed yet. 88% is being used, but that means there's some left over, and it's interesting for you to look at because it gives you an idea of how likely you are to be able to take your money out at any time. So if anyone has put a hundred and fifty million in that pool, they can't take all their money out without any notice, because there's not actually that much money in the pool.
Double digit money increase yearly and currently quite a lot of borrowing pressure so I'll assume you feel like lending and this is where I talk about the other side which is
minute 19:20 > the risk surface and risk mitigation strategies, which you can employ
So there's very good news on this slide, which is that nearly 99% of the major fraud volume in the second half of 2020 came from DeFi protocols performing rug pulls and exit scams. Which means that it had nothing to do with how safe and sound the protocols were, or how good the engineers had been at making sure we had good DeFi; it just meant that the opportunities looked very good and a lot of people, for fear of missing out, just sent a lot of their money into stuff they hadn't looked at at all.
And so in theory risk #1 is very easy to avoid. Just do some due diligence. If it's too good to be true, it probably is.
It's a bit like the ICO craze in 2017. But however easy it might seem to avoid in theory, it looks like a lot of people still feel like they are going to miss out and take on a maybe undue amount of risk.
Then I wanted to go over a list of notable DeFi hacks.
I'm not going to read them out one by one to you, but I want to point out and highlight some of the recurring themes here.
bZx revealed that they used Kyber as an oracle, and then two days later an attacker manipulated the price of sUSD by manipulating the oracle and made away with money.
Akropolis fell victim to someone utilizing a flash loan to manipulate the prices. Then Cheese Bank saw people using a flash loan to borrow, swap, deposit again, and get in and out very quickly. Then we had COVER, where it was actually more of a real flaw in the code. At Harvest Finance someone performed arbitrage, so took the opportunity between two prices for the same asset on two different markets, by using a large flash loan. Opyn was a good old-fashioned bug. oUSD was attacked by using a flash loan. Pickle Finance was hacked, and it was covered by COVER, who we talked about just before. Here you can see there are some more good old-fashioned bugs and some more price manipulation by flash loan.
So if you've been paying attention, you've probably heard me say flash loan about seven times, and I wanted to take just a minute to explain what a flash loan is, because it's a huge innovation that probably neither you nor I are ever really going to take advantage of.
It's a type of loan that was impossible before decentralized finance or blockchain: a loan that is issued without collateral but that needs to be repaid in the same transaction as the one within which it has been issued. If it's not paid back in the same transaction, then it is as if that loan never happened. So it's something between finance and Back to the Future. It doesn't make sense intuitively how things can both happen and not happen, and be cancelled if they don't happen, but it does work, and it works well in two scenarios. If you want to manipulate the price of something, you can take a huge loan to buy that thing with assets you wouldn't have had otherwise, and you can move the price. If you can move the price even for a second, then you can also position yourself on the other side of that trade and possibly make out with quite a bit of money, which has been used recurringly. The other scenario where it has been used quite a bit is to get your hands on governance tokens. So if you don't want to spend your nights and days trying to acquire MKR tokens so that you can vote when a proposal is up on the governance board, you can just borrow tokens five seconds before the thing needs to be voted on, vote, and give the tokens back, and you have the chance of having an outsized influence for the price of borrowing those tokens as opposed to the price of buying them. That's not really a DeFi use case, but I thought I'd mention it anyway.
Flash loans were invented by Aave and they've been great for arbitrageurs, which was pretty much the first thing they were invented for, but they've also been used a lot, and they keep being used, for attacking DeFi protocols, mostly through price manipulation.
minute 25:05 > So what's your risk surface?
Because all that stuff does get attacked, what does it mean for you and your money, and should you put any of your money there?
So as I said, your risk, mostly what's new to DeFi, is your smart contract risk.
You didn't have smart contract risk before you had DeFi (not like that, anyway), and so number one is those oracle attacks and clever arbitrage executions, which often go hand in hand: it is because you've manipulated the price that there is an arbitrage opportunity, and also that no one else knows about it, because you were the one manipulating the price, so you have advance knowledge.
And then the second one is contract design: if you let attackers print tokens because you left a bit of a bug in your code, you can be sure that someone is going to go in and print those tokens.
The reentrancy attack is when you go out and back in and out and back in, and sometimes if you do it enough it starts looking like a clever arbitrage execution as well.
And then there are a few front-end issues, which don't concern the protocol so much but might concern you. That might sound dumb, but if your computer isn't really up to date, if your browser isn't really up to date, you can't really know for sure that the website you're visiting is the website you were intending to visit. That was a problem faced by NiceHash. So for you as a user, even if you've done a lot of due diligence on Uniswap, and you're sure the smart contract risks are minimal and you really want to use it, it doesn't matter one bit if the website you actually go to is not the one you think it is. If you think it's Uniswap but on the back end it isn't, then all your due diligence is rendered useless, sorry. All because you just didn't keep Chrome up to date.
You can have the same type of problem with the hacked notepad; a lot of very simple things, like whenever you copy-paste blockchain addresses, people will try and get into your copy-paste functionality and offer their address instead, so when you paste you send money to them. That's kind of what happened to Cover as well.
So do pay attention to your front-end issues; even if those are kind of old issues, they remain relevant even in the brand new world.
Now, because this is finance, you still have a bit of financial risk exposure.
So while most lending platforms use collateralization or overcollateralization in order to reduce the lending risk, if that collateral is not very good then it's not of much help. That's why most platforms don't allow you to use just any token as collateral, because they need to be able to liquidate it fast enough (or at all) if they need to liquidate a position in order to pay for the loan that a borrower didn't pay back.
In liquidity pools, which is a bit of a different scenario, you still have the risk of “impermanent loss”. That's what happens when the relative price of the two assets you've put in a pool changes, because in a liquidity market maker you have two different assets. If the price of one changes relative to the other one, you might end up with less value than you would have had just holding those two assets independently. But because the price can change back the other way, it's called impermanent loss, so you really have to assess it at the time when you exit and not before.
There are two things that mitigate that. One is that you get paid a fee for providing liquidity, so if your fee revenue is higher than whatever the impermanent loss is, then it might still be worth it. On the other side, it's valid for some pools but not all: if you're providing liquidity of DAI and USDT, those are both stablecoins that are pegged to the US dollar, so their relative price is very unlikely to change by a lot.
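A worked version of the impermanent-loss comparison described above, added here as an illustration (it is not part of the webinar or of OSOM's material). It assumes a Uniswap-style constant-product pool with trading fees ignored; the pool sizes and prices are constructed.

```python
"""Impermanent loss in a constant-product (x * y = k) two-asset pool.

Added illustration: pool sizes, prices and the LP share are constructed.
"""
import math


def pool_after_price_move(x0: float, y0: float, new_price: float):
    """Reserves once arbitrageurs have traded the pool to `new_price` (Y per X).

    The invariant x * y = k is preserved (fees ignored) and the pool price
    is y / x, which fixes both reserves.
    """
    k = x0 * y0
    x1 = math.sqrt(k / new_price)
    y1 = math.sqrt(k * new_price)
    return x1, y1


def lp_vs_hold(x0: float, y0: float, new_price: float, share: float = 1.0):
    """Return (lp_value, hold_value, loss_fraction), all valued in asset Y."""
    x1, y1 = pool_after_price_move(x0, y0, new_price)
    lp_value = share * (x1 * new_price + y1)      # what the pool share is worth now
    hold_value = share * (x0 * new_price + y0)    # what the original tokens would be worth
    return lp_value, hold_value, lp_value / hold_value - 1.0


def closed_form_loss(price_ratio: float) -> float:
    """The same loss from the price ratio r = new_price / old_price alone."""
    return 2.0 * math.sqrt(price_ratio) / (1.0 + price_ratio) - 1.0


def fee_income_to_break_even(x0: float, y0: float, new_price: float, share: float = 1.0) -> float:
    """Fee income (in Y) the position must have earned to match simply holding."""
    lp_value, hold_value, _ = lp_vs_hold(x0, y0, new_price, share)
    return hold_value - lp_value


if __name__ == "__main__":
    # Constructed pool: 1,000 ETH and 1,500,000 DAI, so 1,500 DAI per ETH.
    eth, dai = 1_000.0, 1_500_000.0
    for label, price in [("ETH +50%", 2_250.0), ("ETH -50%", 750.0), ("ETH x4", 6_000.0)]:
        lp, hold, loss = lp_vs_hold(eth, dai, price, share=0.01)
        need = fee_income_to_break_even(eth, dai, price, share=0.01)
        print(f"{label:9s} LP={lp:11.2f} hold={hold:11.2f} loss={loss:+.2%} fees needed={need:9.2f} DAI")
    # Two dollar-pegged stablecoins drifting 1% apart: the loss is negligible.
    print(f"stable pair, 1% drift: {closed_form_loss(1.01):+.4%}")
```

The loss depends only on how far the relative price has moved, not on the direction of the move or the size of the pool, which is why it is assessed at exit.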
And then the last one as I said earlier liquidity: if you put, I don't know, USDC into a pool and it gets all lent out you can't take the liquidity you provided out before loans get repaid or someone else comes and adds liquidity.
Therefore it's not the liquidity of your savings account either. I mean if there's a hundred and fifty million there and you've provided one thousand you're probably good but if you provided 150 million then it's a bit of a problem. So it's better to look at pools that are quite liquid and pretty big if you're looking at providing liquidity.
Then also the APYs are variable. The one-year low is 0.68%. It's still better than your savings account, but it's no 40%. It can go anywhere between one and the other. Right now there's a lot of borrowing pressure; maybe a lot of people will come and lend, or people will stop borrowing, so it could vary quite widely. And if you remember the curve from Compound, it's not exactly linear: it's pretty flat and then it gets really steep, so the APY you expose yourself to won't go down gradually; it could go down slowly and then very quickly.
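The supply-and-demand rate mechanics described earlier for Compound, together with the liquidity and curve-shape risks above, as an added example that is not from the webinar or from any protocol's code. It uses a kinked utilization curve whose parameters are all constructed; only the 88% utilization figure comes from the talk.

```python
"""Utilization-driven lending rates and withdrawable liquidity.

Added illustration. The flat-then-steep curve shape follows the talk; every
parameter and pool size below is constructed, not a live protocol's value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RateModel:
    base: float = 0.00            # borrow rate at 0% utilization (assumed)
    slope_low: float = 0.05       # rate added per unit of utilization below the kink (assumed)
    slope_high: float = 1.00      # rate added per unit of utilization above the kink (assumed)
    kink: float = 0.80            # utilization at which the curve steepens (assumed)
    reserve_factor: float = 0.10  # share of interest kept by the protocol (assumed)

    def borrow_rate(self, u: float) -> float:
        if not 0.0 <= u <= 1.0:
            raise ValueError("utilization must be within [0, 1]")
        if u <= self.kink:
            return self.base + u * self.slope_low
        return self.base + self.kink * self.slope_low + (u - self.kink) * self.slope_high

    def supply_rate(self, u: float) -> float:
        # Lenders share the interest paid on the borrowed fraction of the pool.
        return self.borrow_rate(u) * u * (1.0 - self.reserve_factor)


@dataclass
class Pool:
    supplied: float  # total deposited by lenders
    borrowed: float  # currently lent out

    @property
    def utilization(self) -> float:
        return self.borrowed / self.supplied if self.supplied else 0.0

    @property
    def available(self) -> float:
        return self.supplied - self.borrowed

    def max_withdrawal(self, my_deposit: float) -> float:
        """What a lender can take out now, without waiting for repayments."""
        return min(my_deposit, self.available)

    def after_withdrawal(self, amount: float) -> "Pool":
        if amount > self.available:
            raise ValueError("not enough idle liquidity in the pool")
        return Pool(self.supplied - amount, self.borrowed)


if __name__ == "__main__":
    model = RateModel()
    # Constructed pool at the 88% utilization mentioned in the talk.
    pool = Pool(supplied=150_000_000, borrowed=132_000_000)
    print(f"utilization {pool.utilization:.0%}, idle liquidity {pool.available:,.0f}")
    for deposit in (1_000, 50_000_000):
        print(f"  deposit {deposit:>11,} -> withdrawable now {pool.max_withdrawal(deposit):>11,.0f}")
    # How the lender's rate reacts as borrowing demand falls past the kink.
    for u in (0.95, 0.88, 0.82, 0.80, 0.60):
        print(f"  u={u:.0%}  borrow={model.borrow_rate(u):6.2%}  supply={model.supply_rate(u):6.2%}")
```

With these constructed parameters, a drop in utilization from 88% to 80% cuts the lender's rate from about 9.5% to about 2.9%, while a further drop to 60% only takes it to 1.6%.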
You've heard me talk about the dollar-pegged stablecoins a lot; that's because most of the activity on Ethereum is done in USD. So if you rely on euros or £ or anything else to eat, then between when you put the money in and when you take the money out you might not actually have the same amount.
Now if it went up by 40%, maybe you don't care so much but.
And then there are all the risks that are just inherited from layer 1 or other levels, which I want to talk about but not for too long, because at that point we potentially have much bigger problems. That's if your stablecoin gets hacked or loses all its value.
So, for example, if Tether can no longer ensure that it has a dollar for every USDT it issues, or if Ethereum stops working, your money might be 100% lost, but you definitely won't be alone then. But you will be sad nonetheless.
And then there are the risks that come from you: as I said, pay attention to your front end, but also hacked notepads, hacked keys, hacked MetaMask, paper wallets lost in the wash, always a terrible story. And again, the biggest risk from you, at least according to CipherTrace, is that we're pretty gullible. So we fear missing out and then we rush into anything stupid.
Wikipedia said it well: “Inexperienced investors are at particular risk of losing money using DeFi platforms due to the sophistication required to interact with such platforms and the lack of an intermediary with a customer-support department.”
So I want to talk a bit about someone who does have a customer support department, because it might have sounded scary for the last five minutes, but there are also quite a lot of opportunities.
minute 33:10 > Risk mitigation
So it's best to think about it in terms of risk mitigation and not just “go” vs “no go”. I don't have advice, but I have ideas, and if you have any to complement this I'd be very interested in hearing about them.
What I wanted to share is what I do.
So you could totally FOMO into the next big thing, but with very, very, very little money; that way you really mitigate your risks.
Pay attention to the tech risk, so that's making sure you're looking at good code. So, what are the indicators for good?
- How long it has existed for: very basic, but pretty reliable.
- Whether or not it has been hacked recently, because if it has, it both proves that it can be and, if they patched it well, that maybe it won't be that way anymore.
- How good the parameters that it inherits from layer one are. So you might trust Ethereum quite a bit, but would you trust Tron just as much, or the Binance Smart Chain, or Polkadot? That's a question for you to answer.
- Whether its smart contract has been audited; if that audit is public; how much time has been spent on that audit. Usually four weeks of work time for one person is considered an interesting number; below that is not much.
- How recent the audit is, or whether the protocol has changed since.
- Do they have a bug bounty program, or are people incentivized to teach them about their bugs by stealing the money in their liquidity pool? That is of big interest for you.
- And whether you can see an active GitHub page and how many contributors they have there, because usually an engaged developer community is a good indicator.
If you look at your financial risks, which means "can you get out with at least the value you've put in", look on the platform at:
- What kind of collateral it uses for making loans, if that's the model it uses.
- Try and go in big liquid pools, as I said before, so that if you need to pull at least some of your money out you can when you need to.
- Choose your stablecoins or the assets you are lending carefully.
- And because this is all, I would say, in “Beta”, limit your exposure to DeFi risk with regard to your overall portfolio.
So I definitely don't consider this as a savings account or a pension fund.
Another aspect when I look at DeFi projects is trying to understand how decentralized they are, because obviously the more centralized they are, the riskier it is that they are just going to run away with all my money, so this is to limit the rug pulls or exit scams. Usually, looking in the audits, you can see whether they have time locks or multi-signature admin keys, or if it's just one guy with one key who controls everything.
And if they use oracles: you've seen flash loans, and the markets aren't very big, so they're pretty susceptible to manipulation. So if oracles are needed, make sure that they appear to be sufficiently decentralized. It's always safer if no oracles are needed.
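Why a single small market is a weak price source, and what several independent sources buy you, as an added example that is not part of the webinar. The pool sizes, feed names and the 2% deviation threshold are constructed, and the pool is a constant-product one with fees ignored.

```python
"""Single-pool spot price versus a median over independent price sources.

Added illustration: reserves, feed names and thresholds are constructed.
"""
from statistics import median


def spot_after_buy(token_reserve: float, usd_reserve: float, usd_in: float) -> float:
    """Spot price (USD per token) of an x * y = k pool right after one buy of `usd_in`."""
    k = token_reserve * usd_reserve
    usd_after = usd_reserve + usd_in
    token_after = k / usd_after
    return usd_after / token_after


def aggregate(reports: dict, max_deviation: float = 0.02, min_sources: int = 3):
    """Return (median_price, outlier_names) for a set of independent price reports.

    Refuses to answer when there are too few sources, or when half or more of
    them disagree with the median, because the median is then not trustworthy.
    """
    if len(reports) < min_sources:
        raise ValueError("too few independent sources")
    mid = median(reports.values())
    outliers = sorted(
        name for name, price in reports.items()
        if abs(price - mid) / mid > max_deviation
    )
    if 2 * len(outliers) >= len(reports):
        raise ValueError("sources disagree too much to trust the median")
    return mid, outliers


if __name__ == "__main__":
    trade = 1_000_000.0  # one large buy, in USD (constructed)

    # The same trade against a thin pool and against a deep one.
    thin = spot_after_buy(500_000.0, 500_000.0, trade)
    deep = spot_after_buy(500_000_000.0, 500_000_000.0, trade)
    print(f"thin pool spot after trade: {thin:.3f} USD (was 1.000)")
    print(f"deep pool spot after trade: {deep:.3f} USD (was 1.000)")

    # A protocol reading only the thin pool sees the distorted price.
    # One reading a median over independent sources does not, and can
    # flag the distorted source for review.
    reports = {"thin_pool": thin, "feed_a": 1.000, "feed_b": 1.001}
    price, flagged = aggregate(reports)
    print(f"median price: {price:.3f} USD, flagged sources: {flagged}")
```

The median only helps while the sources are genuinely independent; several feeds that all read the same thin pool count as one source.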
Then finally, my risks: so keep my computer up to date, and FOMO is a bad adviser.
Now if you're looking for a friend in that endeavor, I won't go too much into details, but you can also buy decentralized insurance against decentralized contract risk. There is Nexus Mutual, Cover, Armor.fi and Opium, and thanks to them for the table.
minute 38:08 > So do you still feel like lending?
I can show you how I've done it.
So first I spent a year reading to understand where to go and where not to go, which is kind of what I try to give you back here. Then I've used Argent as a wallet, because I think it's pretty easy, I like their social recovery model, and it has some DeFi built in natively. And I use Zerion to keep track, because I think Argent doesn't do a very good job of letting me know what happens on my wallet, but Zerion does.
So I tested the Yearn.Finance and Rari protocols, which are both aggregators, because I wanted to take a little bit more risk, and I found out during that test that it cost me a hundred and thirteen euros in ETH transaction fees. So even at fourteen percent annually I'm going to have to wait quite some time before I can make up just my fees, assuming that maybe I'm going to have to pay the same thing on the way back.
And so I gave up, and I decided that I could either wait until Ethereum 2.0, when the fees would be less important, or look to other blockchains with better fees. But then I also thought “maybe I can find some people to pool the money in with me”, because I would have paid the exact same amount of fees on Ethereum if I had sent one million euros to any of those protocols, and that's how we figured with OSOM that maybe we could start offering.
We figured we can explain to you very easily what risk surface you are exposing yourself to, so you can make your decision rapidly, with a nice grid-like decision tool which gets you to understand all those risks and risk mitigation strategies I talked about; as well as an execution service that batches transactions, so that you don't have to pay 130 euros to some 200 dollars; and you don't have any of your own custody issues, because you can't lose your keys if you don't have them.
Contact us at research@osom.finance if you want to be among the early adopters.
I also wanted to let you know a little bit of what the surface risk is with us.
So we've been working since 2017, so we're old compared to the space. We are regulated in Estonia and all our information is very public; you can go to the legal section of osom.finance. So there's very, very, very little risk of a rug pull or exit scam with us, because the regulators have all of our personal details and can very easily come after us. We undergo penetration testing two or three times a year, we have a bug bounty program, and we have yet to be broken into. Don't take this as a taunt, but this is just something we're happy to report so far. So we think we're not too bad on the tech aspect. The financial risk aspect, going in with us or going all by yourself, is pretty much the same, except we will probably save you a ton of money on fees. And also on the whole “front end and you” issue, since we manage a lot of it, there are probably fewer chances that you can make mistakes. There are still places, like copying the wrong addresses, where you could. So again, please be careful with your front end.