Mitigating credit fraud in the world of web3
DeFi users are pseudonymous by default, so how do you prevent someone building up a good credit score, taking out a loan and then never repaying?
TLDR: where appropriate we verify identity!
With our focus on quantifying on-chain lending risk, we’ve had various flavours of this question, and it’s a good question!
We use proprietary on-chain analytics to mitigate fraud and partner with leading identity verification and attestation protocols to support the credit decisioning process. We’re also actively exploring privacy-preserving identity attestation approaches which combine security and pseudonymity. Let’s take a look.
Blockchains are distributed ledgers that record open, fair and transparent data. We’ve built enterprise-scale data ingestion infrastructure to read, interpret, analyze and model on-chain activity, and last year we produced one of the world’s first predictive web3 credit scores. Our score is associated with the activity of a single address, but we can also score collections of addresses together to evaluate the activity of a single beneficial owner, what we call “identity-based scoring”.
Credit scores can be useful in their own right:
- Qualifying access to products — for example, a lending pool may only be accessed by accounts with an “Excellent” credit score or a yield aggregation protocol may only offer specific pools to accounts with credit scores over 800.
- Personalizing product experiences — user experiences may be aligned with a user’s asset level and creditworthiness, whether high or low. Product capabilities may be promoted that are popular with account owners with similar levels of creditworthiness.
- Engaging and educating users — The first thing people want to know as soon as they have a credit score is, “how do I make it better”? Users recognize that “creditworthiness” enables them to access financial products on beneficial terms and they’re looking for guidance on healthy web3 and DeFi behaviour.
When it comes to lending, credit scores may be used in isolation (the “qualifying access” scenario described above), but most frequently they’re part of a credit decisioning process. If credit scoring is used to reduce the collateral requirements of over-collateralized loans, enabling capital-efficient loans, it may be that no other credit, asset or identity verification is needed. Fraud vectors where a user intentionally defaults on a loan are mitigated because the user has still supplied collateral with a higher value than the loan.
When we enter the territory of under-collateralized and un-collateralized loans (for example BNPL loans), additional credit decisioning factors are most likely needed: Is the loan applicant qualified? If so, what’s the maximum amount of loan that may be offered? What recourse is available if the user fails to repay? What pricing reflects the risk of the applicant?
Loan qualification and amount may be informed by credit score and credit reporting respectively. An account with an “Excellent” credit score should probably not be offered a 1000 USDC loan if their total assets are close to 1000 USDC. However, they may be eligible if their total assets are worth 100,000 USDC — there is reasonable expectation that the account holder has the resources to fulfill their loan obligation.
Currently in DeFi lending, accounts are assumed to be unscorable and pseudonymous. The question of what recourse is available if a user fails to repay is answered by over-collateralization and smart contracts. This mechanism is “safe”, but it restricts the productive use of capital and excludes common lending scenarios where users want access to finance beyond their current resources.
Recourse in under-collateralized lending usually happens by identifying the borrower, enabling the lender to take remedial action (note: other recourse mechanisms could involve escrow facilities, sanctions or other reputational consequences). The nature of identity attestation depends on the credit decisioning process and context:
- Permissioned pool — the borrower’s account has already been KYC’d in order to participate in the pool.
- Wallet — the wallet may already be associated with a form of identity, for example the Valora wallet is associated with a user’s mobile phone number.
- Lending pool access — initial qualification may require a level of authentication, such as “proof of identity”; however, to streamline the process, this may not yet be a full KYC process.
- Loan issuance — at the point of issuing the loan, a fully KYC’d identity may be required to provide off-chain recourse.
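The layered decisioning described above can be sketched as a single gate that reports every failed layer. This is an added example, not Cred Protocol's code: the score cut-off, the asset-coverage multiple, the stage names and the reason codes are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Attestation(IntEnum):
    NONE = 0               # pseudonymous address only
    PROOF_OF_IDENTITY = 1  # lightweight check, not yet a full KYC
    FULL_KYC = 2           # identity that supports off-chain recourse

# Assumed policy values: the article states no thresholds of its own.
MIN_SCORE = 800       # assumed qualifying score
ASSET_COVERAGE = 10   # assumed: total assets >= 10x the unsecured amount
REQUIRED_ATTESTATION = {  # per stage, following the article's list
    "pool_access": Attestation.PROOF_OF_IDENTITY,
    "loan_issuance": Attestation.FULL_KYC,
}

@dataclass
class Application:
    score: int
    total_assets: float    # USDC value held by the scored address(es)
    loan: float            # USDC requested
    collateral: float      # USDC value posted
    attestation: Attestation
    stage: str             # key of REQUIRED_ATTESTATION

def decide(app: Application) -> tuple[bool, list[str]]:
    """Return (approved, reasons); every failed layer is reported."""
    if app.stage not in REQUIRED_ATTESTATION:
        raise ValueError(f"unknown stage: {app.stage!r}")
    # Layer 1: collateral worth more than the loan covers an intentional
    # default, so no score, asset or identity check is applied.
    if app.collateral > app.loan:
        return True, ["over_collateralized"]
    reasons = []
    unsecured = app.loan - app.collateral
    # Layer 2: qualification by credit score.
    if app.score < MIN_SCORE:
        reasons.append("low_score")
    # Layer 3: loan amount relative to the applicant's resources.
    if app.total_assets < ASSET_COVERAGE * unsecured:
        reasons.append("insufficient_assets")
    # Layer 4: recourse, via the attestation level the stage requires.
    if app.attestation < REQUIRED_ATTESTATION[app.stage]:
        reasons.append("identity_required")
    return (not reasons), reasons
```

A good score alone does not pass: an unsecured 1000 USDC request from an account holding about 1000 USDC fails the asset layer, and a pseudonymous account fails the recourse layer at issuance regardless of score.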
Identity may be attested through a variety of mechanisms — typically the choice of the lending venue or the lender themselves. Users who prioritize anonymity may have to accept limitations on their access to under-collateralized lending products or accept less favorable terms for those products (note: there are exciting developments in ZK proofs which may enable credit risk assessment and anonymity, stay tuned!). Cred Protocol supports the full range of identity attestations from pseudonymity to full KYC, as appropriate:
- NFT — for example Quadrata’s Passport or Goldfinch’s UID.
- Soul Bound Token — such as Masa Finance’s Soul Bound Identity.
- ZK proof — such as those offered by Oasis Protocol.
- Wallet — such as those offered by Valora or Coinbase Wallet.
- Off-chain verification — for example used with Aave’s ARC permissioned pool.
Mitigating fraud isn’t a single activity; it’s a process of layering defenses to make “fraud” as costly as possible. We at Cred Protocol have in-house capabilities including on-chain analytics, transaction graph analysis, machine learning techniques and on-chain identity attestations, and we also partner with an ecosystem of identity and KYC/AML specialists including:
Coinbase, Quadrata, Masa Finance, Oasis Protocol, (Consensys) MetaMask, (Celo) Valora (please reach out if we should be talking!)
If you’d like to engage our team, hop in our Discord or drop us a line at team@credprotocol.com or follow @cred_protocol to learn more.