DeFi needs Last Resort Overrides

8 min readDec 2, 2022

If DeFi were a ski-resort, the slopes would be one metre-wide knife edges, with a guarantee of avalanches, and the skiers would almost entirely be first-timers, skiing naked without poles. Meanwhile, a few nefarious ‘guides’ would lurk around, pushing others off the ridges to take the slopes for themselves, or scamming tourists as they make their way into the ski-lifts. For now, there are probably better places to go on holiday.

Yet the collapse of FTX makes it clear that DeFi is needed more than ever. Had FTX’s reserves been openly auditable — one of the main value propositions of DeFi — the situation could simply not have occurred. And, critically, no-one, not even financial auditing firms or regulators, would have had to be trusted to ensure this: anyone would have been able to verify the health of the reserve on-chain. Open auditability is one of the key technological advances of DeFi, and it’s ironic that something as tarnishing for the crypto industry as the collapse of FTX actually showcases why we need crypto and DeFi in the first place.

However, DeFi blatantly needs to make significant advances in order to offer a viable alternative to the mainstream financial architecture of the present. Not least is the fact that, at present, DeFi is really SingleFi: Single-point-of-failure Fi.

This piece is going to explore how we might go from SingleFi to a DeFi that could power the world’s economy.

What is SingleFi?

Before explaining what SingleFi is, let me state some basic (and loose) definitions:

TradFi: our existing mainstream financial system, comprising retail, commercial and investment banks as well as FinTech firms.

CeFi: centralized finance focussed on cryptoassets. For example, Coinbase, Binance and, of course, FTX.

DeFi: decentralized finance that does not rely on intermediaries and is powered entirely by public blockchains.

So, what is SingleFi?

At the moment, many DeFi applications have a single point of failure. For example:

  • One smart contract bug, and the protocol is gone.
  • One flash-crash, and the market is gone.
  • One erroneously used address, and the funds are gone.
  • One incorrectly initialised smart contract, and the protocol is gone.
  • One scaling error, and the vegetable-named protocol is gone.
  • One forgotten permissions change, and the funds are gone.

The list goes on forever.

Boeing famously made its first 777 flight control system triple-triple redundant: three different sets of hardware running three programs, identical in logic but in different programming languages.

While the main technological advance of layer-one blockchains was redundancy at the level of data storage and compute resource, DeFi applications need additional redundancy at a different level: program logic. The examples above demonstrate that right now, much of DeFi can be characterised as featuring a single point of failure.

That’s SingleFi, and it’s hard to imagine that the world economy could run with such fragile software. At true scale, a DeFi bug could result in an accidental deletion of a nation’s funds, the instantaneous vaporisation of a pension fund or the collapse of an on-chain institution.

Indeed, the parallels to aviation are strong. Part of the trouble for the Boeing 737 MAX airplane seems to have been that the company designed a flight control system with a single point of failure, entrusting automated decision-making to a single, failure-prone sensor.

“A single point of failure is an absolute no-no […] [t]hat is just a huge system engineering oversight. To just have missed it, I can’t imagine how.” — a former Boeing engineer who worked on the 737 MAX

But even software redundancy is not enough

However, to go from SingleFi to DeFi is not just a software question. Even a DeFi powered by a thoroughly redundant backend would still have some risk of a serious error. After all, even the triple-triple redundant Boeing 777 has experienced serious software glitches, with one causing a plane to take on a ‘mind of its own and zoom 3,000 feet upward’.

For aviation, the solution to this problem is to have a pilot who can take over control of the aircraft. It’s clear that a mature DeFi should also permit a Last Resort Override: in the event of a smart contract bug, something else — that must be off-chain — should be available to be called upon. Some social mechanism seems to be necessary to ensure that in the long-run, a protocol can always follow the vision of its users.

It would be desirable that this Last Resort Override:

  • is itself decentralized and selected through a decentralized process to the greatest extent possible
  • functions according to a legal contract, rather than a smart contract
  • is truly a Last Resort device. Ideally, it is never used, with improvements in smart contract redundancy eliminating most hacks. However, with 2.7bn USD lost to hacks in 2022, some fallback seems necessary to protect users
  • can perhaps be switched off once certain conditions are met. For example, the protocol doesn’t have any bugs for 10 years.

For example:

  • Off-chain insurance of on-chain protocols, with the contract entered into by a DAO
  • An off-chain, DAO-elected and decentralized emergency committee that is able to perform certain recovery actions within bounds set by the DAO. For instance, in the event of a large hack, this DAO-elected emergency committee has the authority to pause the protocol and undo the damage, by whatever means necessary provided they are in the interest of the DAO. If time allows, the DAO could vote on the options during a pause-window, and the emergency committee then implements the changes
  • Defining conditions under which a layer-one blockchain should be rewound, with an off-chain, DAO-elected emergency committee deciding when the predefined conditions for this rewind have been met
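A sketch, added here and not part of the original post, of how the bounded emergency committee from the second example above could be encoded on-chain: the committee's only power is to pause, and only for a fixed window; the DAO can replace or revoke it at any time; and the power sunsets automatically. The contract, its names and the `dao` and `emergencyCommittee` addresses are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract BoundedOverride {
    address public dao;                      // DAO governance contract (assumed)
    address public emergencyCommittee;       // DAO-elected multisig (assumed)
    uint256 public immutable maxPauseWindow; // longest single pause, in seconds
    uint256 public immutable sunsetTime;     // timestamp after which the override is gone
    uint256 public pausedUntil;              // 0 when not paused

    event Paused(address indexed by, uint256 until);
    event Unpaused(address indexed by);
    event CommitteeChanged(address indexed committee);

    modifier onlyDao() { require(msg.sender == dao, "not DAO"); _; }
    modifier onlyCommittee() {
        require(msg.sender == emergencyCommittee, "not committee");
        require(block.timestamp < sunsetTime, "override has sunset");
        _;
    }
    modifier whenNotPaused() { require(block.timestamp >= pausedUntil, "paused"); _; }

    constructor(address dao_, address committee_, uint256 maxPauseWindow_, uint256 sunsetTime_) {
        dao = dao_;
        emergencyCommittee = committee_;
        maxPauseWindow = maxPauseWindow_;
        sunsetTime = sunsetTime_;
    }

    // The committee's only power: halt the protocol for one bounded window, buying
    // time for the DAO to vote on a remedy. A pause lapses by itself if the DAO does
    // nothing; a committee that keeps re-pausing is dealt with via setCommittee.
    function emergencyPause() external onlyCommittee {
        require(block.timestamp >= pausedUntil, "already paused");
        pausedUntil = block.timestamp + maxPauseWindow;
        emit Paused(msg.sender, pausedUntil);
    }

    // Everything beyond pausing stays with the DAO: lifting a pause early, or
    // replacing the committee (address(0) disables the override outright).
    function unpause() external onlyDao { pausedUntil = 0; emit Unpaused(msg.sender); }

    function setCommittee(address committee_) external onlyDao {
        emergencyCommittee = committee_;
        emit CommitteeChanged(committee_);
    }

    // Ordinary protocol entry point, blocked while paused (body omitted).
    function deposit() external payable whenNotPaused {}
}
```

The emitted events are what a monitoring setup would alert on, so that every use of the override is visible to the DAO and its users.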

What’s important is that the Last Resort Override allows for human judgement to enter the picture. To work, this control must in part be a social construct: some off-chain social mechanism should be available to be relied upon. But by the same token, for the related DeFi protocol to work, i.e. be sufficiently non-custodial, the scope and responsibility of this override must be extremely tightly bounded, and only available for use in the most extreme of scenarios.

Of course, explicitly opening the door to a degree of human judgement reintroduces the moral hazard risk that DeFi is supposed to be removing from TradFi and CeFi. So the question is: does the benefit of doing so outweigh the risk?

It seems overwhelmingly clear that at present, DeFi at scale would lead to more harm than good, because of the significant probability of outcomes that are terrible for society. The expected value of a world economy run on DeFi at present is simply lower than that of CeFi or even TradFi due to this probability of poor outcomes. Factoring in a Last Resort Override could swing the balance.

The Expected Value of the Last Resort Override

One very simple way to reason about the value of DeFi in relation to TradFi/CeFi is by looking at expected value. The main idea is that by weighting each possible outcome by the probability of it occurring, and adding up all the possible outcomes, you can measure the overall ‘value’ of a collection of uncertain outcomes.

I’m going to develop an extremely simple model to capture the main idea of this piece.

First, let’s group CeFi and TradFi together, and assume there are two possible outcomes for a financial system powered fully by these technologies:

  • The economy remains perpetually stable, such that the world receives a utility payoff of S with probability p
  • The economy experiences cyclical crashes, such that the world receives a payoff C with probability (1-p)

Of course, C < S. Then the expected value of this is:

Now let’s consider the expected value of DeFi as SingleFi. There are three possible outcomes:

  • The economy remains perpetually stable, such that the world receives a payoff of D with probability a. Notably, D > S: this captures the idea that DeFi increases the world’s Production Possibility Frontier.
  • The economy experiences cyclical crashes, such that the world receives a payoff of F with probability (1-a-q). Importantly, (1-a-q) < (1-p). This captures the notion that with DeFi, cyclical crashes are less likely to occur than in TradFi/CeFi, whether this is due to transparency, decentralization or other innovation in risk control.
  • The economy experiences uncovered, extreme crashes due to a single point of failure. These are extremely destructive and result in great harm to the world economy, resulting in negative payoff -X, which occurs with probability q. Think of q as the risk that is created through the existence of single points of failure.

This results in expected value:

For DeFi to be an improvement, we need

All too often the argument that DeFi > CeFi/TradFi ignores the existence of the -qX term. However, its existence completely changes the calculation of whether DeFi is really preferable to TradFi. The term exists because DeFi is really SingleFi. The -qX term captures the notion that there is a non-zero probability of a devastating outcome.

Software improvements can reduce the value of q to a certain extent: smart contract redundancy, for example, can reduce the probability of a severe crash caused by a code bug. But it seems hard to imagine that it could take the value to 0. However, perhaps a Last Resort Override could.
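The two expected values and the improvement condition, written out with the symbols defined above (added here; the equations are not reproduced in the original post), and carried one step further than the text to a bound on q. The last step divides by F + X, which assumes F + X > 0, i.e. that the cyclical-crash payoff F is not so negative that it outweighs the catastrophe size X.

$$
\mathbb{E}[\text{TradFi/CeFi}] = pS + (1-p)C
$$

$$
\mathbb{E}[\text{SingleFi}] = aD + (1-a-q)F - qX = aD + (1-a)F - q(F + X)
$$

For DeFi to be an improvement:

$$
aD + (1-a-q)F - qX > pS + (1-p)C
$$

Collecting the q terms gives the largest single-point-of-failure risk that DeFi can carry and still come out ahead:

$$
q < \frac{aD + (1-a)F - pS - (1-p)C}{F + X}
$$

The numerator is DeFi's advantage in a world without catastrophic failures; the denominator grows with the size X of a catastrophe, so the larger the worst case, the smaller q has to be. Redundancy lowers q towards this threshold; a Last Resort Override is what would let q, or X, be driven down far enough to cross it.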

DeFi for humans requires humans

Imagine you built an airplane which controls itself with only a single computer and no pilot: you wouldn’t board it, let alone try to get the world’s population to board it. The same should be true for financial infrastructure. For DeFi to offer a credibly better technological stack for powering the world economy, it cannot contain enormous tail risk of catastrophic and impossible-to-mitigate smart contract failures.

I’ve argued that this tail can be made smaller by improved smart contract redundancy, in the same way that aircraft have multiple flight controllers to keep everyone safe. But, also similarly to an aircraft, I’ve argued that — at least for now — we need human Last Resort Overrides.

Creating meatspace Last Resort Overrides for DeFi that preserve its decentralization to the greatest extent possible seems to be a critical task for a DeFi for humans to mature.

Thanks and disclaimer

Sincere thanks to everyone who provided feedback on this article. The opinions expressed in this piece are just my own views.

Written by Lewis Gudgeon

Co-founder at Gyroscope, PhD candidate at Imperial College London
