1/ 📈Over $1B TVL in DeFi and flash loans combined have drawn new eyes to #DeFi.
📖 Check out this academic examination of a potential DeFi crisis written by researchers from the Imperial College London🇬🇧 arxiv.org/pdf/2002.08099…
20 page research paper too long? Here's a TLDR
📖 Check out this academic examination of a potential DeFi crisis written by researchers from the Imperial College London🇬🇧 arxiv.org/pdf/2002.08099…
20 page research paper too long? Here's a TLDR
2/ Abstract:
- DeFi's complex and intertwined nature puts it at risk of meltdown
- flash loans could "allow an attacker to steal the Maker collateral within just two transactions and without the need to lock any tokens"
- damages could range from $145M to in excess of $246M
- DeFi's complex and intertwined nature puts it at risk of meltdown
- flash loans could "allow an attacker to steal the Maker collateral within just two transactions and without the need to lock any tokens"
- damages could range from $145M to in excess of $246M
3/ Introduction:
- Blockchain sought to remedy mistrust created by 2007-08 financial collapse
- DeFi requires large deposits to guard against 1) misbehavior and 2) black swan-like drops in asset value
- interconnected nature of DeFi creates "possibility of financial contagion."
- Blockchain sought to remedy mistrust created by 2007-08 financial collapse
- DeFi requires large deposits to guard against 1) misbehavior and 2) black swan-like drops in asset value
- interconnected nature of DeFi creates "possibility of financial contagion."
4/ The paper is broken into sections:
- Formal modeling of DeFi protocols
- Stress-testing of DeFi
- Maker attack
- DeFi contagion
Note: the paper's results were shared in Feb 2020 with @MakerDAO team agreed with findings
Section 2 defines many concepts re: blockchains and DeFi
- Formal modeling of DeFi protocols
- Stress-testing of DeFi
- Maker attack
- DeFi contagion
Note: the paper's results were shared in Feb 2020 with @MakerDAO team agreed with findings
Section 2 defines many concepts re: blockchains and DeFi
5/ Section 3 sets out to mathematically model a DeFi lending protocol factoring in..
- price volatility
- liquidity constraints
- need for overcollateralization
- the ability of protocols like Maker to print MKR as last resort
- counterpart risks such as governance mechanisms
- price volatility
- liquidity constraints
- need for overcollateralization
- the ability of protocols like Maker to print MKR as last resort
- counterpart risks such as governance mechanisms
6/ Section 4 entitled 'Stress-Testing DeFi Lending' simulates a stress test framework, designed after ones conducted by central banks, on the model from the last section
- With data from Jan 2018 to Feb 7, 2020 researchers forecast of ETH prices over the next 100 days from Feb 7
- With data from Jan 2018 to Feb 7, 2020 researchers forecast of ETH prices over the next 100 days from Feb 7
7/ They then took the simulation corresponding to the lowest ETH/USD price after 100 days and measured the impact to the collateral margin of a DeFi lending protocol
Figure below shows the total collateral margin (collateral+reserve asset) over time as the prices decline
Figure below shows the total collateral margin (collateral+reserve asset) over time as the prices decline
8/ parameters:
- at the start of the sell-off, it's possible to sell 30,000
ETH/day w/o having an impact on price
- the amount of protocol reserve asset is fixed at 1m units
- debt levels range from $100m to $400m,
seeking to approx reflect the levels of capital
escrowed in DeFi
- at the start of the sell-off, it's possible to sell 30,000
ETH/day w/o having an impact on price
- the amount of protocol reserve asset is fixed at 1m units
- debt levels range from $100m to $400m,
seeking to approx reflect the levels of capital
escrowed in DeFi
9/ takeaways:
- Regardless of liquidity, collateral margin does
not become negative for systems w/ $100M Debt
- At higher levels of debt, margin gets closer to 0
- And once over $400M debt the protocol becomes undercollateralized
- less reserve asset correlation bolsters margin
- Regardless of liquidity, collateral margin does
not become negative for systems w/ $100M Debt
- At higher levels of debt, margin gets closer to 0
- And once over $400M debt the protocol becomes undercollateralized
- less reserve asset correlation bolsters margin
10/ "Figure 3 shows that for a given amount of debt, as the liquidity parameter increases the margin becomes negative more quickly.
Vice versa, it also shows for a given liquidity parameter, the more system debt there is, the more quickly the margin will become negative."
Vice versa, it also shows for a given liquidity parameter, the more system debt there is, the more quickly the margin will become negative."
11/ "We find that for a liquidity parameter of 0.025 and a debt of 750m USD, the margin can become negative within 40 days."
12/ Section 5. 'Governance Attack on Maker' analyzes the feasibility of a malicious contract being elected to run @MakerDAO allowing them to steal all the collateral
13/ Maker has two outlined defenses:
Governance Security Module - a time delay before elected contracts take control (currently set to 0)
and
Emergency Shut Down - an action which halts Maker but requires a constant pool of 50k MKR tokens, worth +30M USD
Governance Security Module - a time delay before elected contracts take control (currently set to 0)
and
Emergency Shut Down - an action which halts Maker but requires a constant pool of 50k MKR tokens, worth +30M USD
14/ The threat is established as:
- "An adversarial executive contract can steal the Maker collateral and mint new MKR tokens. Those can then be traded until the MKR price crashes and effectively destroy the Maker system"
- adversary will only execute the attack if they profit
- "An adversarial executive contract can steal the Maker collateral and mint new MKR tokens. Those can then be traded until the MKR price crashes and effectively destroy the Maker system"
- adversary will only execute the attack if they profit
15/ Adversary can acquire the necessary MKR in two ways:
1) Crowdfunding - A dark pool of MKR could be used bribed to facilitate the attack
2) Liquidity pools and flash loans - using undercollateralized flash protocols like @AaveAave potentially without having to lock up tokens
1) Crowdfunding - A dark pool of MKR could be used bribed to facilitate the attack
2) Liquidity pools and flash loans - using undercollateralized flash protocols like @AaveAave potentially without having to lock up tokens
16/ The researchers then analyze the txs to the governance contract of MakerDAO since its launch in May 2019.
When a contract becomes the executive contract, the staked amount is distributed almost equally briefly between contracts, reducing the tokens required by more than 50%.
When a contract becomes the executive contract, the staked amount is distributed almost equally briefly between contracts, reducing the tokens required by more than 50%.
17/ Crowdsourcing the MKR to attack:
Inspecting the amount of MKR transferred between Jan 1, 2020 and Feb 8, 2020 the average was ~9k MKR per day, a rate at which researchers determine an attacker could accumulate enough MKR to perform such an attack in a timely manner.
Inspecting the amount of MKR transferred between Jan 1, 2020 and Feb 8, 2020 the average was ~9k MKR per day, a rate at which researchers determine an attacker could accumulate enough MKR to perform such an attack in a timely manner.
18/ "At an average rate of 1k MKR per day, it would take less than 2 months. ... At present there are 5k accounts, holding a total of slightly more than 272k MKR tokens."
Attackers would likely hide large accumulation by spreading the MKR across many addresses to avoid suspicion
Attackers would likely hide large accumulation by spreading the MKR across many addresses to avoid suspicion
19/ With the GSM's 0 delay an adversary only needs 2 blocks.
#1: Attacker fills block #1 with necessary votes
#2: "In the second block, the attacker can finish voting for his malicious contract and execute the attack from the contract, which would leave only one block to react"
#1: Attacker fills block #1 with necessary votes
#2: "In the second block, the attacker can finish voting for his malicious contract and execute the attack from the contract, which would leave only one block to react"
20/ Liquidity pools method:
Flash loans make it so the attacker doesn't need to amass the 50k MKR
The attacker could perform the attack as detailed below within 2 transactions utilizing flash loans from @AaveAave
Flash loans make it so the attacker doesn't need to amass the 50k MKR
The attacker could perform the attack as detailed below within 2 transactions utilizing flash loans from @AaveAave
21/ The researchers then assessed how realistic such an attack was as Feb 14, 2020.
At the time, the attacker could have acquired the necessary 50k MKR tokens from three different DEXs (Uniswap, Kyber, and Switcheo) by borrowing 378,940 ETH from Aave's lending pool.
At the time, the attacker could have acquired the necessary 50k MKR tokens from three different DEXs (Uniswap, Kyber, and Switcheo) by borrowing 378,940 ETH from Aave's lending pool.
22/ As of February 14, 2020 Aave had around 13,670 ETH available in its liquidity pool and was growing at a rate of ~219.5 ETH per day.
At that assumed linear rate, it would take ~1,663 days for the pool to be large enough to execute the attack without owning any tokens.
At that assumed linear rate, it would take ~1,663 days for the pool to be large enough to execute the attack without owning any tokens.
23/ Taking into account the 5.18% growth rate of Aave at the time, it would only take 66 days until enough liquidity.
Also, if DEX liquidity increased, the attacker could acquire the ETH at cheaper rates and would need to borrow less.
Also, if DEX liquidity increased, the attacker could acquire the ETH at cheaper rates and would need to borrow less.
24/ Profitability analysis of crowdsourced attack:
With $20 worth of gas, "the attackers can take away
the currently 434,873 ETH in collateral in MakerDAO
plus the 145m DAI. This amounts to a net profit of
$263M" which could be split evenly among attackers.
With $20 worth of gas, "the attackers can take away
the currently 434,873 ETH in collateral in MakerDAO
plus the 145m DAI. This amounts to a net profit of
$263M" which could be split evenly among attackers.
25/ Profitability analysis of flash loan attack:
The attacker pays gas and repays 378,940 ETH loan plus 0.35% interest
"by the end of the attack, the attacker
has around 55k ETH, 50k MKR, and 145m DAI. This
amounts to a net profit of $191M"
+The TX reverts if it's unprofitable
The attacker pays gas and repays 378,940 ETH loan plus 0.35% interest
"by the end of the attack, the attacker
has around 55k ETH, 50k MKR, and 145m DAI. This
amounts to a net profit of $191M"
+The TX reverts if it's unprofitable
26/ Composability and Contagion:
- both price drops and governance attacks can result in an debt assets becoming undercollateralized affecting other protocols
- Other assets can then become undercollateralized when their underlying collateral becomes undercollateralized
- both price drops and governance attacks can result in an debt assets becoming undercollateralized affecting other protocols
- Other assets can then become undercollateralized when their underlying collateral becomes undercollateralized
27/ Rational actors try to sell undercollateralized assets aka 'liquidity sweeping'
"A special sub-case occurs in
the governance attack scenario where the attacker can
additionally mint an unlimited supply of the debt asset
to buy up all the available liquidity of other assets."
"A special sub-case occurs in
the governance attack scenario where the attacker can
additionally mint an unlimited supply of the debt asset
to buy up all the available liquidity of other assets."
28/ "Contagion occurs when the undercollateralized debt asset is used to 'soak-up' as much liquidity as possible, before buyers of the debt asset are able to react."
A vicious cycle continues as collateral evaporates or liquidity swept into other assets.
A vicious cycle continues as collateral evaporates or liquidity swept into other assets.
29/ The researchers then attempt to quantify the effects of the attacker absorbing liquidity using the stolen DAI and potentially printing unlimited DAI (see image)
30/ Researchers also assess maximum systemic loss for protocols that use a crashing debt asset as collateral with users leveraged to the max and different overcollateralization parameters
31/ Crisis:
As rational actors exit their over-collateralized positions, the effects spread across other DeFi lending protocols.
A larger enough DeFi crisis could spread across other blockchains and even centrally-back assets like USDT, assets which viewed as uncorrelated
As rational actors exit their over-collateralized positions, the effects spread across other DeFi lending protocols.
A larger enough DeFi crisis could spread across other blockchains and even centrally-back assets like USDT, assets which viewed as uncorrelated
32/ END TLDR /
Kudos to the researchers for such a thorough analysis!
Luckily, Maker's GSM now has a 24hr delay. 😅
It's important we recognize future risks and attempt to mitigate as a community.
Thanks for reading! And please retweet for reach!!
Kudos to the researchers for such a thorough analysis!
Luckily, Maker's GSM now has a 24hr delay. 😅
It's important we recognize future risks and attempt to mitigate as a community.
Thanks for reading! And please retweet for reach!!
