The recent bZx exploit has the DeFi community searching for answers in the midst of a security crisis. Insurance is an efficient way to protect oneself against risk, and DeFi investors should know the difference between various insurance protocols in the space.
Insurance Against bZx Incident
Insurance protocols, on DeFi and in the traditional system, have pre-determined risk parameters that define what kind of incidents they will cover.
A bZx lender with Nexus Mutual, who was covered for 30,000 DAI, filed a claim after the incident, despite the bZx team stating that no lender has been affected by the exploit and all funds were safe. Nexus Mutual’s claims assessment team declined the claim with seven out of eight members ruling against it.
Why was the claim rejected?
Firstly, Nexus Mutual relies on human intervention to assess claims and identify potential fraud. If a claimant files for insurance coverage when the details of the attack are not public, the odds are naturally swayed against the claimant.
Secondly, Nexus Mutual’s contract covers technical bugs in the protocol’s code—not financial risks. At the time of assessment, the prevailing theory was that the bZx trader exploited a poor oracle setup. The claim was probably denied based on a lack of information and the possibility that this was not caused by a bug.
Recent research from Korantin Auguste, an ex-software engineer at Google, revealed however that the incident with bZx was not an oracle attack, but rather an exploit of logic in the protocol’s codebase.
If this is the case, claimants who lost money due to the incident, if any, will have a better shot at receiving compensation as an exploit of coded logic could be considered a technical bug.
However, as Nexus Mutual notes, claimants stand a higher chance of receiving compensation if they wait for information to be revealed by bZx before filing a claim.
To reiterate, bZx claims no money was lost. Even if this was a technical bug, nobody would get an insurance payout.
Many investors and lenders have taken out insurance policies on bZx after the incident occurred. Nexus Mutual warned against such practices as the insurance is not valid for incidents that occur prior to buying coverage.
This is the DeFi equivalent of buying automotive insurance after a car crash.
Comparing DeFi’s Insurance Protocols
Nexus Mutual is the first insurance protocol in the ecosystem to see considerable traction. Opyn is a strong contender that announced its arrival to the main stage earlier last week.
Rather than adopting the mutual structure of insurance with claims and fraud assessment procedures, Opyn offers simple risk mitigation tactics through the use of options contracts.
An important distinction between the two is the variety of risks covered by each protocol. Nexus Mutual covers technical risks, while Opyn covers technical, financial, and admin key risks.
Hypothetically, if Compound’s DAI money market hit 100% utilization and lenders were unable to access their funds, causing a liquidity crisis, holders of put options on Opyn would be able to cash out at a pre-determined minimum loss.
Alternatively, if the team at Compound were to lose control of their admin key, allowing a hacker to steal funds in the contract, those with coverage on Opyn would be able to book a minimal loss.
Without insurance, they would lose much more in the first scenario and everything in the second scenario.
Traditional Versus Permissionless Insurance
Comparing DeFi insurance protocols to that of the traditional ecosystem is premature, but there are some obvious takeaways.
Nexus Mutual is more in line with the traditional insurance model, having a human-run claims assessment that also checks for potential fraud. The main difference here is that someone who wants coverage can be turned down by the traditional insurance company while Nexus Mutual is permissionless, meaning they cannot discriminate on any basis.
An insurance company like AXA, a $62 billion insurance company, will offer different premiums and maximum coverage amounts to different customers relative to their risk profile.
Opyn is an options contract, so that’s exactly what it represents in the traditional financial system as well. One cannot take out an insurance policy against their stocks. Instead, they buy put options that give them the right to sell the stock at a particular price.
This is a capital-efficient way of hedging financial risk; pay a one-time premium and receive risk mitigation benefits until the contract expires.
Permissionless insurance has a long way to go before it can compete with its traditional counterpart, but the strides made thus far are promising. There are risks to the permissionless ecosystem that can only be solved by more capital and liquidity flowing into these niches.
Only time will tell if these mechanisms can be implemented for insurance more broadly, or if they can only thrive within the DeFi ecosystem at all.
