Yesterday, Hegic announced the v1 launch of its options protocol, allowing anyone to buy and sell American call/put options on Ethereum.
🛡️ Announcing Hegic Protocol V1:
▫️ $ETH Put Options
▫️ $ETH Call Options
▫️ UI for options writers
▫️ Choose any strike price
▫️ New pricing formula (IV)
▫️ Security audit by @trailofbits
▫️ Sell puts and earn yield on DAI
▫️ Sell calls and earn yield on ETH
— Hegic (@HegicOptions) April 24, 2020
Less then 48 hours later, the team announced a major flaw in a function name which may result in users having their funds locked forever.
‼️ ALERT A typo has been found in the code. Because of that, liquidity in expired options contracts can’t be unlocked for new options. ‼️ Please EXERCISE ALL OF YOUR ACTIVE OPTIONS CONTRACTS NOW. Everyone will be 100% REFUNDED with the amount of premium that you paid for options.
— Hegic (@HegicOptions) April 25, 2020
In this article, we’ll get you caught up on both sides. For one, we believe Hedgic and Ethereum-based options are fantastic additions to the DeFi ecosystem. However, this vulnerability goes to show that audits are as important as ever before, and they should not be rushed or taken lightly. With that, let’s start with the good news.
What is Hegic?
For those unfamiliar, options contracts give you the right to buy or sell a particular asset at a later date at an agreed-upon price (known as the strike price). In essence, options contracts are a leveraged bet on whether or not the price of an asset will go up or down within a certain period of time. For Hegic, the protocol is launching with ETH support, allowing anyone to access a leveraged bet on the price of Ether in either direction.
For users wanting to bet the price will go up, you can purchase Hegic’s call options. For users wanting to bet the price will go down, you can purchase put options. Like any trade, there’s always someone on the other side. Hegic allows anyone to sell options contracts and earn premiums in an automated fashion. With that, you can deposit ETH into Hegic’s non-custodial ETH pool to “mint” call options on Ether. On the other hand, users can deposit DAI into Hegic’s non-custodial liquidity pool to earn yields on by selling ETH put options. If the contract is not exercised and it expires, sellers (also known as liquidity providers) earn the premium for selling the contract and committing to honor the strike price if redeemed.
What’s interesting about Hegic that differentiates it from other similar options protocol (like Opyn) is the pooled risk when selling the contracts. Traditionally, when traders sell an options contract, they’re only exposed to the risk for that specific contract. However, with Hegic, that risk is diversified across all liquidity providers for a given pool. Therefore, sellers share the risk and reward for all contracts issued out of the respective pool.
Here’s how this plays out as outlined in the Hegic Whitepaper:
What Went Wrong?
Shortly after launch, it was discovered that one Hegic’s function’s optionIDs was misspelled – where it should have read optionsIDs. What this meant is that those who provided liquidity to the protocol may be unable to retrieve when the function was called – resulting in those funds being lost forever.
Update: It’s NOT a security issue. It’s an incorrect function name (optionIDs instead of optionsIDs). This function unlocks liquidity in expired contracts. If it doesn’t work, funds are just forever locked. It can’t be used by a malicious actor. @trailofbits did their job well.
— Hegic (@HegicOptions) April 25, 2020
As a result, Hegic is urging users to stop opening new contracts in light of issuing new and improved code in the coming days. However, the larger story here is that of the audit itself. While the audit was performed by the highly reputable Trail of Bits, it recently came to light that the audit was conducted less than a week prior to launch within a 16-hour time frame – all of which included a number of issues which raise flags. An excellent thread on the implications of this particular audit, and on the implications of audits being performed in such a manner is attached below.
For those too lazy to open a PDF, heres the "audit"
For those who don't know wtf this is:
1. It's an audit summary.
2. There are red flags in summary.
3. You need to read between the lines a bit whenever looking at an audit. Actually easier to do the summary. https://t.co/WuvnUqct6S pic.twitter.com/7NvCUaI26o
— beta.mycrypto.com (@MyCrypto) April 25, 2020
The TLDR version is that it was quite clear there were still a number of outstanding issues when Hegic went live. While we all know the risky nature of using new DeFi products, many have suggested that Hegic should more clearly display the alpha nature of the code, further informing users to proceed with caution.
Thankfully for Hegic users, no funds were lost. The contracts will be upgraded and we’re sure the platform will garner traction in the future. What’s important to note here is that audits are increasingly becoming more and more necessary – specifically emphasizing the fact that a number of audits should be performed, and that they are not to be taken lightly or rushed.
An actual audit takes time. It requires careful work by an experienced team. It's not something you want to rush.
— Santiago Palladino (@smpalladino) April 25, 2020
Ending on a more positive note, the ability for any individual to buy and hold ETH-based options contracts (and other major crypto assets) will facilitate more efficient markets for DeFi at large. Moreover, like Opyn, Hegic allows DeFi users to earn high-yielding premiums by becoming liquidity providers to the protocol and depositing ETH or DAI into its non-custodial liquidity pools. It’s important to note that if an option buyer decides to exercise the option, sellers incur a loss. However, unlike most traditional options sellers, that loss will be distributed among the entirety of the liquidity pool and not just the individual who sold the contract.
This is highly important for user experience as options contracts are already a complex asset class for many to wrap their heads around. By diversifying risk, becoming an options seller becomes increasingly more attractive for the individual.
All in all, it’s great to see more derivatives platforms in DeFi and it’s clear that the expanding opportunities for earning passive income are becoming more and more pronounced.
For daily updates on this new options protocol, make sure to follow the team on Twitter.
For all things DeFi, sign up for our newsletter!