Paper Author: Lewis Gudgeon, et al.
Decentralized finance (DeFi) protocols are a recently developed alternative to central banking. These protocols are implemented on top of standard blockchains and provide users the ability to trade financial assets such as currencies, debt, and derivatives. The main advantage of DeFi is its transparency, and is a safeguard against opaque lending practices which caused the 2008 market crash. Although DeFi is fully transparent, complex dependencies still arise, and a lack of stress testing can expose vulnerabilities. This paper exposes a vulnerability in the governance mechanism of the largest DeFi token (Maker), and provides simulations of various price volatility scenarios. The governance attack exposed by this paper was patched by Maker in advance of publication.
- Decentralized Finance (DeFi): a peerto-peer financial system, which leverages distributed ledger-based smart contracts to ensure its integrity and security. Examples of transactions on DeFi are loans, decentralized exchanges, and derivatives trading.
- security deposits : when a loan is created, the borrower provides collateral which is lost if he does not repay the loan. A rational borrower would choose the least costly option between abandoning a loan and repaying it.
- under collateralized debt: when the value of the collateral is lower than the amount they borrowed, a rational agent will choose to abandon the debt.
- governance : mechanisms for making decisions and implementing rules on a DeFi protocol. Maker has a voting system, Compound is fully centralized.
- composability**: DeFi protocols can be combined in a modular fashion. For example, assets created by one protocol can be used as collateral in another. This allows for a lot of flexibility but can expose system-wide failures since a failure in one protocol can have an effect on many others.
This paper studies two scenarios of vulnerability:
- Attacks on the governance mechanism
- Effects of “black swan” financial scenarios.
The authors design an attack scenario on the governance system of the Maker token, and then simulations to stress test the DeFi ecosystem in the event of price volatility.
Governance Attacks on Maker
- Participants in Maker (MKR) governance process are given votes proportional to the number of their MKR tokens locked in the voting system.
- executive contracts: a set of rules to govern the system. Elected by voters who lock tokens in the contract. Voters can change their vote at any time until a majority is achieved. The contract decides how the locked funds are spent. If a malicious contract is elected, it could steal all the locked funds. A safeguard was put in place where the contract is only activated 24 hours after its election, and group of members with at least 50k MKR (approx 30M USD) would be able to withdraw it.
The first attack is termed a “crowsourcing attack”, and it consists of a community of users to coordinate and fund a mailicious contract which would mint new tokens, or funnel the contract deposits to some account. The main challenge is to spread the funds to multiple addresses to prevent detection, while coordinating many accounts.
The second attack is the “flash loan” strategy. The main gist here is that one party borrows the necessary 50k MKR to trigger a governance contract using a flash loan. Flash loans are uncollateralized loans which are revoked if the lan is not paid back within a certain time window. The malicious party would take out a flash loan for 50k MKR, vote in a the malicious contrat to mint DAI tokens which are used to pay back the flash loan. The only cost here is the gas and the .09% interest on the flash loan.
The potential gain from these attacks is up to 191 million USD.
Stress testing DeFi
The second part of the paper look at simulations of the DeFi system under various conditions of asset price volatility.
The typical lending procedure in Maker involves two agents, and goes as follows:
- Alice borrows asset \(B\) from Bob
- To ensure that Alice will pay Bob back for \(B\), she puts up another asset, \(A\), as collateral. If she does not repay \(B\), she loses \(A\), according to some smart contract.
Typically, B is known as the collateral, and its value should exceed that of A. Otherwise Alice would just walk away and never repay the debt.
The degree to which the value of B should exceed that of A is known as the overcollateralization factor, \(\lambda\).
INSERT: Use case
The problem arises when the total amount of collateral in the system is exceeded by the amount of debt. This can come about in times of sharp fluctuations in the price of collateral assets.
The authors formalize this as the Margin of Overcollateralization which is positive if the total system debt is sufficiently collateralized, and negative otherwise.
Of course, the sysem could pick a very large \(\lambda\) to ensure that each debt is backed by a substantial amount of collateral to account for large price fluctuations. However, this would lead to system inefficiencies as useless collateral is an opportunity cost which can be otherwise used to finance more loans.
By running various simulations on the price of collateral assets, and market liquidity scenarios, the authors find that in many scenarios, price volatility would lead to a collapse of the DeFi lending system.