Kerman Kohli

Share this post

Insurance Mining + Opyn Musings

kermankohli.substack.com

Insurance Mining + Opyn Musings

Some observations from the recent Opyn $100k hack and why insurance mining could be the next big thing

Kerman Kohli
Aug 5, 2020
4
Share this post

Insurance Mining + Opyn Musings

kermankohli.substack.com

It’s never a dull day in Crypto Twitter, yesterday’s highlights were probably Opyn getting hacked for $100k and Trail of Bits saving a $400k exploit in the YFI v2 vault contract. The main topic I’d like to discuss is the Opyn hack - given their rivalry with Hegic, which also got hacked earlier this year (for a smaller amount). I’ll make a video to explain how the hack itself happened later on. For now I’m going to help you reconstruct my thought process as I read about these events as they unfolded with takeaways throughout.

Something’s in the air

It started off when rumours went around that something funky was going on with Opyn and then the team announcing the exploit via Twitter here:

Twitter avatar for @opyn_
opyn @opyn_
Here is an overview of the incident affecting ETH Put contracts. No other contracts are affected. ~371k USDC was lost. We worked with @samczsun to whitehack, securing ~439k USDC. Affected users, please see below. Full post-mortem coming in next few days.
medium.comOpyn ETH Put ExploitAn exploit affecting the Opyn ETH Put contracts has been discovered. Other Opyn contracts and options beyond than the ETH Put contracts…
10:50 PM ∙ Aug 4, 2020
210Likes67Retweets

My initial thoughts alongside many others was that there’ll be a payout given they’re venture funded and paying $100k to retain your reputation given you raised $2m isn’t a large deal. But the problem is that this starts to create VERY skewed expectations to users.

Twitter avatar for @DegenSpartan
찌 G 跻 じ ⚡️ 🔑 @DegenSpartan
this space walks a fine line between shared risk-taking and bailout culture but as long as the bailout money is coming from VCs, i guess i don't really care? then again, this culture makes for weak warriors who will be annihilated later since they have no experience with risk
5:56 AM ∙ Aug 5, 2020

DeFi is inherently risky, treating it as otherwise is a very dangerous mentality which I see forming all over DeFi and it’s getting pretty concerning. Here’s a few takes from Lesher and Andre:

Twitter avatar for @rleshner
🤖 Leshner @rleshner
@intocryptoast Yes - watching people chase returns without taking a half-second to ask questions, contemplate risk, or understand what they are doing. It's a recipe for disaster, and a lot of users will get burned - badly. It's a question of when, not if.
7:56 PM ∙ Aug 1, 2020
68Likes6Retweets
Twitter avatar for @AndreCronjeTech
Andre Cronje @AndreCronjeTech
"intentionally" aside, I do agree with him. People are putting far too much capital at risk. It is at a point again where I'm terrified to build, just because of the sheer amount of potential losses.
9:47 AM ∙ Aug 2, 2020
122Likes10Retweets

I agree with both of them. We’re starting to get retail level FOMO for some of the most complex pieces of software that handle money used by people who understand very little about how the mechanics of all of this works. 2017 “dangers” were way more clear since it took someone with at least half a brain to figure out what was wrong with the hypothetical dream being sold to them for $100m. It’s funny because the number of people who understand how a consensus protocol works and can figure out what happens in certain scenarios is pretty high. We’ve had about 10 years of experience in this industry deconstructing the mechanics of Bitcoin, Etheruem and plenty more. Furthermore, you just need good computer science fundamentals with cryptography to really understand the bulk of it all. DeFi on the other hand is a whole new skillset that requires pretty detailed financial knowledge alongside technical knowledge. The overlap of these two skillsets is becoming increasingly rare and the pace of innovating means that very few are left with enough to understand what’s up. I’d think this changes after the next bear market after 10x new talent comes in and the new crypto community is much larger than it was before. For now though, DeFi is quite literally a game for certain rich techno-elites.

Double Standards

If there’s one thing I find hilarious in the ETH community, it’s that the reaction you get from an event will always be based on the kinds of relationships you have. Once again I find myself quoting DegenSpartan as he captures this sentiment perfectly.

Twitter avatar for @DegenSpartan
찌 G 跻 じ ⚡️ 🔑 @DegenSpartan
i for one am personally looking forward to all the ppl that had spicy hegic takes to absolutely crucify and then quarter the opyn team and their SC auditors for today's exploit because they are ethically consistent and their standards have nothing to do with personal relations
Twitter avatar for @DegenSpartan
찌 G 跻 じ ⚡️ 🔑 @DegenSpartan
@Onchained @DeFi_Dad @HegicOptions @0mllwntrmt3 all i can say is that the ETH community has massive double standards of what is considered acceptible mistakes and what is grossly negligent and irresponsible
12:45 AM ∙ Aug 5, 2020
44Likes3Retweets

I don’t have anything against auditors or the Opyn team, however what I find hilarious about the Crypto Twitter reaction of this event is the lack of crusading for this bug. Sure Hegic, didn’t write tests. But the anon dev paid out of his own pocket (no money raised) to pay for an audit since he fundamentally cared for the security of his/her users. So why is there no outbreak? Well take a read of this following headline and first few paragraphs:

Anyone on Crypto Twitter you know associated with these people is basically guarding the crusading. You come out against these people, you’ll basically get steamrolled in way you don’t want to. Is that wrong? Not really, it’s just the nature of the game. So what’s the takeaway?

Don’t rely on Crypo Twitter to form your opinions on issues, look at the events and see what isn’t being said.

That being said, when things go wrong by someone who doesn’t have these powerful names behind them and doesn’t show complete negligence, we should probably have a bit more empathy rather than causing the following situation:

https://medium.com/@andre_54855/building-in-defi-sucks-b8fdfda0ef58

I somewhat think that the reason for YFI’s popularity is that Andre is against the establishment and represents it through the experiences he’s been through.

Auditing Issues

Going back to the root of this whole incident, I find the process of auditors extremely broken still. It’s frustrating to see, especially as a builder and someone who is looking for one right now. The going price for an audit at the moment is anywhere between $30k-$75k USD. Yes, you read that right. Oh and the best part is that it’s a one time hit of such a large capital hit. Any updates you make, either you keep forking out money or you have to take a probabilistic bet of anything going wrong - which Opyn had to do. Of course an audit is still cheaper than having your contracts hacked but not everyone can afford to keep paying such large amounts of money. So what’s the solution? Best answer so far, have community buy-in through multiple avenues.

Twitter avatar for @kermankohli
$KERMAN @kermankohli
@DegenSpartan @tbr90 @opyn_ maybe the real point of having a token isn't to make people rich but keep your users safe? who would have thought ahhahah
6:15 AM ∙ Aug 5, 2020

Think about it, YFI basically gets free audits now given the large number of people that care about it succeeding. Synthetix, MakerDAO and Aave are on the same league as well. The number of people who have a financial interest in it succeeding is so high that any code that gets pushed has tons of eyes on it from day 1. This is where I think increasingly making your early community rich is going to become more and more important. There’s another very interesting approach going on that’s being floated and that’s one of insurance mining:

Twitter avatar for @kermankohli
$KERMAN @kermankohli
@DegenSpartan @tbr90 @devops199fan @opyn_ @NexusMutual what if rather than launching with an audit you launch with insurance mining? value locked is capped based on the amount of insurance
6:29 AM ∙ Aug 5, 2020

That being said, Tyler does raise a good point:

Twitter avatar for @tbr90
Tyler Reynolds @tbr90
@kermankohli @DegenSpartan @devops199fan @opyn_ @NexusMutual Underwriters are ****not**** auditors They should be if they want to take well ignored risks, but they aren’t doing that currently. You might get them to fund an audit if your project is offering high enough rewards like $YFI
6:40 AM ∙ Aug 5, 2020

I personally love the idea of limiting a protocol based on the amount of insurance it has, although I don’t know if you can get rid of an audit entirely. One side says that you still need it, but at $50k and 2-3 months of wait time - I’m not so sure. Anyways, I’m still wrestling with this in my head and would love everyone’s feedback/thoughts on this.

Share this post

Insurance Mining + Opyn Musings

kermankohli.substack.com
Comments
TopNewCommunity

No posts

Ready for more?

© 2023 Kerman Kohli
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing