Author: Catarina Urgueira
(Portfolio: FORM 2016, About Tomo: Illustrator of eth Foundation)
DeFi has experienced multiple security incidents in which billions of dollars have been lost, leading to a gradual loss of confidence in its core value proposition. But insurance solutions that mitigate the risks of DeFi are critical to ensuring that DeFi can be widely adopted.
This insurance series delves into the following protocols:
Nexus Mutual, Unslashed, InsurAce, Risk Harbor, Ease.org, Sherlock, Tidal Finance, InsureDAO, Neptune Mutual, Bridge Mutual, Cozy Finance, Bright Union, and Solace
Insurance Market Overview
While DEXs and lending account for the majority of the value locked in DeFi, insurance accounts for less than 1% of the total value. However, as TVL grows, so does the potential for smart contract vulnerabilities or other attack vectors. Insurance solutions are similar to safety nets in traditional financial markets, and a prosperous solution will encourage investors, individual users, and institutions to participate in the on-chain market with confidence.
Industry pioneer Nexus Mutual has dominated the insurance market since its launch, accounting for over 78% of insurance TVL, but only 0.15% of DeFi’s overall TVL. The rest of the insurance market is fragmented, with the three protocols after Nexus accounting for about 14% of TVL.
Although the global traditional insurance market is very large and is expected to experience significant growth in the next few years, the DeFi insurance industry has become a small but very promising branch of the blockchain industry. As the DeFi insurance industry matures and upgrades, we can expect more innovations, with new protocols emerging and existing protocols improving their products to meet the needs of DeFi users.
How does DeFi insurance work?
Rather than obtaining insurance from a centralized institution, DeFi insurance allows individuals and businesses to insure their capital against risk through decentralized liquidity pools. In exchange, the cover provider earns a return on its locked-up capital, paid out of a percentage of the premiums, which creates a link between the premium and the risk of the protocol.
Cover providers invest their funds in the pools whose rewards they consider high relative to the risk of the covered protocol. This means that individuals trade event outcomes based on their estimates of the probability of the underlying risk occurring. If a protocol underwritten by an insurance provider suffers a negative event, such as a hack, the funds in the pool covering that protocol will compensate users who purchased insurance against that specific event.
Pooling resources and spreading risk among multiple players is an effective strategy for dealing with unusual or extreme events with significant financial impact. A common pool of funds can cover many times the risk with less money, providing a collective mechanism for tackling large-scale problems.
The popularity of parametric insurance in DeFi is due to its automated and transparent mechanism. A smart contract with pre-set parameters and real-time data from oracles can enable automatic claims settlement based on these parameters. This automation speeds up the claims process, increases efficiency, and reduces the possibility of human bias or error.
The ability for anyone to participate and the transparency of on-chain operations are often highlighted as the main advantages of a decentralized insurance system. As DeFi continues to grow, the need for solutions to protect user funds becomes increasingly important.
DeFi Insurance Evolution
The concept of decentralized insurance dates back to the early days of blockchain technology. Launched on Ethereum in 2017, Etherisc, the first decentralized insurance platform, provides a peer-to-peer insurance marketplace where users can buy and sell general-purpose policies such as flight delays and hurricane damage without traditional insurance companies.
A turning point for DeFi insurance came in 2019 with the launch of Nexus Mutual, the first insurance protocol purpose-built for the DeFi ecosystem. It operates under a discretionary structure, which means that the Board of Directors (all KYC-verified Nexus Mutual members) decides on all claims payments. The recent V2 release of Nexus Mutual facilitates the creation of an on-chain risk marketplace, allowing other companies to build and share crypto-native and real-world risks such as liability, catastrophe, property, and cyber insurance. Protocols built on top of this release can offer their services without requiring users to complete KYC requirements, which increases the accessibility of the platform’s risk management solutions.
After Nexus Mutual, many protocols were launched to address the remaining challenges in the field.
In November 2020, InsurAce launched, offering zero-premium pricing (ultra-low premium), no KYC requirements, and a portfolio-based multi-chain solution.
Unslashed, which subsequently launched in January 2021, provides insurance across a range of risks and allows anyone to become a capital provider and earn returns from premium policies, interest generated by finance, and the USF capital mining program, increasing the available capital for insurance.
Bridge Mutual, launched the same month, offers permissionless insurance pool creation, portfolio-based insurance coverage, and the ability to use stablecoins to underwrite policies in exchange for attractive yields. In December 2021, it released V2 with capital efficiency improvements, leveraged portfolios that allow users to underwrite multiple projects simultaneously, and Shield Mining, a feature that allows projects and individuals to contribute X tokens to the Project X Coverage Pool in order to increase Pool APY and attract more liquidity. It also introduces capital pools, the investment arm of Bridge Mutual, investing unused capital into third-party DeFi protocols and generating income for treasury and token holders.
Armor launched in late January 2021 using the Nexus Mutual model with no KYC requirements, but later introduced the Uninsurance model and rebranded to Ease.org in May 2022. In RCA (Reciprocal Covered Assets), the covered asset simultaneously underwrites assets in other ecosystems, which allows underwriting capital to be collected from capital deployed in DeFi yield strategies. In the event of a hack, Ease liquidates a percentage of funds from all vaults to compensate investors. Ease’s value proposition is based on the assumption that, on average, hacking costs far less than the premium paid.
Launching on Polygon in July 2021, Tidal Finance features a flexible weekly subscription system. The new upgraded version V2 has been on testnet since March 2023, and it will allow users to effectively set up their own custom insurance pools and policies.
Launched in May 2021, Risk Harbor is the first decentralized parametric insurance protocol that provides protection against smart contract risks, hacks and attacks. It provides automated, algorithmic, transparent and unbiased assessment of claims by comparing the redeemability of credit tokens with the issuance protocol. For example, in the case of cover for the UST depeg event, when the price of UST on Chainlink falls below $0.95, Risk Harbor will compensate, enabling holders to automatically exchange their wrapped aUST for USDC. Risk Harbor is developing two upcoming releases, V2.5 and V3, with V2.5 serving as a stepping stone to V3. Improvements in V2.5 include ERC20 holdings instead of ERC721, automatic ERC20 pledge and sell-back protection capabilities, while V3 includes cross-chain recharge and purchase, allowing a vault that includes all EVM and other EVM farms, creating a vault that is not associated with risk. It’s worth noting, however, that Risk Harbor is primarily focused on the Terra ecosystem, on which it has focused the majority of its TVL since late 2021. The team aims to expand and shift focus to the Cosmos and Ethereum ecosystems.
In September 2021, Bright Union launched as a DeFi insurance aggregator, while Sherlock launched the same month with a unique auditing approach. Sherlock set up an audit firm staffed by blockchain security engineers to review smart contracts and then use them as part of the audit process to prevent hacking. This idea of providing code auditing and coverage directly to the protocol removes the need for users to manage their own coverage. As a result, insurance protocols followed suit and started offering a similar service by partnering with external audit firms to launch their own Audit Cover product, which provides protection against smart contract risks for protocols audited by its partners.
Launched in October 2021, Solace focuses on ease of use and offers portfolio coverage that dynamically adjusts risk rates as positions change, preventing overpayments and complex policy management. It derives its own underwriting capital based on the protocol-owned liquidity model and removes the underwriting risk for token holders. Solace puts the bond plan’s assets into an underwriting pool to sell policies and use the pool to pay claims. However, the Solace team has temporarily ceased operations to develop a new version of the protocol. They identified two flaws in the insurance model that they believe go against the essence of DeFi: the need for human input in the claims process, and the need for probabilistic underwriting to generate returns. Their goal is to fix these issues in the new version.
InsureDAO launched in February 2022 as an open-to-all protocol, similar to Bridge Mutual, and the team is currently working on revising the protocol to change the model to more closely match the current market.
Launched in November 2022, Neptune Mutual aims to provide users with guaranteed payouts. In Neptune, rules are not defined on smart contracts, which hinders the automation of the claims process and relies on reporters, which requires trust-based assumptions. However, this limitation provides Neptune with an advantage, as it allows them to offer insurance that does not rely on on-chain data, such as custodial insurance.
Cozy Finance, which offers parametric insurance, recently suspended all V1 markets to launch V2, based on the idea that other protocols are restrictively designed in terms of price, payouts, and risk management. This new version allows anyone to create a new marketplace with automated payments and programmatic pricing.
Decentralized insurance has come a long way as a promising solution that the market is counting on to mitigate risk in a transparent and decentralized manner. Nexus Mutual, a pioneer in this field, still leads in TVL. However, as the industry becomes increasingly competitive, the market leaders will be the protocols that can provide scalable underwriting without fragmented liquidity, transparent and decentralized risk assessment, accurate pricing, and continuous payment of valid claims.
With more underwriting capital, protocols may offer more coverage, making them more attractive to users. However, the source of underwriting capital may affect the long-term sustainability and effectiveness of the protocol. For example, many protocols are splitting their capital pools across multiple chains, which spreads liquidity and may affect their potential for large-scale capital efficiency.
The table below compares several insurance protocols based on the source of underwriting funding.
In this section, we will explore the various types of coverage offered by different insurance companies.
Protocol cover protects customers from financial losses that may occur when using DeFi protocols. Different providers offer different levels of coverage designed to protect against certain risks inherent in the protocol. Smart contract exploits/bugs, oracle failure or manipulation, economic design flaws, and governance attacks are all threats. It’s important to note that Protocol Cover generally doesn’t protect against front-end, Discord or Twitter attacks, and rug pulls, among other risks.
Custody cover protects against financial losses that can occur when crypto assets are stored in third-party custody accounts, such as centralized exchanges. Its purpose is to provide protection in two main situations. The first occurs when the custodian suspends withdrawals unexpectedly for an extended period of time, leaving consumers unable to access their funds. The second occurs when the assets held by the custodian are stolen.
Depeg cover protects against depegging events, which occur when an asset loses its peg to the target currency. This form of insurance is widely used to protect stablecoins and other pegged assets such as stETH. Consider users who own a stablecoin that is designed to maintain a 1:1 peg to the US dollar. If the value of the stablecoin drops significantly and users are unable to convert it into the expected amount of dollars, they will suffer financial losses. Depeg insurance can help mitigate such losses by compensating users for some or all of their losses due to depegging events.
Certain conditions must be met before a claim can be submitted, and these criteria vary from provider to provider. These usually include elements such as price drop percentage and duration. When establishing a depeg claim, the time-weighted average price (TWAP) of an asset over a given period of time is often used to determine the occurrence of a loss event. TWAP calculates the average price of an asset over a specific time frame, taking into account the asset’s trading volume during that window, to assess whether a depeg event has occurred.
A number of protocols, including InsurAce, Unslashed and Risk Harbor, offered UST depeg policies during the event. According to its UST De-Peg Cover Wording, InsurAce’s cover was officially triggered on May 13, 2022, when UST’s 10-day TWAP fell below $0.88. Notably, they successfully settled claims of $11.5 million. Unslashed allowed claims after UST’s 14-day TWAP fell below $0.87, and it paid out over 1000 ETH in installments. Risk Harbor, a parametric insurance solution, facilitates reimbursement when the price of UST on Chainlink falls below $0.95, allowing holders to immediately exchange their wrapped aUST for USDC.
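The three trigger styles described above behave very differently under a bad oracle print versus a sustained depeg. The following sketch is an added example, not code from any of the protocols named: the thresholds are the ones quoted in this article, while the feeds, function names and once-a-day evaluation are constructed assumptions, and the TWAP here weights each observation only by how long it remained the latest price.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds

@dataclass(frozen=True)
class Obs:
    t: int        # observation time, seconds
    price: float  # oracle price in USD

def twap(obs, end, window):
    """Time-weighted average price over [end - window, end].

    Each observation holds until the next one. Returns None when the feed
    does not reach back to the start of the window, so callers fail closed.
    """
    start = end - window
    pts = sorted((o for o in obs if o.t <= end), key=lambda o: o.t)
    if not pts or pts[0].t > start:
        return None
    total = 0.0
    for cur, nxt in zip(pts, pts[1:] + [Obs(end, pts[-1].price)]):
        lo, hi = max(cur.t, start), min(nxt.t, end)
        if hi > lo:
            total += cur.price * (hi - lo)
    return total / window

def spot_trigger(obs, now, threshold):
    """Fires as soon as the latest observed price is below the threshold."""
    seen = [o for o in obs if o.t <= now]
    return bool(seen) and max(seen, key=lambda o: o.t).price < threshold

def twap_trigger(obs, now, days, threshold):
    """Fires only when the TWAP over the last `days` days is below the threshold."""
    avg = twap(obs, now, days * DAY)
    return avg is not None and avg < threshold

# Thresholds quoted in the article; the rule functions themselves are hypothetical.
RULES = {
    "spot < 0.95": lambda f, now: spot_trigger(f, now, 0.95),
    "10d TWAP < 0.88": lambda f, now: twap_trigger(f, now, 10, 0.88),
    "14d TWAP < 0.87": lambda f, now: twap_trigger(f, now, 14, 0.87),
}

def days_to_trigger(feed, event_t, rule, horizon=30):
    """Days after event_t (checked once a day) until `rule` first fires, else None."""
    for d in range(horizon + 1):
        if rule(feed, event_t + d * DAY):
            return d
    return None

# Constructed feeds (not real market data).
SUSTAINED = [Obs(0, 1.00), Obs(20 * DAY, 0.50)]  # peg lost and never regained
GLITCH = [Obs(0, 1.00), Obs(15 * DAY, 0.50),
          Obs(15 * DAY + 3600, 1.00)]            # one-hour bad print

if __name__ == "__main__":
    for name, rule in RULES.items():
        print(name, days_to_trigger(SUSTAINED, 20 * DAY, rule),
              rule(GLITCH, 15 * DAY + 1800))
```

On the constructed feeds, the spot rule pays out immediately in both cases, including the one-hour bad print, while the TWAP rules ignore the bad print and confirm the sustained depeg only after several days.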
Yield Token Cover
The Yield Token Cover protects against financial loss due to discrepancies between the monetary value of yield-generating LP tokens and their actual value. To qualify for a claim, the depeg percentage (e.g., as with Depeg cover) must exceed a specified threshold of token value.
Audit coverage is a protection that protocols can directly acquire to reduce the risk of vulnerabilities during audits. It adds an extra layer of security for a short period of time after the audit.
Sherlock pioneered the concept and offers up to $5 million in insurance against smart contract vulnerabilities after audits. This coverage can be activated at any time after the audit is complete, as long as there are no further changes to the codebase. InsurAce, on the other hand, has partnered with an audit firm to offer a similar product with a three-month underwriting period.
Slashing cover provides financial protection to professional validators participating in Proof-of-Stake (PoS) chains who may face losses due to slashing events. Slashing events occur when a validator violates the rules of the consensus mechanism, resulting in a penalty in which a portion of their stake is slashed or reduced.
In 2022, Blockdaemon, a well-known provider of blockchain infrastructure services for node management and staking, teamed up with Marsh, a well-known insurance broker and risk advisor, to launch an insurance policy to protect its customers from slashing events. This program attempts to provide additional security to validators against slashing penalties. That same year, decentralized insurance provider Nexus Mutual developed a decentralized solution to protect validators on the Beacon Chain, providing an additional option for validators seeking slashing insurance.
Bridges enable the transfer of funds between different networks, but they also introduce risks such as smart contract vulnerabilities, hacking attacks, and implementation or design flaws. These risks may result in inaccurate funds transfers or slippage calculations.
Some centralized bridges are vulnerable to bad actors who can manipulate liquidity pools. Whether funds are stored in a centralized or decentralized manner, points of storage can be targeted by bad actors. In 2022, hackers stole over $1.8 billion from bridges alone. The Bridge Cover was created to mitigate these risks by protecting consumers from financial loss when transferring funds across bridges.
InsurAce introduced this concept by launching a new product in partnership with LI.FI Bridge Aggregator, which has accumulated over $1 million in coverage. Risk Harbor is also working with Socket on a bridge protection system, which is still in beta testing.
Insurance providers can preserve their underwriting capital by transferring some of their exposure to other insurance providers. This reduces the provider’s overall risk and allows them to continue to offer coverage for a variety of risks without being overly exposed.
Nexus Mutual is one of the insurance companies that provides excess insurance, which insures Sherlock’s audit protocol and protects the 25% base insurance provided by Sherlock.
Insurance protocol coverage comparison
With the development of the decentralized insurance industry, various insurance protocols continue to emerge, offering different types of insurance products. A comparative table detailing the different types of coverage offered by existing insurance protocols has been prepared to help readers understand what coverage is available.
As DeFi continues to grow, it becomes more vulnerable to security attacks. In order to protect users from such risks, viable insurance protocols need to emerge. However, the DeFi insurance industry faces many challenges in providing diversified insurance coverage and accumulating sufficient underwriting funds. Protocols that split pools across multiple chains fragment liquidity and undermine their ability to be capital efficient at scale, while adequate risk management remains an area for improvement.
In the current environment, the availability of underwriting capital in insurance pools limits coverage. Protocols have been exploring strategies to generate additional income and attract more liquidity providers to expand coverage, such as depositing a certain percentage of the fund pool returns into platforms such as AAVE or Compound. However, these approaches introduce additional risks, including third-party smart contract vulnerabilities and market volatility, forcing a trade-off between yield generation and risk management.
To address these challenges, incumbents are prioritizing protocol upgrades to improve capital efficiency, coverage capacity, and user experience. Customized insurance and marketplaces are being developed to meet the specific insurance needs of DeFi users.
Parametric cover provides a viable solution for some risks, but it may not be suitable for all cover types. Reliance on oracles for data exposes the system to oracle failure or compromise, and limitations arise when interest-bearing tokens become non-transferable due to protocol upgrades. Enforcing coverage rules via smart contracts poses challenges, as it requires storing all relevant information on-chain and limits the scope of risks that can be adequately covered, but it also provides the ability to automate claims assessment.
In addition, reinsurance, as an important part of traditional insurance, is still missing in the DeFi insurance market. The practice of an insurance company transferring a portion of its risk portfolio to a third party to reduce the likelihood of having to pay a significant obligation arising from an insurance claim is called reinsurance. By transferring risk to third-party professional investors, the reinsurance approach can increase underwriting capacity, capital efficiency, and resilience. Exploring reinsurance can help mitigate the financial impact of catastrophic events like UST depeg.
In the next post, we’ll delve into DeFi insurance pricing models, exploring different approaches taken by protocols.