Risks of Anchor Protocol vs. Nexo, Celsius, BlockFi | Are Crypto Savings Accounts Safe?

DeFi and CeFi crypto savings platforms have been growing in popularity lately. While many traditional savings accounts earn less than 0.05% annual interest in fiat currencies, crypto savings platforms offer 12% to 20% yields on stablecoins. Is it too good to be true? What are the risks? Let’s review this in details.

In this article we will cover the following:

1. Differences Between Centralized (CeFi) & Decentralized (DeFi) Savings Platforms

2. Security Features Of CeFi Savings Platforms Nexo, Celsius & BlockFi

3. Risks of CeFi Savings Platforms

4. Risks Of DeFi Savings Platforms

5. Risks Of The Anchor Protocol

6. DeFi Insurance Options

7. Conclusion

Differences Between CeFi & DeFi Savings Platforms

There are several key differences between Centralized (CeFi) and Decentralized (DeFi) crypto platforms.

One difference between CeFi and DeFi is the presence and absence of the ‘middle men’. CeFi relies on middlemen to regulate transactions, while DeFi uses smart contracts. 

A second difference is that smart contracts are run on computers, which means DeFi can be accessed from anywhere in the world, at any time, and at any location. Smart contracts are unbiased. This makes DeFi transparent, private and reliable. 

The final difference is the custodial status between CeFi and DeFi. This refers to whether a user has full control over their crypto assets. In CeFi, there is still a third party that manages money on behalf of the user. With DeFi, however, the user has full control over their funds. 

Considering these features, DeFi can be considered fascinating but riskier in a way than CeFi. Those who decide to interact with DeFi apps must be aware that nobody can assist them if something goes wrong. In essence, DeFi gives users freedoms over assets with the trust of the blockchain system. This does mean though, that the user is held accountable if problems arise. In CeFi, users transfer their risks to the savings platforms. Therefore, these platforms are in charge to keep users’ funds safe.

Security Features Of CeFi Savings Platforms

Leading CeFi savings platforms, such as Nexo, Celsius, and BlockFi, have rather robust security features aimed to protect users’ funds. Let’s review the highlights of the security protection provided by each of these savings platforms.

Nexo Security

• $375 million insurance on custodial assets
• Nexo uses BitGo as it’s custodian, a company backed by Goldman Sachs and is CCSS Level 3 and SOC 2 compliant
• Ledger’s institutional-grade security system, Ledger Vault, backed by $1 billion in crime insurance.
• Real-Time Reserves Audit
• Assets are stored in military-grade Class III vaults
• 2FA Authentication
• Biometric Identification
• Address Whitelisting
• Nexo only loans your assets to credit lines that are over-collateralized between 200-500%

Read more about Nexo’s security here

Celsius Security

• Security ISO certified
• 2FA Authentication
• Whitelisted withdrawal addresses
• “HODL mode” which can be activated to restrict withdrawals
• Fireblocks and PrimeTrust (their custodians) both provide insurance on digital assets held by Celsius
• Borrowers are required to post collateral of up to 150%
• $30 million in insurance for assets stored in the Celsius wallet app

Read more about Celsius’s security here

BlockFi Security

• Majority of assets kept in cold storage
• All “hot wallet” storage servers have a security rating of FIPS 140-2 Level 3 or higher
• SOC 2 Type 1 security compliant
• Digital asset insurance provided by Gemini protecting against against the loss of cryptocurrency related to security breaches, fraudulent transfers, or employee theft
• Two-factor authentication
• Asset balance sheets only get lent to trusted institutions and corporations
• “Allowlisting” allows you to ban all cryptocurrency withdrawals, or restrict withdrawals to a list of known addresses only

Read more about BlockFi’s security here

Risks of CeFi Savings Platforms

Now when we reviewed the security offered by the leading CeFi platforms, let’s take a closer look at their risks.

1. Third Party Risk

The most significant risk with keeping your funds on a custodial service like a centralized (CeFi) savings or lending platform such as Nexo, BlockFi, and Celsius is that you do not own that crypto. You can be denied access to it at any time.The crypto regulatory landscape is constantly changing, and we have seen a few instances where global authorities demanded that crypto platforms lock people out of their crypto accounts. Centralized platforms need to comply with regulatory lawmakers and the authorities, so if you find yourself on the wrong side of an issue, such as taking part in a peaceful protest that the government decides they do not like, or you live in a country that is suddenly sanctioned, you could be frozen out of your account indefinitely. For example, Nexo issued the following warning to its users amidst the Russia Ukraine conflict:

” Nexo Continues to Comply with International Laws

In light of the recent unfortunate developments in Ukraine, a number of countries have started imposing economic sanctions on Russia, including but not limited to sanctions on major Russian banks. Sanctions have also been imposed on Belarusian banks.

We understand that these actions may cause disruption to our services and we apologize for any inconvenience. Following our constant quest for compliance, we want to reassure you that Nexo is closely monitoring the situation and taking all necessary steps to continue to operate in compliance with international laws.“

We are not here to say these actions were right or wrong, just stating the simple fact that centralized entities can block accounts at any time. We see the same thing with Twitter and YouTube banning accounts, banks blocking user funds and crypto exchanges locking users out of their accounts. Anytime there is a centralized entity, there is a centralized authority who can play judge, jury, and executioner over the customers on the platform.

2. Rapidly changing global laws and regulations

Note that at the time of writing, BlockFi is not available to new signups in the US for their interest-earning accounts as they have recently been handed a fine of 100M dollars from the SEC, which has been paid. However, this will likely be short-lived as BlockFi is eagerly working with the SEC to bring their company within regulatory compliance as soon as possible.

Image via sec.gov

New US-based residents can still access the loan and crypto credit card products if they are located in one of the supported jurisdictions.

Crypto platform Nexo also recently changed the terms for U.S. customers to a product that offers the ability to earn high interest rates on crypto deposits. The decision follows the U.S. Securities and Exchange Commission’s recent settlement with BlockFi Inc. over a similar product. 

In a statement posted to its official subreddit Friday by a moderator who isn’t an employee with the company but says he works “closely” with them, Nexo said the changes are an effort to voluntarily comply in light of BlockFi’s agreement to pay $100 million to federal and state securities regulators to settle allegations that it illegally offered a product that pays customers high rates to lend out their digital tokens. 

Just as BlockFi, Nexo is now planning to register its offerings with the regulator. Nexo’s current U.S. customers won’t be able to earn interest on new deposits, though they’ll be able to continue earning on existing digital-asset balances, the statement said. New clients won’t be able to access the product at all. 

The firm said it eventually intends to make a new offering available that is compliant with the securities laws. The recently announced changes will be in place “until the restructuring of the Earn Interest Product and the registration process with the relevant regulatory bodies are finalized,” according to the statement. Nexo didn’t immediately return a request for comment.

Nexo on its website touts its interest-bearing product as offering up to 20% in annual interest for investors. The firm said non-U.S. clients will remain unaffected by the recent updates. 

Bloomberg reported in January that SEC is scrutinizing Celsius Network, Gemini Trust Co., and Voyager Digital Ltd. over issues similar to the ones raised in the BlockFi settlement.

Celsius also received cease and desist orders from a few US states in recent months, and US-based users are not eligible to earn rewards in the platform’s CEL token for the extra APY bonus. Check if you live in a supported jurisdiction before signing up.

Nexo, Celsius, and BlockFi face fewer restrictions outside of the US and enjoy users from all over the globe aside from sanctioned countries and those countries whose authorities deem these services unlawful. However, be aware that the rules and regulations behind crypto lending platforms and stablecoin APY offering products are rapidly changing, so it is a good idea to keep an eye on the evolving (or devolving, some would say) regulations behind these platforms to make sure you aren’t about to place your funds somewhere that is about to become restricted in your country.

3. Targeted Hacks

Another significant risk with centralized platforms comes in the form of targeted hacks. For example, centralized exchanges are popular targets for hackers as every crypto hacker on the planet is aware of these exchanges and how lucrative a successful attack can be.

This is in contrast to individual users who self-custody their crypto on DeFi platforms. Unless a crypto holder spouts it all over social media, it is unlikely that a hacker will know that Joe Smith holds crypto, nor will they know where or how Joe Smith stores it, or if the amount is even large enough for it to be worth pursuing.

In CeFi, the customers transfer the custody of their holdings to the exchanges. They also provide their private details to these exchanges. In case the exchange is hacked or suffers from a cyber attack, there’s a real chance of losing funds. Even if the funds are safe, there is a risk of compromised privacy.

Risks Of DeFi Savings Platforms

One of the major risks in DeFi space is hacking. Hackers are increasingly targeting DeFi (Decentralized Finance) cryptocurrency platforms, with Q1 2022 data showing that more platforms are being targeted than ever before.

In 2021 alone, about $3.2 billion worth of digital assets were stolen, which was already an explosion compared to previous years.

However, the trajectory for 2022 looks to be even more aggressive, with almost $1.3 billion already stolen during the Q1 alone.

The new report comes from Chainalysis, which is seeing a massive rise in successful cyberattacks against cryptocurrency platforms, with attacks primarily focusing on DeFi platforms.

A whopping 97% of all cryptocurrency stolen this year are from DeFi platforms, leaving a mere 3% to exchanges. While two years ago, DeFi accounted for only 30% of all digital assets stolen.

Most of these attacks relied on exploiting code vulnerabilities or a security breach on the platform allowing cryptocurrency theft.

DeFi platforms are completely decentralized and free of intermediaries, exchanges, and brokers, using a system of smart contracts on a blockchain to offer lending, trading, insuring, and interest-earning.

DeFi platforms need to rely on transparent, open-source development models to convince investors of their trustworthiness, which allows researchers to analyze the smart contracts and services for bugs.

However, this also allows threat actors to examine the same code and potentially find and exploit a bug before its fixed. Unfortunately, there’s commonly a bug that lies undetected and unfixed, which malicious actors can use to siphon people’s funds in a flash.

Another issue with DeFi platform security used to be the possibility to manipulate the market during a loan action, driving the value of the borrowed token down via excess slippage and then repurchasing it at a deflated price.

This special “flash loan attack” unfolds in seconds and may simultaneously involve multiple DeFi platforms.

In 2022, most protocols switched to using decentralized price oracles, which are resistant to manipulation, so the problem appears to have been addressed.

Risks Of The Anchor Protocol

After reviewing risks pertaining to DeFi platforms in general, let’s review risks relevant to the Anchor Protocol in particular.

1. UST Smart Contract Hacking Risk

This is always a risk in every blockchain that there might be a bug in the code that allows a hacker to steal funds. While Anchor has been audited by Certik, so was Poly Network that was hacked for $600,000,000 this year (loot was later returned).

Auditing, while nice to know that a 3^rd party reviewed the code, is not the final say on whether there is a bug that can provide an opportunity for theft of funds. Hackers are always trying to figure out new ways to probe security. Additionally, new major security bugs that span the whole internet come out all pretty regularly, so no bugs in the past does not guarantee no bugs in the future.

The good news is that there is a $1,000,000 bug bounty out for anything critical, which is strong faith from the Terra team that the system is secure today. Furthermore, if a hacker or software engineer does eventually discover something critical, they have an opportunity to get street cred and a legitimate payout without stealing funds.

2. UST De-Pegging Risk

UST is an algorithmic stablecoin. Since UST is determined algorithmically and is only backed by the value of its sister coin LUNA, the conversion ratio can deviate from 1:1 during periods of market stress. Bringing UST back to $1 requires burning LUNA for UST, which makes fewer LUNA available to sell and provides an arbitrage opportunity for when the peg returns for those willing to take the bet.

UST has only been around for a year, so it really hasn’t been battle tested during the worst periods of market volatility. However, back in Dec 2020, the UST lost 15% before recovering later. It also had another episode in May 2021. The real concern is if the recovery does not occur and UST just spirals down to zero.

Read Top 12 Stablecoins Compared, Analyzed And Reviewed For 2022

This actually happened to a similar USD pegged coin IRON, from Iron Finance, over the summer of 2021 that used a similar model of having a sister coin as collateral. Shockingly, 75% of IRON was collateralized by USDC and the system still failed.

3. Crypto Flash Crash

Crypto flash crashes happen pretty regularly where the entire crypto market drops 20% in a day and more over longer periods of time.

Anyone who has borrowed money on the Anchor Protocol by bonding their assets is at risk of losing their collateral when this happens. Furthermore, when these loans are liquidated, the borrowers are no longer paying interest to the depositors which pressures the interest rate.

4. APY Is Unsustainable In The Long Run

This should come as no surprise to anyone that the Anchor Protocol APY is not sustainable in the long run. The greatest investors in the world earned 20% yearly and had to take market risk to do so, so it is unrealistic to think that this would come risk free for a deposit account.

Since its inception in early 2021, Anchor has been paying around 20% APY interest. The rate has been fluctuating in the 19% range for the past several months until Proposal 20 passed in March 2022. According to the Proposal, the interest rate would drop 1.5% per month until an equilibrium that balances the income and expenses of the protocol is reached. The first rate drop started May 1, 2022 and each month it will drop another 1.5%. Currently, the Anchor Protocol has set the Anchor Rate at 18.21% APY.

How does the Anchor Protocol work? Anchor earns income through 3 primary sources: Borrowings, Collateral and 1% of liquidations.

Borrowing

The rate that borrowers are currently charged is about 9.95% APR and there is about $2.2 billion being borrowed.

The deposit amount that the Anchor protocol has to pay interest on has been growing at multiples faster than the borrowings that they can earn income with. This widening gap negatively pressures the interest that can be paid to depositors.

Collateral

Collateralized loans are the only type of loans that can be made in DeFi. Since each loan is a collateralized loan, the Anchor Protocol can turn around and stake or loan these assets and generate income to pay depositors.

The average loan to value (LTV) ratio on the Anchor protocol is about 47% currently and the maximum leverage allowed is 60%.

The Anchor Protocol has $11.1 billion in deposits and would need to payout $2 billion in interest per year. Most of their income comes from bonded assets, but even with the borrowing rates tacked on, herein lies the problem: there would be about $1.7 billion a year deficiency, at today’s rates, deposit and loan levels.

When there is a deficiency, it must pull from the yield reserve. When there is no yield reserve, the deposit rate will be forced to the market clearing rate.

4. Risk Of Yield Reserves Running Out

The yield reserve has been under constant pressure since Anchor was launched because deposits have vastly outrun borrowings as investors clamor for the near 20% interest rate on a stablecoin.

Back in July 2021, Terra Form Labs injected $70,000,000 UST into it because it was at risk of running dry at the time. The yield reserve was projected to last 1.5 years, but deposit assets tripled in only a few months afterwards which drained reserves nearly to depletion. Then Terra was forced to come up with another bailout solution on Feb 18, 2022 to the tune of $470,000,000.

They pulled that rabbit out of a hat, but the depletion continues:

Without a dynamic rate adjustment system, the yield reserve would have run out in less than 2 months after May 2022. The yield reserve is still scheduled to be depleted in June since it is currently blowing through $4 million per day.

DeFi Insurance Options

Inside the Anchor Protocol they link to several third party insurers where you are able to purchase insurance for both depegging and smart contract risk for about 7.32% a year total.

Ultimately the insurer decides what they will pay out and it is currently unclear if these insurers will even have enough solvency to payout to all their holders if the entire system goes under. There’s about $10 billion in UST value but it is unclear how many are insured.

In DeFi, few things are regulated. Can you insure the insurer? And is the 7%+ a year cost worth it to you?

Read more about Decentralized Insurance protocols and how they work

Conclusion

As you can see, there are no options that can guarantee a 100% safety and security of your crypto deposits. Like everything in life, DeFi and CeFi platforms have their tradeoffs. Assess your risks, their impacts and probabilities and choose options that fit your risk tolerance level and financial situation the best. Remember that balance is the key and a healthy dose of diversification never hurts.

Materials from WantFi, CoinBuro, Bloomberg and Bleepingcomputer were used in preparation of this analysis.