Digital Insurance

Smart contract risk permeates the on-chain economy and remains one of the primary limitations on wider adoption of blockchains today. In this chapter, we review three different paths through which the smart contract insurance industry can grow and mature.


Introduction

Much of the on-chain economy runs on smart contracts. The automation that smart contracts provide is sometimes said to offer “trustless” solutions: because no third-party intermediary performs the function, there is no need to trust anyone for effective, accurate and timely performance.

Automatically executing code performs that function instead. Decentralized finance applications, non-fungible tokens, decentralized identity solutions, stablecoins, oracles that bridge real-world information to the blockchain and a variety of other aspects of on-chain activity rely on smart contracts functioning as intended. As a result, “smart contract risk” – the risk that smart contracts do not function as intended (whether as a result of a bug, hack, external dependency failure or something else) – permeates the on-chain economy. “Trustless” can become untrusted very quickly when an issue arises, and disintermediated automation means there may be no party available or able to step in and prevent a failure.

This is one of the primary limitations on wider adoption of blockchains today. Despite the systemic importance of this risk, the market for insurance and insurance-like solutions covering smart contract risk is relatively small and immature. Instead, smart contract risk is primarily mitigated by technical mechanisms (like smart contract audits) and incentive mechanisms (like bug bounties). The widespread availability of insurance to cover losses caused by smart contract failure could clearly help build better trust, and below we consider three different paths through which the smart contract insurance industry can grow and mature.

Bug bounties are rewards offered to third-party security researchers (sometimes called “white hat hackers”) for finding and reporting protocol vulnerabilities.


Insuring the smart contract 

Currently, most smart contract insurance is purchased by the end-user. An individual or organization that holds tokens deposited in a smart contract might, for example, purchase insurance cover to protect against those assets being drained through an error in the code. The user is insured, but the smart contract usually is not. In certain circumstances, however, it may be more efficient to insure the smart contract itself or, at least, to offer end-users the ability to opt into the insurance simultaneously with the primary smart contract interaction.  This “insurance by default” model should result in more risk being covered and, consequently, create a larger market that is more attractive for insurers to participate in. 

Additionally, insuring the smart contract itself gives the insurer greater control over the risks it is covering. Most reputable protocols subject their smart contract code to one or more smart contract audits to identify and fix bugs or other vulnerabilities in the code. Insurers that propose to cover the smart contract itself can partner with the smart contract development teams prior to launch and participate in the auditing process. This early involvement would aid the insurer’s underwriting process, make integrating insurance into the protocol more economically viable and ultimately provide an effective, low-cost trust solution to smart contract risk.

Increasing specialization

Participants in the traditional insurance market are highly specialized. Different insurance companies service different lines of business and have geographically distinct market focus. There are also reinsurers, brokers, agents and other industry participants that specialize in serving different clients, risks, geographies and layers of the risk stack. The smart contract insurance market has not yet developed this specialization. Instead, a single insurer may bear the entire risk of loss for a variety of adverse events that could occur with respect to a single smart contract.

However, smart contract risk is not a single type of risk. Consider three recent prominent loss events:

  • the Euler Finance hack, which is generally thought to be the result of a vulnerability in the design of the smart contract’s source code;
  • the Curve Finance exploit, which was the result of a compiler bug (rather than a bug in the source code); and
  • the collapse of Terra Luna and its associated stablecoin, which is generally blamed on an economic attack or a weakness in the design of the protocol itself.

The expertise needed to underwrite the risk of the particular loss event that occurred in each case was different. The smart contract insurance market will mature as different participants specialize in underwriting different risks, as reinsurers enter to provide the capital necessary to cover those risks and as brokers emerge to facilitate the placement of a comprehensive insurance product.  

Compiler risk is the risk that a vulnerability exists in the program that translates (“compiles”) the source code for a protocol into machine-readable code. As many different protocols may rely on the same compiler, compiler vulnerabilities have the potential to result in more systemic losses than source code vulnerabilities (which, generally, will affect only an individual protocol). However, the underwriting burden of assessing compiler risk should also be substantially lower than it is for source code risk as the assessment would not need to be duplicated for each protocol.

  

Obtaining legal clarity

Although legislation, regulation and case law regarding digital assets and on-chain activity are developing in different jurisdictions, there remains significant uncertainty regarding how the industry will be integrated with the traditional legal system. Consider the following:

  1. Are insurers that advise on the audits conducted for a protocol responsible for ensuring that the protocol functions consistently with anti-money laundering laws? What if the insurers underwrite the insurance embedded in the protocol?
  2. If a smart contract insurer holds governance tokens in the protocol or votes on decisions affecting the protocol, is the insurer part of a general partnership and liable for the protocol and the acts of other participants? What if insurance is integrated into the protocol itself and the insurer is only making coverage decisions?

The answers to these questions and a variety of others are unclear in many jurisdictions. Given this legal uncertainty, it is unsurprising that the smart contract insurance market has been slow to mature.

Converging paths

We expect that progress towards more comprehensive insurance, increased specialization and enhanced legal clarity in the digital assets market will reinforce and build upon one another. As disparate court decisions are harmonized or superseded by a comprehensive legislative framework for on-chain activity, for instance, insurance market participants will be encouraged to work more closely with protocols. As those protocols integrate insurance coverage, the overall market for smart contract insurance will grow and, in turn, create an opportunity for insurers to specialize in different aspects of the market. Of course, this progress is not inevitable: it requires the efforts of a wide variety of contributors to create the trust and efficiencies that fuel the machine. We need smart contract engineers to develop viable products, confident financiers to fund them, insurers that make those products safe to finance and use, brokers and reinsurers that facilitate the placement of that insurance, and lawyers and regulators that work to foster the many different participants in that market.

Key recommendations

1. Insurance by default

It may be more efficient to insure the smart contract itself, or offer end-users the ability to opt into the insurance simultaneously with the primary smart contract interaction. Insurers covering the smart contract itself can partner with the development teams to aid the insurer’s underwriting process.

2. Increasing specialization

The smart contract insurance market will mature as different participants specialize in underwriting different risks, as reinsurers enter to provide the capital necessary to cover those risks and as brokers emerge to facilitate the placement of a comprehensive insurance product.

3. More legal and regulatory clarity required

Obtaining legal and regulatory clarity in more jurisdictions will undoubtedly help the insurance market in this field to mature.
