Paternalism Versus The Invisible Hand in the Risk Management of Lending Protocols


Suppose a lending protocol allows borrowers to use USDC as collateral to take out loans of ETH. What is the maximum amount of ETH that can be borrowed with the USDC collateral?

Asked in terms of protocol risk management, what is the correct loan-to-value (LTV) ratio the protocol should adopt for such a trade?

A straightforward answer is that it is the LTV that maximises the risk/reward payoff for lenders. Unfortunately, knowing what this is at any given point in time is practically impossible to calculate, especially on-chain. Not only does the optimal LTV for a protocol depend on the expected price volatility of underlying assets, but also on liquidity, the exposure of the protocol to other assets, the number of open positions on other protocols, the rate of market arbitrage, and many other factors. The true optimal LTV therefore not only changes from moment to moment, but it needs extensive calculations to be able to verify its value at each of those moments.

Given these challenges, lending protocol design always requires heuristics and pragmatic choices. These choices mean that there is no one-size-fits-all solution when it comes to lending protocols. Significant trade-offs exist between different designs, especially when it comes to the degree to which a lending protocol is supposed to be able to adapt to changing external conditions. In this article, I divide the major design patterns into three classifications (Fig 1) and highlight some of their trade-offs.

Figure 1 | Liquidity and risk management models. In A, under global paternalism, lenders all deposit to a single governed pool. The collateral factor setting the required loan-to-value (LTV) ratio for borrowers is determined globally in a paternalistic manner. If the risk environment deteriorates, then governance may opt to lower the LTV for the entire protocol from a higher value (Before) to something lower (After). This model allows lenders, and to some degree borrowers, to hold open positions in a relatively passive manner. In B, under the invisible hand, lenders deposit directly into a range of pools with different fixed risk parameters. In this model, if the risk environment deteriorates, lenders must actively pull deposits from higher risk pools themselves (Before) and manually move them to lower risk pools (After). This model allows lenders maximum flexibility into where they put their deposits, and helps them avoid fees and the risks of bad governance, but still requires borrowers to actively manage opening and closing loans across different pools. In C, under local paternalism, lenders deposit into pools with different fixed risk parameters via an aggregator. The aggregator may opt to put a small percentage of their liquidity into higher risk pools and some in lower risk pools. Aggregators compete against each other for deposit customers based on their ability to manage risk and deliver a reward. If the risk environment deteriorates, they will pull deposits from higher risk pools (Before) and move them to lower risk pools (After). This model allows lenders to deposit passively into the aggregator of their choosing and have risk/reward managed for them, but still requires borrowers to actively manage opening and closing loans across different pools.

Global Paternalism via DAO Governance

One of the most popular solutions for risk management of lending protocols has been a mechanism of governance over key risk parameters by decentralised autonomous organisations (DAOs) and their risk management associates (specialist risk manager organisations like Gauntlet, Chaos and Warden). I call this the ‘paternalistic’ model of risk management (Fig 1). It is ‘global’ as opposed to ‘local’ paternalism (see below), because risk is managed globally for the entire protocol and its users, not for a subset of pools or users.

This model has been used by so-called ‘monolithic’ lending protocols, like Euler v1, Compound v2, Aave v2/v3 and Spark, where LTV ratios are generally set conservatively, but not too conservatively, at some value at which every user deposit goes into. If the environment becomes less favourable for lending, then it is the responsibility of governance or governance-appointed risk manager to move the protocol-wide LTV ratios for all users from risk-on (Fig 1A — Before) to a more risk-off setting (Fig 1A — After).

Governance of risk parameters allows risk specialists to monitor on-chain activity and risk factors and adjust governed pools in a paternalistic fashion as the environment changes. It also helps prevent a fragmentation of liquidity because liquidity converges inside a single governed pool. Importantly, monolithic lending protocols are also capital efficient for borrowers, because they allow them to earn yield on their collateral, reducing their net borrowing costs. These kinds of protocols were the first to find product-market fit in DeFi and have helped brands like Compound and Aave establish themselves as early market leaders, serving as useful tools for 80% of users even if not providing a perfect risk/reward match for any given user.

However, governance-based risk management also has a number of drawbacks. DAOs are often composed of people with varied skill sets, many of whom may not be qualified to vote directly on risk parameters themselves. Delegation of voting power can help put control in more qualified DAO member hands, but this only helps to centralise decision making over a large number of parameters in the hands of a few individuals, who often end up wielding considerable power. Even when these specialists make ‘good’ decisions, DAO governance takes time and decisions might not be implemented sufficiently quickly if the environment changes rapidly. Governance also forces protocol users to accept or reject a single risk/reward outcome, when in reality users have very different tolerances. It also arguably trains users to expect that risk will be managed for them paternalistically, so that they are ill-equipped to take responsibility for managing their own risk/reward decisions.

The Invisible Hand via (Immutable) Isolated Pools

The other major class of lending protocol relies on more free market principles to allow lenders to choose a risk/reward suitable for themselves and live or die by their decisions. The philosophy behind these models is that the ‘invisible hand’ will manage risk for the market. Lenders have more freedom with respect to risk/reward under this model, but they must be prepared to take more of an active role in the management of their deposits. Free market models generally have lenders depositing into a range of different, typically ungoverned, isolated pools. They can do this either directly themselves (Fig 1B) or sometimes through an aggregator (Fig 1C, see below).

Variants of this model have been used by protocols like Kashi, Silo, Compound v3, Morpho Blue, Ajna and FraxLend. With many pools to choose from, users are free to lend across a wide range of possible LTV ratios (and other risk parameters). Some might take a cautious approach, lending at low LTV ratios, but attracting fewer borrowers, whilst others might be more open to risk, lending at higher LTV ratios, attracting more borrowers and people taking on leveraged positions. As users express their own preferences, a distribution of risk/reward tolerance emerges, which might have a central tendency, but has no single value to suit everyone (Fig 1B). If the environment becomes less favourable for lending, then it is the responsibility of individuals to move their liquidity from more risk-on pools (Figs 1B — Before) to more risk-off pools (Figs 1B — After).

Free market risk management allows lenders and borrowers maximum flexibility with respect to managing their own risk/reward tolerance. This, in turn, allows different use-cases for lending and borrowing to emerge. Borrowers taking short-term trades may be happy to pay a very high interest rate for a few days, whilst borrowers looking to collateralise their crypto assets might seek lower cost, longer-term borrowing opportunities. These different types of users can seek out similarly-minded risk/reward lenders. At the protocol layer things are often somewhat simpler with free market models too. The absence of governance allows immutable primitives to be constructed that can be used by anyone. Complexity and product-specifics can be pushed to an aggregation-layer or user-interface layer (see below). Whilst this does not necessarily reduce the complexity of the system overall, it does simplify the complexity of the trusted codebase for the subset of users who are happy to manage their own risks. Ultimately, for most users, system complexity is like a bubble under the carpet: it can be minimised and moved, but never entirely removed.

There are a number of drawbacks with free-market systems too, however. Perhaps the most important of these is the impact on capital efficiency that liquidity fragmentation brings. New isolated markets often struggle to compete with paternalistic lending protocols due to the costs of use for lenders and borrowers alike. Isolated pools not only make it harder for lenders and borrowers to find one another, but they often also make borrowing more expensive (even when users are able to find a match). That’s because in most isolated lending market protocols borrowers must use collateral which earns them no yield (see Morpho Blue, Compound v3, FraxLend). In contrast, in monolithic lending protocols borrowers can simultaneously use an asset as collateral and lend it out at the same time. This can substantially reduce the costs of borrowing, and even make borrowing profitable, enabling interest-rate arbitrage (via “carry trades”). And with more borrowing, comes more yield for lenders. Note that there is no free lunch here. Lenders are exposed to rehypothecation risks on monolithic lending protocols in a way that they are not on isolated lending protocols.

Local Paternalism via Aggregators

The major drawback of isolated lending markets is that they may require lenders to take their life into their own hands and manage their own risks. This will simply not be practical for many lenders. This is where aggregators can be useful. Aggregator protocols allow users to deposit assets into a single managed pool, where risk management is delegated to a local risk manager (which may be an organisation or an automated smart contract) who further deposits assets into isolated downstream lending markets (Fig 1C). Note that aggregators are therefore a layer above the lending protocol layer and can be used in conjunction with monolithic lending protocols and isolated lending markets simultaneously.

Aggregators today come in several flavours. There are free market aggregators, like Yearn and Idle, which are generally agnostic about the downstream lending markets they deposit into. They simply try to maximise the risk/reward payoff for their users, regardless of how rewards are achieved. And there are aggregators, like MetaMorpho, that are more opinionated about where the yield comes from. They generally try to preserve capital inside their own ecosystem products. In either case, the goal of aggregators is for a defined risk manager (which may be an organisation or an automated smart contract) to construct a portfolio of lender deposits in pools with different risk properties. If the environment becomes less favourable for lending, then it is the responsibility of the risk manager to construct a new portfolio for the lenders it serves by moving liquidity from more risk-on pools (Figs 1C — Before) to more risk-off pools (Figs 1C — After).

Aggregators are especially useful for lenders because they help them to access a wide range of risk/reward opportunities across a variety of different pools or protocols in a relatively passive manner. They can also limit the gas costs of constant risk/reward optimisation, especially for smaller depositors. On the downside, aggregators will often charge additional fees for their services. Being paternalistic in nature, they also suffer many of the same drawbacks as paternalistic governance too.

It is also often claimed that aggregators help to solve the liquidity fragmentation problem associated with isolated pools, since the isolation is largely abstracted away for lenders. However, lenders are only half the equation here. Even when lenders use aggregators, the picture for borrowers is still fragmented. Borrowers will generally still need aggregator systems of their own to manage their risks, and may therefore continue to prefer using monolithic lending protocols whose liquidity is typically larger and less volatile (especially when borrowers can earn yield on their collateral). Otherwise borrowing from illiquid pools can make for a particularly poor experience for borrowers, whose cost of borrowing can become unpredictable during supply side shocks, and even drive them towards liquidation.

Scaling lending protocols

In order for DeFi lending to compete with traditional finance, we should accept that there is no one-size-fits-all solution to building a lending protocol. DeFi needs a lending ecosystem with modularity at its core, in which different protocol designs serve different user needs.

Governed monolithic lending protocols provide DeFi users today with unparalleled capital efficiency, but have significant drawbacks when it comes to providing diverse risk/reward opportunities and exposing users to the many risks of governance. Isolated lending markets relying on the flow of the free market help provide a wide range of choice for users, and may form primitives on top of which custom products can be built, but often lack capital efficiency and expose users to risks that they may not be able to manage sufficiently well or in a cost-effective manner. They may also make life more difficult for borrowers.


To truly scale lending in DeFi requires development of an agnostic ecosystem in which different types of lending protocols can flourish alongside one another. This requires increased composability and connectedness of diverse collateral types from different protocols. True freedom is not about choosing between paternalism vs the invisible hand; it is about being able to switch seamlessly between whichever kind of model you prefer at any time you want.

This is why we’re building Euler v2: a modular platform allowing users to create and use a suite of highly customizable lending vaults tailored to their needs. Built on top of the Ethereum Vault Connector (EVC), Euler will bridge the gap between monolithic lending protocols and isolated pools. It will recognise that different users have different risk/reward appetites and enable users to deploy and link together their own customised lending vaults in a permissionless manner. With this flexibility, any type of pre-existing or future lending protocol — monolithic or otherwise — can be recreated inside the Euler ecosystem and connected to vaults from elsewhere in the ecosystem.

The EVC and Euler v2 will be a 0 to 1 moment for the composability and connectedness of collateral in DeFi. Together, they will provide vault creators with unparalleled opportunities for innovation and growth via network effects as more and more diverse vault types are deployed within the Euler ecosystem.

Join the Community

Follow us on Twitter. Join our Discord. Keep in touch on Telegram (communityannouncements). Check out our website.

This content is provided by Euler Labs, Ltd., for informational purposes only and should not be interpreted as investment, tax, legal, insurance, or business advice. Euler Labs, Ltd, is an independent software development company.

Neither Euler Labs, Ltd. nor any of its owners, members, directors, officers, employees, agents, independent contractors or affiliates are registered as an investment advisor, broker-dealer, futures commission merchant or commodity trading advisor or are members of any self-regulatory organization.

The information provided herein is not intended to be, and should not be construed in any manner whatsoever, as personalized advice or advice tailored to the needs of any specific person. Nothing on the Website should be construed as an offer to sell, a solicitation of an offer to buy, or a recommendation for any asset or transaction.

Euler Labs Ltd, does not represent or speak for on or behalf of Euler Finance or the users of Euler Finance. The commentary and opinions provided by Euler Labs Ltd., are for general informational purposes only, are provided “AS IS,” and without any warranty of any kind. To the best of our knowledge and belief, all information contained herein is accurate and reliable, and has been obtained from public sources we believe to be accurate and reliable at the time of publication.

All content provided is presented only as of the date published or indicated, and may be superseded by subsequent events or for other reasons. As events markets change continuously, previously published information and data may not be current and should not be relied upon.

2024 Euler © All Rights Reserved

Press enquiry:

[email protected]