Research Summary: The decentralized financial crisis

TLDR

  • This research paper presents evidence showing how a financial crisis could occur in the DeFi ecosystem.
  • (1) The researchers demonstrate a flaw in Maker’s governance, which if exploited could have caused a general meltdown (this flaw has since been patched);
  • (2) The authors use a simulation based on historical ETH prices to show how a stylized protocol with USD$400 million in loans, backed by ETH, could become undercollateralized in just 19 days.

Citation

  • L. Gudgeon, D. Perez, D. Harz, B. Livshits and A. Gervais, “The Decentralized Financial Crisis,” 2020 Crypto Valley Conference on Blockchain Technology (CVCBT), Rotkreuz, Switzerland, 2020, pp. 1-15, doi: 10.1109/CVCBT50464.2020.00005.

Core Research Question

  • How can design weaknesses and price fluctuations in DeFi lending protocols lead to a decentralized financial crisis?

Background

  • Decentralized finance (DeFi) comprises a set of (somewhat) decentralized financial protocols running on a given blockchain network. Examples include lending platforms (e.g., Maker, Aave, Compound), decentralized exchanges (e.g., Uniswap, Kyber, dYdX), and derivative market protocols (e.g., Synthetix).
  • DeFi protocols are essentially “money legos”: returns from one protocol can be fed into another protocol, and so on, creating an intricate money-flow network. A failure in any of these components can cause a cascading effect, a.k.a. financial contagion.
  • At the heart of DeFi are liquidity providers, holders that provide their own crypto as liquidity to lending, exchanges, and other platforms. With time, liquidity providers accrue earnings from fees paid out by users.
  • In DeFi, lenders cannot be mapped to the actual actors borrowing money; hence, lending protocols require borrowers to provide a security deposit known as collateral. Borrowing against one’s own crypto, given as collateral, allows borrowers to quickly gain liquidity in another coin or have spending power while potentially deferring government taxes.
  • Flash loans are one particular loan type that does not require collateral. The catch, however, is that borrowers must pay the full loan amount in the same transaction where the loan is granted; otherwise, the transaction is reverted. Lending platforms make a profit by charging a lending fee on each flash loan. The lending fee must also be paid in the same transaction as the loan grant. Among others, flash loans allow borrowers to take advantage of arbitrage opportunities with little upfront investment.
  • To fine-tune a protocol so that it adjusts to community demands and/or values, DeFi protocols often rely on some form of governance. Governance can be fully decentralized, as in Maker, or rely on a centralized figure, as in Compound.
  • To be able to cast a vote, one must hold governance tokens. In the case of Maker, the token is MKR; one’s voting right is directly proportional to the amount of MKR locked in Maker’s voting system. In Maker, an executive contract is granted control over the entire system as long as it has more staked MKR than the current executive contract. If a malicious actor holds such an amount, they can elect a malicious executive contract to steal all the ETH backing Maker’s algorithmic stablecoin, DAI. The malicious executive contract could proceed to mint as much DAI as wanted; the attacker could then use the minted DAI as collateral in lending platforms supporting DAI, effectively getting loans that would never be honoured. This would then trigger a cascading effect on many other DeFi components; a generalized meltdown would likely follow.
  • To prevent the latter scenario from ever occurring, Maker implemented a delay period that blocks any action from a newly chosen executive contract, giving anyone with enough MKR time to trigger a global settlement of the system if need be.

Summary

  • The authors present two perspectives on how a decentralized financial crisis could occur.
  • First, they present a real-world case where a design flaw in the Maker governance could have allowed a malicious actor with enough MKR tokens to elect an executive contract and take control over the entire Maker system, while stealing funds from systems relying on DAI-collateralized loans. Essentially, Maker’s governance allowed an elected executive contract to immediately perform any action, i.e., the safety delay period was set to zero. If elected, the malicious executive contract could immediately transfer all the ETH collateral in Maker to the attacker’s account, as well as mint as much DAI as wanted. With the latter, the attacker could take DAI-collateralized loans that would never be honoured, depleting the funds in any DAI-supported lending platforms and decentralized exchanges. If executed when the paper was published, the ETH collateral in Maker alone would have given the attacker an estimated net profit of USD$190 million.
  • Second, the authors present a stylized DeFi lending protocol that abstracts over the main lending market protocols at the time, namely Maker, Compound, Aave, and dYdX. The stylized lending protocol takes ETH as collateral and provides loans in a USD-pegged stablecoin, with a collateralization ratio of 1.5, i.e., for every 1 dollar given in the loan, borrowers provide 1.5 dollars worth of ETH as collateral. Furthermore, the protocol starts with an extra reserve of 1 million tokens of a generic governance token, initially pegged to the same price as ETH for simulation purposes. System debt (amount of loans given) was initially taken to be between USD$100 million and USD$400 million, seeking to reflect the same debt levels as found in major DeFi lending protocols at the time the paper was written. Taking parameters from the historical ETH/USD price data between Jan. 1st, 2018 and Feb. 7th, 2020, the authors use Monte Carlo simulation to estimate the ETH price at each point in time over the next 100-day period; additionally, the authors simulate the decline in liquidity over time. Overall, they show that if the stylized protocol starts with $400 million given in loans, undercollateralization could happen in just 19 days. Since the given loans would be worth more than the locked collateral, borrowers would have no financial incentive to pay back their loans.

Method

  • Empirical analysis and simulation.

Results

  • The attack on Maker’s governance would have been possible, but it would have required a large sum of money (over USD$20 million at the time the paper was written); hence, the attack would either need a supporting whale (one holding large sums of valuable crypto), a crowdfunded pool, or a flash loan. Following the flash loan approach, the attack would proceed as follows:
    • In one transaction (t1), deploy the malicious governance contract and the flash loan contract.
    • In a second transaction (t2):
      • Acquire a flash loan whose ETH amount is enough to buy the MKR amount to elect an executive contract. At the time the paper was written, this was estimated to be 50,000 MKR (about 379,000 ETH).
      • Upon granting the flash loan, the lending platform invokes the flash loan contract, whose logic executes the following steps:
        • Swap the given ETH for MKR. Then, use the 50,000 MKR to vote to replace the executive contract with the malicious one. Through the latter, mint as much DAI as wanted, setting the attacker as the beneficiary. Invoke the executive contract so as to take hold of Maker’s entire ETH collateral. Last, pay back the ETH loan.
    • In a third transaction (t3), provide the minted DAI as collateral to any DAI-X market, where X is any coin for which a lending platform pairs with DAI-backed loans. For instance, if X = USDC, the market is DAI-USDC; the attacker provides DAI and gets a loan in USDC.
    • For each loan of coin type X (or a batch of coin types), have a transaction depleting all X tokens from the target lending platform. Continue this step for as many lending platforms as wished, or until the value of DAI drops to zero.
  • The outlined attack was not possible at the time the paper was written, as lending platforms did not have enough ETH liquidity. However, it would only take 66 days for Aave to accumulate enough funds to cover the required flash loan. As of today (March 6th, 2021), both Aave and Compound hold enough ETH liquidity: over 513,000 and 1.2 million, respectively.
  • As for the second perspective brought by the authors, the simulation of the stylized protocols shows that:
    • If the initial amount of loans is USD$400 million, the protocol can be undercollateralized in just 19 days. This occurs when the governance asset strongly correlates with the collateral coin, i.e., their prices move in the same direction.
    • A governance asset that weakly correlates with the collateral asset delays or prevents undercollateralization; if strongly negatively correlated (e.g., the collateral coin’s value is low while the reserve coin’s value is high, or vice versa), the protocol can back the given loans.
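The simulation sketched in the Summary and the two results above can be reproduced in miniature. The block below is an added example and not the authors’ simulation scripts (which were not published); the 1.5 collateralization ratio and the 1M-token governance reserve follow the paper, while the price model (correlated daily log-returns), the drift and volatility values, the day-0 ETH price and the random seed are constructed assumptions, since the summary gives no parameter values.

```python
"""Monte Carlo check of when a stylized ETH-collateralized lending protocol
becomes undercollateralized (added example; parameters are constructed)."""
import math
import random

COLLATERAL_RATIO = 1.5      # $1.5 of ETH locked per $1 of stablecoin borrowed (paper)
RESERVE_TOKENS = 1_000_000  # governance tokens held in reserve (paper)


def first_undercollateralized_day(eth_prices, gov_prices, debt_usd):
    """Index of the first day on which debt exceeds ETH collateral plus the
    reserve's market value, or None if the protocol stays backed throughout.
    Day 0 is loan origination, so the locked ETH is sized from eth_prices[0]."""
    eth_locked = debt_usd * COLLATERAL_RATIO / eth_prices[0]
    for day, (p_eth, p_gov) in enumerate(zip(eth_prices, gov_prices)):
        backing = eth_locked * p_eth + RESERVE_TOKENS * p_gov
        if backing < debt_usd:
            return day
    return None


def simulate_paths(days, mu, sigma, rho, p0, rng):
    """One path of daily ETH and governance-token prices whose log-returns
    have correlation rho (geometric Brownian motion, a constructed model).
    The governance token starts at the ETH price, as in the paper's setup."""
    eth, gov = [p0], [p0]
    drift = mu - 0.5 * sigma ** 2
    for _ in range(days):
        z1 = rng.gauss(0.0, 1.0)
        z2 = rho * z1 + math.sqrt(1.0 - rho * rho) * rng.gauss(0.0, 1.0)
        eth.append(eth[-1] * math.exp(drift + sigma * z1))
        gov.append(gov[-1] * math.exp(drift + sigma * z2))
    return eth, gov


def undercollateralization_stats(debt_usd, rho, n_paths=2000, days=100,
                                 mu=0.0, sigma=0.05, p0=200.0, seed=7):
    """Probability of undercollateralization within `days`, plus the earliest
    and median day it happened across the paths where it did.
    Daily sigma=0.05 and p0=200 are assumed values, not the paper's."""
    rng = random.Random(seed)
    hit_days = []
    for _ in range(n_paths):
        eth, gov = simulate_paths(days, mu, sigma, rho, p0, rng)
        d = first_undercollateralized_day(eth, gov, debt_usd)
        if d is not None:
            hit_days.append(d)
    hit_days.sort()
    return {
        "probability": len(hit_days) / n_paths,
        "earliest_day": hit_days[0] if hit_days else None,
        "median_day": hit_days[len(hit_days) // 2] if hit_days else None,
    }


if __name__ == "__main__":
    for debt in (100_000_000, 400_000_000):
        for rho in (1.0, 0.0, -1.0):
            print(f"debt=${debt / 1e6:.0f}M rho={rho:+.1f}:",
                  undercollateralization_stats(debt, rho))
```

Two things fall out of the model that the text states only in words: since the locked ETH scales with debt but the reserve does not, a larger debt makes the reserve a smaller cushion, so $400M is undercollateralized on more paths (and earlier) than $100M; and with the governance token perfectly negatively correlated, the reserve rises whenever ETH falls and the protocol stays backed on every path.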

Discussion & Key Takeaways

  • The Maker governance system had defined a delay period before any elected executive contract could take any action, but the delay was initially set to zero. This shows that the governance contract lacked basic input sanitization: it could have been coded to reject a delay period of zero.
  • A governance token whose value weakly or negatively correlates with the collateral coin increases the chance that a lending protocol can back its loans when the collateral price drops.
  • Under certain assumptions, lending protocols could be undercollateralized in less than a month’s time.
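The attack flow in the Results and the first takeaway above both turn on one control: an elected executive must wait out a positive delay, during which MKR holders can trigger a global settlement. The block below is an added Python model of that control, not Maker’s contract code; every class and method name is hypothetical. It encodes the rules the summary describes (the candidate with the most staked votes is elected, it can act only after the delay, holders can settle inside the window) and applies the input check the takeaway calls for by rejecting a zero delay at configuration time.

```python
"""Model of a delay-gated governance executive with a settlement escape hatch
(added illustration; hypothetical names, not Maker's implementation)."""


class GovernanceTimelock:
    def __init__(self, delay_seconds: int):
        if delay_seconds <= 0:                       # the missing input sanitization
            raise ValueError("executive delay must be positive")
        self.delay = delay_seconds
        self.executive = None     # (name, staked_votes) currently in control
        self.pending = None       # (name, staked_votes, elected_at) waiting out the delay
        self.settled = False

    def elect(self, candidate: str, staked: int, now: int) -> None:
        """Register a candidate that outvotes the sitting executive."""
        sitting_votes = self.executive[1] if self.executive else 0
        if staked <= sitting_votes:
            raise PermissionError("candidate does not outvote the current executive")
        self.pending = (candidate, staked, now)

    def activate(self, now: int) -> str:
        """Hand control to the pending executive once the delay has elapsed."""
        if self.settled:
            raise RuntimeError("global settlement in effect; executive actions disabled")
        if self.pending is None:
            raise RuntimeError("no pending executive")
        name, staked, elected_at = self.pending
        ready_at = elected_at + self.delay
        if now < ready_at:
            raise RuntimeError(f"delay not elapsed; {ready_at - now}s remaining")
        self.executive, self.pending = (name, staked), None
        return name

    def global_settlement(self) -> None:
        """Escape hatch for token holders: freeze the system and drop the pending executive."""
        self.settled = True
        self.pending = None


def rejects_zero_delay() -> bool:
    """Configuration-time check: a zero delay must not be accepted."""
    try:
        GovernanceTimelock(0)
    except ValueError:
        return True
    return False


def same_block_takeover_succeeds(delay_seconds: int) -> bool:
    """Can a candidate elected at time t also take control at time t, i.e.
    within a single transaction, as a flash-loan-funded vote would require?"""
    gov = GovernanceTimelock(delay_seconds)
    gov.elect("executive-A", staked=60_000, now=0)
    gov.activate(now=delay_seconds)        # legitimate executive, installed after the delay
    gov.elect("candidate-B", staked=70_000, now=1_000_000)
    try:
        gov.activate(now=1_000_000)
        return True
    except RuntimeError:
        return False


def settlement_defeats_pending(delay_seconds: int) -> bool:
    """Holders who spot a hostile pending executive settle the system inside the window."""
    gov = GovernanceTimelock(delay_seconds)
    gov.elect("candidate-B", staked=70_000, now=0)
    gov.global_settlement()
    try:
        gov.activate(now=delay_seconds)
        return False
    except RuntimeError:
        return True
```

With the delay set to one day (86,400 seconds, the value the thread below reports Maker adopted), `same_block_takeover_succeeds` is False: the vote and the takeover cannot share a transaction, so a flash loan that must be repaid in that same transaction cannot fund it.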

Implications & Follow-ups

  • The flaw in Maker’s governance contract highlights the importance of auditing smart contracts. The flaw was disclosed to the team and developers eventually fixed it.
  • The paper shows evidence that a financial crisis in the DeFi space is indeed possible; since protocols are intertwined, undercollateralization in one protocol could cause financial contagion across the entire ecosystem. Faulty governance and security flaws exposing funds could also lead to such contagion.

Applicability

  • Governance token economic designers should consider the correlation implications with collateral coin price as a means to prevent undercollateralization.
  • Simulations such as the one performed by the authors could be made standard across the DeFi ecosystem; protocol designers could use them to assess the risk of undercollateralization and whether the economic security triggers in place would work as expected; investors could rely on the same simulations to assess investment risk.
3 Likes

Great point about this demonstrating the need and value of audits! It looks like the vulnerability identified by the paper was fixed by Maker and that left me thinking two things that maybe @lnrdpss and others could help me with.

First, do we know how Maker fixed/addressed this vulnerability and how that prevents this type of decentralized financial crisis from happening this way?

And second, it seems like this paper demonstrated a process through which under collateralization can occur, but it looks like it takes a significant amount of cash to pull it off. Do we have any estimates of how likely this is to happen?

Actually, that brings up maybe a third question but I’ll just call it 2.1. Does the emergence of flash loans increase the risk of a decentralized financial crisis? Perhaps not something that they really worked to simulate, but perhaps that would make a change to their model?

2 Likes

@zube.paul Thanks for your comment :slight_smile:

To fix the issue, according to the paper, the safety delay control was set to one day. Hence, an executive contract must wait 24h before it is given full control over Maker. One day gives time for others to trigger a global settlement if the elected governance contract is found to be malicious.

Since Maker’s code is publicly available, one can verify that Maker does indeed implement the change: (1) first, one needs to compile Maker’s source code - this has to be the same version supposed to match Maker’s deployed code; (2) assert that the resulting bytecode matches what is deployed at Maker’s governance address (the actual deployed governance contract); (3) if the two bytecodes match, then the change is in. If not, then the change is not deployed in the network.

As for flash loans, I totally agree with you. They do increase the risk of a decentralized financial crisis. But, the other perspective is that they empower users with money that would not otherwise be ever available to them. Among others, poor actors are now in a position to use flash loans to take advantage of arbitrage opportunities, largely increasing returns that would not have paid transaction costs otherwise.

While it is absolutely true that flash loans can be used for a bad purpose, an unintentional positive side effect is that flash loans force the entire industry to deeply think and consider best security practices, and learn from its own mistakes. Sadly, this occurs at the expense of liquidity providers, who might lose their funds when locking them in lending protocols. I guess for every investment, there is a risk to consider. Would you agree?

4 Likes
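The three-step verification described in the reply above (compile the matching source, compare with the deployed bytecode) has one practical wrinkle worth showing: solc appends a CBOR metadata trailer to runtime bytecode, and its embedded source hash changes with any difference in source text or file path, so a byte-for-byte comparison can fail even when the code is identical. The block below is an added example, not part of the thread and not Maker’s tooling; both byte strings are constructed. In practice `deployed` would come from an RPC call such as web3.py’s `w3.eth.get_code(address)` and `compiled` from the compiler’s `deployedBytecode` output (the runtime code, not the creation code) for the same compiler version and settings.

```python
"""Compare compiled vs deployed EVM runtime bytecode, ignoring the solc
metadata trailer (added example; sample bytes are constructed)."""


def strip_metadata(bytecode: bytes) -> bytes:
    """Drop the CBOR metadata solc appends to runtime code.

    solc terminates runtime bytecode with a CBOR map (bzzr/ipfs hash of the
    metadata JSON, compiler version) followed by a 2-byte big-endian length
    of that map. The hash differs between otherwise identical builds, so it
    must be excluded before comparing. If the trailer does not parse, the
    input is returned unchanged rather than guessed at."""
    if len(bytecode) < 2:
        return bytecode
    cbor_len = int.from_bytes(bytecode[-2:], "big")
    end = len(bytecode) - 2 - cbor_len
    # the trailer must fit and begin with a small CBOR map header (0xa1..0xa3)
    if end < 0 or bytecode[end] not in (0xA1, 0xA2, 0xA3):
        return bytecode
    return bytecode[:end]


def bytecode_matches(deployed: bytes, compiled: bytes) -> bool:
    """Step (2) of the check above: equal once metadata is set aside."""
    return strip_metadata(deployed) == strip_metadata(compiled)


# Constructed sample: a short runtime prefix with two different metadata hashes.
RUNTIME = bytes.fromhex("608060405234801561001057600080fd5b50")


def _trailer(hash32: bytes) -> bytes:
    """CBOR map {"bzzr0": <32-byte hash>} plus its 2-byte length, as solc emits."""
    cbor = b"\xa1" + b"\x65bzzr0" + b"\x58\x20" + hash32
    return cbor + len(cbor).to_bytes(2, "big")


DEPLOYED = RUNTIME + _trailer(bytes(range(32)))
COMPILED = RUNTIME + _trailer(bytes(range(32, 64)))        # same code, other hash
TAMPERED = RUNTIME[:-1] + b"\x00" + _trailer(bytes(range(32)))  # one opcode differs

if __name__ == "__main__":
    print("deployed vs compiled:", bytecode_matches(DEPLOYED, COMPILED))   # True
    print("tampered vs compiled:", bytecode_matches(TAMPERED, COMPILED))   # False
```

Two caveats for a real run: compare runtime code against `deployedBytecode`, not the creation bytecode (which also carries constructor arguments), and contracts using immutables will have values patched into the runtime code at deployment, which a plain comparison will flag as a mismatch.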

Is anyone aware of any projects attempting to increase the loan terms of a flash loan beyond one block?

Theoretically, it seems possible if lending protocols implement stronger principal clawbacks. In a world where that is no longer a constraint, seems like governance delays become a cat-and-mouse game and that additional security layers are required.

3 Likes

I agree with you twice! First, of course, there is risk in every investment opportunity. It would be nice to know the future, of course, but risk is inherent. Second, great insight regarding the empowerment dynamic that flash loans can offer. Seems like this not only helps potential investors but also can help networks become more secure if I’m understanding the research in Why Stake When You Can Borrow correctly.

Back to this paper though! I guess what I was getting at originally in my series of questions is how well does this paper help us understand the risk of a decentralized financial crisis? It looks like they ran a simulation on a known problem that has been fixed (and please correct me if that is an oversimplification!). Demonstrating this risk is valuable but isn’t it a little too limited in scope? I might not be understanding the theoretical position they’re developing here well enough to see it but I’m left wondering if this paper can help us look beyond Maker specifically and help us better identify and evaluate potential decentralized financial crisis red flags in the future? Maybe that’s not what this paper is set up to do and it’s just something I want it to be doing. Am I being too unfair here? Anyone else left wondering the same question?

2 Likes

I’m not aware of any projects attempting to do this at the moment. But since we’re in the land of the theoretical, could you maybe go into a little more detail about what you see that additional security layer having to be and/or accomplish?

1 Like

@zube.paul I believe the paper helps in the following directions:

  • Real-world evidence of a bug that existed in one of the major lending platforms; if exploited, the consequences would have been catastrophic.
  • A simulation of whether a hypothetical lending protocol borrowing the same characteristics of major ones (but simplified in nature for the sake of the experiment) could become undercollateralized; if so, a meltdown could occur, as the debt in the lending protocol would surpass its current locked value (collateral). In the latter case, borrowers have no incentive to pay back their loans. Following their experiments, they show that undercollateralization is indeed possible.

While I personally find their contributions enough for what the paper aims to answer, my biggest concern is its reproducibility and largely undocumented methodology. At the very least, I would expect the authors to have published their simulation scripts somewhere so anyone could run them and verify the results. Also, the criteria for the chosen simulation parameters were unclear to me, which in my humble opinion is a methodology flaw. Having the latter two in place would help other researchers build on their results, validate or refute their experiments, etc. That would have helped the entire community towards having reliable models we could all use. @zube.paul What do you think?

3 Likes

I think those are some great observations. I wish I had the answers/information. Perhaps in time we’ll hear from the authors themselves.

Since you brought up criteria, I wonder if you might be willing to go through what you think good criteria would be? Not just for this paper, but overall. Or maybe it would just be easier to point out a paper that has done it really well.

That might be valuable from other forum members also, what are some great examples of related methodologies? Links to papers might be helpful if you’re commenting.

2 Likes

@zube.paul At the core of any paper, reproducibility is a must. For reference, I really like the discussion in here: Reproducibility: A tragedy of errors : Nature News & Comment

As a general set of guidelines, the paper " Scientific Integrity Principles and Best Practices: Recommendations from a Scientific Integrity Consortium" provides a list of principles that apply “broadly across scientific disciplines as a mechanism for consensus on scientific integrity standards and to better equip scientists to operate in a rapidly changing research environment”. Note that this is not entirely tied to paper publishing, but rather takes a more holistic view as how we can have a mature environment as a whole.

This is just a starter and probably deserves its own discussion thread :slight_smile: Let me know if you have other pointers that are worth sharing.

1 Like