Is Crypto Lending Safe?


As large amounts of capital are channelled into crypto finance projects, more people are asking whether their crypto collateral is safe. The answer is a definite ‘sort of’.

In 2020 the average interest rate for savings accounts in the US was 0.04% APY. It is no surprise, then, that investors are looking to crypto to provide a better return. It is important to understand, however, that the risk profile with crypto platforms is very different to that of legacy financial institutions.

There are currently two types of entities operating in the crypto finance space. One is centralized businesses of the type that most people are familiar with. They have a head office, identifiable managers, a legal incorporation structure and they’re usually easy to contact in case of any issues. 

The others are ‘decentralized’ organizations. They are sometimes referred to as DAOs which stands for decentralized autonomous organizations. They often don’t have offices or CEOs or a traditional legal corporate structure. Instead, their structure is provided by sets of smart contracts on a blockchain. These smart contracts are essentially computer code that governs how the business operates, how decisions are made, and how money passes from one cryptocurrency wallet address to another.

BlockFi and Celsius are centralized organizations, sometimes referred to as CeFi. Compound and AAVE, on the other hand, are DeFi. They are very different types of entities – and where they differ the most relates to the subject of ‘custody’.

Who has custody of your cryptocurrency? 

The question of who has custody of your cryptocurrency is critical to any assumption about its safety. Bitcoin and all other cryptocurrencies are entries on a distributed ledger called a blockchain. When you purchase Bitcoin, you have it sent to your Bitcoin wallet address and you can access it using your private key. 

In the case of a centralized organization, if you deposit Bitcoin to earn interest with a crypto finance company like Celsius or BlockFi, you send your Bitcoin to their wallet. It is now an entry on their ledger and they have the private key. They have agreed to pay you interest on the Bitcoin you have deposited. When you request to withdraw your Bitcoin, you stop earning interest and they return it to your wallet. 

This is similar to a normal bank. When you put cash in a bank savings account, they take the money into their vaults and agree to return the money to you. The notes they return to you are not the exact notes you deposited, but the quantity is the same. The Bitcoin returned to you from a crypto finance company will not be the exact Bitcoin you sent them, but its quantity will be the same.

What is different is that if your money is stolen from a bank, it is insured by the Federal Deposit Insurance Corporation (FDIC) if you are in the United States – and by similar organizations in most other modern economies. This means that if your savings are stolen or the bank goes out of business, you will still have your money returned. In contrast, if your money is stolen from a crypto finance company, having it returned is not guaranteed, as there is no government insurance for cryptocurrencies.

For a decentralized organization like Compound or AAVE, when you make your deposit your crypto moves out of your wallet into a kind of limbo in a smart contract. This is called a lending pool, and your crypto is mixed with others. The DAO doesn’t actually take possession of your Bitcoin, but what happens to it is governed by the terms of the smart contract. If X happens then the crypto goes here, if Y happens then it goes somewhere else. In a perfect world, the smart contract should execute as planned and both parties to the contract will get what they are expecting. 

But smart contracts are vulnerable. The market could be manipulated and the value of your crypto might fall dramatically – forcing your loan to be liquidated. Perhaps somebody wanted this to happen because they had ‘shorted’ that cryptocurrency. Or whoever wrote the code for the smart contract may have built a ‘backdoor’ into it so they could extract your funds. Incidents like code hacks and market manipulation are a regular occurrence in the crypto sector. 

How do crypto lenders protect your collateral? 

All reputable crypto finance businesses have a similar ‘belts and braces’ approach to protecting your crypto. First the belt. In the case of a centralized organization like BlockFi, the most important thing they can do is store your cryptocurrency in a ‘cold’ wallet. A cold wallet is a vault for your crypto that is not connected to the internet. It is offline. This means internet hackers can’t ‘crack the vault’ and take your coins. These companies will keep a small percentage of their crypto in a hot wallet – which is connected to the internet – to cover day-to-day operations, but typically 95% of all the assets will be in cold storage.

Figure: Celsius crypto security process. The best practice approach to security is typically a multi-layered one.

Next the braces. This relates to who has access to the private keys and how they have access. Typically any major movement of funds will be done from a MultiSig wallet. This means that at least two and sometimes 3 to 5 people will have to agree to the transfer and input their codes in order for the money to move. Other security protocols in the mix will include data encryption, two-factor authentication and wallets that can only move funds to pre-designated addresses.
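The two controls described above (several people must approve a transfer, and funds can only go to pre-designated addresses) can be sketched as a single policy check. This is an added example, not code from any company named in this article; the approver names, keys and addresses are constructed, and an HMAC per approver stands in for the digital signatures a real MultiSig wallet verifies.

```python
import hashlib
import hmac

# Constructed sample data: approver keys and the destination allowlist are made up.
APPROVER_KEYS = {
    "alice": b"constructed-key-alice",
    "bob": b"constructed-key-bob",
    "carol": b"constructed-key-carol",
}
ALLOWED_DESTINATIONS = {"cold-vault-01", "exchange-settlement-02"}
THRESHOLD = 2  # M in an M-of-N policy (here 2-of-3)


def canonical(tx: dict) -> bytes:
    """Serialize the exact transfer every approver is agreeing to."""
    return f"{tx['id']}|{tx['destination']}|{tx['amount_sats']}".encode()


def approve(approver: str, tx: dict) -> tuple[str, str]:
    """One person's approval: a MAC over the transfer under their own key."""
    tag = hmac.new(APPROVER_KEYS[approver], canonical(tx), hashlib.sha256).hexdigest()
    return approver, tag


def authorize(tx: dict, approvals: list[tuple[str, str]]) -> tuple[bool, str]:
    """Release funds only to an allowlisted address with M distinct valid approvals."""
    if tx["destination"] not in ALLOWED_DESTINATIONS:
        return False, "destination not pre-designated"
    valid = set()
    for approver, tag in approvals:
        key = APPROVER_KEYS.get(approver)
        if key is None:
            continue  # unknown approver: ignored
        expected = hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid.add(approver)  # a set, so one person approving twice counts once
    if len(valid) < THRESHOLD:
        return False, f"{len(valid)} of {THRESHOLD} required approvals"
    return True, "authorized"


if __name__ == "__main__":
    tx = {"id": "tx-1001", "destination": "cold-vault-01", "amount_sats": 50_000_000}
    print(authorize(tx, [approve("alice", tx), approve("bob", tx)]))
    print(authorize(tx, [approve("alice", tx), approve("alice", tx)]))
    # Approvals bind to the exact transfer: changing the destination voids them.
    tampered = dict(tx, destination="exchange-settlement-02")
    print(authorize(tampered, [approve("alice", tx), approve("bob", tx)]))
```

Because each approval covers the transfer's id, destination and amount, an approval collected for one transfer cannot be reused to move funds somewhere else.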

For decentralized lenders, the security is all in the smart contract. They never actually take possession of your crypto; instead, it is held in the smart contract and moves when and where the code of the contract says it should. The major risk here is that the code of the contract has been compromised – either through negligence or purposefully – and the contract sends your crypto to someone it shouldn’t. To mitigate this, decentralized organizations like AAVE offer Bug Bounty programs, their smart contract code is security audited by blockchain security specialists like Trail of Bits and OpenZeppelin, and things like pre-designated addresses can be included in the code as well. Despite this, smart contracts compromised by bugs are a regular occurrence. Compound, for example, recently revealed that a bug in a contract code upgrade allowed users to claim funds they weren’t entitled to.

So are your deposits safe? 

Unfortunately, while they are reasonably secure, none of these methods are guaranteed to be 100% safe and the businesses should be upfront about telling you that. For example, at the bottom of its security page, Celsius says “circumstances may arise where losses or damages incur. In that event, we will use our balance sheet to cover damages.” Similarly, BlockFi’s security page says “This is not a risk-free product and loss of principal is possible.” Both BlockFi and Celsius are centralized organizations.

In the case of the decentralized ones like Cake and AAVE, the security statements are less upfront and they merely state the efforts they have made to provide security. For example, Cake says “Our storage is set up such that it can only be accessed by very highly trusted individuals, currently only the executive team of Pool by Cake, and under surveillance. The keys are also backed up and held separately by trusted individuals should the executive team become unreachable.” In essence, they’re saying ‘trust us’. This isn’t ideal.

What about insurance? 

Insurance is hard to come by in the crypto-finance space. Given its anonymous nature, cryptocurrency is an attractive target for cybercriminals and there have been countless hacks of crypto exchanges and related businesses. To make matters worse, the bad actors are often internal and there have been numerous ‘inside jobs’ where a founder or other staff member (typically a “highly trusted individual”) with access to private keys has drained all the customer accounts and disappeared, never to be seen again. For this reason, insurance is expensive and cover is very limited.

Figure: Coincover insurance. Insurance is possible, but very limited in its scope.

A best-case scenario is that a provider has purchased coverage for assets in its hot wallets (as these are the most vulnerable) from companies like Aon, Marsh or Coincover. Cold wallets are typically uninsured. Insurance is also very restricted in its scope and policies, so even if it is available it may not cover employee theft, for example.

The good news is that the insurance situation is evolving and new providers are entering the market with a wider range of policies and coverage. Nonetheless, if insurance is important to you, understand that many providers don’t have any, and for those that do, the policies aren’t comprehensive – so read the small print in the terms of service.


Today, most traditional banks are offering APYs of less than one percent on savings accounts, whereas crypto-finance businesses are offering anything from 5% to 15% and more. Although that sounds attractive, investors need to understand that the cryptocurrency sector is largely unregulated, volatile, and very high risk. It is likely to remain so for some time to come, so anyone looking for a high yield from cryptocurrency should remember that “this is not a risk-free product and loss of principal is possible.”