Underwriting Case Study

Updated on 2021 Apr 14

I. Purpose

Since the official underwriting module launched on mainnet, we've spotted a low leverage ratio (1.45 as of 2021 Apr 14) used by underwriters, which might be a signal of participants' confusion on selecting the target protocol. This article intends to show you the expected reward and risks associated with 3 underwriting portfolios. Please note that the estimates are based on a set of assumptions that are valid now but keep evolving as Nsure grows. We will update them to reflect the underwriting picture up to date.

II. 3 Portfolios

We study 3 underwriting portfolios – high risk, mid risk, low risk, distinguished by the security rating.

No.

Portfolio

Security Rating

1

Low risk

4-5

2

Mid risk

3

3

High risk

1-2

In genuine underwriting, we suggest users to opt in a mixed portfolio, to take most advantage of the diversification effect. However, for illustration purpose, in this case study we analyze the reward and risk of the above portfolios individually and independently.

III. Leverage

Leverage is an inevitable concept when talking about underwriting. We use the term leverage to describe the ratio of staking power used to underwriter's deposited Nsure. A higher leverage means the underwriter utilizes his Nsure tokens more efficiently in earning underwriting return, regardless of the risks associated.

If underwriters wish to make full use of their deposited Nsure (seeking for higher leverage), they should either stake on more secure protocols (check security rating), or allocate the staking into more less-correlated protocols to increase diversification effect.

If staking with same tokens on each protocol, the leverage ratio would be 737%, 462% and 309% respectively for low risk, mid risk and high risk portfolios. The decreasing pattern accords with the decreasing security level.

No.

Portfolio

Security Rating

Leverage Ratio

1

Low risk

4-5

737%

2

Mid risk

3

462%

3

High risk

1-2

309%

Please note that leverage is not a proxy of return, because it does not look into the risk side.

IV. Reward

In the event of no claims occurs, underwriters are able to obtain 50% of the premium earned on their staked protocols. In the estimate of the premium rate for each protocol, below assumptions are used:

  • As at the 7th day, staking reaches 40% of the total staking in its stable status. This is the condition for Underwriting Program.

  • DeFi insurance penetration is 1% and Nsure takes up 3% of the market. For protocols that Nsure collaborate with, the market share is 10% owing to the exclusive product and the high brand awareness for the users of those protocol.

The projection shows the premium rate and staking as below.

Based on the above projection, we are able to estimate the final APR for the 3 portfolios.

  1. The average premium rate is selected based on the minimal and maximum premium rate of the protocols in each category.

  2. Staking power is the product of staking and leverage ratio.

  3. Diversification effect assumes an even distribution among all protocols in the category.

The average return for the 3 portfolios are estimated as below.

No.

Portfolio

Security Rating

APR (no loss)

1

Low risk

4-5

14%

2

Mid risk

3

36%

3

High risk

1-2

52%

V. Risk

In this section we extracted the historical attack happened to all listed protocols in the past 1 year from Slowmist Hack Zone. As we know all hacked protocols have fixed the defects in their smart contract. Please note a that historical loss is for reference only and does not present the full picture of potential exploit in the future. Our risk assessment opinion is reflected in the security rating.

1.Dodo 2021 Mar 9 (~$500,000 loss)

The main reason for this attack was that the crowdfunding fund pool contract initialization function did not prevent repeated calls, which led to hackers reinitializing the contract and completing the attack through lightning loans.

2.Curve 2021 Mar 5 (~0 loss)

Curve Finance tweeted that a vulnerability was found in the Pool Factory v1 version of the fund pool, and it is recommended that v1 users use crv.finance to withdraw funds immediately. But it only affects the v1 pool, and hackers cannot use it to steal user funds.

3.Yearn 2021 Feb 5 (~$11,000,000 loss)

Yearn v1 yDAI vault was attacked and the attackers stole 2.8 million US dollars. Banteg, the core developer of Yearn finance, subsequently stated that the attacker received 2.8 million US dollars and vault lost 11 million US dollars.

4.SushiSwap 2021 Jan 27 (~81 ETH)

On January 27, 2021, according to SlowMist Zone Intelligence, SushiSwap was attacked again.

5.SushiSwap 2021 Nov 30 (~$15,000)

SushiSwap was attacked by a liquidity provider. The attacker obtained between 10,000 and 15,000 US dollars in a transaction. However, after this operation was discovered by 0xMaki, 0xMaki sent a transaction to the attacker with a message saying "I found you and we are working hard to fix it. Contact me on Discord to get bug bounty-0xMaki".

6.Compound 2021 Nov 26 (~0 loss, ~$90,000,000 liquidation)

Compound is suspected of being attacked by an oracle, and 90 million US dollars of assets have been liquidated. According to DeBank founder hongbo, the huge liquidation of Compound was caused by the dramatic fluctuations in the DAI price of the oracle information source Coinbase Pro.

7.88mph 2021Nov 19 (~0 loss)

Chain Wen previously reported that on November 18, an attacker used the vulnerability to obtain $100,000 in MPH tokens. Afterwards, 88mph discovered a vulnerability in MPHMinter, the MPH token minting contract, which could allow potential attackers to steal all ETH in the Uniswap fund pool. With the help of the well-known white hat samczsun, ETH has been withdrawn into the governance multi-signature, so all funds are safe.

8.Balancer 2020 Jun 30 ($2,408 loss)

According to DeBank Twitter, hackers once again used dYdX's lightning loan to attack the COMP trading pair in Balancer's part of the liquidity pool, and took away the unreceived COMP rewards from the pool to make a profit of 10.8 ETH, which is about $2408.

9.Balancer 2020 Jun 29 (~$500,000 loss)

The Balancer liquidity pool was attacked by Lightning Loan and lost $500,000. The two losses suffered by Balacer are STA and STONK. At present, the liquidity of these two token pools has been exhausted. Both STA and STONK tokens are deflation tokens, which means that this attack only affects the liquidity pool of deflation tokens.

10.Bancor 2020 Jun 18 (~$135,229 loss)

Due to the unverified safeTransferFrom () function in the new Bancor network contract, user funds are about to be depleted.

11.Loopring 2020 May 7 (loss unknown)

Loopring has appeared a serious front-end error, the private key material is set within a range of 32-bit integer, you can find all user private key pairs by brute force method, due to the user's EdDSA key pair is actually limited to a space of 32-bit integer, the hacker can find out the EdDSA key pair of all users by brute force method.

12.Uniswap 2020 Apr 18 (~$220,000 loss)

Uniswap was hacked and lost 1278 ETH.

In the event of a successful claim, the same percentage of Nsure tokens staked on a specific product that underwent a payout will be deducted and burned as means to share losses resulted at platform level, as shown in below graph. Therefore the risk for underwriters relies not only on the chance of attack, but also the severity.

The overall loss ratio (amount of loss to TVL) for smart contract coverage is about 10%. We regard it a reasonable estimate of loss ratio for average security rating protocols (rating =3). To make a successful claim, policyholder is requested to provide the proof of loss, which reduced the abuse of claim by bad players and hence decreases the loss ratio.

VI. Diversification

Diversifying your staking into multiple protocols can largely increase your leverage ratio. In an extreme example that an underwriter stake same amount of NSURE to each and every protocol, the leverage ratio could achieve as high as 656.9%. It is not efficient to stake all your tokens on a single protocol.

Additional, less-correlated protocols and products for coverage beyond smart contract will be gradually introduced, with the means of reducing correlated risk exposure to capital providers and stakeholders within the ecosystem, and enlarging the diversification effect.