Funnel some small percentage of rewards towards a socialized insurance fund denominated in a mix of BTC/ETH that will be used to protect Yearn platform users from suffering losses in the event of hacks/smart contract issues.
If implemented, a percent of yUSD rewards that goes through TreasuryVault will be redirected to an insurance fund account, where they will be swapped for a TBD mix of BTC/ETH to minimize USDT exposure and smart contract risks carried by yUSD. These rewards will accumulate and be used to help cover losses for platform users affected by hacks/smart contract issues. Fund accumulation will occur until a community-determined dollar amount and/or a certain ratio of insurance fund to AUM is reached, allowing the insurance fund to scale along with the amount of assets on the platform. This complimentary insurance would cover as much as possible per user affected in any incident, taking into account the size of the fund. Payouts will be controlled by the multisig holders.
Insuring the safety of our users’ funds aligns with Yearn’s ethos of doing what it can to provide for the public good. Currently, we have some systems in place to wind down and prevent liquidations, but there remains risk from hacks and smart contract bugs. At a minimal cost to governance, this insurance fund will give users more confidence in the protocol and as it grows in size it will also function as an additional value add that cannot be easily replicated (moat), protecting YFI against protocol fork risk going forward. Lastly, it moves the DeFi space forward in general, as only reputable CEXs have implemented programs like this - it would be a first for DeFi.
Implementation TBD, but based on previous YIP by @banteg, if ratified, the easiest way to achieve the result may be to add to the middleware contract that already splits rewards between Governance and Gitcoin wallet. We would add another split for the insurance fund with conditions added. Multisig would be in control of distribution of the fund itself.
For: In favor of directing 0-5% of rewards towards insurance fund
Against: No Insurance fund
- In favor of directing 0-5% of rewards towards insurance fund
- No insurance fund
Are all vaults equally at risk of this type of liquidation problem? If not, those that are more risky or more likely to need the insurance should pay more?
Also, as has been suggested before, we should consider whether some compensation for strategy authors should be held back to cover these types of risks or even more generally to ensure they take risk of loss or failure into account.
Good point. This coverage certainly applies more so to the debt-based strategies, but it could be useful in a USDT rugpull. I was thinking 1% of rewards to cover everything on the platform for simplicity (it would be good for marketing, too), but maybe it makes sense to be more granular here. Open to ideas.
Edit: This YIP has since been changed to not cover liquidations, only hacks/theft and smart contract issues.
It may be worth figuring out if the strategy risk is generally similar or not, although the relative APYs suggest that they may have different perceived risks.
Also, have you considered what the insurance payout would look like (100% covered or pennies on the dollar) and how long it would take to get those assets? You suggest the assets would be invested in yUSD to be available for payouts, but that suggests yUSD has little or no risk. What if there are problems with two vaults back-to-back in a short time period? Would only 1/2 the insurance amount be available for any vault?
I see what you’re saying about strategies having varying levels of risk but this insurance could also be used for coverage against hacks/theft of funds, smart contract issues. Another option is to change this proposal so that it no longer insures liquidations and only protects users against hacks and smart contract issues. That way, all users benefit. Perhaps liquidation insurance fund is a separate YIP.
As far as payouts, we obviously can’t guarantee this complimentary insurance will 100% cover all assets at first, but we can simply say that it will cover as much as possible per user affected, taking into account the amount in the fund.
I agree that the fund should probably be a mix of BTC, ETH to reduce risk since yUSD contains exposure to USDT as well as the underlying vault risks.
Updating the proposal with the changes in above comments
This is a fantastic idea!
Am for. But should we not denominate in yUSD as this is essentially our flagship token?
This would make more sense to me personally.
My original idea was to denominate entirely in yUSD, but my thinking now is if we are protecting against smart contract risk, yUSD isn’t the best choice because it’s exposed to all the underlying vault smart contracts. There is also the elephant in the room that USDT may very well be significantly undercollateralized (not 1:1 USD); if that $15B bubble were to pop, it would likely destabilize the yUSD basket (yyDAI+yUSDC+yUSDT+yTUSD).
Bump. Added poll so people can vote.
So while I think a mixture of ETH and ren/wBTC would be a good option– sticking them in other platforms (Aave, Compound, Curve) to earn some small amount of returns– what exactly are we worried about here?
For instance, is there code shared by all of the vaults that could serve as a potential weak point? If so, a more conservative strategy in ETH/BTC on other platforms makes sense– but what if we just held a few of our highest-yield vault tokens together as insurance against each other? They would earn much higher yields– perhaps a mixture of ETH/BTC and “sufficiently distinct” vault tokens would be a good option?
This would be for a “TheDAO 2016” situation where a significant amount of funds are drained from the DAO. If user funds are unrecoverable, this would be the fallback and would save the protocol’s reputation. My thinking was the fund should probably be separate from the ytokens/yvaults used in normal investment operations so that it isn’t exposed to the underlying smart contract risks that are taken on when layering outside platforms for yield. This may mean that the insurance funds accumulated (or a portion of them, at least) need to stay uninvested in the insurance account? Not sure.
How much do you think we would have to set aside in non-yielding assets to have a fund large enough to meet this goal? What timeframe are we looking at for getting to that point?
Good questions… Hard to know how big a potential issue could be (DAO theft was ~50M USD, bzrx ~8M USD, Mt Gox ~500M USD) but with the growth that will be coming to vaults, I would say to let it accumulate in uninvested WBTC/ETH until the size of the fund is $100M (arbitrary) or a certain ratio (1:10? arbitrary again) to amount of assets under management and then invest any excess insurance funds contributed beyond that in yvaults to grow it. Hard to pin down timeframe for reaching full $100M coverage until we know the fee structure going forward, but this is definitely a longer term thing. I just think it’s important to have something set up starting to accumulate funds, even if it is only a few million dollars, in case we have some issue like bzrx did recently.
Given how volatile crypto is, I think it would be good to have a portion of insurance funds in USD. USDC is a good choice as it is 100% backed and has good liquidity.
My concern with USDC is that it’s centralized, so individual coins could potentially be frozen by the issuer/regulators located in the USA. DAI may be a better option if we want to include USD in the mix. Trustless tBTC is looking interesting for this use case as well, as WBTC faces the same centralization problem. RenBTC will be decentralized in the future so that’s to be considered imo.
This is a good proposal, however, insurance will be difficult to get, as NexusMutual will most likely cover insurance up to a certain amount and not the whole Vaults and/or a specific Vault. That’s the only issue I see with this proposal.
There is not actually any insurance being purchased by this fund, so it’s not tied to Nexus Mutual or other insurance markets in any way. This proposal is effectively just a stash of emergency funds administered by the multisig to compensate users in case anything goes wrong. It’s a safeguard against the sort of thing that caused the collapse of TheDAO (and ultimately ETH, leading to ETC fork) in 2016.
With the new version of yUSD coming out, that could actually be a good fit. I know I said it would probably be best to keep these safety funds separate from yearn and underlying contracts, but if yUSD only makes up a portion of the reserve (1/3?), I think it might be OK
If capital is going to sit idle earmarked for a “rainy day” then it should at least be in the form of yUSD to organically grow AUM and the cash reserves.
There is not actually any insurance being purchased by this fund, so it’s not tied to Nexus Mutual or other insurance markets in any way. This proposal is effectively just a stash of emergency funds administered by the multisig to compensate users in case anything goes wrong.
Why not both? A mix of different insurance platforms + options + emergency funds earning interest.
Of course now it becomes something to actively manage…