DeFi has had a rough two years. During the halcyon days of DeFi Summer 2020, it promised to build an alternative to banks and the traditional financial system. Two years later, bad actors have stolen billions of dollars through a series of hacks, scams, and pyramid schemes, and many are questioning how decentralized DeFi really is — or ever was.
Returning to the word “decentralized,” many critics now view the descriptor as misleading. Is a DeFi protocol actually decentralized if it has, say, fewer than 50 liquidity providers, fewer than 50 controlling voters, or fewer than 50 Discord participants? What about if it has fewer than 50 GitHub commits or fewer than 50 administrators selecting governance topics and tabulating Snapshot.org votes?
By any of those standards, only a small handful of DeFi protocols would qualify.
Maker’s leadership team makes the important decisions
Most DeFi protocols don’t actually satisfy the definition of their leading descriptor: decentralized. Central development teams still control most DeFi protocols.
For example, $7.8 billion in value is locked within the ecosystem of Maker’s “Decentralized” Autonomous Organization (DAO). Maker backs one of the world’s most popular stablecoins, DAI, which has a market capitalization of more than $5 billion.
Rather than keeping the liquidity that backs DAI on public blockchains, MakerDAO instead pays centralized asset managers who are signatories to off-blockchain investments. These include an expansive bond portfolio, real estate, and an assortment of commercial contracts. As signatories to these assets and the proposers of other investments, Maker’s leadership makes critical investment decisions on behalf of the community’s treasury.
What’s more, approximately half of Maker’s collateral is USDC, which is a permissioned stablecoin redeemable at only one issuer, Circle, that has unilaterally censored particular USDC tokens. USDC and its variants like PSM-USDC-A make up approximately one-third of its collateralization. Maker’s collateralization chart divides things by asset, debt ceilings, and stability fee. It has “ETH-A,” “ETH-B,” and “ETH-C” categories that all use ETH but have different stability fees and debt ceilings.
Frax fails an audit, appears barely decentralized
Another allegedly decentralized stablecoin, the $1 billion FRAX, also has a large bag of USDC. Indeed, USDC comprises an overwhelming 93% of the assets locked in Frax’s smart contracts and liquidity protocols.
Worse, a September audit turned up major trust issues with Frax’s leadership, including administrators having special, little-known powers. Their elite privileges include the ability to mint unlimited amounts of frxETH, change the state of the frxETHminter protocol, and withdraw funds from frxETHminter. (Frax’s frxETH is a proprietary version of Ethereum whose liquidity and peg underpin the peg of FRAX.)
Administrators could also set any address as a validator — even their own. The auditors also flagged potential security flaws that could lead to a malicious validator using a front-running attack.
All of these findings highlight the centralized decision-making and trust needed for an ostensibly decentralized stablecoin to maintain its peg. Auditors rated admin privileges for Frax Finance as “Medium Risk.”
DeFi darling Aave doesn’t look any better
Some DeFi apps like Aave might get around the risk of a single rogue admin by requiring multiple parties with access to a multi-signature wallet to agree to make changes. Aave currently has nine owners of its multi-signature wallet; however, just three can approve a change. Moreover, multi-signature wallets are not foolproof, especially if a few owners collude to make a change without permission from others.
Uniswap pretends to be community-governed
Many DeFi protocols have governance tokens distributed to multiple voters. However, DeFi apps like Uniswap use a voting model that gives more power to entities that hold more tokens (or at least, can convince token holders to delegate their tokens to the voting pool that they control). This wealth-based voting model allows entities that can afford to buy more tokens to have a controlling influence over the protocol.
Administrators can also make decisions without consulting voters. For example, Uniswap removed 100 tokens from its website without any public vote at all. It insisted that the tokens were only being removed from its website interface and not the protocol, yet almost all Uniswap users interact with the protocol from the website.
How much is decentralized in DeFi?
DeFi uses branding to distract retail investors — promising decentralized governance that rarely exists in practice. Typically, a very small group owns multi-signature wallets, controls admin functions, leads code development, and selects the issues that are put up for vote. The ICO craze might have died down years ago, but governance token issuances are remarkably similar. DeFi promoters still entice retail investment by promising high returns or pitching visions of a better future with bank-free decentralized finance.
Most of these protocols will likely fail to become truly decentralized, however. The developers will likely still control them or give most of the power to big investors. Auditors could even find flaws in the code that could give administrators control of the smart contracts. In all, it seems that the many shortcomings of DeFi turn the promise of decentralization into a disingenuous branding exercise.