Is an on-chain "subprime crisis" already emerging? The path to maturity for DeFi structured products.

Original author: Chaos Labs

Original translation by: AididiaoJP, Foresight News

The Rise of Risk Management and On-Chain Capital Allocator (OCCA)

DeFi has entered a new structured phase, with institutional trading strategies being abstracted into composable and tokenizable assets.

It all began with the emergence of liquidity-staking tokens, and Ethena Labs' tokenized basis trading became a key turning point for DeFi structured products. This protocol packaged a delta-neutral hedging strategy, which required 24-hour margin management, into a synthetic dollar token, allowing users to participate with a single click, thus redefining their expectations of DeFi.

What was once a product reserved for trading firms and institutions has now entered the mainstream. USDe has become the fastest stablecoin to reach a total value locked of $10 billion.

Ethena's success confirms the strong market demand for "institutional strategy tokenization." This shift is reshaping the market structure and has spawned a group of "risk managers" or "on-chain capital allocators" who package complex return and risk strategies into simpler products for users.

What is OCCA (Risk Manager and On-Chain Capital Allocator)?

Currently, there is no unified definition in the industry for "risk manager" or "OCCA". These labels cover a variety of designs, but they all have in common that they repackage interest-generating strategies.

Translator's Note: OCCA is an abbreviation for Onchain Capital Allocator, which can be understood as a professional fund manager or asset administrator in DeFi. They attract user funds by packaging complex strategies into simple products.

OCCA typically offers branded strategy products, while risk managers increasingly utilize modular money markets (such as Morpho and Euler) to generate returns through parameterized vaults. The total value locked in these two types of products surged from less than $2 million in 2023 to $20 billion, an increase of approximately 10,000 times.

This also brings about a series of fundamental problems:

• Where are the deposits invested?
• In which agreements or with which counterparties are the funds exposed?
• Even in the face of sharp fluctuations, can risk parameters be flexibly adjusted? What assumptions are they based on?
• How liquid are the underlying assets?
• What is the exit strategy if there is a large-scale redemption or run on the bank?
• Where exactly are the risks hidden?

On October 10, the cryptocurrency market experienced the biggest altcoin crash in history, affecting centralized exchanges and perpetual contract DEXs, triggering cross-market liquidations and automatic deleveraging.

However, delta-neutral tokenized products do not appear to be significantly affected.

These products mostly operate like black boxes, providing almost no information other than the highlighted APY and marketing slogans. Very few OCCAs will indirectly reveal details of the agreement exposure and strategy, but key information such as position-level data, hedging venues, margin buffers, real-time reserves, and stress testing strategies are rarely disclosed; even when they are, they are often selectively or delayed in disclosure.

Without verifiable traces or transaction history, users struggle to determine whether a product's resilience stems from robust design, luck, or even delayed financial confirmation. Most of the time, they are unaware even of whether a loss has occurred.

We observed four recurring weaknesses in the design: centralized control, re-collateralization, conflicts of interest, and insufficient transparency.

Centralization

Most revenue-generating "black boxes" are managed by multi-signature wallets controlled by external accounts or operators, responsible for the custody, transfer, and deployment of user funds. This centralized control makes them highly susceptible to catastrophic losses should an operational error occur (such as a leaked private key or coerced signer). This also mirrors a common pattern of bridging attacks from the previous cycle: even without malicious intent, a single point of workstation intrusion, phishing links, or abuse of emergency privileges by insiders can cause significant damage.

Re-mortgage

In some high-yield products, collateral is reused across multiple vaults. One vault deposits or lends to another, which then circulates into a third. Investigations have revealed a circular lending pattern: deposits are "cleaned" through multiple vaults, artificially inflating TVL (total value added), forming a recursive chain of "minting-lending" or "borrowing-supplying," continuously accumulating systemic risk.

Conflict of interest

Even if all participants act in good faith, setting optimal supply/lending caps, yield curves, or selecting suitable oracles for a product is no easy task. These decisions involve trade-offs. An overly large or uncapped market may deplete exit liquidity, making liquidation impossible and potentially inducing manipulation. Conversely, excessively low caps can restrict normal activity. Yield curves that ignore liquidity depth can trap lenders' funds. The problem is exacerbated when curators' performance is measured by growth, potentially leading to a conflict of interest with depositors.

transparency

The market cleansing in October exposed a simple fact: users lack effective data to determine risk positioning, risk labeling methods, and whether supporting assets are consistently sufficient. While real-time disclosure of all positions may be impractical due to risks such as front-running and short squeezes, a certain level of transparency is still compatible with the business model. For example, portfolio-level visibility, disclosure of reserve asset composition, and hedging coverage aggregated by asset can all be verified through third-party audits. The system can also incorporate dashboards and verification to reconcile escrow balances, escrow or locked positions with outstanding liabilities, providing reserve verification and access governance while concealing transaction details.

A feasible path forward

The current wave of interest-bearing products is pushing DeFi away from its original intention of being "non-custodial, verifiable, and transparent," and towards an operating model that is closer to that of traditional institutions.

This shift itself is not inherently wrong. The maturation of DeFi has created space for structured strategies, which do require a certain degree of operational flexibility and centralized operation.

But accepting complexity does not mean accepting opacity.

Our goal is to find a viable middle ground that balances the interests of both parties, while enabling operators to run complex strategies and maintaining transparency for users.

Therefore, the industry should move in the following directions:

• Proof of Reserves: It is not enough to just promote APY; the underlying strategy should also be disclosed, along with regular third-party audits and a PoR system, so that users can verify asset backing at any time.
• Modern risk management: Existing solutions can price and manage the risks of structured income products. For example, mainstream protocols such as Aave have adopted risk oracles to optimize parameters through a decentralized framework and maintain the health and security of the money market.
• Decentralization: This is not a new problem. Bridging attacks have forced the industry to confront issues such as escalating permissions, collusion among signers, and opaque emergency permissions. We should learn from these lessons and adopt measures such as threshold signing, key responsibility separation, role separation (proposal/approval/execution), instant financing with a minimum hot wallet balance, whitelisting of withdrawals through escrow paths, time-locked escalations of public queues, and strictly revocable emergency permissions.
• Limiting systemic risk: The reuse of collateral is an inherent characteristic of insurance or re-pledged products, but re-pledge should be restricted and clearly disclosed to avoid the formation of a circular casting-loan loop between related products.
• Make alignment mechanisms transparent: Incentives should be as open as possible. Users need to know the interests of the risk manager, whether there are any related parties, and how changes are approved. This is how a black box can be transformed into an assessable contract.
• Standardization: On-chain encapsulation of interest-bearing assets is already a $20 billion industry. The DeFi sector should establish minimum standards for common classification, disclosure requirements, and event tracking mechanisms.

Through these efforts, the on-chain encapsulated interest market can retain the advantages of professional structure while also protecting users through transparency and verifiable data.

Conclusion

The rise of OCCA and risk managers is an inevitable result of DeFi entering the stage of structured products. Since Ethena proved that institutional-grade strategies can be tokenized and distributed, the formation of a professional allocation layer around the money market has become a foregone conclusion. This layer itself is not the problem; the problem lies in the operational freedom it relies on, which should not replace verifiability.

The solution is not complicated: issue reserve certificates corresponding to liabilities, disclose incentives and related parties, restrict re-collateralization, reduce single points of control through modern key management and change control, and incorporate risk signals into parameter management.

Ultimately, success depends on being able to answer three key questions at any time:

• Is my deposit backed by real assets?
• With which agreements, venues, or counterparties are the assets exposed?
• Who controls the assets?

DeFi does not need to choose between complexity and fundamental principles. The two can coexist, and transparency should expand in tandem with complexity.