013

/

May 18, 2022

Insurance for Your Crypto Assets

with

Krishna Sriram, Managing Director at Quantstamp


In this episode we sit down with Krishna Sriram, the Managing Director of Quantstamp, to discuss insurance in crypto.

Why? Because over the past year, billions of dollars have been locked in DeFi protocols. Yet more and more hacks seem to be occurring, and in the first four months of 2022 alone $1.3 billion was stolen. That's an enormous number and it's critically relevant to traders and LPs who might lose money. That’s why this episode seeks to break down common vulnerabilities within the crypto space, how insurance works within the crypto industry, and how traders can protect themselves with existing crypto insurance solutions.

Krishna Sriram is the Managing Director at Quantstamp, a Web3 security-auditing protocol that has protected over $200B in digital asset risk from hackers. Krishna has a multidisciplinary background in technology and digital media, having previously worked on AR and web projects for brands such as Microsoft and TELUS. Krishna is an angel investor in over 15 startups, helped build Ethereum Vancouver, and is a chapter co-lead at the DeFi Alliance.

Mark Lurie:

Welcome to WTF Crypto, where we explore the crypto universe to understand what's really going on and how it affects you and your portfolio. I'm your host, Mark Lurie of Shipyard Software. And as a caveat, nothing in this podcast is legal or investing advice. Today we're talking about security and insurance in crypto with Krishna Sriram, managing director of Quantstamp. Welcome Krishna. Thank you so much for joining us.

Krishna Sriram:

Thank you for having me.

Mark Lurie:

So over the past year, billions of dollars have been locked in DeFi protocols. And in the past year alone, over a billion dollars, $1.3 billion was hacked. That's an enormous number. And it's critically relevant to traders and LPs who might lose money in these hacks. It's also important that these traders understand how they can protect themselves, in particular with things like insurance. And for that, they need to understand what the vulnerabilities are, how insurance works, what it is and whether it will be available to them. And so today we're speaking with Krishna about this, to understand it more deeply so that you, the listener, can take advantage of it and understand what you're getting into. So Krishna, thank you again for joining us. I'd love to start by understanding a little bit about your background and what makes you such a credible guide on this issue?

Krishna Sriram:

Sure. So my name is Krishna. I've been with Quantstamp ever since the very beginning, part of the founding team, and helped launch Quantstamp into a leader in blockchain, cyber security and smart contract cyber security. So we've basically at this point secured over $200 billion in smart contract and crypto risk.

Mark Lurie:

Great. And so Quantstamp, for example, is one of the leading technical auditors. So you will put a team of security, cyber security researchers to see if there's any vulnerabilities in a new DeFi protocol before they actually launch. And you've actually done that for us, for Shipyard Software as well, you were one of our auditors. So that's great. So you have a deep understanding of the technical risks involved in these smart contracts. You can actually diligence them from a technical perspective, and you also can span the traditional insurance industry and put together an insurance package for people, because even once you audit, it sounds like there's no guarantee that there's not going to be a vulnerability, that's just one check and balance.

Krishna Sriram:

That's right. When you get an audit, it's not a completely bulletproof outcome. I don't think that guarantees that your app is secure, because a lot of the time people tend to change things in their code, and you're basically getting an audit usually at one point in time, or for one version of the code base. And what we're emphasizing on more these days is the concept of continuous security, getting new updates, new versions of the code audited as well as really thinking deeply about also who the project integrates with. So a lot of the time, one of the things that happens is the problem is not in a project's code itself, it's in what they integrated, and if they made an incorrect assumption about someone else's code that they're reliant on.

Krishna Sriram:

So the field of smart contract security is very complex. And I think the notion that, generally speaking, getting an audit is a guarantee of security has been proven false multiple times. And security is a lot more holistic and because you don't have any guarantees, and that's why insurance comes into play as one of the key primitives in actually scaling trust for users.

Mark Lurie:

I see. Interesting. So, people are very focused on making sure their code is good, but one of the things we talk about in crypto and DeFi is composability where you can take these Lego blocks of financial instruments and put them together and chain them together to create new financial instruments. And what you're saying is that exposes new vulnerabilities each time. It sounds like in traditional tech, you have the operating system like Windows, and then you have an application on top of the operating system. And then you have maybe an application that integrates with that, and actually there's interaction effects. It's not like those are pure walled gardens, and each of those creates security exploits which... That's almost an impossible combinatorial problem of interactions, which is very difficult to really fully defend against.

Krishna Sriram:

And when I talk to folks from the Web 2 cyber world, or Web 2 VCs, for example, they really don't understand that Web 3 security is a lot higher stakes exactly because of what you just described. There's not just a lot of composability in DeFi, there's the inherent non-custodial and non-reversible nature of the asset itself. Long story short, when you're a hacker and you manage to discover an exploit in someone's code and you decide to hack them, you can basically take that money and it's going to be very difficult for either the project or law enforcement to go after the hacker, because they've gotten hold of a non-custodial asset. And if you look at some of the large hacks that happen, for example, the DAO, finally they caught the DAO hacker, but it took them five years, and sometimes they never catch these hackers.

Krishna Sriram:

So that lack of recourse is really what makes Web 3 security so high. And a lot of these programs are very complex. So, if you have a very basic error in the math, you're exposed, or even if the project that you're integrating has a very, very nuanced error in the math, or parameters that they're using. It's hard for developers who want to balance being super secure with also moving with the market and being able to launch their application in time to capture a market share. So I think the combination of all these forces just makes Web 3 security extremely high stakes, and that's also why insurance ends up becoming important. And also having a sense of continuous security rather than security at one given point in time, or overly relying on one single instance of an audit being sufficient.

Mark Lurie:

Interesting, super interesting. And one example of this, wasn't there, correct me if I'm wrong, wasn't there a recent hack on Solana, where someone hacked a protocol using bug in the underlying Solana code, or am I imagining that?

Krishna Sriram:

Yeah, so I think you might be talking about Wormhole.

Mark Lurie:

Ah, yes. That might be the one.

Krishna Sriram:

So it was a very interesting exploit because it didn't really result from, they actually already knew what the fix was to that bug and they had pushed it in their public GitHub. And I think that's one of the reasons why the hacker might have actually had asymmetric information, it's not really asymmetric information, it was actually public information that there was something wrong with the code and that they were also able to see what the fix was exactly for. So they could now use that knowledge to basically exploit the protocol. And then that's also another dependency, when you talk about integrations, one of the things that's very popular is a cross chain bridge or swaps platform.

Krishna Sriram:

And that's what Wormhole essentially is. And in this case, it basically created this derivative of Ether, a wrapped form of Ether on Solana. And it almost rendered all of the Ether on Solana worthless unless someone else would come in and plug that gap by making the protocol, or the Ether on Solana solvent. So it's very interesting how, just because you can't really have a native asset, which is actual Ether be on another chain like Solana. So now you have to create all these derivatives and they tend to have problems when you have a cross chain attack like.

Mark Lurie:

And each time it just layers up the complexity.

Krishna Sriram:

Yeah. Yeah. And I think cross chain in particular is highly dangerous just because, you can't have, for example, the native version of one asset on layer X being also native on layer Y, on a different blockchain. So, that's also a problem where you're creating this systemic risk across chains. And yeah, I think that's one of the things that is also going to be a huge, huge trend in the next few years, obviously, in terms of development, people are going to focus on cross chain, interoperability and applications, and it's going to be a multiplier on how much risk there is in people's code basically.

Mark Lurie:

Got it. And so how is this affecting DeFi adoption, and in particular, institutions coming in putting their capital to work? I guess if I were a traditional institution, I'd be a little scared that some developer anywhere in the world, or in their mom's basement, could identify code and steal all this money that I'm supposed to be a steward of on behalf of my LPs.

Krishna Sriram:

Yeah. That's a great question. So one of the things that you see is that the market's already voting in this direction, which is, if you look at DeFi TVL, there's a huge parallel to it, about more than 80% of the TVL flows through five platforms. For example, Maker, Compound, Uniswap, Aave, Curve, Terra, Anchor, these are the platforms that institutions generally like to use. There are a lot of crypto hedge funds who have that internal security knowhow, or they contract someone externally to be able to get that info, or they at least know how to read an audit report, or get a rough idea of what are the risks in this smart contract.

Krishna Sriram:

And they are savvy enough to navigate the long tail protocols in the space, for example, new protocols that are just in the beta stage, or protocols launched by anonymous teams that might not have a lot of info about the background of the team that built them. At least, then you have a data point, which is like, hey, I can look at the code. And if I understand security, I can understand what's the rough level of risk in this code. A lot of hedge fund teams that are native to the crypto space have those capabilities. There are a lot of technically savvy, excellent hedge funds in the space. But when you look slightly outside in, which is what are institutions that have nothing to do with crypto, how are they thinking about it?

Krishna Sriram:

So a lot of them want to come into crypto. They want to earn yield on their US dollars. They want to participate in a lot of these protocols, but they have certain not just constraints from, or concerns from a security point of view, but it's also from a compliance point of view, because when they go into a protocol, their compliance teams are looking at it and being like, okay, is there a KYC, AML capability here where I can just log into a separate dashboard and basically do my KYC, do my AML process. And also is there insurance for this? Because they don't want to have principal loss stemming from a security issue. And essentially, if they're going out to earn 5%, if they have chance of a 20%, 30% principal loss, they want to hedge against that.

Krishna Sriram:

So those are two of the huge barriers. And I think that's why if you look at institutions, or at least the traditional institutions that are entering the space, they're doing it, not through the long tail protocols, they're doing it through solutions like Compound Treasury and Aave Arc, which are institution friendly versions of Compound and Aave. And those are catering more to their concerns. But a lot of these are still uninsured. And that's the problem that we're also trying to solve.

Mark Lurie:

What insurance does exist today in DeFi?

Krishna Sriram:

Yeah, that's a great question. There are multiple insurance marketplaces and protocols. And I would roughly look at it as, I would say all of them are mostly unregulated except probably one, which is Nexus Mutual. So Nexus Mutual is one way of creating a marketplace for insurance, which is creating a mutual where the people buying into the mutual are the same people who are also providing capital to it. And that's why it's called mutual. If you look at the other protocols, it's- [inaudible 00:13:42].

Mark Lurie:

It's like self-insurance.

Krishna Sriram:

... Stuff like with... Exactly. And you've got a bunch of people who are all pulling in capital and they're all insuring each other. In this case, Nexus Mutual has taken a really innovative approach to insuring smart contract risk, but if you look at all the other marketplaces, they usually have some supply side where there are capital providers who are providing the risk capital needed to underwrite these smart contract insurance policies. And these providers generally incentivize liquidity providers with either the yield from premiums that they collect and, or additional yield that comes from having a native token, for example. And I think apart from Nexus Mutual, most of the others are unregulated. And there are some problems with the current models that these marketplaces-.

Mark Lurie:

Yeah. Wait, so just so I understand. So, what you're describing is an insurance marketplace model where people pay premiums for the insurance. So let's say, a DeFi protocol's hacked, they would get paid out. And that insurance, those premiums go to liquidity providers who are staking a bunch of capital, and that's the capital that would go to make up for the losses if an insurable event happens. Well, first of all, is that right?

Krishna Sriram:

That's right.

Mark Lurie:

Okay. So you speak about regulated insurance providers and unregulated insurance providers. Why does it matter that an insurance provider is regulated?

Krishna Sriram:

Well, I think it's less of a matter of whether it is regulated for the sake of getting regulated, but insurance is probably the most regulation heavy vertical within finance, insurance regulations are hugely jurisdiction specific. And I think why a lot of it exists is because as an insurer, you're basically underwriting maybe billions, or even sometimes, hundreds of billions, trillions of dollars in risk. And if someone's buying insurance they need the peace of mind that when they make a claim, and if it's a valid claim, number one, it will get paid out. And if it doesn't get paid out, they can take someone to court and basically arbitrate, and basically undergo some sort of dispute resolution, or similar process to determine if the claim was in fact valid. And if it was valid, it should be paid out and that's decreed by a court of law.

Mark Lurie:

So, the reason that insurance is so regulated is because in some sense, lack of regulation, it's especially open to fraud. Basically I could start an insurance company. If it's unregulated, I could go around, tell everyone, I'll insure their house. They just pay me monthly or yearly for that. And I don't have to do anything, but then if a hurricane comes through, I could just throw up my hands and be like up, I'm bankrupt. And then I've collected all this free money and never have to do anything. And so the risk of that is why it's so regulated.

Krishna Sriram:

Yeah. You hit the nail on the head. So, usually the point where unregulated insurance breaks is when there's a large enough loss event. So if there's a large enough loss event, let's just think like, okay, there's a systemic hack in DeFi where for some reason a lot of these protocols have more claims to pay out than they have cash, or Bitcoin, or Ethereum on the balance sheet. Now what happens is they're under no obligation legally to pay out the claim. So there's a bunch of people who paid them huge premiums, people are paying 7% to 10% for insurance on Terra. You could end up paying them for years. And obviously, they might pay out some small, small policy, some small claims. So, say there was a million dollar hack or a million dollar claim, they would just pay it out. But the problem is over time, you have no data of whether these platforms are going to pay out hundreds of millions of dollars in insurance.

Mark Lurie:

And so if traditional insurers are getting into this game though, there's monster insurers out there, that insure all the property, every home in the United States has insurance. And so these are incredibly well capitalized insurance companies, but do they really even understand what they're getting themselves into, if they're insuring DeFi?

Krishna Sriram:

Well, they're pretty competent people working at these companies. They understand the paradigm, they understand on a comprehension level, how DeFi works. And they understand how the system works, but understanding that, and pricing the risk are two different things. Insurance is really a business where two things really matter, one is your ability to source capital. The other is your ability to basically price risk. And that's how you underwrite policies in a profitable way. And for a lot of these companies, they have a lot of capital. They have a ton of capital. Insurance companies are some of the most well capitalized companies on earth, but for them to come in and understand the security nuances of what we spoke about earlier is incredibly difficult. That means years and years of building knowledge and depth of these systems. And it's also much more difficult to underwrite, because it's not like underwriting car insurance, where you have a lot of data and it's like very statistically significant.

Krishna Sriram:

And each smart contract is unique. The safety features of each smart contract is extremely different, and it changes throughout time. So, how do you basically price that risk? You can't price that risk if you're not having that security expertise in-house. And that security expertise generally, even crypto has been very, very hard to come by. Security engineers are some of the most sought after people. So I think it's a human capital problem. It's also a data and information problem where they don't have the years of information and pattern recognition that blockchain cybersecurity companies do.

Mark Lurie:

Okay. Got it. All right. So, how is it being solved? And we touched on this a little bit more, but there must be a few different models of insurance that are trying to solve this problem. You described one, which is, I guess, the Nexus Mutual example. What are the other approaches here?

Krishna Sriram:

Yeah. So, there's Nexus Mutual, there's Risk Harbor. They're not mutual, they're a regular marketplace where people can provide capital on the supply side to insure these smart contracts, and people on the other side just simply buy it based on whatever premium is determined. And I think right now the premiums are determined in an arbitrary way. So the pricing of risk is usually fairly centralized. There's Sherlock, who are using a pool of security experts to basically underwrite insurance. And the other liquidity providers can follow on and provide capital to that pool based on the fact that there is some trust on the security provider, or a security expert to basically underwrite the insurance in an accurate way. So those are the three main models.

Mark Lurie:

And so if you're a buyer, what do you look for? What are good and bad about each of those? Should I be buying insurance?

Krishna Sriram:

You should definitely be buying insurance. There are a few problems. So should we start with, I don't know, Nexus Mutual?

Mark Lurie:

Sure.

Krishna Sriram:

Yeah. So Nexus Mutual is basically, what they're essentially doing is creating this mutual, so this pool of people who want to contribute capital to this mutual and also buy insurance, essentially. So when you look at the Nexus model, there's this token called NXM, which is what capitalizes the pool. And NXM is basically backed by Nexus Mutual's balance sheet, which consists of mainly Ether. And say, Nexus Mutual has $500 million of Ether on its balance sheet, then the protocol has essentially $500 million of capacity to insure new kinds of risks. The token that you use to buy in is Eth, but you get NXM in return, which is the token that represents the protocol governance and the staking mechanism. So capital providers and different participants in the protocol can basically stake their NXM tokens and basically vote on whether policies will get paid out, what kind of risks we should insure and govern the claims process.

Mark Lurie:

Got it. And do you think that works, do the claims make sense?

Krishna Sriram:

That's the biggest question with it. They have paid out claims in the past. I'm not sure, there hasn't been a big enough event, again, there hasn't been a big enough loss event to determine if, for example, NXM holders would basically vote to pay out 80% of the capital pool out to people, if there's a massive systemic hack. And so, one of the things is the payout is subject to vote of a committee. So you have to be okay with that, if you're a buyer of their insurance. Now, they have an interesting, I think, and pretty elegant way of siloing risks. So they basically assume that risk across smart contracts and different platforms is uncorrelated. So they basically silo the risk, which means limit the maximum amount of the dollar value of policies that they can underwrite against one specific platform.

Krishna Sriram:

So, let's just assume that the capital pool's like one billion. They say, for example, we can only underwrite $50 million of risk for each platform, so that if there is a loss event and we lose the whole of the $50 million, because all these platforms are uncorrelated in terms of their risk profile, it's unlikely that one hack on one platform would affect everyone else. They basically assume that siloing the risks is the way to limit their exposure to having huge, huge losses and payouts that will basically make them insolvent. So that's the way that they approach the problem, which is elegant. It also limits obviously naturally the amount of policies that they can underwrite for one particular protocol. Let's just say one particular protocol is like 80% of the market share. You wouldn't be able to service the market with this model basically.

Mark Lurie:

Yeah.

Krishna Sriram:

Another weakness is obviously, there's a human element in it. With insurance companies, generally there has to be a human element, because someone's got to be the Oracle of whether to pay out a claim or not. In this case, it's the governance. So, you're subject to vote by committee. So I would say that's another weakness, but we have spoken about some of the strengths and I think overall it's an interesting model, but it hasn't been able to scale the amount of supply available. And it's harder for me as a large fund who wants to buy $200 million of insurance to go buy it on any of these platforms.

Mark Lurie:

Makes sense. Okay. So, what are the other approaches and how should I decide which to go with?

Krishna Sriram:

There's the Sherlock approach. Their whole idea is to have a marketplace where security experts are the underwriters, and security experts will stake some small amount of capital themselves to show skin in the game. And you, as a capital provider, can follow that. So, that's how they bootstrap supply. And then on the user side, it's the same. You just go in like you buy a policy to cover yourself.

Mark Lurie:

And are there any critical weaknesses of that?

Krishna Sriram:

It does depend on Sherlock's ability to aggregate good security engineers, and basically vet them to make sure that they are underwriting risk in a safe and profitable way for their capital providers. So it's, you have to basically vet the security experts. You have to make sure that they're well incentivized, not have them optimized for short term gains and make the economics work for them too. That's the point of trust that you have to assume as a user, and you have to work with that assumption that they're doing a good job there.

Mark Lurie:

Huh. And so, we talked about regulation and being able to take someone to court. In underlying all this is a philosophical question, which is, should insurance in DeFi be centralized or decentralized? And I struggle with that, because on the one hand, philosophically decentralized is more aligned, but from a risk perspective, if there's a systematic risk event in crypto, then probably the decentralized insurance protocols are going to have a problem as well. And so it almost seems like the best way to get risk in crypto is to go outside crypto, because that's their solvency is less correlated. How do you think about philosophically, which approach makes sense and which will win over the next several years?

Krishna Sriram:

On the basis of insurance, there's always going to be some level of like CeFi meets DeFi, and there's going to be always some level of centralized finance meeting it, just because like you said their solvency is uncorrelated. And also, when I think about decentralization of insurance, it's really, really hard to make that happen and also run an insurance company in an effective way and have buyers' confidence, because voting also makes things slow. A lot of decentralization makes things slow. And when people have these loss events, they don't want slow, they ideally want someone who has that obligation to pay out, so they will pay out and if they don't pay out they know that if they do something wrong, they're going to get sued and they're going to lose in court.

Krishna Sriram:

So, that's always a strong incentive to pay out. And that's generally how insurance companies in the real world operate. There are some benefits of meeting in the middle, which is, hey, not only do I have this regulated platform where you have the confidence as a buyer, but on the other hand we're also using smart contracts for sourcing capital from liquidity providers who are using smart contracts to manage the registering of policies and the settlement of claims and administering the whole process, which is also a big overhead that insurance companies actually have. I think there's some level of those two worlds meeting and it's possible that we will see regulated protocols that allow you to buy insurance as a user, but on the other side, their counterparty who's providing liquidity to that might actually be TradFi.

Krishna Sriram:

So I actually see that you could get the benefits of both worlds as a user. I think one of the beautiful things about crypto infrastructure is that it allows you to basically aggregate capital in more of a frictionless way. And basically have that all sit in this pool that you can see. One of the great things that DeFi is I can go to Compound, I can pull a smart contract. I want to block explorer. I can see exactly how much money is in it. And I believe there might be a future where insurers actually deposit a bunch of, a hundred million, 500 million USDC into one of these pools. And very similar to a lot of the marketplaces now, you as a user care about buying good insurance, you care about getting a good rate, competitive rate, you care that someone can pay you out.

Krishna Sriram:

Now, if you get that, plus you get the ability to verify that this pool is solvent, which is one of the great features of crypto, and the great features of DeFi, I think it's likely that users will also opt for something like that, because now they have both the assurance, but also the benefits of DeFi and crypto, which is that frictionless nature, which is that ability to aggregate capital, which is the ability to show a proof of solvency and the ability to quickly be able to administer claims, quickly be able to get a payout. And that's the way where it's almost like Web 2 meets Web 3, where traditional insurance and crypto insurance, I think the lines start to get blurred a little bit.

Mark Lurie:

So, the capital and solvency would be on chain, but the insurance policy and enforcement of that might be off chain. And so you can take advantage of the, I guess, adjudication process that works pretty well in the traditional insurance company. But you also get the benefits of composability, transparency, in some ways, well, just the ability to make sure someone can put their money where their mouth is on the policy.

Krishna Sriram:

Yeah, that's right. The user really doesn't care whether the capital on the other side for paying out the insurance comes from TradFi, comes from DeFi. At the end of the day, capital is capital, money is fungible. So, if there's a fixed income fund on the other side which is, or hedge fund on the other side, that's providing that liquidity, they have an agreement with the protocol. I don't think that's necessarily a bad thing for the user. The user just cares that they're getting a good user experience.

Krishna Sriram:

And I think Web 3 is going to move in that more pragmatic direction. And we're already seeing a lot of regulations come into play, and we're definitely going to have a number of options for users based on their philosophical preference. One thing is certain for me, which is insurance in crypto is going to become more and more regulated rather than less so. And I think the other thing that's very certain is, we're going to see a lot more blurring of these lines, between TradFi and DeFi. So it's natural to me that this solution would come into place.

Mark Lurie:

Interesting. Tough question. But in 90 seconds, can you just, since we're bringing TradFi insurance into DeFi, can you explain how TradFi insurance actually works? I know there's reinsurers, and there's a few big ones, but what's the actual market structure for traditional insurance?

Krishna Sriram:

When you look at the insurance company itself, it has some balance sheet capital that it's using in order to basically be able to underwrite risks and pay out claims. Depending on the level of license that they have, they might be allowed to under collateralize and run a fractional reserve based on their pricing of risk. They can determine if, for example, one is to five ratio, or if the regulator thinks what they're underwriting is very risky, they might have to be fully collateralized. So, that's the way that insurance companies are normally capitalized. And it's usually, if you're a licensed insurance company, it's almost a sure thing that you need to get a reinsurer. So you need to pay a reinsurer part of the money that you're collecting from your premiums in order for them to be willing to take that transfer of risk is that, bring your risk into their books basically.

Krishna Sriram:

So, that's the way that generally insurance companies work, obviously they collect premiums from users or institutions, or whoever's on the buying side of the policy and that's their revenue. And they might also utilize their float in some way, which is their balance sheet to earn some yield on it, or-.

Mark Lurie:

So basically you have some brokers who will actually sell and work with the customer. And then you have the insurer who will pay out claims and maybe little claims and actually process issues that come up, and they have some capital. And then some of the risk they're reselling to almost a wholesale insurer who doesn't really interact with the customer, but interacts with the other insurance companies. And if a big claim happens, they'll pay that out. And then the reinsurer presumably gets their capital either by securitizing it and selling it on the markets, or they're a big fund and they take all that capital that's sitting there and they invest it in equities, or so on, so forth. I guess, Warren Buffett, a lot of his money comes from GEICO and then just reinvesting that for the yield.

Krishna Sriram:

Yeah, that's exactly right.

Mark Lurie:

Is that right?

Krishna Sriram:

There's a huge complex of securitization around insurance, like you mentioned. In a way, DeFi is trying to build that in a decentralized way. You've got in a traditional space, all these kinds of insurance-linked securities. So say I need $500 million to insure something, or reinsure something. I can now go to the markets and say, hey, let me package this for you. Here's a product where, if you contribute to this pool, like 10 million, 50 million each between 10 institutions, you can buy this product that roughly offers this amount of yield, and this is the risk profile of it, and this is the credit rating of this security.

Krishna Sriram:

Similar to that, I think you're just seeing DeFi liquidity pools be a mirror of that in a sense, but I can almost see a world where those TradFi liquidity providers also start to use DeFi structured products, maybe some of these like CeFi meets DeFi insurance companies, or protocols can basically offer a product that's for TradFi or DeFi. So I think the two worlds are going to meet and market structure wise, I don't think DeFi insurance is going to be wildly different. I think we're also going to see the blooming of new kinds of almost securitization in DeFi too, that's very similar to what you described earlier.

Mark Lurie:

So the future has practical problems, and the practical solutions are probably going to be some mix of CeFi and DeFi, there's no real inherent need for it to be ideologically all one way or the other. And it sounds like there's good reasons why we can take the best of both. That's great to hear. And it sounds like that's the 10 year vision for how this plays out.

Krishna Sriram:

Yeah. The builders might be more philosophically aligned to make a protocol like decentralized, but yeah, that doesn't come without problems. It obviously comes with some benefits, in that you get to raise capital in a very easy way. You can move fast because you don't have the regulatory obligations that a lot of insurance companies do. Insurance is a very slow-moving space. If you wanted to get a license for each jurisdiction in the world, if I were to do that, I would definitely not be alive by that point. But there are ways to get past that. And there are different kinds of brokers and different kinds of entities that help you regionally offer your insurance, but it does have costs associated with it. It is not time efficient.

Krishna Sriram:

So from that perspective, there are going to be some decentralized insurance protocols, like Nexus Mutual. Nexus Mutual is actually licensed, but it's licensed to be a mutual. But you're going to have protocols like that like a global user base, maybe sometimes users can't purchase regulated insurance that's specific to three or four jurisdictions, because they don't live in that jurisdiction, or they don't have access to it. And maybe there's a slightly more inefficient model of decentralized insurance that can service those users. So I wouldn't go as far as to say there's no market for it. I just think that it's obviously constrained by a lot of the factors that we spoke about, but there are going to be multiple solutions on the decentralization spectrum that serve to different kinds of users and philosophical interests.

Krishna Sriram:

Just like we have solutions in crypto today that are obviously more CeFi oriented, and then we've got solutions that are just fully, fully decentralized and market based, which is like, I don't know, Uniswap or SushiSwap versus a hybrid exchange, which is, I don't know, FTX has both FTX and Serum. So you've got different solutions on the spectrum and I feel like that's exactly what's going to happen here. I'm just aligned that the one that will truly scale to, I don't know, GEICO size would be something that's more similar to CeFi meets DeFi, because it's the efficient frontier.

Mark Lurie:

Makes sense. And as you've said earlier, the ability to scale insurance will unlock one of the major barriers to institutional adoption, which will be a driving force of DeFi coming into its own and crypto rising generally. So Krishna, thank you so much for joining us and sharing your wisdom with us. You've been an excellent guide. If people want to learn more about you or follow you, how can they do that?

Krishna Sriram:

They can try at Twitter. So my Twitter is twitter.com/KICSR basically.

Mark Lurie:

Great. Well, thank you so much again, you've been very generous with your time. We really appreciate it.

Krishna Sriram:

Yeah. Thanks so much, Mark, for having me. And I hope everyone watching this got some value out of it. If you want to, I guess chat more about the security insurance side or just have general questions about, for example, what we're doing at Quantstamp, feel free to reach out to me via Twitter and we can take it from there. Thanks.

Mark Lurie:

Awesome. Thanks, Krishna.
