In light of the Cashio hack, some people suggested we should change our due diligence on the protocols we deploy capital on, so I’m opening this thread so that we can discuss.
I’m personally against a blanket ban on all unaudited protocols as, for instance, some of the largest are unaudited (e.g. Mango Markets). Something that could work is a cap in terms of % of total assets when deploying.
Let me know what you think.
Security should be the number 1 priority. I do not know enough about the technicals but I have some questions. What are the security implications of open source vs closed source and unaudited vs audited for the DAO? In which parts of the system and during which transfers is our money the most vulnerable? Are all transfers between two contracts more vulnerable?
The cap in terms of total asset can be adapted per asset class and per security level of the specific project.
Our identity is that we believe in Solana as an ecosystem. We should trust that the treasury will get its profits in patient and healthy ways with the ecosystem.
From my perspective it was just bad luck. Hacks are an idiosyncratic risk we run, and are very hard to price in. Even if we had the technical ability to audit smart contract code, I’m not sure it would be the best use of our time. In conclusion, I don’t think we need to overhaul our methods. Taking risk is part of the game, and it’s just a matter of deciding what level of risk we are willing to bear.
The only thing I would say is not to put more than 25% in one ‘ecosystem’.
The hacks are only gonna get bigger in size with the amount of money flowing in. The fact that hacks are an idiosyncratic risk makes it even more obvious to me that we should hedge in whatever way is possible. I do not think we have the technical ability to audit, but we should develop the ability to choose safe places to put our money and have tight risk management.
Thanks @PorcoRosso, I agree with you. We do not have the technical abilities to properly audit contracts, and if we had, it would not be the best use of our time (security and audit services are in extremely high demand).
@EliteMentality I appreciate your points but at the same time, do you have some concrete proposals on how to do them?
we should hedge in whatever way is possible […]
we should develop the ability to choose safe places to put our money and have tight risk management
What does that mean in practice?
Tbh I don’t see the benefits of putting our stablecoins in a strategy yielding 20% if there is a meaningful chance of a hack. I think it would be much better to put our stablecoins in established pools/lending which have not been subjected to hacks, so with an expected risk free of hacks, for an average of 10% return, like on Francium, rather than chasing an additional theoretical return of 10% with an additional meaningful risk of losing all of our position. Because then I prefer to invest in SOL directly. I mean either we decide on a safe position with our stablecoins with lower returns, or we pick a more volatile one with SOL, with higher returns but no risk of hacks, rather than complicate ourselves and pick unnecessary hack risks. The way I see it is that the stablecoin return is driven by the provision of liquidity to the market, the SOL return is a volatility premium, whilst weird stablecoin pool returns are a sum of a liquidity-providing premium and a hack risk premium, that is, you get compensated for the risk of a hack. So I would rather the DAO invest in liquidity-providing strategies and volatility risk, rather than hack risks, as I don’t think the last one is worth it, at least not for a 12% position like the Cashio one was.
The issue is that one can hardly recognize “a meaningful chance of a hack” beforehand. Cashio was yielding similarly to other pairs (e.g. UST-USDC), and there is no “expected risk free of hacks” in DeFi, unfortunately.
Pre-hack, I would argue that most people would have perceived Cashio and Francium as having similar risk (partly because of Saber’s endorsement), which goes back to my original point of these hacks being very hard to anticipate.
The “hack risk premium” that you mention is actually a key component across all of DeFi. Finally, Cashio rose to the #1 decentralized stablecoin on Solana, so it was not some niche stablecoin strategy but a key part of the stablecoin ecosystem on Solana.
While I agree 100% with your theory @Keabla I don’t think it is reflected in practice. Our best bet might just be to rely on one of the only true magic mechanisms in finance: diversification.
Extrapolating hack risks to the market pricing is overstating the market’s ability to price these kinds of risks effectively, and that’s coming from me, a big believer in the efficient markets hypothesis. Maybe we just weren’t diversified enough?