The Balancer exploit and Stream collapse: How vaults can strengthen DeFi
Like many in the DeFi space, we were shocked and saddened to see Balancer get exploited. This time felt different since Balancer is such a stalwart of the DeFi ecosystem and we really respect the team.
Many of the attributes that typically indicate a ‘safe’ protocol applied to Balancer: time in market (4+ years without major exploit); TVL (>$1b at its peak); number of forked implementations (many); number of audits (many); etc.
Stream, while very unfortunate for depositors, did engage in risky practices and there were early warning signs.
But given all of that, we thought it’s a good time to reflect on the risks of DeFi, explain why we think DeFi vaults can mitigate these risks, and rebut some of the critiques of vaults: this is a RockSolid Defence of vaults.
DeFi has risks
Crypto innately has risks. There’s no hiding this. DeFi adds extra risks (as well as extra returns).
We think of crypto risk as being on a risk/reward curve. Owning crypto itself is risky. But we assume that if you’re reading this you already own crypto, and are comfortable with that inherent risk in that portion of your portfolio.

Owning spot crypto is the ‘lowest risk’ way to be exposed to crypto.
Staking is the next least risky thing if you want to earn more than spot returns. You introduce some new risk: slashing risk, and some counterparty risk depending on node architecture.
Beyond that you end up in DeFi, and there is a very large spectrum of risk within that:
Self-managed 'simple DeFi' is the next least risky thing you can do. But a key requirement here is that users have technical and DeFi proficiency (knowing how to use a wallet, keep their keys safe, assess protocol risk, etc). In this category we put 'set and forget' strategies like:
- simple borrow/lending in very large and battle-tested protocols like Aave
- simple LPing in DEXes like Uniswap (and we would’ve mentioned Balancer in the same breath)
‘Balanced’ DeFi vaults are next on the risk spectrum. Vaults introduce a new set of risks and trust assumptions, and several new parties are involved. You trust that the vault distributor, infrastructure, and strategy manager (aka curator) all do what they say they’ll do. You trust that the security/custody setup is strong. You trust that the strategies are transparent and are actually what is advertised on the front-end. And you’re exposed to the risks of the underlying DeFi strategies.
But well-managed ‘Balanced’ vaults have several advantages: a professional DeFi strategy manager is monitoring positions 24/7 (so you don’t have to); well-run vaults can diversify their exposure into a range of protocols and strategies (meaning even if one is exploited, losses are contained to that portion of the portfolio - notwithstanding correlation or contagion); vault curators have personal relationships with DeFi protocols and founders (allowing them to negotiate the best ‘deals’ for depositors).
Self-managed ‘complex DeFi’ is next on the risk spectrum. This is where you as an individual manage more complex strategies such as looping, borrowing non-correlated assets (e.g. stablecoins against your ETH), depositing into new protocols or airdrop farms, etc. Here it’s (mostly) ‘your keys, your coins’ and you don’t need to trust a third-party manager or vault infrastructure, but you are still exposed to the underlying risk of the DeFi protocols.
The cost of this is that it’s up to you to monitor positions and health factors. If something blows up in DeFi while you’re asleep, you might lose your funds - e.g. if you were on a US timezone when the Balancer exploit came to light, you were likely asleep, and so you probably weren’t going to be the first one to the exit. In order to effectively monitor risk, you need sophisticated monitoring tools, need to live on crypto twitter, and can never take a vacation.
YOLO DeFi is what we call the next step on the curve. Activities here include participating in eye-watering yield farms and incentive campaigns, earning (on paper at least) tens or hundreds of percent in APR. People participating in this part of DeFi probably understand the risks (no crying in the casino). So it goes without saying these APRs are highly risky and mostly unsustainable, but offer opportunities for short-term gains.
YOLO DeFi vaults we put at the top of our risk spectrum. These have all of the trust assumptions of what we called ‘Balanced’ vaults, but introduce even further risks. They are often opaque in their strategies. They often offer very high APRs, powered by unsustainable strategies, high leverage, and directional price risk that gets exposed during times of high market volatility. They are often anonymous teams (increasing rug risk). They often use questionable practices to inflate their TVL (e.g. looping their own vault receipt token or recycling TVL through related-party vaults), and often have large exposure to “offchain” lending arrangements that are impossible for depositors to see.
Such vaults are arguably worse than YOLO DeFi, because they present themselves with an aura of legitimacy and target users who don’t understand the risks. That's why we place them off the 'efficient frontier' of the risk/reward curve.
Not All Vaults are Created Equal
There is a spectrum of risks within vaults and the strategies they run. And there is a spectrum of competence and integrity of the teams operating them.

We agree with Morpho cofounder Paul Frambot’s tweet below. And we’d also add to it that transparency, education, and clear communication about risks are also very important. Too many DeFi projects obscure risks (either deliberately or via incompetence) by using jargon - both technical and financial.

For an example of the lack of transparency of many vaults, see screenshots from the Stream pages below:

Stream provides a general overview of what the strategies could be, but doesn’t list the specific strategies that are deployed. It took @Schlagonia to do onchain sleuthing to surface the risk of the Stream strategies. On the Stream front-end, it lists a series of risks of its vault, but notably they don’t list leverage or recursive looping as one of their risks (this is what ultimately brought them undone). Their transparency page was “Coming Soon”.

Not all vaults are created equal. Vaults can do better. And we believe RockSolid vaults do.
Addressing some arguments against vaults as a product
The collapse of Stream has led to some critiques of vaults as a DeFi product more generally. We wanted to highlight these arguments, and why we disagree with them:
“Vaults Lack Transparency”

We agree many vaults lack transparency, and agree that many vaults rehypothecate risk in complex and obfuscating ways. Stream was an example of this.
But vaults need not be that way.
RockSolid is different: Our strategies are listed at the bottom of our app under the "Portfolio" heading, with detailed weekly allocation and APR breakdowns. These deployments can be verified on Debank.
“Vaults are too centralized”

Many vaults have trust assumptions. A rare few are fully decentralized. There are tradeoffs to both approaches. But this is a deliberate design space.
Transparency and the enforcement of controls are critically related to these decisions.
RockSolid is transparent about the roles and trust assumptions of our vaults in our architecture docs. The vault design intentionally favors the ability to move quickly (to access opportunities and mitigate crises) and the lack of reliance on trustless oracles (which mitigates mispricings and economic exploits). These are deliberate decisions, and are features not bugs.
“Just use Aave”

Aave is great, and it serves a critical role within DeFi. But DeFi exists on a risk spectrum.
The RockSolid rETH Vault deploys rETH. Supplying rETH on Aave earns <0.01% APY. Supplying ETH on Aave at time of writing earns 1.88% APY - less than the staking rate. So as an ETH holder you’re better off staking or simply holding rETH than lending on Aave.
Saying "Just use Aave" is equivalent to someone in TradFi saying "Just use your FDIC-insured checking account and earn 0.01% APR on your cash". The checking account is one product on the risk/reward spectrum of TradFi products, but it doesn't meet all of your TradFi needs. Likewise, Aave serves a different purpose to Vaults, and Aave lives at a different part of the risk curve. Aave doesn't help rETH holders earn a higher APR, but RockSolid does.

“DeFi isn’t worth the added risk”
DeFi involves risk. But DeFi exists on a risk/reward curve. Vaults can actually help manage this risk. Managed vaults can add diversification and monitoring from an active professional strategy manager.

Balancer shows that even bluechip protocols can be subject to exploits. A vault that responsibly diversifies across a range of protocols can mitigate this risk.
The details matter though: Stream was ostensibly deployed across a range of strategies. But in reality it was highly concentrated and over-leveraged. Vaults must be well managed and actively monitored by professionals in order to mitigate risk (notwithstanding contagion or correlated losses).
RockSolid aims to be better
It’s in our name. We want to do better than what’s the norm in DeFi. We want to make DeFi more accessible, while also being clear and transparent about risks.
We want to be RockSolid. Here are some things we do to achieve that goal:
Transparency and clear communication
We strive to be transparent (both onchain and offchain). The strategies run by strategy managers are listed at the bottom of our app under the "Portfolio" heading, with detailed weekly allocation and APR breakdowns. These deployments can be verified on Debank.
We aim to communicate clearly in plain language, avoiding jargon which masks what’s going on under the hood.

Our docs describe our product architecture, risks, trust assumptions, and design tradeoffs. Our team is doxxed and has experience in TradFi.
Seeking the best risk-adjusted rewards
We don’t simply chase the highest headline APR or other vanity metric. RockSolid partners with strategy managers who seek the best risk-adjusted reward while maintaining liquidity for users and mitigating liquidation risk.
This means RockSolid vaults don’t engage in highly leveraged and self-referential strategies. RockSolid's founders have spoken publicly about the contagion risks from leverage in DeFi.

Seeking the best risk-adjusted rewards means our APRs and TVL are going to be lower than other competing vaults that run aggressive, highly leveraged strategies (and often also run self-referential loops on their own vault tokens to artificially inflate TVL, like Stream).
Conservative looping
Other vaults have compensated for falling APRs in DeFi by taking on more leverage and looping more aggressively. Indeed during recent market turmoil, some vaults have had trouble honoring timely withdrawals due to the cost and difficulty of unwinding their loops. Curators have frantically been shuffling funds to meet redemptions. Some vaults have been stuck with negative returns on their looped strategies when funding rates turned sour, but have been unable to exit due to the amount of leverage.
Our strategy managers have deliberately decided not to do this in order to avoid the liquidity and liquidation risks of high leverage. In the RockSolid rETH vault, allocation to looped rETH is in low single digits (as seen in our strategies reports, and verifiable onchain via Debank).
Importantly, the vault doesn’t loop its own rock.rETH receipt token within the vault to inflate TVL.
Institutional-grade MPC signing
We’re transparent on our infrastructure and signing setup. Vault transactions are executed via MPC policy using Fordefi, an institutional-grade solution. Transactions require multi‑party signing across multiple entities to ensure that no single entity can unilaterally move funds. We use Fordefi to enforce policy controls so that funds can only be deployed into pre-approved and whitelisted strategies.
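A sketch of the two controls described above, a quorum across distinct entities plus a destination allowlist, added here as an illustration. It is not RockSolid's or Fordefi's code or API, and every signer name, entity, address and selector in it is a constructed placeholder.

```python
from dataclasses import dataclass

# Hypothetical allowlist of (contract address, 4-byte function selector) pairs.
# Pinning the selector as well as the address means an approved contract
# cannot be called through a function nobody reviewed.
ALLOWED_CALLS = {
    ("0x" + "a1" * 20, "0x11111111"),   # constructed: strategy A, deposit
    ("0x" + "b2" * 20, "0x22222222"),   # constructed: strategy B, supply
}

# Hypothetical signer -> entity mapping. The quorum counts entities, not keys.
SIGNER_ENTITY = {"alice": "distributor", "bob": "distributor",
                 "carol": "curator", "dave": "infrastructure"}
REQUIRED_ENTITIES = 2


@dataclass(frozen=True)
class TxRequest:
    to: str            # destination contract address (hex)
    data: str          # hex calldata, "0x" + selector + arguments
    approvals: tuple   # signer ids that approved this request


def policy_violations(tx: TxRequest) -> list:
    """Return the reasons to reject tx; an empty list means it may be signed."""
    reasons = []
    to, data = tx.to.lower(), tx.data.lower()   # hex casing must not matter
    # A bare value transfer carries no selector and is rejected (fail closed).
    selector = data[:10] if data.startswith("0x") and len(data) >= 10 else None
    if selector is None:
        reasons.append("no function selector in calldata")
    elif (to, selector) not in ALLOWED_CALLS:
        reasons.append("destination/function is not on the allowlist")

    unknown = sorted(set(tx.approvals) - SIGNER_ENTITY.keys())
    if unknown:
        reasons.append("approval from unknown signer: " + ", ".join(unknown))
    # Duplicate approvals and two keys held by one entity collapse to one vote.
    entities = {SIGNER_ENTITY[s] for s in tx.approvals if s in SIGNER_ENTITY}
    if len(entities) < REQUIRED_ENTITIES:
        reasons.append(f"approvals span {len(entities)} entities, "
                       f"need {REQUIRED_ENTITIES}")
    return reasons


def is_approved(tx: TxRequest) -> bool:
    return not policy_violations(tx)
```

Counting entities rather than signatures is what makes "no single entity can unilaterally move funds" hold when one organisation controls more than one key.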
Summary
We’re sad about Balancer. We're sad about Stream. Both of these events hurt users and hurt the reputation of DeFi.
But we believe vaults will be a fundamental part of mainstream DeFi adoption. Vaults abstract away DeFi complexity. They allow single click access and seamless integration to products. And they can help mitigate the risks of DeFi via diversification and active management.
Not all vaults are created equal. Our vaults are RockSolid.
About RockSolid
RockSolid offers institutional-grade liquid vaults with managed DeFi strategies to help asset issuers and custodians generate higher rewards for token holders. Rewards are generated through active DeFi management, optimising DeFi positions and securing the best private deals available.