Insurance Mining + Opyn Musings

Some observations on the recent Opyn $100k hack, and why insurance mining could be the next big thing

It’s never a dull day on Crypto Twitter. Yesterday’s highlights were probably Opyn getting hacked for $100k and Trail of Bits catching a $400k exploit in the YFI v2 vault contract before it could be used. The main topic I’d like to discuss is the Opyn hack, given their rivalry with Hegic, which also got hacked earlier this year (for a smaller amount). I’ll make a video later explaining how the hack itself happened. For now I’m going to reconstruct my thought process as I read about these events as they unfolded, with takeaways throughout.

Something’s in the air

It started off when rumours went around that something funky was going on with Opyn, and then the team announced the exploit via Twitter here:

My initial thought, shared by many others, was that there’d be a payout: they’re venture funded, and paying $100k to protect your reputation when you’ve raised $2m isn’t a big deal. The problem is that this starts to create VERY skewed expectations among users.

DeFi is inherently risky. Treating it as anything else is a dangerous mentality that I see forming all over DeFi, and it’s getting pretty concerning. Here are a few takes from Lesher and Andre:

I agree with both of them. We’re starting to get retail-level FOMO for some of the most complex pieces of money-handling software ever written, used by people who understand very little about how the mechanics of any of it work. The 2017 “dangers” were far clearer, since it took someone with at least half a brain to figure out what was wrong with the hypothetical dream being sold to them for $100m. It’s funny, because the number of people who understand how a consensus protocol works and can reason about what happens in a given scenario is actually pretty high. We’ve had about 10 years of experience in this industry deconstructing the mechanics of Bitcoin, Ethereum and plenty more, and you only need good computer science fundamentals plus some cryptography to understand the bulk of it. DeFi, on the other hand, is a whole new skillset that requires fairly detailed financial knowledge alongside the technical knowledge. People with both skillsets are rare, and the pace of innovation means very few are left who understand what’s going on. I’d expect this to change after the next bear market, once 10x more talent comes in and the crypto community is much larger than it is today. For now, though, DeFi is quite literally a game for a certain set of rich techno-elites.

Double Standards

If there’s one thing I find hilarious about the ETH community, it’s that the reaction you get to an event is always based on the kinds of relationships you have. Once again I find myself quoting DegenSpartan, as he captures this sentiment perfectly.

I don’t have anything against auditors or the Opyn team. What I find hilarious about the Crypto Twitter reaction to this event is the lack of crusading over this bug. Sure, Hegic didn’t write tests. But the anon dev paid for an audit out of their own pocket (no money raised) because they fundamentally cared about the security of their users. So why is there no outcry this time? Well, take a read of the following headline and first few paragraphs:

Anyone you know on Crypto Twitter who is associated with these people is basically guarding against the crusading. Come out against these people and you’ll get steamrolled in ways you don’t want. Is that wrong? Not really; it’s just the nature of the game. So what’s the takeaway?

Don’t rely on Crypto Twitter to form your opinions on issues. Look at the events themselves and notice what isn’t being said.

That being said, when things go wrong for someone who doesn’t have these powerful names behind them and hasn’t shown complete negligence, we should probably have a bit more empathy rather than causing the following situation:

I somewhat think the reason for YFI’s popularity is that Andre is against the establishment, and represents that through the experiences he’s been through.

Auditing Issues

Going back to the root of this whole incident, I still find the auditing process extremely broken. It’s frustrating to see, especially as a builder and someone who is looking for an auditor right now. The going price for an audit at the moment is anywhere between $30k and $75k USD. Yes, you read that right. And the best part is that this large capital hit buys you a one-time review: an audit covers the code as it stood at one point in time, so for every update you make you either keep forking out money or you take a probabilistic bet that nothing goes wrong, which is the bet Opyn had to take. Of course an audit is still cheaper than having your contracts hacked, but not everyone can afford to keep paying such large amounts. So what’s the solution? The best answer so far: community buy-in through multiple avenues.

Think about it: YFI basically gets free audits now, given the large number of people who care about it succeeding. Synthetix, MakerDAO and Aave are in the same league. The number of people with a financial interest in their success is so high that any code that gets pushed has tons of eyes on it from day one. This is why I think making your early community rich is going to become more and more important. There’s another very interesting approach being floated, and that’s insurance mining:

That being said, Tyler does raise a good point:

I personally love the idea of capping a protocol’s exposure at the amount of insurance it has, although I don’t know if you can get rid of an audit entirely. One side says you still need it, but at $50k and 2-3 months of waiting time, I’m not so sure. Anyway, I’m still wrestling with this and would love everyone’s feedback and thoughts.