In-depth Analysis of the Current Status and Prospects of DeFi Insurance Protocols
Author: Catarina Urgueira
Compiled by: Shenchao TechFlow
Introduction
DeFi has experienced numerous security incidents, resulting in billions of dollars in losses, leading to a loss of confidence in its core value proposition. Insurance solutions that mitigate the inherent risks of DeFi are crucial for ensuring widespread adoption.
This article delves into the following protocols:
Nexus Mutual, Unslashed, InsurAce, Risk Harbor, Ease.org, Sherlock, Tidal Finance, InsureDAO, Neptune Mutual, Bridge Mutual, Cozy Finance, Bright Union, and Solace.
Overview of the Insurance Market
Although decentralized exchanges and lending account for the majority of DeFi's locked value, insurance represents less than 1% of the total value. However, as the total locked value grows, the potential losses from smart contract vulnerabilities or other attack vectors also increase. Similar to the safety nets in traditional financial markets, insurance solutions may be necessary for investors, retail, and institutions to confidently participate in on-chain markets.
Since its launch, industry pioneer Nexus Mutual has dominated the insurance market, holding over 78% of the TVL but only covering 0.15% of DeFi's TVL. The rest of the insurance market is highly fragmented, with the next three protocols following Nexus accounting for about 14% of the TVL.
The global traditional insurance market remains vast and is expected to see significant growth in the coming years, while the DeFi insurance sector has emerged as a small but promising area within the blockchain industry. As the DeFi insurance sector matures and gains acceptance, we can expect more innovations, new protocols to emerge, and existing protocols to improve their offerings to meet the needs of DeFi users.
DeFi insurance is not about obtaining coverage from centralized institutions but allows individuals and businesses to secure their capital against risks through decentralized pools of providers. In exchange, insurance providers earn interest on the locked capital from a portion of the premiums paid, establishing a correlation between insurance and risk.
Insurance providers invest their funds in pools whose returns are high relative to the risk of the covered protocol. In effect, individuals trade event outcomes based on their estimates of the likelihood of potential risks occurring. If a protocol covered by the insurance suffers a negative event, such as a hack, the funds in the pool covering that protocol will compensate users who purchased insurance against that specific event.
Consolidating resources and spreading risks among multiple participants is an effective strategy for dealing with anomalies or extreme events that have significant financial impacts. A common pool of funds can cover many times the risk with less capital, providing a collective mechanism for handling large-scale issues.
The popularity of parametric insurance in DeFi is due to its automation and transparency potential. Smart contracts with preset parameters and real-time data from oracles can automatically trigger claims based on these parameters. This automation accelerates the claims process, enhances efficiency, and reduces the likelihood of human bias or error.
The transparency of participation and on-chain operations is often emphasized as a key advantage of decentralized insurance systems. As DeFi continues to grow, the demand for solutions that protect user capital becomes increasingly important.
Evolution of DeFi Insurance
The concept of decentralized insurance dates back to the early days of blockchain technology. The first decentralized insurance platform, Etherisc, was launched on Ethereum in 2017, providing a peer-to-peer insurance marketplace where users could buy and sell general insurance policies, such as flight delays and hurricane losses, without traditional insurance companies.
The turning point for DeFi insurance came with the launch of Nexus Mutual in 2019, the first insurance protocol specifically built for the DeFi ecosystem. It operates under a fully delegated structure, meaning the board (all members of Nexus Mutual verified through KYC) decides all claims payments. The recently launched V2 version of Nexus Mutual facilitated the creation of an on-chain risk market, allowing other companies to build and share various crypto-native and real-world risks, such as liability, disaster, property, and cybersecurity insurance. Protocols built on this version can offer their services without requiring users to complete KYC, increasing the accessibility of the platform's risk management solutions.
Following Nexus Mutual, many protocols have been launched to address the ongoing challenges in the field.
In November 2020, InsurAce was launched, offering zero-premium pricing (ultra-low premiums), no KYC requirements, and portfolio-based multi-chain solutions.
Unslashed followed in January 2021, providing insurance for various risks and allowing anyone to become a capital provider and earn returns from premium policies, interest generated from Enzyme Finance, and USF capital mining programs, increasing the available capital for insurance.
Bridge Mutual launched in the same month, offering permissionless coverage pool creation, portfolio-based insurance coverage, and the ability to underwrite policies using stablecoins in exchange for attractive yields. In December 2021, it released its V2 version, improving capital efficiency, introducing leveraged portfolios that allow users to underwrite insurance for multiple projects simultaneously, and launching the Shield Mining feature, allowing projects and individuals to contribute X tokens to project X's coverage pool to increase the pool's APY and attract more liquidity. It also launched the Capital Pool, Bridge Mutual's investment arm, which invests unused capital in third-party DeFi protocols and generates income for the insurance vault and token holders.
Armor was launched at the end of January 2021, using the Nexus Mutual V1 model without KYC requirements, but later introduced the Uninsurance model and rebranded to Ease.org in May 2022. In RCAs (Reciprocal Covered Assets), covered assets simultaneously insure other assets in the ecosystem, allowing for the collection of underwriting capital from the capital deployed in DeFi yield strategies. In the event of a hack, Ease liquidates the corresponding amount of funds from all insurance vaults to compensate investors. Ease's value proposition is based on the assumption that, on average, the losses from hacks are far lower than the premiums paid.
Tidal Finance launched a flexible weekly subscription system on Polygon in July 2021. The new upgraded version V2 has been in testing since March 2023, allowing users to effectively set up their own customized insurance pools and policies.
Risk Harbor launched in May 2021 as the first decentralized parametric insurance protocol providing protection against smart contract risks, hacks, and attacks. It offers automated, algorithmic, transparent, and fair claims assessment by comparing the convertibility of credit tokens with the issuing protocol. For example, in coverage protection against UST depegging events, when the UST price on Chainlink drops below $0.95, Risk Harbor will make a payout, allowing holders to automatically redeem their wrapped aUST for USDC. Risk Harbor is developing two upcoming versions, V2.5 and V3, with V2.5 serving as a stepping stone to V3. Improvements in V2.5 include using ERC20 tokens instead of ERC721 tokens, automatic ERC20 token staking, and the ability to sell protection, while V3 includes cross-chain deposits and purchases, allowing the creation of an insurance vault with no correlated risks from all EVM and other blockchains. However, it is important to note that Risk Harbor primarily focuses on the Terra ecosystem, having concentrated most of its TVL since the end of 2021. The team's goal is to expand and shift focus to the Cosmos and Ethereum ecosystems after the release of this new version.
In September 2021, Bright Union launched as a DeFi insurance aggregator, while Sherlock launched in the same month, adopting a unique auditing approach. Sherlock established an auditing firm composed of blockchain security engineers to review any smart contract, which is then protected from hacks as part of its auditing process. This idea of directly providing code audits and insurance coverage to protocols eliminates the need for users to manage their own insurance coverage. Thus, insurance protocols also began to offer similar services by launching their own Audit Cover products in collaboration with external auditing firms, providing protection against smart contract risks for the protocols audited by their partners.
Solace launched in October 2021, focusing on usability and providing dynamically adjusted risk rates for portfolio coverage to prevent overpayment and complex policy management. It is based on a liquidity model owned by the protocol to acquire its own underwriting capital and eliminate underwriting risks from token holders. Solace places assets from its bond program into the underwriting pool to sell policies and uses that pool to pay claims. However, the Solace team has paused operations to develop a new version of the protocol. They identified two flaws in the insurance model that they believe contradict the nature of DeFi: the claims process requires manual input, and probabilistic underwriting needs to generate returns. Their goal is to address these in the new version.
InsureDAO launched in February 2022 as an open protocol for everyone, similar to Bridge Mutual, and the team is currently redesigning the protocol to align its model more closely with the current market.
Neptune Mutual launched in November 2022, aiming to provide guaranteed payouts for users. In Neptune, the rules are not defined in smart contracts, hindering the automation of the claims process and relying on reporters, which requires a trust assumption. However, this limitation gives Neptune an advantage as it can provide coverage that does not rely on on-chain data, such as custodial coverage.
Cozy Finance offers parametric insurance and recently paused all V1 markets to launch a new version V2 based on price, payout, and risk management designs restricted by other protocols. This new version allows anyone to create a new market, with automatic payouts and programmatic pricing.
Decentralized insurance, as a transparent and decentralized solution, has come a long way. Nexus Mutual, as one of the pioneers in the field, still holds a leading position in terms of TVL. However, as the field becomes more competitive, the market leaders will be those protocols that can provide scalable underwriting, transparent and decentralized risk assessment, accurate pricing, and consistently pay valid claims.
Underwriting Capital
With more underwriting capital, protocols can offer more insurance coverage, making them more attractive. However, the underwriting capital may affect the long-term sustainability and effectiveness of the protocols. For example, many protocols are diversifying their capital pools across multiple chains, which can dilute liquidity and potentially impact their capital efficiency at scale.
The table below compares the sources of underwriting capital for several insurance protocols.
Types of Coverage
In this section, we will explore the various types of insurance offered by different providers.
Protocol Insurance
Protocol insurance protects users from financial losses that may occur when using DeFi protocols. Different providers offer varying degrees of coverage aimed at protecting against certain inherent risks within the protocol. Threats include smart contract vulnerabilities, oracle failures or manipulations, economic design flaws, and governance attacks. It is important to note that protocol insurance typically does not protect against risks such as front-end, Discord, or Twitter compromises and rug pulls.
Custodial Insurance
Custodial insurance protects against financial losses that may occur when digital assets are stored in third-party custodial accounts (such as centralized exchanges). Its primary purpose is to provide protection in two main scenarios. The first scenario occurs when the custodian unexpectedly suspends withdrawals, preventing consumers from accessing their funds. The second scenario occurs when an unauthorized third party gains access to the custodian's security measures and steals assets.
On the other hand, automated event resolution solutions based on smart contracts focus on utilizing on-chain data and predefined conditions. It is important to remember that parametric insurance may have limitations when addressing risks unrelated to on-chain data (such as custodial insurance).
Depeg Insurance
Depeg insurance protects against the impact of depegging events, which occur when an asset loses its peg to a target currency. This type of insurance coverage is widely used to protect stablecoins and other pegged assets, such as stETH. Consider a user holding a stablecoin designed to maintain a 1:1 peg with the US dollar. If the value of the stablecoin drops significantly, the user may suffer financial losses if they cannot redeem it for the expected dollar amount. Depeg insurance can help mitigate this loss by reimbursing the user for part or all of the amount lost due to the depegging event.
Specific conditions must be met before submitting a claim, which can vary between providers. These typically include factors such as percentage price drops and duration. When establishing a depeg insurance claim, the time-weighted average price (TWAP) of the asset over a given period is often used to determine the occurrence of a depegging event. TWAP calculates the average price of an asset over a specific time frame, taking into account the trading volume of the asset during that window to assess whether a depegging event has occurred.
Many protocols, including InsurAce, Unslashed, and Risk Harbor, provided UST depeg coverage during the event. According to its UST De-Peg Cover Wording, InsurAce officially launched the claims process on May 13, 2022, when UST's 10-day TWAP fell below $0.88. Notably, they successfully paid out $11.5 million. Unslashed allowed claims to be filed after UST's 14-day TWAP fell below $0.87 and paid out over 1,000 ETH in different batches. When the UST price on Chainlink fell below $0.95, Risk Harbor facilitated payouts as a parametric insurance solution, allowing holders to redeem their wrapped aUST for USDC.
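The three trigger conditions quoted above can be compared side by side. The following is an added example, not code from the article or from any of the named protocols: it evaluates the 10-day, 14-day and spot thresholds over a constructed price series, using a plain time-weighted average in which each price counts for as long as it was in effect. The sample prices, the `MAX_GAP` staleness limit and all function names are assumptions.

```python
from dataclasses import dataclass

DAY = 86_400          # seconds
MAX_GAP = 2 * DAY     # assumed limit on time between oracle updates

@dataclass(frozen=True)
class Trigger:
    name: str
    window_days: int  # 0 = spot price, no averaging
    threshold: float  # condition is met when the price is strictly below this

# Windows and thresholds as quoted in the article for the UST covers.
TRIGGERS = {
    "InsurAce": Trigger("InsurAce", 10, 0.88),
    "Unslashed": Trigger("Unslashed", 14, 0.87),
    "Risk Harbor": Trigger("Risk Harbor", 0, 0.95),
}

def twap(samples, now, window):
    """Time-weighted average over [now - window, now]; None if data is unusable.

    samples: (timestamp, price) pairs; a price holds until the next sample.
    """
    start = now - window
    pts = sorted(s for s in samples if s[0] <= now)
    if not pts or pts[0][0] > start:
        return None                       # window not fully covered
    total = 0.0
    for (t0, price), (t1, _) in zip(pts, pts[1:] + [(now, None)]):
        lo, hi = max(t0, start), min(t1, now)
        if hi <= lo:
            continue                      # interval lies outside the window
        if t1 - t0 > MAX_GAP:
            return None                   # stale feed inside the window
        total += price * (hi - lo)
    return total / window

def evaluate(trigger, samples, now):
    """Return (condition_met, observed_price); price is None on unusable data."""
    if trigger.window_days == 0:
        pts = sorted(s for s in samples if s[0] <= now)
        if not pts or now - pts[-1][0] > MAX_GAP:
            return False, None
        price = pts[-1][1]
    else:
        price = twap(samples, now, trigger.window_days * DAY)
        if price is None:
            return False, None
    return price < trigger.threshold, price

def first_day_met(trigger, samples, days):
    """First day index on which the condition is met, or None."""
    for d in range(days):
        if evaluate(trigger, samples, d * DAY)[0]:
            return d
    return None

# Constructed daily prices (not real UST data): 14 days at peg, then a collapse.
PRICES = [1.00] * 14 + [0.90, 0.60, 0.35, 0.40, 0.15, 0.10]
SAMPLES = [(d * DAY, p) for d, p in enumerate(PRICES)]

if __name__ == "__main__":
    for t in TRIGGERS.values():
        print(t.name, first_day_met(t, SAMPLES, len(PRICES)))
```

On this constructed series the spot condition is met on day 14, the 10-day TWAP on day 18 and the 14-day TWAP on day 19. A feed with a gap longer than `MAX_GAP` inside the window yields no decision rather than a payout.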
Yield Token Insurance
Yield Token insurance protects against financial losses caused by the discrepancy between the reference currency value of yield-bearing LP tokens and their actual value. To qualify for a claim, the depeg percentage (such as the depeg coverage rate) must exceed a specified threshold of the token's value.
Audit Insurance
Audit insurance is a type of protection that protocols can directly obtain to mitigate the risk of vulnerabilities missed during audits. It adds an extra layer of security for protocols shortly after an audit.
Sherlock pioneered this concept and offers insurance coverage of up to $5 million for vulnerabilities in audited smart contracts. This coverage can be activated at any time after the audit is completed, as long as the codebase has not undergone further changes. On the other hand, InsurAce collaborates with auditing firms to provide a similar product with a three-month insurance period.
Slashing Insurance
Slashing insurance provides financial protection for professional validators on PoS chains who may suffer losses due to slashing events. A slashing event occurs when a validator violates the rules of the consensus mechanism, resulting in a certain percentage of their staked assets being slashed or reduced.
In 2022, the well-known blockchain infrastructure service provider Blockdaemon partnered with the prominent insurance broker and risk advisor Marsh to launch an insurance policy that protects their clients from slashing events. The program aims to provide additional security for validators to prevent slashing penalties. In the same year, the decentralized insurance provider Nexus Mutual developed a decentralized solution to protect validators on the Beacon Chain, offering additional options for validators seeking slashing insurance.
Cross-Chain Bridge Insurance
Cross-chain bridges enable the transfer of funds between different networks, but they also carry risks such as smart contract vulnerabilities, hacks, and implementation or design flaws. These risks can lead to inaccurate fund transfers or slippage calculation errors.
Centralized cross-chain bridges are particularly vulnerable to attacks from malicious actors who can manipulate liquidity pools. Regardless of whether funds are stored in a centralized or decentralized manner, storage points become targets for malicious actors. In 2022, hackers stole over $1.8 billion from cross-chain bridges alone. The creation of cross-chain bridge insurance aims to protect consumers from financial losses when transferring funds across bridges.
InsurAce introduced this concept by partnering with LI.FI Bridge Aggregator, which has accumulated coverage of over $1 million. Risk Harbor is also working with Socket to develop a cross-chain bridge protection system, which is still in the testing phase.
Excess Insurance
Insurance providers can retain their underwriting capital by transferring a portion of their risk exposure to other insurance providers. This reduces the overall risk for the providers and enables them to continue offering coverage for various risks without being exposed to excessive risk.
One of the insurance companies providing excess insurance is Nexus, which offers coverage for audited protocols from Sherlock, protecting 25% of the underlying coverage provided by Sherlock.
Comparison of Insurance Protocol Coverage
As the decentralized insurance industry evolves, various insurance protocols have emerged, offering different types of insurance coverage. To help readers understand the various insurance coverages available, we have prepared a comparison table detailing the different types of insurance offered by existing insurance protocols.
Conclusion
As DeFi continues to develop, it becomes increasingly susceptible to security attacks. To protect users from such risks, viable insurance protocols need to be established. However, the DeFi insurance industry faces challenges in providing diversified insurance coverage and accumulating sufficient underwriting capital. Protocols that diversify their capital pools across many chains may dilute liquidity and see their capital efficiency at scale affected, while adequate risk management remains an area needing improvement.
In the current environment, the availability of underwriting capital in insurance pools limits the scope of coverage. Protocols have been exploring strategies to generate additional yields and attract more liquidity providers to expand their coverage, such as depositing a portion of capital pool returns into platforms like AAVE or Compound. However, these methods introduce additional risks, including third-party smart contract vulnerabilities and market volatility, forcing a trade-off between yield generation and risk management.
To address these challenges, established participants are prioritizing protocol upgrades to improve capital efficiency, coverage capacity, and user experience. Customized insurance coverage and markets are being developed to meet the specific insurance needs of DeFi users.
Parametric coverage provides viable solutions for certain risks but may not be suitable for all types of coverage. Relying on oracle data exposes the system to risks of oracle failures or attacks, and limitations arise when interest-bearing tokens become non-transferable due to protocol upgrades. Implementing coverage rules through smart contracts poses challenges, as it requires storing all relevant information on-chain and limits the range of risks that can be adequately covered, but it also provides the capability for automated claims assessment.
Furthermore, reinsurance, a crucial component of traditional insurance, remains absent in the DeFi insurance market. Insurance companies transfer a portion of their risk pool to third parties to reduce the likelihood of significant obligations arising from insurance claims, a practice known as reinsurance. By transferring risk to specialized third-party investors, reinsurance methods can enhance coverage capacity, capital efficiency, and resilience. Exploring reinsurance could help mitigate the financial impacts of catastrophic events like UST depegging.