Earning yield on crypto assets has been a fairly hot topic for the past year. There are many options for doing so, such as via traditional custodians or via less traditional smart contract based systems.
I'm not affiliated with any of the services in this post; I conducted this testing independently for my own curiosity. To be clear, I am not endorsing or discouraging the usage of any of the services mentioned. Not your keys, not your bitcoin - don't deposit more money with a custodian than you're willing to lose.
Read the fine print - you may lose everything. Lenders can and will go belly-up.
ELIGIBLE DIGITAL ASSETS ARE NOT LEGAL TENDER. <COMPANY> IS NOT A BANK OR DEPOSITORY INSTITUTION, AND YOUR WALLET IS NOT A DEPOSIT ACCOUNT. ELIGIBLE DIGITAL ASSETS IN YOUR WALLET ARE NOT HELD BY <COMPANY> AS A CUSTODIAN OR FIDUCIARY, ARE NOT INSURED BY ANY PRIVATE OR GOVERNMENTAL INSURANCE PLAN, AND ARE NOT COVERED BY ANY COMPENSATION SCHEME.
For the purposes of my testing, mobile apps were tested on the latest version of GrapheneOS - a hardened version of Android with all Google services removed. GrapheneOS is an edge case OS that few folks run and thus it ends up being a great option for testing mobile apps to see how thoroughly they have worked on compatibility. Web apps were tested on Ubuntu 20.10 in Brave Browser 1.17.73 with the Brave Shields (ad blockers) enabled. Both devices were behind VPNs at all times.
The annual yield offered by the different services I tested is in a pretty tight range. Crypto.com is an outlier while BitLeague's top option requires a 3 year lock-up, which is a really long time in Bitcoin terms.
Abra 4.5% BitLeague 5.8% - 9% BlockFi 6% (max 0.5 BTC) Celsius 3.5% CoinLoan 5.2% Crypto.com 1.5% - 4.5% Hodlnaut 6.2% Ledn 6.15% (max 2 BTC) Luno 4% Midas 17% MyConstant 4% - 7% Nexo 4% - 7% Vauld 6.7% Voyager 6.25% Youhodler 4.8%
Given that you are risking a 100% loss of your funds in return for a ~6% annual ROI, it's prudent to do plenty of diligence before using any services like this. There are lots of reviews online that dig into the companies and the folks running them; my reviews will be more technical in nature. Let's commence the search for red flags.
Abra's app complained about not having Google Play services available, though it let me go through the signup and KYC process with a bit of brute force. I got errors while trying to verify my phone number but eventually after several tries I received a text message.
One thing I'm not a fan of is that Abra only supported KYC via driver license rather than a passport. Initially my KYC with their back end partner, Prime Trust, was rejected. It wasn't explained why they rejected my documents. I tried resubmitting several times and even sent additionally requested documents, but it wasn't clear in the app if the resubmission was even working. Ultimately, I don't know if the failure was with Prime Trust or with the Android app.
Abra reached out 2 days after publication to let me know my account was approved and I confirmed it in the app. They also informed me that I was performing my testing as they were rolling out support for KYC via passport, which may have caused additional complications.
The signup process went pretty smoothly via their web app. Similar to Abra, it did not allow me to use a passport and required a driver license.
Remember that I'm on the lookout for any red flags that show a service provider is not paying attention to detail. Multiple misspellings do not inspire confidence:
I also noted that the Android app hasn't been updated in nearly 3 months. Software that isn't being actively developed is a yellow flag to me, as there is no such thing as perfect software - if you aren't improving then you're degrading.
Finally, I noticed that their referral program says it ended in 2019. Seems like someone is asleep at the wheel.
BitLeague's loans are for set maturity dates; if you want to withdraw your funds before maturity then you forfeit all accrued interest. As far as I can tell, they are the only provider who operates with these more rigid terms - other providers seem to pay out your interest weekly or monthly and allow you to withdraw without penalty.
The signup and KYC process is very smooth; I'm sure they've fine tuned it given the volume of customers they've onboarded.
Note that the withdrawal process can be a bit onerous in comparison to other services.
This isn't necessarily a red flag as it means your funds are more secure against being withdrawn by an attacker. Though I do believe I've seen folks be unable to withdraw their own funds because this verification process failed, thus it's noteworthy.
Celsius was a tough one. Celsius offers several ways to sign up via oAuth on different social media accounts, though I opted for the more traditional email based signup.
My first attempt signing up resulted in an error: "We are experiencing issues with our external authorization provider." After several failures, I gave up.
The next day I tried to sign up again and said I already had account. So I tried to log in and the app said my password was wrong. Thus I requested a password reset email to be sent, but never received an email.
Finally, I signed up with different email; I can only assume that my original account was halfway created and somehow corrupted. Account creation and KYC via my passport went smoothly on the new email address. A few minutes later I got an email saying I was approved and could start using my account. So then I tried to get a bitcoin deposit address and was met with another concerning error:
This was odd indeed, as my state is clearly set and displayed in my account. I opened a support ticket asking for clarification; that was 4 days ago and I have yet to receive a response.
This service feels a lot smaller than BlockFi / Celsius and perhaps a bit sketchier. The app has fewer than 10,000 downloads on Google Play; their Twitter account has ~10,000 followers, and their Android app hasn't been updated in 4 months at time of writing. It's also hard to tell from their web site and blog who the humans are that are running the company - this point in particular bothers me, as they are expecting me to enter into a relationship where I hand over personal data to KYC, but I'm not allowed to know who my counterparty is?
On the plus side, I did not have to disable my ad blockers in order to complete their KYC process. Interestingly, I got a KYC rejection for only including the bottom page of my passport, which is what I've used for every other service with which I've KYC'd.
I decided to dig in to the company a bit more because they tout using BitGo to secure their funds and I spent 3 years working at BitGo myself; I recall running across a number of fraudulent scams that would claim to use BitGo when they didn't actually. It turns out the claim is legitimate, per this BitGo blog post.
Turns out CoinLoan raised ~$3.2M in a 2017 ICO in order to get up and running. It was founded by Alex Faliushin and Max Sapelov.
CoinLoan touts that deposits are covered by BitGo's insurance. Though I'm pretty sure the $100M coverage is the total for all of BitGo's clients who have funds under custody, so a sufficiently catastrophic disaster would not ensure your funds are fully covered.
Interestingly, CoinLoan's Terms of Service do not reflect any insurance...
13.2 Your Account is not a checking, savings or any other type of account, and is therefore not covered by any insurance against losses.
Their Android app refused to run on my GrapheneOS phone and gave the following errors:
"Please install Crypto.com App in Play Store"
"Warning, your phone without Play Services could may occur some secure problems and functions"
Neither the Google services dependency nor the poor grammar are particularly confidence inspiring.
This service also touts its use of BitGo. Interestingly, they don't stretch the claim of BitGo's insurance like some other services, and instead have a separate insurance policy for their funds through Nexus Mutual. However, once again, the Terms of Service do not reflect any sort of guarantee that funds are covered by insurance.
The Company does not provide any assurances or make any representations whatsoever as to the usability, stability and security of the Website and the User’s Digital Assets stored in his User Account(s).
Signup and KYC was smooth except for the last step which involved facial recognition via webcam. After several failures I figured out that it was a lighting issue I was able to fix by shining a light on my face.
However, while all the other services would send me a KYC acceptance email within 15 minutes, it has been several days now and I haven't heard anything from Hodlnaut.
Every time I log into the app it directs me to resubmit the final step in their KYC process with passport and selfie, then says my submission was successful.
Hodlnaut seems to be using Jumio for their KYC, so I'd expect verification to also be automatic and timely.
UPDATE: my verification arrived 4 days later (on a Monday) and I was told that it usually takes 1-2 business days to approve a new account, thus the weekend caused further delays.
This service is via web app only. I did have to disable my browser's ad blockers in order to complete KYC verification. The process was otherwise quite smooth and only took a few minutes. There's not much else to say (which is a good thing) - I'd put Ledn in the same bucket as BlockFi with regard to user experience.
Android app won't run without google play services. Can't log in at all on GrapheneOS, just get an infinite spinner.
I was able to log into the web app, at which point I was notified that Luno doesn't serve US residents.
At a rate of 17% APY, Midas already sounds too good to be true. Based upon their web site it sounds like they take the funds you give them and then perform a bunch of DeFi yield farming / trading in order to earn a profit, which sounds incredibly risky. A number of other red flags stuck out at me:
Some of the grammar / spelling on the web site is not great.
$21M in deposits is actually quite tiny.
They made an amateur mistake of issuing a self signed Let's Encrypt SSL certificate for their blog and didn't set up the renewal daemon, so I got a nasty "invalid certificate" error when I viewed it. This also suggests to me that they don't have any monitoring on their blog to alert them of problems like this.
The founder / CEO seems to be totally unknown on Twitter.
The signup process only asked for my email address and didn't have any AML/KYC requirements, which was also suspicious. I finally hit a roadblock when I got to the funds deposit screen.
The signup confirmation went to spam; not a great start since you can't continue onboarding without verifying your email address. According to their web app it takes 3 business days to verify KYC via passport. However, upon completing the process the site displayed a warning:
"Your ID was changed to the manual review as a problem, please wait at least 1 week for the verification"
The next day I received an email stating "We couldn’t verify your ID automatically, so your KYC documents are in manual review. It might take a little longer to verify you but no more than 7 business days."
It has been 5 business days thus far and I've yet to hear anything further.
I did my initial signup via their web app. I once again had to disable ad blockers to complete KYC verification, but had no other onboarding issues.
I then also installed the Android app and it claimed that it wouldn't run, which I've seen happen with a number of apps on GrapheneOS.
But this error was incorrect - I was able to log in and use the app without any issues.
On the signup form I noticed that the telephone country prefix dropdown was alphabetized by country name; this was an awkward UX choice. Also, for some reason my password manager did not automatically save the password when I submitted the signup form and thus I had to immediately perform a password reset. Oddly enough I ended up having to disable ad blockers in able to submit the password reset form.
After those hiccoughs it was smooth sailing; KYC Verification via passport happened within minutes after submission.
Setup and KYC was painless via their Android app.
I noticed the bitcoin wallet deposit address is P2PKH - this is a yellow flag to me because it means they are using outdated Bitcoin tech. Also, be aware that they won't allow you to withdraw more than $25,000 per day!
Doesn't appear to be available for US citizens; at least the signup form doesn't have that country as an option. Company claims to be based in Cyprus.
Onboarding Success Summary
A 64% success rate ain't great.
First and foremost, none of these yield generators are going to allow you to earn interest without performing KYC on you. But some of them go even further than that.
Abra - 10 trackers, 19 app permissions
BitLeague - o trackers, 7 app permissions
BitLeague web app - 2 trackers
BlockFi - 4 trackers, 25 app permissions
BlockFi web app - 4 trackers
Celsius - 12 trackers, 29 permissions
CoinLoan - 9 trackers, 26 app permissions
CoinLoan web app - 3 trackers
Crypto.com - 14 trackers, 15 app permissions
Hodlnaut web app - only uses google analytics
Ledn web app - google analytics and zendesk
Luno: 10 trackers, 17 permissions
Luno web app - 4 trackers
Midas web app - 4 trackers
MyConstant web app - 4 trackers
Nexo - 3 trackers, 34 app permissions
Nexo web app - only uses google analytics
Vauld web app - 3 trackers
Voyager - 7 trackers, 19 app permissions
YouHodler web app - 2 trackers
In general it seems the web apps are a bit less privacy invasive.
Most (5 of 9) of the mobile apps try to get your precise geolocation via GPS.
Most also ask to read your contact list, presumably for referral programs.
For some reason Celsius, Luno, & Nexo even ask for audio recording permission...
My favorite is Celsius which includes "UXCam" which is described as "captures every micro interaction on your app, allowing you to replay, analyze and optimize the user experience."
I'm not going to hand my precious bitcoin over to a third party unless I believe they are highly trustworthy. You don't want to get GOX'd (hacked custodian) nor do you want to get Quadriga'd (exit scammed) nor do you want to get Cred'd (implosion due to poor lending practices.)
I'd argue that using lending services is inherently riskier than leaving your funds on an exchange. An exchange can keep 95%+ of its funds in cold storage and thus limit the risk of loss. A lender has to keep funds moving out of their control into the hands of third parties upon whom they must actively manage risk of default.
Manage your risks.
Do your due diligence.
Don't complain if you risk it all and get rekt.