After a disastrous year of failures in the crypto lending space, more people are asking if their crypto collateral is safe. For now, the answer is easy – NO – but new legislation promises improvement.
In 2020 the average interest rate for savings accounts in the US was 0.04% APY. It was no surprise then that investors went looking to crypto to provide a better return. What many did not understand, however, was that the risk profile with crypto platforms was (and still is) very different from that of legacy financial institutions.
There are currently two types of entities operating in the crypto finance space. One is centralized businesses of the type that most people are familiar with. They have a head office, identifiable managers, a legal incorporation structure and they’re usually easy to contact in case of any issues.
The others are ‘decentralized’ organizations. They are sometimes referred to as DAOs, which stands for decentralized autonomous organizations. They often don’t have offices or CEOs or a traditional legal corporate structure. Instead, their structure is provided by sets of smart contracts on a blockchain. These smart contracts are essentially computer code that governs how the business operates, how decisions are made, and how money passes from one cryptocurrency wallet address to another.
BlockFi and Celsius were centralized organizations (sometimes referred to as CeFi) and both declared bankruptcy with huge losses for their depositors. Compound and AAVE, on the other hand, are DeFi – and both have been hacked or had their smart contracts exploited, resulting in hundreds of millions in losses.
Why Did So Many Crypto Lenders Fail?
Since mid-2022 the Celsius, Vauld, Gemini Earn, BlockFi, Midas Investments, Inlock, MyConstant, Lendingblock, Hodlnaut and Coinloan platforms have all failed – and that’s not a definitive list; there might be more. While the exact details behind some of the collapses will be revealed in their bankruptcy hearings, the reason isn’t complicated.
Simply put, they all put their eggs into the baskets of people like Sam Bankman-Fried (SBF) of FTX and Do Kwon from Terra/Luna. Both these men have been charged by the SEC with securities fraud. SBF and Kwon both offered very high interest rates for institutional investors to deposit on their platforms. Rates of 20% and above were commonplace.
Thus, the crypto lending platforms were able to offer their depositors rates much higher than legacy banks – like 8% for Bitcoin and 12% for stablecoins. They then would receive 20% from FTX or Terra/Luna and pocket a tidy 8% or more by essentially acting as middlemen and clipping the ticket on the transaction.
Like a typical Ponzi scheme, newcomers’ deposits kept things ticking over at FTX and Terra/Luna until the Bitcoin price fell steeply in early 2022, at which time the whole house of cards began tumbling down.
In Crypto, Government ‘Credentials’ Mean Nothing
Perhaps one of the most important lessons to take from the failure of so many crypto lending platforms is that government issued ‘credentials’ like licenses and registrations mean nothing from the perspective of investor protection. Almost all the failed platforms mentioned above were proudly displaying their government bona fides on their websites right up until the day they ceased withdrawals.
A month after declaring bankruptcy, Coinloan.io continues to tout its Govt credentials and millions in insurance.
Celsius, for example, was registered under the UK Money Laundering, Terrorist Financing and Transfer Regulations as a crypto asset business, and was registered as a Money Services Business with the US Financial Crimes Enforcement Network (FinCEN). Hodlnaut was a Certified Fintech company by the Singapore Fintech Association. Prior to its disappearance, Lendingblock operated under a Distributed Ledger Technology Provider licence issued by the Gibraltar Financial Services Commission. BlockFi had a Digital Assets Business license from Bermuda and was registered to operate in almost every US state. None of it meant a thing in terms of protecting customer deposits.
What would have protected user deposits would have been some type of deposit insurance scheme, similar to that offered to legacy banks by the Federal Deposit Insurance Corporation (FDIC) in the US, and by similar organizations in most other modern economies.
This means that if your savings are stolen or a bank goes out of business, you will still have your money returned. In contrast, if your money is locked up in a crypto finance company, there is no government insurance to bail you out.
This may change in 2024, in Europe at least, with the introduction of the new MiCA laws and their requirement for crypto lenders to have substantial liquidity buffers and mandatory insurance cover.
In the US the situation is less clear in terms of crypto regulations, as the current (and previous) administrations have tabled no major crypto-specific legislation and instead seem intent on punishing easy targets like Binance, Coinbase and Kraken, while letting massive frauds like FTX occur right under their noses.
Who has custody of your cryptocurrency?
Despite the difficulties of 2022, many crypto lenders still remain. So for platforms like Nexo, YouHodler, Cake and Compound, the question of who has custody of your cryptocurrency is critical to any assumption about its safety – and both CeFi and DeFi platforms are risky, albeit for different reasons.
A quick basics refresher. Bitcoin and all other cryptocurrencies are entries on a distributed ledger called a blockchain. When you purchase Bitcoin, you have it sent to your Bitcoin wallet address and you can access it using your private key.
In the case of a centralized organization, if you deposit Bitcoin to earn interest with a crypto finance company like Nexo, you send your Bitcoin to their wallet. It is now an entry on their ledger and they have the private key. They have agreed to pay you interest on the Bitcoin you have deposited. When you request to withdraw your Bitcoin, you stop earning interest and they return it to your wallet.
This is similar to a legacy bank. When you put cash in a bank savings account, they take the money into their vaults and agree to return the money to you. The notes they return to you are not the exact notes you deposited, but the quantity is the same. The Bitcoin returned to you from a crypto finance company will not be the exact Bitcoin you sent them, but its quantity will be the same.
As noted above though, if a bank fails, you’ll get your money back. If a crypto lender fails, they have your crypto locked with their private keys, and you cannot retrieve it.
For a decentralized organization like Compound or AAVE, when you make your deposit the crypto moves out of your wallet into a kind of limbo in a smart contract. This is called a lending pool, and your crypto is mixed with others. The DAO doesn’t actually take possession of your Bitcoin, but what happens to it is governed by the terms of the smart contract. If X happens, then the crypto goes here, if Y happens, then it goes somewhere else. In a perfect world, the smart contract should execute as planned and both parties to the contract will get what they are expecting.
But smart contracts are vulnerable. The market could be manipulated and the value of your crypto might fall dramatically – forcing your loan to be liquidated. Perhaps somebody wanted this to happen because they had ‘shorted’ that cryptocurrency. Or whoever wrote the code for the smart contract may have built a ‘backdoor’ into it so they could extract your funds. Sadly, code hacks and smart contract exploits in the DeFi space remain commonplace. For many Bitcoin investors, the potential risk of total loss in the event of a platform collapse or wallet error has been addressed recently by the launch of Bitcoin ETFs in the US, which has removed most of the security challenges faced.
How do crypto lenders protect your collateral?
All this is not to say that crypto lenders aren’t trying to protect your funds, and many of them (Nexo and YouHodler for example) have done a good job of it so far. So how do they do it?
Most reputable crypto finance businesses have a similar ‘belts and braces’ approach to protecting your crypto. First the belt. In the case of a centralized organization like Crypto.com, the most important thing they can do is store your cryptocurrency in a ‘cold’ wallet. A cold wallet is a vault for your crypto that is not connected to the internet. It is offline. This means internet hackers can’t ‘crack the vault’ and take your coins. These companies will keep a small percentage of their crypto in a hot wallet – which is connected to the internet – to cover day-to-day operations, but typically 95% of all the assets will be in cold storage.
Next the braces. This relates to who has access to the private keys and how they have access. Typically, any major movement of funds will be done from a MultiSig wallet. This means that at least two and sometimes 3 to 5 people will have to agree to the transfer and input their codes in order for the money to move. Other security protocols in the mix will include data encryption, two-factor authentication, and wallets that can only move funds to pre-designated ‘white-labeled’ addresses.
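The multisig and pre-designated-address controls described above can be sketched as a withdrawal gate. This is an added example, not code from any platform named in this article; the approver names, keys and addresses are constructed, and an HMAC stands in for the per-key digital signatures a real MultiSig wallet uses.

```python
import hashlib
import hmac

# Constructed sample data: approver names, keys and addresses are hypothetical.
APPROVER_KEYS = {
    "alice": b"key-alice-constructed",
    "bob": b"key-bob-constructed",
    "carol": b"key-carol-constructed",
}
THRESHOLD = 2  # "at least two" people must agree (2-of-3 in this sketch)
ALLOWED_DESTINATIONS = {"addr-exchange-settlement", "addr-cold-vault"}


def transfer_digest(destination: str, amount_sats: int) -> bytes:
    """Canonical bytes every approver signs; binds an approval to one transfer."""
    return hashlib.sha256(f"{destination}|{amount_sats}".encode()).digest()


def approve(approver: str, destination: str, amount_sats: int) -> tuple[str, str]:
    """Produce one approver's tag (HMAC is a stand-in for a real signature)."""
    tag = hmac.new(APPROVER_KEYS[approver],
                   transfer_digest(destination, amount_sats),
                   hashlib.sha256).hexdigest()
    return approver, tag


def authorize_transfer(destination, amount_sats, approvals):
    """Return (allowed, reason) for a proposed transfer."""
    if destination not in ALLOWED_DESTINATIONS:
        return False, "destination not pre-designated"
    digest = transfer_digest(destination, amount_sats)
    valid = set()  # a set, so one person approving twice counts once
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None:
            continue  # unknown approver: ignored
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(approver)
    if len(valid) < THRESHOLD:
        return False, f"only {len(valid)} of {THRESHOLD} required approvals"
    return True, "approved"
```

Because each approval covers the destination and the amount, an approval given for one transfer cannot be replayed to authorize a different one.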
For decentralized lenders, like AAVE and Compound Finance, the security is all in the smart contract. They never actually take possession of your crypto; instead, it is held in the smart contract and moves when and where the code of the contract says it should. The major risk here is that the code of the contract has been compromised – either through negligence or purposefully – and the contract sends your crypto to someone it shouldn’t. To mitigate this, decentralized organizations offer Bug Bounty programs, their smart contract code is security audited by blockchain security specialists like Trail of Bits and OpenZeppelin, and things like pre-designated addresses can be included in the code as well. Despite this, smart contracts compromised by bugs are a regular occurrence. Compound, for example, recently revealed that a bug in a contract code upgrade allowed users to claim millions they weren’t entitled to.
So are your deposits safe?
Unfortunately, while they are reasonably secure, none of these methods are guaranteed to be 100% safe and the businesses should be upfront about telling you that. For example, at the bottom of its security page, before it went into bankruptcy, Celsius said “circumstances may arise where losses or damages incur. In that event, we will use our balance sheet to cover damages.” They didn’t. Similarly, BlockFi’s security page said “This is not a risk-free product and loss of principal is possible.” More than possible as it turns out. Both BlockFi and Celsius were centralized organizations.
In the case of the decentralized ones like Cake and AAVE, the security statements are less upfront and they merely state the efforts they have made to provide security. For example, Cake says “Our storage is set up such that it can only be accessed by very highly trusted individuals, currently only the executive team of Pool by Cake, and under surveillance. The keys are also backed up and held separately by trusted individuals should the executive team become unreachable.” In essence, they’re saying ‘trust us’. This is far from ideal.
What about insurance?
Many of the failed platforms above talked a lot about insurance on their websites. But don’t be misled, insurance is very hard to come by in the crypto-finance space. Given its anonymous nature, cryptocurrency is an attractive target for cybercriminals and there have been countless hacks of crypto exchanges and related businesses. To make matters worse, the bad actors are often internal and there have been numerous ‘inside jobs’ where a founder or other staff member (typically a “highly trusted individual”) with access to private keys, has drained all the customer accounts and disappeared never to be seen again. For this reason, insurance is expensive and cover is very limited.
In fact, the best-case scenario is that a provider has purchased coverage for assets in its hot wallets (as these are the most vulnerable) from companies like Aon, Marsh or Coincover. Cold wallets are typically uninsured. Insurance is also very restricted in its scope and policies, so even if it is available it may not cover employee theft, for example.
The good news is that the insurance situation is evolving and new providers are entering the market with a wider range of policies and coverage. Nonetheless, if insurance is important to you, understand that many providers don’t have any, and for those that do, the policies aren’t comprehensive – so read the small print in the terms of service.
Conclusion
In 2024, deposit rates for savings accounts from legacy banks are still low, but they have moved up since 2020, with APYs of 3-6 percent available on some savings accounts. At the same time, crypto-finance businesses are offering lower rates than they were in 2021 and 2022, with 5-8 percent being average and double digits only available for a select few coins.
For investors who still find that attractive, it is important to understand that for now the cryptocurrency sector remains largely unregulated, volatile, and very high risk. It is likely to remain so for some time to come, so anyone looking for a high yield from cryptocurrency should remember the words of the now-bankrupt BlockFi: “this is not a risk-free product and loss of principal is possible.”