Introduction to Grace Protocol

Published in

Grace Protocol

13 min readNov 16, 2023

Edit 19/5/2024: Some information about product features presented in this article are outdated. Grace has evolved significantly since this article was authored. Please visit the docs for the most up to date information.

No matter how much is invested in their security and risk management, every lending protocol eventually loses money given an infinite timeline. This thesis is based on the fact that these are risk protocols, where risk is a fundamental property of the product. No matter how secure the smart contracts can be, something as simple as borrowers’ collateral price falling too fast or even their debt price rising too fast can cause bad debt and therefore losses to lenders.

Today’s lending protocols don’t make this assumption in their design. They’re only designed to try and prevent risks, but never expect those risks to actually materialize into losses. Because of that, they’re not designed to distribute losses among lenders when they inevitably occur, resulting in an unfair loss distribution among lenders where the first lenders to withdraw share none of the losses while those unlucky enough to withdraw last may lose everything.

This situation greatly incentivizes a bank run as soon as a protocol experiences any loss no matter how small because even a loss as small as 1% of the protocol’s TVL can cost you 100% of your deposit if you’re the last one to withdraw.

Additionally, in the event of a loss followed by a bank run, a protocol enters a broken state of insolvency and becomes unusable by future lenders because any new lenders entering the pool would be adding exit liquidity for existing stuck lenders, allowing them to transfer their previous losses to the new lenders. Therefore, no one uses a protocol after it suffers a default and it simply dies broken and insolvent.

Some people tried to solve this problem by creating some loss backstop mechanism backed by a governance token or treasury reserves. However, this does not scale because as the lending pool grows larger, more capital will be required to backstop it. This limits the size of the pool based on the backstop capacity. It is also unsustainable because a backstop mechanism can only be used to repay losses that are valued lower than the backstop’s liquidity. As soon as the loss exceeds the backstop capacity, the protocol becomes broken and insolvent and lenders will run for the exits.

A lending protocol needs to expect and be able to absorb any amount of loss for it to be both scalable and sustainable.

This is why I spent the last year and a half trying to solve this problem by looking for a lending protocol design that can gracefully absorb any amount of loss.

Fair loss distribution

Whenever Grace experiences a loss, we distribute it equally among lenders.

In practice, as soon as any borrower gets liquidated to a point where their remaining collateral value is near 0 while they still owe some debt, we write off their remaining debt and instantly socialize that loss among the current lenders.

This solves the problem of equal loss distribution and removes the incentive of bank runs after the loss because by the time lenders may consider exiting, there’s not any downside left to staying in the pool, there’s only potential upside in the form of future interest.

Even if some lenders still try to exit at once, they will no longer increase the loss of the remaining lenders because the loss has already been distributed at that point.

Additionally, new lenders are able to enter the pool without sharing the previous losses of existing lenders. The protocol can continue to serve both borrowers and lenders normally after experiencing any amount of loss, giving it a much better chance of eventually recovering the loss using future interest.

This design would work best in the context of an isolated margin lending protocol, where exposure to each collateral is isolated. However, while isolated margin is very good at isolating and limiting collateral risk, cross-margin protocols such as Aave and Compound have proven themselves to be much more capital and collateral efficient than their isolated margin counterparts.

Collateral value limits

For fair loss distribution to be implemented in a cross-margin protocol, we first need to solve the second problem of unlimited collateral exposure, where the entire protocol is as strong as its weakest collateral. Meaning that if only the weakest of the supported collaterals gets manipulated, then it can be used to borrow and drain up to 100% of the supplied lending liquidity. At that point, it would be useless to try and distribute any losses.

The goal is to combine the risk guarantees of isolated margin with the efficiency of cross-margin.

In order to achieve this combination, we first separate collateral tokens from borrowable tokens and introduce a concept of global collateral value limits where a maximum total deposit value can be set for each collateral in dollar terms. As soon as the limit is reached, whether due to new deposits or a rise in the price of existing deposits, no more deposits can be made. More importantly, when the limit is reached, the oracle price of each unit of collateral is also limited in order to preserve the global collateral value limit based on the deposited number of collateral tokens. This mechanism functions regardless of oracle price, meaning that it is able to control collateral exposure even in the event of oracle price manipulation. The formula below calculates the maximum collateral price based on collateral value limits:

Given:

Pf represents the collateral price from the oracle price feed.
T represents the total amount of collateral tokens deposited.
V represents the limit, which is the maximum value of the total collateral in USD.

We define P, the price of each collateral token as:

Thanks to collateral value limits, cross-margin pools are no longer as strong as their weakest collateral. Exposure to each collateral can be limited without reducing the collateral’s efficiency.

Grace sets two types of limits for each collateral: absolute limits and relative limits. The minimum of the two is used for each collateral.

An absolute limit is the maximum value of collateral deposits in dollar terms. This should typically be set based on the available amount of external market liquidity for each collateral.

A relative limit is the maximum value of collateral tokens relative the total value supplied by lenders. For example, if lenders supplied $100M in total, and a collateral’s relative limit is set to 10%, then the total deposit value of said collateral cannot exceed $10M. The relative limit is readjusted automatically to ensure a constant collateral exposure for each lender, regardless of total supplied. For example, following the example above, each lender only risks losing a maximum of 10 cents on the dollar due to the protocol’s exposure to that collateral.

Edit 19/5/2024: Relative limits have been removed from the protocol in order to simplify the protocol and reduce user gas cost. Only absolute limits have been implemented in the protocol.

When collateral value limits are combined with fair loss distribution, lenders are able to make much more precise risk/reward calculations. They know how much they can expect to lose due to exposure to each collateral vs how much they can expect to earn based on the current interest rate.

Collateral fees

Collateral value limits allow control over how much risk is introduced by each collateral. In order to control the potential reward of the collateral, we also need to be able to charge a different interest rate based on the collaterals that are used by each borrower. This is another problem that cross-margin protocols have struggled to solve and was only possible in isolated margin.

In order to solve this problem, we introduce a concept of collateral fees. In addition to interest payments, borrowers may also pay a variable yearly fee depending on which collaterals they have deposited. This fee is denominated in the each collateral token. This mechanism allows for efficient pricing of collateral risk. For some highly liquid collaterals such as ETH, borrowers may not pay any collateral fees because the collateral risk of ETH is determined to be relatively low. However, for less liquid collaterals or collaterals that are priced by inferior price feeds, borrowers may be charged a higher collateral fee where their collateral balance decreases over time.

This fee is charged in exchange for the protocol’s exposure to the user’s collateral regardless of the user’s debt. The user may be charged additional interest based on the amount of tokens that they borrow.

Debt circuit breaker

As previously seen on FiRM, Grace uses a maximum daily borrow limit as a circuit breaker in order to limit the maximum potential damage by a successful attack in a single day in dollar terms. For example, if the daily borrow limit is set to $1M, no more than $1M in new loans can be borrowed in total across all borrowable tokens in one day.

Pessimistic Price Oracle

Grace improves upon FiRM’s Pessimistic Price Oracle (PPO) design in order to further protect against single and multi block oracle price manipulation attacks.

FiRM’s PPO prevents the borrowing power of each collateral from exceeding the lowest recorded price of the collateral over the past 2 days based on the collateral factor. This removes the incentive of single and multi block attacks because a collateral price inflation attack cannot be profitable regardless of the oracle price originating from the potentially vulnerable price feed.

Grace PPO extends the length of the lowest price measurement window from 2 days to 2 weeks in attempt to cover medium-term manipulation attacks of illiquid markets.

Grace PPO also adds a similar mechanism for pricing debt tokens, where the highest recorded price over the past 2 weeks is used. This prevents a another class of manipulation attacks where an attacker may try to artificially reduce the price of borrowed tokens in order to increase the amount of tokens that can be borrowed per collateral.

This new iteration of PPO renders most flashloan, multi-block and even multi-day collateral inflation and debt deflation attacks ineffective. This allows Grace to dramatically reduce the risk of on-boarding new collateral types and on-chain price feeds that were previously considered too risky.

Exponentially-smoothed utilization curves

Edit 19/5/2024: Exponentially-smoothed utilization curves have been removed in order to simplify the protocol and reduce user gas cost. Instead, interest rate growth is capped on a per-day basis.

Grace relies on the utilization curves to determine borrow rates. This concept was first introduced by Compound. The borrow rate is determined as a function of the utilization of supplied tokens.

However, in traditional utilization curves, sudden spikes in pool utilization can cause large swings in interest rates, causing a lot of rate uncertainty for borrowers and lenders especially at times of high market volatility.

Grace solves this problem by using an Exponential Moving Average function in order to smoothen the rate output of the utilization curve over time. When the utilization rate is changed, the pool targets a new interest rate based on the utilization curve but the effective borrow rate moves towards that target over time. The following EMA formula is used to determine the effective borrow rate:

Given:

U(t) represents the utilization rate of borrowable tokens at time t.
R(U(t)) is the Compound Jump Rate Model function determining the borrow rate based on the utilization rate U(t).
The half-life H is a constant influencing the rate at which the EMA adapts to changes in the borrow rate.

where

This results in a smoothed adjustment of the effective borrow rate EMArate(t) towards the target rate R(U(t)), determined by the current utilization rate U(t), mitigating rapid fluctuations in the borrow rate.

EMA rate curves are also used to price Grace collateral fees, where collateral fees are dynamically set based on a utilization curve. In this case, utilization is a function of deposited collateral value divided by the maximum collateral value limit.

Protobonds

Edit 19/5/2024: The implementation of Protobonds has been delayed to a future release in order to simplify the initial iteration. GRACE token was also renamed to GTR (Grace Tokenized Reserves) which is no longer used to vote in on-chain governance. In this iteration, lenders receive GTR rewards using a traditional staking reward contract without lockups or fixed yield.

In traditional lending protocols, interest paid by borrowers is distributed to lenders. However, in Grace, in addition to interest on debt, borrowers also pay collateral fees denominated in different collateral tokens. These tokens must be distributed among lenders of all supplied tokens in order to compensate them for their collateral risk exposure.

Grace does not pay accrued interest directly to lenders. Instead, it introduces a new concept of Protobonds that are used to distribute both interest and collateral fees among all lenders.

Protobonds are recurring Zero-Coupon Bonds of different maturities that are offered by the protocol to the public in order to attract lending liquidity.

Lenders buy Protobonds during an auction period in exchange for the native GRACE governance token. Once the auction period elapses, lenders receive their GRACE yield upfront and lock-in their liquidity to be lent on Grace until the bond maturity.

The rewarded GRACE tokens can then be burned and redeemed by the lenders for a proportional share of the protocol’s reserve of accrued interest and collateral fees. Instead, some lenders may opt to sell GRACE tokens on the market and let arbitragers do the job of burning it and redeeming GRACE on their behalf.

Grace governance can issue multiple Protobonds for each debt token. For example, there can be simultaneous 1-week, 1-month, 1-quarter and 1-year USDC Protobonds that offer lenders different market-driven GRACE yields.

Protobonds of the same maturity are tokenized and fungible. Meaning that they can be traded on the secondary markets. This allows existing protobond holders to exit their positions prematurely but also allows new potential lenders to enter a Protobond position before the next auction.

Protobonds also automatically rollover. This allows non-sophisticated passive lenders to let their capital accrue yield over multiple consecutive maturities without having to worry about managing their capital or actively participating in bond auctions. Lenders who seek maximum flexibility will likely opt-in for short-term 1-week bonds, while lenders looking for long-term fixed rates will opt-in for long-term 1-year or even multi-year bonds.

Protobonds provide multiple fixed-rate yield offerings to different types of lenders based on their needs. They also provide a predictable lending supply for the protocol, resulting in a stable borrow rate for borrowers.

The ability to set different maturities allows GRACE governance to incentivize its liquidity operations in response to changes in market conditions. For example, during a high interest rate environment, GRACE governance may favor allocating more funding towards short-term bonds over long-term in order to reduce long-term cost of capital. During low-rate environments, governance may favor more funding towards long-term bonds in order to secure a cheap cost of capital for the long term. Governance is also able to use Protobonds to indirectly move liquidity across different pools in order to maximize efficiency. If there’s excessive under-utilized liquidity on one pool, it can reallocate some of its Protobond reward budget towards other more utilized pools in order to maximize interest revenue per GRACE token spent.

Launch Plan

Grace protocol contracts are feature-complete and are only missing some unit tests before being handed to auditors.

While waiting for audits, a testnet launch on Sepolia testnet is planned in December.

Ethereum mainnet launch of the Grace lending protocol and the GRACE on-chain governance is planned sometime during Q1 2024 depending on audit results, hopefully by the end of January. However, GRACE token will remain non-transferrable until governance votes to enable transferrability.

The reason Grace will be deployed on Ethereum mainnet first is because it aims to disrupt the top cross-margin lending players on Ethereum by providing a more efficient and safer alternative. After Grace gains a significant market share on Ethereum, it is likely to be deployed on L2s as well.

Grace will not raise money from investors in order to fund development, neither privately nor publicly. Instead, a public 3-year lending liquidity commitment event will be announced where anyone can commit to lending USDT, USDC and/or DOLA stablecoins on Grace for the next 3 years in exchange for a share of the initial GRACE governance token supply. The locked liquidity will also be to generate additional GRACE rewards for the event participants through Protobonds during the lock-up period.

The purpose of the liquidity commitment event is to bootstrap and maintain lending liquidity for the first 3 years after launch. After the 3 years elapse, participants will be able to withdraw their locked deposit. Participants will also retain the option to sell their locked deposit ahead of time to others in a tokenized form on the secondary market.

More details about the liquidity commitment event, GRACE token and supply distribution will be published in a later announcement.

Conclusion

Grace provides the collateral and capital efficiency of cross-margin lending combined with the safety guarantees of isolated margin thanks to collateral value limits. In the event of bad debt, Grace is able to fairly socialize loss among lenders, making it resilient to shocks including oracle manipulation, collateral or debt volatility and code exploits. Grace collateral fees allow dynamic pricing of collateral risk for the first time in cross-margin lending. An improved Pessimistic Price Oracle provides powerful safety guarantees against flashloan, multi-block and multi-day price manipulation attacks. A debt circuit breaker minimizes potential damage in the event of a successful manipulation attack against Grace lenders. A borrow rate smoothing mechanism provides borrowers with stable borrow rates. Protobonds provide lenders with fixed rate offerings that include short and long term options, and provide the protocol with predictable lending liquidity.

All of these novel features combined are the result of years of learning from work on previous iterations of lending protocols including Frontier (2020), FiRM (2022) and Surge (2023). Grace’s superior risk management, liquidity provisioning and efficient pricing features provide better safety, liquidity and market efficiency for both lenders and borrowers.