#DeFi is beginning to gain real traction, which means more and more users are using the features of the space. We think it’s really important to understand the risks, especially as smart contracts are still experimental.

To interpret the risks involved, we are writing a series based on a high-level framework that draws largely on established risk management techniques and adapts them for the DeFi community.

What will follow is a series of posts which use the framework we set out and apply it to a variety of projects and points of interest. We would love to hear your views and comments on this work-in-progress.

Risk Framework

Our framework is grounded in established risk management techniques and uses a high-level qualitative approach to ratings. To start, we classify risk into 3 main categories:

1. Technical Risk

This is the risk of the smart contracts not behaving as intended by the developers. It is very hard to write error-free code, so some level of technical risk always exists. Audits, extensive testing, formal verification and how “battle-tested” the contract is are all factors that can reduce technical risk.

2. External Risk

This is the risk of external information influencing how the smart contracts operate to the detriment of other users. For example, an oracle could provide malicious data, an administrator could change a system parameter, or governance procedures could be co-opted.

3. Economic Incentive Failure Risk

Many smart contract systems, especially in the DeFi space, rely on economic incentives to encourage network participants to perform certain actions. These incentives could fail to encourage the right behaviour or be inadequate, leading to other users being adversely impacted. For example, the incentives in the MakerDAO smart contracts could be too aggressive, and the DAI <> USD peg could break if the ETH price drops too far, too quickly.

It’s important to acknowledge that these three categories of risk are in addition to the regular usage of the particular smart contract. For example, if you’re using a gambling application there is clearly a risk you lose your money through the normal usage of the system. We are focused on the more severe risks here, not risks involved in standard use where everything operates as expected.

Risk Framework

To assess the risk of using each smart contract system, we have used a standard qualitative method that scores risk in each of the 3 risk categories. Importantly, the ratings are subjective and the categories are deliberately broad. The goal is not to imply accuracy but to understand conceptually the level of risk involved. The framework breaks down each risk category into two elements: