Thoughts, Insights, and Market Commentary

Crypto Risk Management Part III - Protocol Hacks, Governance Challenges

Bitcoin, the original blockchain, was specifically designed to offer trustless, permissionless and censorship-resistant transactions.

Ethereum’s smart contracts were developed specifically to apply the same principles to computer programs.

Not all smart contracts can be trusted, however. Crypto networks and protocols are simply code that can fail on occasion, resulting in losses of deposited coins and mark-to-market losses on the relevant governance/utility tokens.

Smart contract failure can take several forms: it can be unintentional and then exploited by hackers; it can be specifically designed into the contract to allow malicious behavior by the developers; or those with the multisigs (control) can simply take over the protocol and keep the assets for themselves.

Nexus Mutual, the first to offer a type of insurance called “protocol cover”, breaks down the risks of loss in a smart contract as follows:

  1. smart contract exploits/hacks

  2. oracle manipulation or failure of oracle to correctly reflect market pricing

  3. economic failures resulting in unintended confiscation of deposited tokens

  4. governance failures / “rug pulls” 

Hartmann Capital recognizes that both the complexity and open-source nature of smart contracts can result in losses, and seeks to mitigate such risks wherever possible.

1. Exploits/Hacks

Exploits or hacks differ from governance failures in that the former are the result of unintentional flaws in the code. The biggest risk is in DeFi protocols that hold large amounts of token deposits. When a DeFi DApp has token value locked in the eight, nine or even ten figures, the results can be catastrophic.

Source: Rekt.

Besides the tokens that can be lost to hackers within the protocol, the native tokens can get absolutely decimated after an exploit. After the PancakeBunny attack, the BUNNY token fell to 1/20th of its earlier price (already down more than 50% from the highs). $10,000 in April became $244 in May.

Source: Coingecko.

Hartmann Capital’s first lines of defence against such attacks are (1) smart contract audits, preferably multiple, (2) a focus on protocols built on Ethereum, (3) cautious allocations to new and untested protocols, and (4) insuring against exploits when smart contract exposure is deemed too high.


Audits

More than half of the protocols behind the top 20 hacks were unaudited, and only two had more than one audit. In Q2, only one protocol with more than one auditor was hacked. We view high-value protocols without audits very skeptically.

Layer 1

BSC accounted for half of the top 10 exploits as measured by losses. Given that Ethereum is the dominant layer 1 for DeFi, it is encouraging to note that it accounted for less than one quarter of the top ten losses, with the first one being number 5. Alpha Finance, at number 5, was an untested protocol at the time, having just launched. It is highly likely that, as Ethereum protocols season and prove themselves, reliability increases.

Diversification

Hartmann Capital is more comfortable with well-tested protocols on Ethereum, which is where the larger DeFi DApps have chosen to live. Nevertheless, opportunities exist elsewhere, and even Ethereum-based protocols have been exploited. The key, as it is in many cases, is to limit exposure to any one untested protocol. 

Insurance/cover

There is now a wide variety of providers of smart contract exploit cover. Nexus Mutual has the widest coverage, but does have several less attractive characteristics. The stakers get to decide whether or not an exploit qualifies, and the coverage is actually too broad for our purposes. AMMs, for example, can’t suffer oracle attacks, and enduring protocols are unlikely to have the rug pulled.

When we at Hartmann Capital feel over-exposed to one particular protocol yet the returns are high enough to justify the allocation, we will purchase cover. When earning 100%+ APYs on Bancor, for example, we will purchase exploit (only) cover from Unslashed Finance, currently at much less than 1% per year.

Source: Unslashed Finance.

Exploits as opportunities

When confidence falls in a protocol and/or its token after an exploit, there are often trading opportunities into its competitors. THORChain, for example, had proceeded carefully in its limited launch but, unfortunately, it was not audited at the time of its exploits. As the hacker said, “audits are not a nice to have”.

With two back-to-back hacks of $5 million each and a major flaw in the RUNE token contract, it seemed obvious to us at Hartmann Capital that Ren, a wrapper of Bitcoin (renBTC) and competing cross-chain bridge provider, would have the most to gain, especially given two other competitors, Anyswap and Chainswap, had also recently been hacked.

Source: Coingecko.

Ren did indeed outperform Rune in the next few days, resulting in a quick profit.

It’s not that we don’t believe in cross-chain bridges, or that RUNE is not going to make it. As a hedge fund, it is our job to profit from pair trades, however, and RUNE/REN is the type of short-term opportunity that differentiates us from indexes or VCs.

On the more positive side of an exploit, Hartmann Capital got involved in RGT post-hack, as we believed in the founder Jai Bhavnani, the team and their ability to recover.

Credit: The Defiant.

Hartmann Capital initiated a long at $2 early in 2021. We doubled our position post-exploit in May this year as we saw it as a temporary correction. Of course, most of DeFi has languished post-May correction, but we are bullish on the token in the long term.

As previously documented in our blog, we also took advantage of the hack on Nexus Mutual founder Hugh Karp’s MetaMask to buy into a project and founder we believed in.

2. Governance Failures / Rug Pulls

Governance attacks occur when the team or related entities “pull the rug” out from users, either through an exploit or by exerting undue control over what should be a decentralized protocol.

There are many famous examples of token and protocol rug pulls, and even examples where devs and insiders, without lockups or upon vesting, dump on unsuspecting buyers.

Source: Twitter.

In three years of trading, Hartmann Capital has never been a victim of a governance attack. This may be because we do our due diligence, even to the point of getting personal information from anonymous/pseudonymous founders. 

Betting on Founders

At Hartmann Capital, we often take a fundamental view on a protocol/token, and if we believe an exploit or other bad news is either a temporary setback or irrelevant to the longer-term viability, we view any correction as an opportunity to go long or add.

The May 2021 correction tested the resilience of many protocols, and stablecoins especially. Tokens such as FEI and UST fell to as low as 95% of their USD-pegged value, but quickly recovered.

Source: Coingecko.

Terra’s ecosystem was unlikely to be stopped by anything short of a full meltdown of its centrepiece stablecoin, UST. At Hartmann Capital, we choose to view the rebound to par as evidence of resilience. We bought into Terra’s native token LUNA just above $4, a prescient move in hindsight with LUNA at 3x since then.

On the whole we look for founders and teams we believe we can trust, and protocols and tokenomics we believe in. 

Avoiding rug pulls, letting protocols season, diversifying risk and purchasing insurance are all methods we use to minimize our exposure to exploits and governance attacks. When we believe in the protocol/token in the long term, however, bad news can make for attractive entry points.

Guest User