When you deposit funds into a lending market, you expect that you will always be able to withdraw the full value of your deposit. Whilst in an ideal world this would always be true, there are several circumstances that can lead to the loss of deposited funds - typically referred to as bad debt.

Bad Debt

Bad debt occurs when an outstanding debt is no longer recoverable. There are several reasons why a lending platform could go into bad debt, including:

• Smart contract vulnerability

• Oracle exploit

• Failed liquidations

• Governance attack

The extent to which bad debt affects lenders depends on the design of the lending platform.

In a shared-pool platform like Aave or Rari Fuse where deposits of all token assets go into a single pool, when one token asset experiences an exploit every single deposit on the platform may be exposed to bad debt. In other words, an exploit to a shared-pool can result in bad debt that is protocol-wide.

In Silo, every token asset gets an isolated pool and is only paired with the bridge asset (ETH). An exploit in Token ABC will only affect lenders of the bridge asset (ETH) in the Token ABC Silo. Basically, an exploit to one pool (silo) is always isolated to that pool and is never protocol-wide

Worked Example

Let’s go through an example to see which parties are affected in the event of bad debt.

Aave/Rari Fuse (Shared-Pool Protocols)

Pretend there is a shared-pool platform that accepts TOKE, UNI, and BAL.

TOKE experiences a price exploit which gives it far greater borrowing power than it should have, allowing a malicious actor with TOKE to withdraw the full amount of UNI and BAL.

TOKE returns to normal price which means that the malicious actor’s position is liquidated. However, since they are borrowing with an inflated TOKE price, they do not care about their TOKE collateral and leave with the UNI and BAL they have borrowed.

In this scenario, bad debt accrues protocol-wide and all lenders lose part or all of their deposits - it is highly unlikely that the remaining Token C collateral is sufficient to compensate them.

Previous exploits in protocols using a shared-pool approach include:

• Rari Finance

• Hundred Finance

• Cream Finance

Silo

Pretend there are the following silos:

• TOKE Silo - silo contains TOKE + ETH, the bridge asset

• UNI Silo - silo contains UNI + ETH, the bridge asset

• BAL Silo - silo contains BAL + ETH, the bridge asset

TOKE experiences a price exploit which gives it far greater borrowing power than it should have. This allows a malicious actor with TOKE to borrow ETH, the Bridge Asset, from the TOKE Silo. This price exploit allows the malicious actor to withdraw the full amount of the Bridge Asset from the Token C Silo causing bad debt to accrue to ETH lenders in the TOKE Silo.

In this scenario, bad debt accrues in an isolated manner to the Bridge Lenders only in the TOKE Silo. UNI, BAL, and any other Token ABC Silo do not accept TOKE as collateral and are protected from any price exploit in TOKE. This applies in the other direction as well. If there was an exploit in BAL instead, because only the BAL Silo accepts BAL, all other silos are safe.

The only party exposed to risk is the Bridge Asset Lender of the exploited silo - these are the risk bearers in Silo’s lending approach. Because of this, it is the responsibility of Bridge Lenders to gauge the risk of the non-bridge token which a silo is paired with.