The Trustlessness of DeFi's Top 10 Richest Products
Re-ranking DeFi Pulse's top 10 projects by their trustlessness & decentralization.
Is there any correlation between the trustlessness of a DeFi project and the amount of wealth that is entrusted to it?
Today, let’s take DeFi Pulse’s Top 10 by Total Value Locked (TVL) and re-rank those projects in order of their trustlessness & decentralization.
Disclaimer: Things in the DeFi space move faster than the speed of light. If you know of any reliable information that conflicts with what I am reporting here, please let me know.
Here’s how the Top 10 by TVL is looking as of Monday, November 23, 2020:
Maker | $2.71b
WBTC | $2.27b
Compound | $1.62b
Aave | $1.39b
Uniswap | $1.37b
Curve | $.91b
Synthetix | $.81b
Harvest | $.65b
SushiSwap | $.63b
Yearn | $.43b
Now… let’s go ahead and see how they look when re-ranked by trustlessness (with their TVL rank in parentheses, for reference).
Uniswap (5)
Compound (3)
Maker (1)
Curve (6)
Aave (4)
Synthetix (7)
Yearn (10)
WBTC (2)
SushiSwap (9)
Harvest (8)
And finally, on to my rationale:
1/ Uniswap (#5 by TVL)
Uniswap may currently be in 5th place by TVL, but it definitely is the most trustless DeFi product on the list.
Not only does Uniswap not have any admin keys, but its smart contracts are not upgradeable at all. They are immutable, autonomous, and can never be altered or stopped.
There is a token (UNI) voting DAO; however, the DAO does not have any power over the core Uniswap smart contracts. UNI voters mainly have control over the UNI economy, as well as the determination of how Uniswap’s trading fees are divided up between liquidity providers and token holders. Those powers do not create any trust issue between the protocol and end-users.
Uniswap is the reigning champion of DeFi trustlessness, even if not TVL.
2/ Compound (#3 by TVL)
Compound has no admin key, and all governance powers have been transitioned to token holders. Token holders do have the ability, via on-chain governance votes, to affect the core logic of the smart contract.
There is a very strong likelihood that the core team, venture-backed investors, and whales still dominate the Compound voting system (as they dominate all token voting systems). Distribution of the COMP token is displayed on the Compound website, however trust is required as anonymous holdings are possible and probable. These factors create a trust requirement when it comes to these team members & investors acting in the best interests of users.
Compound does have a vote delegation system which increases the ability to create pseudo-whales out of otherwise inconsequential voters. This, in addition to an easy-to-view timelock page which displays governance actions before they are actually implemented, gave Compound the edge over Maker.
3/ Maker (#1 by TVL)
Maker may be the current champion of TVL; however, it only ranked #3 on my trustlessness list.
Compound and Maker have much in common as far as their governance approaches go. Both rely on token holders to make key decisions regarding the smart contract ecosystems, and both allow executable code to be proposed. Both also have questionable token distribution and weak participation relative to their overall user base.
Maker falls a bit short in certain areas of transparency where Compound has stepped up - namely Compound’s easy-to-access timelock page, as well as a clear list of top token holders. Compound also offers users an easy delegation system, where Maker still does not.
Additionally, MakerDAO has an Emergency Shutdown Module, which makes it seamless for MKR holders to shut down the entire smart contract system. While this would be incredibly useful in a worst-case scenario, it also requires a good amount of trust in token holders to act reasonably and responsibly.
4/ Curve (#6 by TVL)
With Curve at number 4 in these trustlessness rankings, things start to get a little more interesting.
Curve, like Maker and Compound, also has token voting via CRV. However, they have also introduced a token called veCRV, which stands for “vote escrowed CRV”. Basically, if you want to accrue more voting power, you can lock up your CRV for a set amount of time. The longer you lock up your CRV, the more voting power it gains. This is intended to take some power away from whales and give it to smaller, more committed token holders.
Whether or not veCRV reduces or increases trustlessness is a debatable matter. On the one hand, giving smaller token holders a way to accrue more voting power is a good way to decentralize. However, if whales can turn their already large voting power into exponentially larger voting power, then it’s probably not serving the goal of trustlessness. Looking any deeper at veCRV in detail is outside the scope of this post, but it’s something we should consider doing in a future post or video.
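To make the lock-for-votes trade-off concrete, here is an added worked example (not code from this post or from Curve). It assumes the linear weighting Curve publishes for veCRV, where weight is locked CRV times remaining lock time divided by the 4-year maximum; the holders and balances are constructed.

```python
# Added example: vote-escrow weighting, not Curve's contract code.
# Assumption (Curve's published veCRV design, not stated in this post):
# weight = locked CRV * remaining lock time / 4-year maximum, decaying linearly.
# Holder names and balances are constructed.
from fractions import Fraction

MAX_LOCK_WEEKS = 4 * 52  # 4-year maximum lock, counted in weeks


def ve_weight(locked, weeks_left):
    """Voting weight of one lock; zero once the lock has expired."""
    weeks_left = max(0, min(weeks_left, MAX_LOCK_WEEKS))
    return Fraction(locked * weeks_left, MAX_LOCK_WEEKS)


def vote_shares(locks, weeks_elapsed=0):
    """Map holder -> fraction of total voting weight after weeks_elapsed."""
    weights = {
        name: ve_weight(amount, weeks - weeks_elapsed)
        for name, (amount, weeks) in locks.items()
    }
    total = sum(weights.values())
    if total == 0:
        return {name: Fraction(0) for name in locks}
    return {name: w / total for name, w in weights.items()}


def scenario(whale_weeks, small_weeks):
    """One whale with 1,000,000 CRV and ten holders with 10,000 CRV each."""
    locks = {"whale": (1_000_000, whale_weeks)}
    locks.update({f"small{i}": (10_000, small_weeks) for i in range(10)})
    return locks


if __name__ == "__main__":
    cases = [
        ("everyone locks 4 years", scenario(208, 208), 0),
        ("whale locks 1 year, others 4", scenario(52, 208), 0),
        ("same locks, 51 weeks later", scenario(52, 208), 51),
    ]
    for label, locks, elapsed in cases:
        share = vote_shares(locks, elapsed)["whale"]
        print(f"{label}: whale holds {float(share):.1%} of votes")
```

Under this weighting the multiplier never exceeds 1, so with equal lock lengths the whale's share equals its raw token share; the share only moves when holders lock for different lengths of time.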
Finally, as a strike against trustlessness, Curve also has an “Emergency DAO” which consists of just 9 members. The power of this DAO is comparable to Maker’s Emergency Shutdown Module, except the Emergency DAO can stop all activity in the Curve ecosystem without a token holder vote. If this happens, CRV & veCRV holders can vote to turn it back on.
5/ Aave (#4 by TVL)
Up until just a few weeks ago, Aave operated solely under a very powerful admin key. If this post had been written a month ago, Aave would have appeared in the bottom half of this list.
However, in late October, Aave transitioned its governance power to a token voting DAO powered by the AAVE token. This system will ultimately operate similarly to Maker, Compound and Curve; however, at launch it’s in an early state that Aave is calling “genesis governance”.
“Genesis governance” basically means that rather than token holders being able to propose executable code that is pushed to prod upon approval, token holders can make proposals which will be subject to code implementation by the “genesis team”, which is essentially the Aave core team.
In addition, Aave runs similar risks to other DeFi protocols with regard to its voting power being heavily consolidated with original team members, investors and whales.
So, while Aave no longer operates under an admin key, it still does hold considerable power over both what votes are passed and the actual implementations of successful votes.
6/ Synthetix (#7 by TVL)
As we enter the bottom half of these rankings, Synthetix is the first product to appear on this list that is in possession of a centralized admin key.
The Synthetix community recently switched its voting system from a simple vote in the chat app Discord over to the off-chain signalling mechanism, Snapshot. Another change is planned shortly to move to a proxy voting system labeled “Spartan Council” which will require users to vote for 7 representatives who will have sole voting power. The most important takeaway here is that Synthetix voting does not happen on-chain.
Once a proposal is approved through voting, users must trust Synthetix’s protocolDAO to make the modification to the protocol. protocolDAO is a fancy way of describing a 4-of-8 multisig admin key. However, action by the protocolDAO is in no way technically connected to the off-chain voting that occurs. Therefore, users must trust the protocolDAO to act responsibly and skillfully.
In addition, any one member of the protocolDAO has the ability to pause the entire Synthetix system in the case of an emergency. No vote is required, and no other members of the DAO have to be involved for one member to do this.
As stated in this Synthetix blog post, the protocolDAO members could indefinitely stop Synthetix from operating by continually shutting it down over and over. Users must trust the 8 DAO members to act with integrity.
While Synthetix does have a powerful admin key and significant trust requirements, its voting mechanism and strong community place it above other admin key protocols.
7/ Yearn (#10 by TVL)
Andre Cronje’s Yearn project is still one of the most buzzed about DeFi endeavors with a highly enthusiastic community.
However, as of today, while it does offer on-chain voting, it also still operates under a supremely powerful admin key. Its documentation is a bit misleading, though.
On July 28, 2020, this info was released:
According to this, yearn/YFI’s 6-of-9 multisig, comprised of a mix of known & anonymous keyholders, only has the limited function of setting “minters”.
However, on August 24, 2020, this proposal was passed:
So, it appears that the multisig can “temporarily” do much more than just set minters. Notice that line in there about “Continue executing yVault strategy changes…”? It’s vague and subtle powers like this that give an admin key far more power than it would appear to have at face value.
It’s safe to assume that the yearn multisig admin key is extremely powerful, at least until its “temporary” powers are removed. Once those temporary powers are removed (or further refined), it will likely move significantly up this list. It’s concerning when it’s so difficult to find accurate information on such an important topic.
8/ WBTC (#2 by TVL)
Ah, good ole Wrapped Bitcoin. The ERC-20 that everybody loves to hate. Sure, you know that 1 WBTC represents the value of 1 BTC, but do you really know how it works?
And, hopefully at this point you’re also asking - how could it possibly be higher in trustlessness than a “DeFi” project like SushiSwap?
WBTC is controlled by a multisig admin key. Keyholders include many DeFi projects that you’ve heard of - including Compound, MakerDAO, Ren and Gnosis.
As you can see in the above list, these keyholders are labeled by their project names. However, there is an actual Ethereum wallet that represents each of these keys. If the project holds the key, then where does the signing key actually exist? Someone must be responsible for it. This list of projects doesn’t help us understand who is actually protecting each key, nor does it give us assurance that the keys themselves are securely stored.
The multisig is capable of adding & removing WBTC’s “Merchants” and “Custodians”. In simple terms, a “Merchant” can mint and burn WBTC tokens on Ethereum, and a “Custodian” is responsible for holding the actual BTC collateral. It is worth noting that all of the Merchants and Custodians are also signers on the multisig.
Sounds like a pretty solid system, right? Well, it is, aside from the question about how the keys are actually secured.
But trust is inherently built into this system. As WBTC mentions in its own whitepaper:
The only reason to believe that the multisig signers, merchants and custodian will act in users’ best interests is because users trust them to do so. Without trust, this project falls apart.
So, why is it higher than SushiSwap & Harvest? As you’ll see in a moment, Sushi doesn’t only require trust - but it requires trust in anonymous individuals. This isn’t just trust - it’s reckless. Let’s check it out.
9/ SushiSwap (#9 by TVL)
Similarly to Synthetix, SushiSwap voting happens off-chain on Snapshot. Users get voting power by providing liquidity to the SUSHI-ETH liquidity pool.
After a proposal is passed, it must be signed off on using a 3-of-5 multisig admin key with 5 anonymous keyholders. This is called the Operations multisig, and it is also listed as having the power of making “overall changes to the smart contracts”. This is generally code for “it can do anything it wants”.
There is a 48 hour timelock on modifications made by the Operations multisig. This timelock can be modified by a different multisig called the Treasury multisig. Keyholders for the Treasury multisig include several known individuals in DeFi.
As stated previously, SushiSwap’s governance model doesn’t differ too much from Synthetix’s. However, with anonymous keyholders, the risk of trust exponentially increases. When you know who is holding the keys, their reputation is on the line, and they run legal risk if acting maliciously. But when the keyholders are anonymous, that risk dissipates and users must begin trusting in completely irrational ways.
SushiSwap seems open to making changes that will reduce the trust required from users. Hopefully they do find a way to move up in these rankings.
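A timelock only helps if someone reads the queue before the delay runs out, which is what Compound's timelock page and SushiSwap's 48-hour delay are for. The following is an added example, not code from either project: it assumes queued actions shaped like a Compound-style Timelock's QueueTransaction event, and every record, address and the setFee/migrate signatures are constructed.

```python
# Added example: reviewing a timelock queue before actions execute.
# Assumptions: events follow the shape of a Compound-style Timelock's
# QueueTransaction (target, function signature, eta). The records, the
# queued_at field, the addresses and setFee/migrate are constructed.
from dataclasses import dataclass

HOUR = 3600
ADVERTISED_DELAY = 48 * HOUR  # the 48-hour delay described in the post
# Calls that change who controls the timelock or how long users get to react.
SENSITIVE = {"setDelay(uint256)", "setPendingAdmin(address)"}


@dataclass
class Queued:
    queued_at: int  # block timestamp when the action was queued
    eta: int        # earliest timestamp at which it may execute
    target: str     # contract the action will call
    signature: str  # function signature the action will call


def review(events, timelock_addr, advertised=ADVERTISED_DELAY):
    """Return (event, reasons) for each queued action needing a human look."""
    findings = []
    for ev in events:
        reasons = []
        window = ev.eta - ev.queued_at
        if window < advertised:
            reasons.append(f"review window {window // HOUR}h < advertised {advertised // HOUR}h")
        if ev.target.lower() == timelock_addr.lower() and ev.signature in SENSITIVE:
            reasons.append(f"changes the timelock itself via {ev.signature}")
        if reasons:
            findings.append((ev, reasons))
    return findings


TIMELOCK = "0x" + "00" * 19 + "aa"  # placeholder address
POOL = "0x" + "00" * 19 + "bb"      # placeholder address
T0 = 1_606_000_000                  # constructed timestamp
SAMPLE = [
    Queued(T0, T0 + 48 * HOUR, POOL, "setFee(uint256)"),
    Queued(T0 + 100, T0 + 100 + 48 * HOUR, TIMELOCK, "setDelay(uint256)"),
    Queued(T0 + 200, T0 + 200 + 6 * HOUR, POOL, "migrate(address)"),
]

if __name__ == "__main__":
    for ev, reasons in review(SAMPLE, TIMELOCK):
        print(ev.signature, "->", "; ".join(reasons))
```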
Which leads us to the bottom of the barrel…
10/ Harvest Finance (#8 by TVL)
If you read my post last month, “Hunting Harvest’s Admin Keys”, then you already know how I came to realize that Harvest not only has a very powerful admin key, but it is held by one anonymous individual, somewhere in the world, with unknown security.
And that one admin key is capable of draining every last penny from Harvest’s smart contracts.
Trust is required to put money into any of the DeFi projects on this list (aside from Uniswap). But with Harvest, it’s more than trust that is required - insanity is required as well.
When you put money into Harvest, you are trusting one anonymous person, in an unknown part of the world, with every penny that you deposit. You don’t know whether or not they’re a criminal. You don’t know whether or not their government is about to rain hell down on them. You don’t know if they are securing the admin key in any way at all. When trust reaches this level, it becomes sheer recklessness.
Hope you enjoyed this deep dive! Do you disagree with any of my rankings? Leave a comment below and tell me what you think.
This post has inspired me to put together more resources for you on the admin key and governance situations of the many DeFi protocols that exist. Just getting the info to write this post alone was a monstrous task, and things are changing daily, making it even harder to stay on top of things! Stay tuned to Surviving DeFi for more organized and targeted posts on these topics in the near future.