Composability is the best and worst part about DeFi
Decentralised Finance (DeFi) is quite possibly the strongest and most obvious use case for Web3. It's reinventing the traditional financial system, making sophisticated financial products accessible to anyone with an internet connection.
One of the key features of DeFi is composability, where every DeFi app becomes a one-size-fits-all public API that everyone else can build and innovate upon. In this composable stack, each DeFi app specialises in one specific function and can connect to all other apps, leveraging their unique value-add and becoming “money legos”. This is in stark contrast to the traditional banking system, which consists of siloed tech stacks.
However, composability is a double-edged sword. While DeFi’s money legos facilitate more sophisticated transactions, they also increase the number of interactions with external and possibly untrusted code. In fact, any transaction on Ethereum other than simply sending ETH will interact with one or more smart contracts, with the average number of smart contract calls per transaction growing from 1.19 to 2.40 between 2019 and mid-2021. Increasingly complex DeFi interactions represent a challenge to protocol security: by the end of 2022, DeFi had already lost over $3B due to ecosystem or protocol logic attacks.
The open nature of smart contracts means that loopholes and vulnerabilities are visible to everyone. With billions of dollars in value locked in DeFi protocols, they are an increasingly lucrative target for hackers.
The solution is to simulate attacks and continuously manage risk
The most common solution used by protocols today is a security audit, but these are only performed at a point in time. Teams may add new code or make code changes without getting another audit done, opening the door to previously out-of-scope attack vectors. Additionally, these audits solely focus on a protocol’s code but don’t address the execution environment or the context in which the code will be consumed.
With DeFi, bad code will unquestionably cause financial impact. Hence, it is even more important for teams to continuously battle test their code to identify bugs and economic vulnerabilities. DeFi protocols are inextricably linked to each other one way or another.
For example, Lido’s stETH-ETH “depeg” will impact Aave as stETH represents almost 40% of collateral locked, and the price of stETH is heavily dependent on the liquidity of the stETH-ETH Curve pool. Hence, a malicious actor could initiate a liquidation spiral by executing a large stETH-to-ETH swap on Curve to push down the price of stETH and liquidate underwater Aave positions. Because of this, teams will need to perform simulations that involve multiple protocols and long interaction scenarios.
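The feedback loop described above, as a stress-test sketch added here (not code from Chaos Labs, Aave, Curve or this post). It assumes a constant-product pool as a simplified stand-in for Curve's StableSwap pool, full sale of seized collateral on liquidation, and a constructed loan book; all names and figures are hypothetical.

```python
from dataclasses import dataclass

@dataclass(eq=False)
class Position:
    collateral: float  # stETH posted as collateral
    debt: float        # ETH borrowed against it

class Pool:
    """Constant-product pool (x*y=k): a simplified stand-in, not Curve's StableSwap."""
    def __init__(self, steth, eth):
        self.steth, self.eth = steth, eth

    def price(self):
        return self.eth / self.steth  # spot price, ETH per stETH

    def sell_steth(self, amount):
        k = self.steth * self.eth
        self.steth += amount
        self.eth = k / self.steth  # ETH leaves the pool, so stETH gets cheaper

def health(pos, price, liq_threshold):
    """Below 1.0 the position can be liquidated."""
    return pos.collateral * price * liq_threshold / pos.debt

def run_cascade(pool, positions, shock, liq_threshold=0.8, max_rounds=20):
    """Apply one exogenous stETH sale, then liquidate until the book is stable."""
    pool.sell_steth(shock)
    shock_price, live, liquidated, rounds = pool.price(), list(positions), 0, 0
    while rounds < max_rounds:
        price = pool.price()
        under = [p for p in live if health(p, price, liq_threshold) < 1.0]
        if not under:
            break
        for p in under:
            pool.sell_steth(p.collateral)  # assumption: all seized collateral is sold
            live.remove(p)
            liquidated += 1
        rounds += 1
    return {"shock_price": shock_price, "final_price": pool.price(),
            "liquidated": liquidated, "rounds": rounds}

def sample_run(shock):
    """Constructed pool and loan book; none of these figures are market data."""
    book = [Position(50, 38), Position(50, 36), Position(50, 30), Position(100, 32)]
    return run_cascade(Pool(1000.0, 1000.0), book, shock)

if __name__ == "__main__":
    for shock in (10, 30):
        print(shock, sample_run(shock))
```

The gap between `shock_price` and `final_price` is the part of the price drop caused by liquidations rather than by the initial sale, which is the quantity a risk team would track when tuning liquidation thresholds and collateral caps.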
Another recent example is the “hypothetical” complex attack on Aave by Mango Markets exploiter Avraham Eisenberg, which involves REN and USDC on Aave (and CRV). Without a robust agent-based simulation tool, it would be incredibly difficult to measure the impact of such a complicated multi-protocol attack.
With billions at stake today, more is needed than a one-off, consulting-style security audit. Teams need to manage risk internally and simulate various edge cases on a continuous basis. This is where Chaos Labs comes in.
Where Chaos Labs Comes In
Chaos Labs is the first highly automated economic security system for crypto protocols. It allows improved risk management and optimisation, helping protocols navigate the challenge between capital efficiency and economic security.
A great example is how Chaos Labs’ simulation platform has been used to optimise risk parameters on Aave. Chaos Labs has also worked with and secured top DeFi protocols, including Aave, Uniswap, Chainlink, DYDX, BenQi, and Osmosis.
More specifically, Chaos Labs’ risk suite can be used to:
Optimise Risk and Capital Efficiency: Chaos Labs arms teams and communities with protocol-specific simulation models to understand the impact of varying parameter settings on protocol capital efficiency and risk. The underlying methodology and inputs are shared for transparency so that the testing process and output results are clearly understood and communicated. Chaos Labs’ state-of-the-art scenario simulation engine can recreate specific attack strategies to test and discover their applicability and profitability — as well as suggest risk mitigation tactics that should be implemented in response.
Streamline Risk Assessments: Similar to a smart contract audit, but focused on economic vulnerabilities. Developers experimenting with new economic systems and money flows can work with Chaos Labs to analyse how market shifts (e.g., liquidity, oracles, volatility, etc.) may influence or break their protocols’ economic design.
Spend Optimisation: DEXs compete rigorously to scale liquidity available to users to attract trading volume. Chaos Labs’ simulation engine helps protocol teams strategically set incentive spending to maximise ROI on lower budgets, extending runway through turbulent markets.
Conclusion
With DeFi protocols now securing hundreds of billions in value, the stakes have never been higher. In a future where DeFi continues to grow exponentially, complexity and interdependencies between protocols will only continue to increase.
As such, Chaos Labs will play a crucial role in providing protocols with custom and automated economic security tooling that verifies a protocol's durability and stability in any market condition.
If you are a protocol looking for a risk management suite, we welcome you to reach out to us (deal@tioga.capital) and we’ll make a warm intro to our friends at Chaos Labs.
_____
Disclaimer: This post is for general information purposes only. It does not constitute investment advice or a recommendation or solicitation to buy or sell any investment and should not be used in the evaluation of the merits of making any investment decision. It should not be relied upon for accounting, legal or tax advice or investment recommendations. This post reflects the current opinions of the author(s) and does not necessarily reflect the opinions of Tioga Capital. The opinions reflected herein are subject to change without being updated.