Distressed crypto markets might finally give DeFi insurance a chance to flourish, but only if it can overcome some headwinds.
At the moment, less than 1% of all the assets in the $47 billion DeFi ecosystem are covered by a policy that’ll help replace them after a hack or code error. That was also true last June, in the aftermath of Terra Luna’s algorithmic stablecoin, TerraUSD, losing its peg and wiping out $40 billion in the process. For the rest of the year, and arguably even now, the effects of that black swan event worked their way through the industry, taking down other companies.
In its wake, tens of millions of dollars worth of DeFi insurance claims were filed as users tried to recoup their losses. Roughly 68% of the claims filed since June have been paid. Now that the companies selling DeFi cover, the preferred term in the industry for this type of insurance, have survived their baptism by fire, they’re optimistic about keeping the momentum going.
“DeFi cover” is a catch-all term for insurance that covers blockchain-related activity. It uses the same basic principles as traditional insurance: Policyholders pay a premium and receive a payout if and when they file a claim for a covered event. Those events are where the products really depart from traditional insurance: stablecoins losing their peg, crypto assets being stuck on a platform, hacks, or code errors causing smart contracts to behave erratically.
How and how quickly payouts happen can vary.
For something like a stablecoin losing its peg, such as when a coin designed to hold a value of $1 suddenly drops below that mark, these tools can send payment to a policyholder as soon as they detect that the stablecoin has dropped 5% or more below the value of its target asset. In other cases, like customer funds getting stuck on a company’s platform, there’s usually a 90-day waiting period before claims can be filed. For those, humans usually get involved to assess which ones are valid.
Despite all the parallels, DeFi cover has to contend with the fact that the insurance industry has been highly regulated in the U.S. since the 1940s. So even though DeFi cover looks and acts a lot like what most people would call insurance, the companies selling it—including all the ones Decrypt talked to—prefer the term “DeFi cover.”
Since June, more than 17,000 covers have been sold, according to OpenCover. The website was launched in December by Jeremiah Smith to aggregate data from the burgeoning DeFi cover industry across the Ethereum, Polygon, Arbitrum, Optimism, BNB Smart Chain, and Avalanche networks. As of Tuesday, there was $284 million worth of total value locked in DeFi cover providers like Nexus Mutual and InsurAce.
That means less than 1% of the $47 billion worth of assets sitting in DeFi protocols, like Aave and Lido, is covered. When OpenCover first started tracking total value locked in cover providers in June, $394 million was locked in covers compared to almost $80 billion worth of assets in the DeFi ecosystem—higher totals, but roughly the same coverage ratio.
It makes sense that it would take slumping prices, bankruptcies, and hacks to highlight the appeal of DeFi cover for the degen community.
Degens, a crypto-specific term that’s short for degenerates, thrive on high-risk trading and an obsession with crypto. And even if they don’t sign up for DeFi cover policies directly, they could still find themselves with a backstop the next time they get rekt.
That’s because DAOs, DeFi projects, and other crypto businesses are now buying insurance themselves, Smith told Decrypt.
“As a user, you don’t need to buy your own insurance. And as a protocol, you can make sure that all your users are protected,” he said. “Just organizing the whole thing that way is way easier.”
By doing so, the teams launching new DeFi apps can guarantee at least some portion of lost user funds can be reclaimed.
That also means there’s room for very focused cover providers like Sherlock Protocol, which exclusively covers smart contracts. Smart contracts are pieces of code that execute a set of instructions in reaction to a given input, such as selling or buying a token if it reaches a certain price. To date, Sherlock has sold coverage to protocols including crypto lender Euler, staking platform LiquiFi, and DeFi options exchange Lyra.
“We only cover smart contract exploit risk,” Jack Sanford, Sherlock co-founder, told Decrypt in late November. “We were lucky in that we’re very focused and so we weren’t exposed to anything. We’ve had no claims since inception 14 months ago.”
There still haven’t been any claims from the 15 protocols that Sherlock covers, but there has been some exposure to the long tail contagion of the FTX bankruptcy.
After FTX filed for bankruptcy on November 11, Sherlock wanted to withdraw its funds but couldn’t because of the mandatory 90-day lockup period. By the time Sherlock was able to access its USDC, it was too late and the company had lost $4 million.
“Sherlock is still finding its identity when it comes to its place in the ecosystem, but it’s becoming clearer that Sherlock should have as little exposure to centralized entities as possible and that Sherlock should delegate capital allocation elsewhere, potentially back to stakers themselves,” the company wrote in its December 5 blog post.
Since the start of the year, the company has covered five more protocols and launched an audit contest for Optimism on January 20. Sanford said he’s found turning smart contract audits into open competitions among blockchain security analysts for bounties to be more thorough than employing in-house teams, but it’s not perfect.
“You can never have 100% certainty that there’s not a bug in it. I don’t care what contract you’re looking at. If it’s Uniswap’s very first contract, there’s always a chance that there’s a bug that no one’s found yet and everything gets stolen out of it,” he said. “And so you have this contradiction of people needing 100% certainty to put their funds in never being able to get to 100% certainty because of the way that code works. And so the only way, in my opinion, that we will be able to bridge that is with insurance.”
Meanwhile, InsurAce has become the third-largest DeFi cover provider behind Nexus Mutual and Unslashed Finance, with $12 million total value locked in coverage for 150 protocols across 20 different chains.
Of the 219 claims the company has received, 182 of them involve the TerraUSD algorithmic stablecoin losing its one-to-one peg with the U.S. dollar in May 2022, according to its claims records. Of those, 141 have received payouts totaling more than $10 million.
Dan Thompson, InsurAce’s chief marketing officer, said payouts help build a sense of trust and reliability with potential customers. But now InsurAce finds itself at an inflection point because it would like to start providing coverage to much bigger clients.
“We are looking to get set up in Bermuda so that we can allow for reinsurance. There are reinsurance companies in the market who have been chasing us for about a year now to get into the space,” he told Decrypt. “And this is good because this will allow us to take on some of the bigger clients and customers who are looking for big coverage numbers.”
There have been weekly inbound requests from institutional funds and high-net-worth individuals looking for coverage for up to $20 million that InsurAce won’t be able to service, Thompson said, until the company moves to Bermuda. The regulations in Bermuda around insurance will allow it to start working with a reinsurer, who acts as an insurer for insurance companies and allows them to take on more risk than they could otherwise handle.
When InsurAce does make the move, it won’t be alone. One of its competitors, smart contract coverage provider Chainproof, moved there in July, according to a press release.
It’s a relatively new development that traditional insurance players want to get in on covering blockchain activity. Until recently, many of them didn’t understand the industry well enough to come up with a workable DeFi strategy, Paul Ricard, a partner in consulting firm Oliver Wyman’s insurance practice, told Decrypt.
Now they’re going through a process similar to what happened in the 1990s when the first cyber insurance policies covered business liability for errors in data processing, he said. Those have since evolved to cover data breaches and ransomware attacks.
“Traditional insurers have been very good at using historical data to predict how things would happen, but you know, Web3 is an emerging risk that is always evolving,” Ricard said. “And so striking the right partnerships with firms that are providing security audits for some of these Web3 firms, for example, is critical for players to continue developing coverage products.”
He thinks, much like what happened with cyber liability insurance, that DeFi insurance policies from traditional players will cover a very narrow set of risks while trying to augment their industry knowledge with an ecosystem of Web3 native partners.
That task has been made difficult by the fact that the insurance industry first got excited about blockchain five years ago, only for the hype to fizzle.
“There were a lot of proofs of concepts,” Ricard said. “But at the time, there were mostly solutions in search of a problem.”
Now Web3 has grown into an unignorable source of risk. And for all the turmoil created by last year’s crypto contagion, it also generated a ton of publicly available data to help DeFi cover and insurance providers better understand those risks.
“That’s the whole point, to have everything on-chain, transparent, auditable, self-custodied. There’s a lot of risks that DeFi, by design, solves,” OpenCover founder Smith said. “But then we also have to realize that there are new risks that it creates, and we need to define native solutions to those risks. That’s why we’re betting that this industry is going to be huge.”