With the FTX events, following the 3 Arrows Capital and Luna/Terra downfall, I thought it would be appropriate to discuss risk management in crypto.
The amount of money that people have lost by having too much placed at one venue, or allocated to one coin or ecosystem, is remarkable and sad.
I luckily have not been directly affected by any of these events. I've been both lucky, but have improved my odds by practicing basic risk management. It is a matter of time until I get rugged somehow. The goal is to reduce the likelihood and impact when it happens.
Here are the principles I practice. Astute DeFi users may skip the wallet and software basics and move onto the portfolio risk management section.
- Use a hardware wallet. Trezor and Ledger are most popular. Lattice1 gets rave reviews. Only buy these directly from the manufacturers.
- Add a passphrase to these wallets for additional security. As a result, one hardware wallet can have different wallet paths for different passwords. This is convenient from a user perspective, but makes for easy diversification (one can have multiple cold wallets via one hardware wallet private key, via passwords).
- For the browser wallet, only use open source software that has broad community adoption. For EVM chains, Frame and MetaMask are great, which support the aforementioned hardware wallets.
- Split or shard your seed phrase. A 2/3 split schema is a good start. Store these in physical format in different locations. Ideally broadly distributed enough so that if something tragic happens like a bombing event, you can still access 2/3. Note that if someone gets access to a 1/3rd passphrase, your private key will be easier to crack - but should still take decades and will give you ample time to recover and migrate any funds.
- Savvier users with substantial passive holdings (like core BTC, ETH or bluechip NFTs) can set up a Gnosis Safe multisig with a 2/3 ownership schema. Each owner/signer can be a dedicated hardware wallet, of which the seed phrase can be stored in different locations as described above. Benefit is additional cryptographic strength at the expense of additional complexity.
- Spread your funds between different wallets. The wallet you engage in DeFi with should hold little idle assets. Those should be in one or more cold wallets.
- Regularly revoke approvals. Revoke.cash is a great and trusted site for this. Zapper has a decent integration too. I do this monthly across all my wallets, using gashawk to execute these transactions at the lowest gas cost.
- Be incredibly careful with signing gasless messages. These cannot be revoked but can drain assets from your wallet. Another great reason to separate your DeFi and storage wallets.
- If you're extreme, you would only set-up and engage with a wallet on a computer that is isolated from the internet. This is unfeasible for most, however. You can avoid most risk by never writing your seed phrase or passphrases into your computer.
- Use a trusted password manager like Lastpass or 1Password for all your passwords. All your passwords should be auto-generated via these services, with as many characters, number and symbols as possible. This reduces the odds they can be cracked.
- In terms of browsers, Chromium based ones are regularly updated and interacts well with software wallets like Metamask and Frame. Ensure you update your browser whenever a new update comes out. Brave has some decent privacy options.
- There's a growing set of tools that make it easier to interpret blockchain interactions. I've seen Pocket Universe and Trustcheck get traction. These trigger a pop-up whenever you want to interact with a smart contract, which helps you understand in human language what the interaction will do.
- Additionally you must be wary of phishing. There are many scammers who recreate common sites on similar domains to trick you into engaging. WalletGuard is an integration that tends to warn you of such cases.
- Use a trusted anti-virus suite. These are worth paying for. Here's a review of good OSX options.
- If you're an active DeFi user, you should track your positions in written format. A spreadsheet will do. It is likely that if you don't, you'll forget about positions, farms and dust, which in the long run can represent meaningful amounts of money. I find it helpful to track the USD value of my positions weekly, which increases my sensitivity to any de-pegs or anomalies.
- Use Nansen's portfolio tracker (they acquired Apeboard), Zapper or DeBank to track your portfolio on an ad-hoc basis.
- For stablecoins, I hold primarily USDC (most trusted), DAI (decentralised derivative, but mostly made up of USDC) and LUSD (most trustless). The goal is to never be wiped out. I do not hold all my cash in stables and of the stables that I hold, I diversify these across types. Note that DAI will likely fail if USDC does, because of its large USDC collateral.
- The largest amounts should be held on Ethereum Mainnet, the most decentralised and Lindy blockchain. If you are priced out because of gas, and use L2s or alt L1s, diversify your holdings across them. Say you have $100K engaged in stable coin farms outside of Mainnet, I would split this up to at least 2 different chains (e.g. Optimism & Arbitrum).
- Similarly, diversify the protocols and farms that you engage with. Consider contagion risks. For example, Convex is relies on Curve's continued functioning, thus having a Curve and Convex allocation imposes related risks. I aspire to keep at least 4 different farms going, when the returns are appropriate.
- For bet sizing, assuming you are a long-term more passive investor, I would similarly practice diversification. Major coins like ETH and BTC have been Lindy and are unlikely to fail - but unlikely does not mean impossible. Therefore, avoid against going all-in even with assets of such track record. The more knowledge you have of the market and the asset, the more concentrated you can be, and vice versa. Normies probably do better not picking bets but diversifying across ETH & BTC.
- It is important to develop sensitivity around the correlations in crypto however - this market largely moves in synchrony. When diversifying into altcoins from a ETH and/or BTC base, I would suggest monitoring the relative strength of your altcoins to ETH and BTC to determine if they add any additional risk for the extra risk you're taking.
- The allure of DeFi is decentralised, transparent and accessible financial tooling. CEXes are the polar opposite of these, since they are centralised, nontransparent and gatekept.
- Limit your exposure to CEXes to the extent you need to use them. I use them as on/off-ramps to get funds in and out of crypto. For this, I always keep many CEX accounts in good standing, KYCed and AMLed.
- Most traders of spot crypto can do all of their business using DeFi apps. Derivatives, despite US regulatory risks, are improving in sophistication and UI/UX. If you insist on using CEXes however, or are basis trading (capturing funding rates on futures contracts while remaining delta neutral), limit your exposure to each exchange. Ideally, only use exchanges with Proof of Reserves, established in a jurisdiction with a strong regulatory framework and audited books. Unfortunately, only Coinbase (US, listed) and Kraken come to mind for me.
- For your traditional banking, set up multiple accounts, preferably with banks that have a government guarantee schema like FDIC. It may be prudent to have bank accounts in different countries. Register these accounts with your different CEXes so you have a multitude of ways to on & off-ramp.
- You may diversify your fiat currency exposure too, depending on the stability of yours. USD or CHF have been strong anchors for a currency portfolio of late. Few normies realise they can keep say 2/3rds of their cash in a strong currency while keeping 1/3rds for operating expenses in their local, weakening currency. This would have rewarded you well as a European or Japanese spender in the last year, for example.
The philosophy is simple: create conditions in which you can never go to zero. It is much harder to make money back than it is to make more money.
Here's a hilariously simple example why:
You start with $100K.
Making $50K requires a 50% gain.
But if you lose $50K instead, getting back to $100K requires a 100% gain.
And to get to $150K requires a 200% gain.
Succeeding in markets require that you think in bets. The biggest risks are the ones you're unaware of. People losing substantial amounts of their net worth on UST or FTX deposits placed unwarranted trust in those venues, and would have done better limiting their exposure from the outset. Such skepticism may limit upside potential (since you're not betting the farm), but creates staying power (you get to live another day to try again). I expect to be burned and optimize for the latter.
Are you doing anything to mitigate risk that I missed? I'd love to hear about it.
Striking Markets Newsletter
Reflections on blockchain, markets and venture capital.