- This research paper presents evidence showing how a financial crisis could occur in the DeFi ecosystem.
- (1) The researchers demonstrate a flaw in Maker’s governance, which if exploited could have caused a general meltdown (this flaw has since been patched);
- (2) The authors use a simulation based on historical ETH prices to show how a stylized protocol with USD$400 million in loans, backed by ETH, could become undercollateralized in just 19 days.
- L. Gudgeon, D. Perez, D. Harz, B. Livshits and A. Gervais, “The Decentralized Financial Crisis,” 2020 Crypto Valley Conference on Blockchain Technology (CVCBT), Rotkreuz, Switzerland, 2020, pp. 1-15, doi: 10.1109/CVCBT50464.2020.00005.
Core Research Question
- How can design weaknesses and price fluctuations in DeFi lending protocols lead to a decentralized financial crisis?
- Decentralized finance (DeFi) comprises a set of (somewhat) decentralized financial protocols running on a given blockchain network. Examples include lending platforms (e.g., Maker, Aave, Compound), decentralized exchanges (e.g., Uniswap, Kyber, dYdX), and derivative market protocols (e.g., Synthetix).
- DeFi protocols are essentially “money legos”: returns from one protocol can be fed into another protocol, and so on, creating an intricate money-flow network. Failure in any of these components can cause a cascading effect, a.k.a. financial contagion.
- At the heart of DeFi are liquidity providers, holders that provide their own crypto as liquidity to lending, exchanges, and other platforms. With time, liquidity providers accrue earnings from fees paid out by users.
- In DeFi, lenders cannot map borrowers to real-world actors; hence, lending protocols require borrowers to provide a security deposit known as collateral. Borrowing against one’s own crypto, given as collateral, allows borrowers to quickly gain liquidity in another coin or to have spending power while potentially deferring government taxes.
- Flash loans are one particular loan type that does not require collateral. The catch, however, is that borrowers must repay the full loan amount within the same transaction in which the loan is granted; otherwise, the transaction is reverted. Lending platforms make a profit by charging a lending fee on each flash loan, and the fee must also be paid in the same transaction as the loan grant. Among other uses, flash loans allow borrowers to take advantage of arbitrage opportunities with little upfront investment.
- To fine-tune a protocol as a means to adjust to community demands and/or values, DeFi protocols often rely on some form of governance. Governance itself could be fully decentralized, as in Maker, or rely on a centralized figure (e.g., as in Compound).
- To be able to cast a vote, one must hold governance tokens. In the case of Maker, the token is MKR; one’s voting power is directly proportional to the amount of MKR locked in Maker’s voting system. In Maker, an executive contract is granted control over the entire system as long as it has more staked MKR behind it than the current executive contract. If a malicious actor holds such an amount, they can elect a malicious executive contract to steal all the ETH backing Maker’s algorithmic stablecoin, DAI. The malicious executive contract could proceed to mint as much DAI as wanted; the attacker could then use the minted DAI as collateral in lending platforms supporting DAI, effectively obtaining loans that would never be honoured. That would in turn trigger a cascading effect on many other DeFi components; a generalized meltdown would likely follow.
- To prevent this scenario from ever occurring, Maker implemented a delay period that prevents a newly chosen executive contract from acting immediately, giving anyone with enough MKR time to trigger a global settlement of the system if need be.
- The authors present two perspectives on how a decentralized financial crisis could occur.
- First, they present a real-world case where a design flaw in Maker’s governance could have allowed a malicious actor with enough MKR tokens to elect an executive contract that takes control over the entire Maker system, while stealing funds from systems relying on DAI-collateralized loans. Essentially, Maker’s governance allowed an elected executive contract to immediately perform any action, i.e., the safety delay period was set to zero. If elected, the malicious executive contract could immediately transfer all the ETH collateral in Maker to the attacker’s account, as well as mint as much DAI as wanted. With the latter, the attacker could take DAI-collateralized loans that would never be honored, depleting the funds in any DAI-supported lending platforms and decentralized exchanges. If executed when the paper was published, the ETH collateral in Maker alone would have given the attacker an estimated net profit of USD$190 million.
- Second, the authors present a stylized DeFi lending protocol that abstracts over the main lending market protocols at the time, namely Maker, Compound, Aave, and dYdX. The stylized lending protocol takes ETH as collateral and provides loans in a USD-pegged stablecoin, with a collateralization ratio of 1.5, i.e., for every 1 dollar given as a loan, borrowers provide 1.5 dollars’ worth of ETH as collateral. Furthermore, the protocol starts with an extra reserve of 1 million tokens of a generic governance token, initially pegged to the same price as ETH for simulation purposes. System debt (the amount of loans given) was initially taken to be between USD$100 million and USD$400 million, seeking to reflect the debt levels found in major DeFi lending protocols at the time the paper was written. Taking parameters from the historical ETH/USD price data between Jan. 1, 2018 and Feb. 7, 2020, the authors use Monte Carlo simulation to estimate the ETH price at each point in time over the next 100-day period; additionally, the authors simulate the decline in liquidity over time. Overall, they show that if the stylized protocol starts with USD$400 million given in loans, undercollateralization could happen in just 19 days. Since the given loans would be worth more than the locked collateral, borrowers would have no financial incentive to pay back their loans.
- Empirical analysis and simulation.
- The attack on Maker’s governance would have been possible, but it would have required a large sum of money (over USD$20 million at the time the paper was written); hence, the attack would need either a supporting whale (a holder of large sums of valuable crypto), a crowdfunded pool, or a flash loan. Following the flash loan approach, the attacker would operate as follows:
  - In one transaction (t1), deploy the malicious governance contract and the flash loan contract.
  - In a second transaction (t2):
    - Acquire a flash loan whose ETH amount is enough to buy the MKR needed to elect an executive contract. At the time the paper was written, this was estimated to be 50,000 MKR (about 379,000 ETH).
    - Upon granting the flash loan, the lending platform invokes the flash loan contract, whose logic executes the following steps:
    - Swap the borrowed ETH to MKR. Then, use the 50,000 MKR to vote to replace the executive contract with the malicious one. Through the latter, mint as much DAI as wanted, setting the attacker as the beneficiary. Invoke the executive contract so as to get hold of Maker’s entire ETH collateral. Last, pay back the ETH loan.
  - In a third transaction (t3), provide the minted DAI as collateral to any DAI-X market, where X is any coin that a lending platform pairs with DAI-backed loans. For instance, if X = USDC, the market is DAI-USDC; the attacker provides DAI and gets a loan in USDC.
  - For each loan of coin type X (or a batch of coin types), have a transaction depleting all X tokens from the target lending platform. Continue this step for as many lending platforms as wished, or until the value of DAI drops to zero.
- The outlined attack was not possible at the time the paper was written, as lending platforms did not have enough ETH liquidity. However, it would only take 66 days for Aave to accumulate enough funds to cover the required flash loan. As of today (March 6th, 2021), both Aave and Compound hold enough ETH liquidity: over 513,000 and 1.2 million, respectively.
- As for the second perspective brought by the authors, the simulation of the stylized protocol shows that:
- If the initial amount of loans is USD$400 million, the protocol can be undercollateralized in just 19 days. This occurs when the governance asset strongly correlates with the collateral coin, i.e., their prices move in similar directions.
- A governance asset that weakly correlates with the collateral asset delays or prevents undercollateralization; if the two are strongly negatively correlated (e.g., the collateral coin’s value is low while the reserve coin’s value is high, or vice versa), the protocol can back the given loans.
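To make the stylized simulation and the correlation results above concrete, here is an added Python model (my own illustration, not the authors’ code): ETH-backed loans at a 1.5 collateralization ratio, a reserve of 1 million governance tokens initially pegged to the ETH price, and correlated price paths for ETH and the governance token. The drift, volatility, starting ETH price and the solvency rule (ETH collateral plus reserve value versus debt) are constructed assumptions, and the paper’s liquidity-decline component is not modelled.

```python
import math
import random
from typing import List, Optional, Tuple

# Constructed drift/volatility, standing in for the values the paper fits to 2018-2020 ETH/USD data.
DAILY_DRIFT = -0.002   # mean daily log return of ETH
DAILY_VOL = 0.06       # standard deviation of daily ETH log returns
HORIZON_DAYS = 100     # simulation window used by the paper
Path = List[Tuple[float, float]]   # (ETH price, governance token price) per day


def generate_path(rng: random.Random, eth_price0: float, rho: float,
                  days: int = HORIZON_DAYS) -> Path:
    """Correlated geometric Brownian motion for ETH and the governance token;
    rho is the correlation of their daily shocks. The governance token starts
    pegged to the ETH price, as in the paper's stylized setup."""
    eth = gov = eth_price0
    path = [(eth, gov)]
    for _ in range(days):
        z_eth = rng.gauss(0.0, 1.0)
        z_gov = rho * z_eth + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
        eth *= math.exp(DAILY_DRIFT + DAILY_VOL * z_eth)
        gov *= math.exp(DAILY_DRIFT + DAILY_VOL * z_gov)
        path.append((eth, gov))
    return path


def first_undercollateralized_day(path: Path, debt_usd: float,
                                  collateral_ratio: float = 1.5,
                                  reserve_tokens: float = 1_000_000) -> Optional[int]:
    """First day on which ETH collateral plus the governance reserve no longer covers the debt (None if never)."""
    eth_locked = debt_usd * collateral_ratio / path[0][0]  # ETH posted by borrowers at t=0
    for day, (eth_price, gov_price) in enumerate(path):
        if eth_locked * eth_price + reserve_tokens * gov_price < debt_usd:
            return day
    return None


def probability_undercollateralized_within(days: int, debt_usd: float, rho: float,
                                           n_paths: int = 2000, seed: int = 7,
                                           eth_price0: float = 200.0) -> float:
    """Monte Carlo estimate of P(undercollateralized within `days`) for governance/collateral correlation rho."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n_paths):
        day = first_undercollateralized_day(generate_path(rng, eth_price0, rho), debt_usd)
        if day is not None and day <= days:
            hits += 1
    return hits / n_paths
```

Calling `probability_undercollateralized_within(19, 400e6, rho)` for rho in 0.9, 0.0 and -0.9 reproduces the qualitative finding: a reserve token that moves with ETH adds little protection, while a negatively correlated one keeps the loans backed.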
Discussion & Key Takeaways
- The Maker governance system had defined a delay period before any elected executive contract could take any action, but the delay was initially set to zero. This shows that the governance contract lacked basic input sanitization: it could have been coded to reject a delay period equal to zero.
- A governance token whose value weakly or negatively correlates with the collateral coin increases the chance that a lending protocol can back its loans when the collateral price drops.
- Under certain assumptions, lending protocols could become undercollateralized in less than a month.
Implications & Follow-ups
- The flaw in Maker’s governance contract highlights the importance of auditing smart contracts. The flaw was disclosed to the team and developers eventually fixed it.
- The paper shows evidence that a financial crisis in the DeFi space is indeed possible; since protocols are intertwined, undercollateralization in one protocol could cause financial contagion across the entire ecosystem. Faulty governance and security flaws exposing funds could also lead to such contagion.
- Designers of governance token economics should consider the implications of correlation with the collateral coin’s price as a means to prevent undercollateralization.
- Simulations such as the one performed by the authors could be made standard across the DeFi ecosystem; protocol designers could use them to assess the risk of undercollateralization and whether the economic security triggers in place would work as expected; investors could rely on the same simulations to assess investment risk.