Blockchain technology emerged as a response to the Financial Crisis of 2007–8 [nakamoto2008bitcoin]111The first Bitcoin block famously outlines: “The Times 03/Jan/2009, Chancellor on brink of second bailout for banks”.. The perception that banks had ‘misbehaved’ resulted in a deterioration of trust in the traditional financial sector [earle2009trust]. The causes of the crisis were several, but arguably chief among them was a lack of transparency regarding the amount of risk major banks were accumulating. When Lehman Brothers filed for bankruptcy, it had debts of 613bn USD, bond debt of 155bn USD and assets of 639bn USD [bbc]. Central to its bankruptcy was its exposure to subprime (i.e. bad quality) mortgages. This exposure was compounded by the fact that the bank had a leverage ratio222Defined as ; the total assets were more than 30 times larger than what shareholders owned, indicating substantial debt. of 30.7x in 2007 [secinfo].
From their inception, blockchain-based cryptocurrencies sought to provide a remedy: facilitating financial transactions without reliance on trusted intermediaries, shifting the power, and therefore, the ability to cause crisis through the construction of opaque and complex financial instruments, away from banks and financial institutions [nakamoto2008bitcoin]. Ten years later, a complex financial architecture—the architecture of Decentralized Finance (DeFi)—is gradually emerging on top of existing blockchain platforms. Components in this architecture include those that pertain to lending, decentralized exchange of assets, and markets for derivatives (cf. Table 9) [makerdao, compoundfinance, synthetix, uniswap, dydx, instadapp].
At present, DeFi protocols assume that participating agents have weak identities, since the underlying blockchain operates with weak identities. Consequently DeFi architectures for lending require agents to post security deposits to fully compensate counter-parties for the disappearance of the agent. We will assume that agents are economically rational such that if the agent faces a choice between repayment of a debt or loss of collateral, the agent will choose the least cost option. These security deposits serve to guard against (i) ‘misbehavior’ of agents, where the action that would maximize individual utility does not maximize social welfare, and (ii) external events, such as large exogenous drops in the value of a particular cryptocurrency [harz2019balance]. Of all DeFi protocols, those with the most locked capital are for lending: the biggest, Maker, has (as of January 2020), 57% of all capital locked in DeFi, corresponding to 473.2m USD [defipulse].
Governance is another crucial facet of DeFi protocols and we observe differing degrees of governance decentralization. For example, Maker uses its own token MKR to allow holders to vote on a contract that implements the governance rules. In contrast, Compound, the third largest protocol by market share is centrally governed and a single account can shut down the system in case of a failure [compoundcentral]. Moreover, as in traditional finance, these protocols do not exist in isolation. Assets that are created in Maker, for example, can be used as collateral in other protocols such as Compound, dY/dX, or in liquidity pools on Uniswap. Indeed, the composability of DeFi — the ability to build a complex, multi component financial system ontop of crypto-assets — is a defining property of open finance [money-legos]. However, if the underlying collateral assets fail, all connected protocols will be affected as well: there is the possibility of financial contagion.
This paper is the first to quantitatively assess the financial security of DeFi protocols to the risks posed by a sharp downturn in cryptocurrency prices—including the resulting financial contagion—as well as attacks on their governance architectures.
The first security risk arises when, in the context of lending, security deposits become smaller than the issued debt. Assuming rational economic agents, in such an under-collateralization event, the borrower would default on their debts, since the amount they have borrowed has become worth more than the amount they escrowed. In this paper, we formally model these security constraints for DeFi lending platforms, and simulate their behavior. We find that for plausible parameter ranges, a DeFi lending system could find itself undercollateralized. To the extent that other DeFi protocols allow agents to lend or trade the undercollateralized asset, financial contagion would result.
The second security risk relates to governance concerns, and in particular the possibility of an agent seizing control of a DeFi lending platform and stealing the funds.
We introduce two governance attack strategies on Maker that would enable an attacker to steal all funds in the protocol (0.5bn USD).
The first attack strategy inspired by [maker-governance-attack], covertly executed, is feasible within two blockchain blocks and requires the attacker to lock c. 27.5m USD of collateral.
The second attack strategy is a novel contribution and allows an adversary to amass the Maker collateral within two transactions, with an upfront collateral requirement of a few US dollars to pay for gas fees.
Formal modeling of DeFi protocols. We provide definitions for economically-resilient DeFi protocols, introducing overcollateralization, liquidity, and counter-party risk as formal constraints.
Stress-testing of DeFi. We develop a methodology to quantitatively stress-test a DeFi protocol with respect to these security constraints, inspired by risk assessments performed by central banks in traditional financial systems. We simulate a price crash event with our stress-test methodology to a generic DeFi lending protocol that closely resembles the largest DeFi protocols to-date, by volume: Maker, Synthetix, and Compound. We find, for plausible parameter ranges, the manifestation of undercollateralized DeFi protocols.
Maker attack. With specific focus on the largest DeFi project by market share, Maker, we show that it is feasible to successfully steal the funds locked in the protocol covertly and within two blocks or within two transactions. By exploiting recent flash loan pool contracts, we show how an attacker with no capital (besides gas fees), under the assumption of sufficient market liquidity, would be able to execute such an attack.
DeFi contagion. We present two transmission mechanisms for DeFi contagion, which would serve to propagate the effects of under-collateralization or the Maker attack into other protocols.
We have shared our findings with the MakerDAO team in February 2020 and they generally appear to agree with the possibilities described in this paper.
First, Section 2 provides an overview of DeFi. Focusing on DeFi lending, Section 3 presents a formal system model and the constaints that DeFi lending protocols operate under. Section 4 then provides the simulation results of such a lending protocol, and assesses the potential damage due to financial contagion. Turning specifically to Maker, Section 5 considers the feasibility of an attack on the governance mechanism of the largest DeFi protocol. Section 6 considers transmission mechanisms between composable protocols in a DeFi crisis. Section 7 presents related work and Section 8 concludes.
2 Overview of Decentralized Finance
This section provides a working definition of DeFi, before considering three core properties of a DeFi architecture: (i) the types of identities the participating agents have, (ii) the types of agents in the protocol and (iii) the existence of economic cycles.
DeFi is an emergent field, with 1.06bn USD of total value locked into DeFi protocols as of 12 February 2020 [defipulse]. Appendix A.1 Table 9 presents a categorization of DeFi protocols, providing the three largest by locked USD in each case [defipulse]. We observe that Maker dominates the DeFi projects with over 0.5bn locked USD. DeFi protocols mostly emerge for uses such as lending, decentralized exchange and derivatives. We define Decentralized Finance (DeFi) as follows.
Decentralized Finance: a peer-to-peer financial system which leverages distributed ledger based smart contracts to ensure its integrity and security.
2.1 Blockchain Model
A DeFi protocol operates on top of a layer-one blockchain, which provides standard ledger functionality [badertscher2017bitcoin, badertscher2018ouroboros, david2018ouroboros, pass2017analysis]. We assume that the underlying blockchain is able to provide finality [Castro1999, Miller2016a], construed as a guarantee that once committed to the blockchain a transaction cannot be modified or reversed. We further assume that given participants in a consensus protocol, the maximum number of Byzantine faults is such that . Finally, we assume that the blockchain offers sufficient protection from selfish mining attacks and that fewer than of the miners are malicious [eyal2014majority].
We define identity notions as follows333While the authors are unaware of these definitions formally stated elsewhere, credit is due to Rainer Böhme for providing a similar set of definitions [identity]..
Definition 2.2 (Weak identity).
Where the mapping between an agent and an online identity is not one-to-one, and in particular may be many-to-one and change through time.
Definition 2.3 (Strong identity).
Where the mapping between an agent and an online identity is one-to-one and does not change through time.
In traditional finance, agents have strong identities. The declaration of bankruptcy does reputational damage, affecting an agent’s ability to access credit again in the future as well as affect the interest rates they pay. However, in DeFi as it currently stands, weak-identities prevail444As DeFi develops, it is foreseeable that agents could have strong-identities. This would have significant ramifications, including potentially removing the requirement for overcollateralization, as agents would have reputational incentives to behave in desirable ways. While reputation systems for crypto-economic protocols have been designed (e.g. [harz2019balance]), strong identities could permit such systems to allow under-collateralization. In the present work, we consider DeFi protocols as they currently are, featuring agents with only weak-identities.. As a result, no such costs are attached to the act of defaulting: an agent can simply leave a protocol and rejoin with a new identity 555Identities are also not compositional: if an agent defaults in one protocol, the agent can re-use the same identity in another protocol without suffering any reputation damage. In traditional finance, if an agent is bankrupt, it generally may affect any future interaction with institutions that are required to follow KYC and AML legislation..
2.3 Agent Types
We adopt the BAR model of agents [Aiyer2005BARmodel] with the extension of private valuations [harz2019balance] resulting in three agent types:
Honest: An honest agent type will act in the interest of the protocol independent of their private motivations or external payments.
Rational: A rational agent type will choose a course of action based on maximizing their expected utility. However, rational agents generally follow the rules of the protocols.
Adversarial: An adversarial agent type will maximize their payoff in any way possible, including by deviating from the protocol rules as well as adopting their behavior as a response to protocol changes and other agents behaviors.
In DeFi, the combination of weak identities and rational agents (i.e. expected utility maximizers) requires that the borrower must give the lender something of at least equal value—a security deposit —as the amount they wish to borrow .
2.4 DeFi Composability
DeFi protocols do not exist in isolation. Their open nature allows developers to create new protocols by composing existing protocols together. Some compare this approach with “Money Lego” [money-legos]. As such, assets created through lending in one protocol can be reused as collateral in other protocols in any kind of fashion. This creates a complex and intertwined system of assets and debt obligations that is hard to understand. Moreover, a failure of a protocol that serves as backing asset to other protocols has a cascading effect on others. Indeed, a hallmark of financial crisis is that such events do not take place in isolation, but rather financial contagion takes place, where a shock affecting a few institutions spreads by contagion to the the rest of the financial sector, before affecting the larger economy [allen2000financial].
3 DeFi Lending Protocols
This section provides a formal system model for a DeFi lending system and characterizes system constraints.
3.1 DeFi Lending Protocol Model
Our primary assumption is the existence of a set of protocols for overcollateralized borrowing. Overcollateralized borrowing allows an agent to provide an asset A as collateral to receive or create another asset B, of lower value, in return. The asset B, typically together with the payment of a fee, can be returned and the agent redeems its collateral in return. However, borrowed asset B typically has different properties to asset A: for example, an agent might provide a highly volatile asset A and receive a price-stable asset B in return. Furthermore, a third asset C can serve as a governance mechanism. Holders of asset C are able to influence the rules of the DeFi lending protocol. In absence of a governance asset, DeFi lending protocols typically replace this function with a central privileged operator introducing counter-party risk.
At the agent level, a DeFi lending protocol permits agents to escrow units of cryptocurrency , and borrow (or issue) units of another cryptocurrency against that value. Both the escrowed and the borrowed cryptocurrency are quoted with reference to a third source of value, e.g. USD. For example, the price of the collateral asset(s) is given by the pair , e.g. 150 USD per unit of , and the price of the borrowed cryptocurrency is given by . At the system level, a DeFi protocol is the aggregation of these individual acts of borrowing by agents, such that the system collateral of type is given by for agents. We formally define an economically secure DeFi lending protocol as follows:
Definition 3.1 (Economically Secure DeFi lending protocol).
Assuming rational agents, a DeFi lending protocol is economically secure if it ensures that , with reference to a basis of value (e.g. USD), the total value of the system debt at time is smaller than the total value of all backing collateral types () at time .
Given the assumption of rational agents with weak identities, this definition connects to the notion that if the agent is faced with a choice between keeping their borrowed funds or retrieving their escrowed collateral , since the agent will renege on their commitment to repay the debt. Whether a DeFi protocol satisfies this definition depends on market conditions, and in particular on the relative values of and with respect to a common price. In addition:
Volatility. Since the value of the collateral asset is not fixed in terms of the USD basis of value, the value may fall sharply against the USD.
Liquidity. In an illiquid market, liquidating the collateral asset may only be possible with a significant haircut, where the collateral is sold at at a discount.
These considerations motivate overcollateralization, which we define as follows.
Definition 3.2 (Ove-collateralization).
When escrowed collateral has a greater value with respect to a basis of value than the issued loan .
Denoting the overcollateralization factor as and the price and quantity of an asset as and respectively, the margin of overcollateralization at time at the system level is as follows.
Clearly, . Should , then the margin of overcollateralization is negative and therefore the system as a whole is undercollateralized. However, a protocol may have an additional pool of reserve liquidity available, enabling it to act as a lender of last resort. For example, one such pool of collateral could be constituted by governance tokens for the protocol itself 666MKR tokens in the case of Maker.. In a DeFi protocol, participants can have voting power in proportion to the number of governance tokens they hold. The total value of this pool of collateral is given by , and thus adding this into the margin of overcollateralization for the system yields:
Typically, the reserve asset would be considered the collateral type with the least risk, similar to a senior tranche in traditional finance: the reserve asset is only touched once the riskier tranches have lost their value [fender2005structured]. A protocol designer faces a trade-off. If the parameter is too low, volatile and illiquid markets may mean that the protocol becomes undercollateralized. However, if it is too high, then there is significant capital market inefficiency, with more capital than necessary in escrow, leading to opportunity costs of capital.
3.2 Overcollateralization Constraint
Whether the debt will be redeemable for $ depends on the value of the reserve of the collateral asset held. At the system level, the necessary condition for overcollateralization of is as follows.
In the event that , the reserve asset of a protocol is used as a “lender of last resort” to buy the collateral value. If equation 3 does not hold, it means that even liquidation of all of the primary collateral asset and reserve asset would be insufficient to cover the total system debt. This would constitute a catastrophic system failure, since given rational agents with weak identities, the borrowed funds would become worthless as they would no longer be redeemable. Note that in this formulation, and are expressed as functions of each other, accounting for the possibility of correlation in the price of the collateral asset and the price of the reserve asset 777There is evidence that crypto-assets display high intra-class correlation, limiting the advantage of diversification [koutsouri2019].. If collateral and reserve assets are positively correlated, this would serve to limit the ability of the reserve asset to recapitalize the system.
3.3 The Liquidity Constraint
Following [nikolaou2009liquidity], we define market liquidity as follows.
Definition 3.3 (Market liquidity).
A measure of the extent to which a market can facilitate the trade of an asset at short notice, low cost and with little impact on its price.
The liquidity available in a market implies a security constraint: in expectations, over a certain time horizon, DeFi marketplaces can offer enough liquidity that in the event of a sustained period of negative price shocks, a protocol will be able to liquidate its collateral quickly enough to cover its outstanding debt liabilities.
For a time interval this can be expressed as:
where denotes the total notional traded value, i.e. the (average) price multiplied by the quantity for each trade. For a given trade of size , ; aggregating these trades for a total number of trades provides . denotes the maximum notional value that could be sold off during a period of distress in the financial markets.
3.4 The Counterparty Risk Constraint
In practice, DeFi lending protocols are not fully decentralized on account of, for instance, the possibility of oracle attacks (which could cause a flash-crash), as well as privileged access to the smart contracts. Therefore it is necessary to either assume the “operator” of the protocol is honest, or that the operator only offers the services of the protocol provided they are profitable for them. We formally model this counterparty risk by assuming that its existence in a given protocol creates a risk premium, , such that for an agent deciding between earning a return in a DeFi lending protocol vs elsewhere, the expected return in the DeFi protocol (), once adjusted for the risk premium (), must be higher than an outside return . Formally, we have participation constraint:
There exists an inherent trade-off in counterparty risk. On the one hand, governance mechanisms implemented through voting allow for a certain degree of decentralization whereby multiple protocol participants can influence the future direction of a protocol. Depending on the distribution of tokens, this may reduce the risk of one party becoming malicious. However, it also opens the door to attacks on the voting system, as we introduce in Section 5. On the other hand, a single “benevolent dictator” who controls the governance mechanism can prevent the attacks introduced in Section 5. Yet this requires trusting that this central entity does not lose or expose its private keys controlling access to the smart contracts governing the protocol and that this central party cannot be bribed to behave maliciously.
4 Stress-Testing DeFi Lending
This section considers the financial security of a generic DeFi lending protocol, stress-testing the architecture to quantitatively assess its robustness as inspired by central banks [bankofenglandstresstest, fedstresstest].
4.1 Stress-Testing Framework
Central banks conduct stress tests of banking systems to test their ability to withstand shocks. For example, in an annual stress test, the Bank of England examines what the potential impact would be of an adverse scenario on the banking system [bankofenglandstresstest]. The hypothetical scenario is a ‘tail-risk’ scenario, which seeks to be broad and severe enough to capture a range of adverse shocks 888For example, in its most recent stress-test of the UK financial system, the Bank of England considers the impact of a UK specific risk premium shock, which causes sharp falls in UK asset prices alongside a 30% depreciation of sterling [bankofenglandstresstest]. Following such best practice, we devise and implement a stress-test of the DeFi architecture.
4.2 Simulation Approach
We leverage the generic DeFi lending protocol architecture as developed in Section 3.1. The results here should be considered relevant to all lending protocols which rely on overcollateralization by volatile collateral and reserve assets. We make the following assumptions about the initial state of the system.
The lending protocol allows users to deposit ETH as their single source of collateral .
The lending protocol has 1m tokens of a generic reserve asset, which at the start of the simulation has the same price as ETH but with exactly half of the historical standard deviation of ETH taken over the sample period.
By arbitrage among borrowers, before the crash the lending protocol as a whole is collateralized to , i.e. just above the minimum collateralization ratio.
At the start of the crisis, the protocol has a collateralization ratio of exactly 150%, such that every USD of debt is backed by 1.50 USD of collateral.
Each unit of debt maintains a peg of 1:1 to the US dollar, allowing us to abstract from the dynamics of maintaining the peg.
Next, we detail the methodology we follow to obtain our simulation results.
Price simulation. Firstly, we obtain OHLCV data at daily frequency Compare [cryptocompare], focusing on the period 1 January 2018 to 7 February 2020, incorporating the large fall in the ETH price in early 2018. Taking parameters from this historical data, we use Monte Carlo simulation to capture how the ETH and reserve prices may be expected to evolve over the next 100 days. Monte Carlo simulation leverages randomness to produce a range of outcomes of a stochastic system. We simulate 5,000 randomly generated paths, using a geometric Brownian motion, specified with the following equation.
denotes a Wiener process [wiener1976collected], denotes the mean of the log returns and
denotes the standard deviation. The shocks are drawn from a standard normal distribution. However, given the possibility of the behavior of the different asset prices being correlated, we explicitly incorporate a strong positive correlation structure between the log returns of ETH and the reserve asset into the simulation by correlating these random shocks as they are generated999We consider weak positive and strong negative correlations in the Appendix. . Of the 5,000 simulations, our subsequent analysis is focused on the iteration which yields the lowest price after 100 days. By focusing on this worst-case, we test the DeFi lending protocol with a ‘black-swan’ event, representing a severe challenge to its robustness.
System simulation. In the event of such a severe price crash, since by assumption the protocol is collateralized to , the protocol will seize 100% of the debt value from the collateral pool, and seek to sell this collateral as quickly as possible on a market pair to the debt asset. Once a buyer has traded the debt asset for the collateral, the protocol then burns the debt , effectively taking it out of circulation, offsetting the liability. Therefore, the impact that our scenario has on the DeFi lending protocol, and how quickly it materializes, depends on liquidity available on all collateral/debt pairs. However, an common feature of crashes in financial markets is the drying-up of liquidity. In the event of a liquidity crisis, the demand for liquidity outstrips supply 101010Indeed, such liquidity crises were at the heart of the Financial crisis of 2007-8, as the value of many financial instruments traded by banks fell sharply without buyers [guardian_2012]., such that the constraint in Section 3.3 is binding. Thus a liquidity crisis occurs when this constraint is binding: there are not enough buyers in the market to buy the ETH that is for sale. We propose a simple model for the decline in liquidity over time as follows.
where denotes the initial amount of ETH that can be sold per day. Intuitively, this equation captures the notion that in the event that the protocol attempts to sell large volumes each period, the amount of liquidity available in the next period will be lower.
In this simulation approach, we make a simplification by not modeling the impact that selling large volumes of collateral will have on the price of the collateral asset. It is highly likely that in such a sell-off scenario, the selling of large volumes would serve to endogenously push the price lower. Therefore what we present here represents an upper bound on the price behavior: in reality, the price drop may be even worse than the one we examine.
4.3 Simulation Results
We start with the Monte Carlo simulation of the correlated asset paths, before considering the impact this would have on a DeFi lending protocol and an ecosystem of multiple lending protocols.
4.3.1 Monte Carlo Price Simulation
We use data on the price of ETH/USD over the period 1 January 2018 to 7 February 2020 111111See corresponding plot in Appendix 12. Perhaps the most notable element is the decline in the ETH/USD price over the course of 2018, with the price of ETH falling from an all-time-high of $1,432.88 to c. $220 as of 7 February 2020. With reference to Section A.2, we consider such a downtrend can be a period of reversion after excessive debt has been accumulated in the financial system, culminating in a bubble.
To capture the effects of different correlations between the collateral asset and the reserve asset, we consider three different extents of correlation between the collateral and reserve asset: (i) strong, positive correlation (0.9), (ii) weak, positive correlation (0.1) and (iii) strong negative correlation (-0.9). We then generate correlated asset paths during the Monte Carlo simulation process. In this section we report results for strong correlation, but include those for weak correlation and strong negative correlation in the Appendix.
Figure 1 shows the results of 5,000 runs of the Monte Carlo simulator for the ETH price, and Appendix A.3 Figure 11 shows the results for the reserve asset price in the presence of strong positive correlation in the asset price returns. The starting prices of assets as used in the simulator is the close price of ETH/USD on 7 February 2020.
We isolate the simulation in which the ETH/USD price is the lowest at the end of 100 days 121212We plot the co-evolution of the asset price paths for strong correlation in Appendix A.3 Figure 12.. In Figure 12 it is clear that in this worst case scenario for the ETH/USD price, the price of the reserve asset similarly falls. This illustrates the risk of using a reserve asset which is positively correlated with the collateral asset: if the price of the collateral asset falls, relative to the same basis of value the reserve asset value is likely to fall, limiting the ability of a DeFi lending protocol to recapitalize itself.
4.3.2 Impact on Collateral Margin
We take the simulation corresponding to the lowest ETH/USD price after 100 days and consider the impact this would have on the collateral margin of a DeFi lending protocol.
Negative margins. The main results of this are presented in Figure 2. Plotted with solid lines is the evolution of the total collateral margin (comprising the collateral and the reserve asset) over time as the prices of the collateral asset and reserve asset decline. The dashed lines indicate how the amount of system debt evolves through time, on the assumption that at the start of the 100 day period, the protocol seeks to sell off all of the debt. The speed at which the debt can be liquidated through the sale of its backing collateral in turn depends on the available liquidity in the market for which we consider 3 cases: (i) constant liquidity (such that it is possible to sell a constant amount of ETH every day at the average daily price); (ii) mild illiquidity (where the illiquidity parameter is arbitrarily set to some low level ); and (iii) , such that the market becomes relatively illiquid.
In particular, this figure makes the following parameter assumptions.
at the start of the sell-off, it is possible to sell 30,000 ETH per day without having an impact on price 131313This assumption is based on the 24-hour volume of ETH/DAI across markets listed on CoinGecko on 7 February 2020, and as such is only a rough proxy for the market liquidity. We use this figure only as a baseline for paramerization and to highlight the theoretical possibility of illiquidity causing default..
the amount of reserve asset is fixed at the start of the sell-off at 1m units.
Where the initial system debt level is 100m USD regardless of the liquidity parameter the collateral margin does not become negative. However, at higher levels of debt, we see that the margin gets closer to 0, and once the debt level reaches $400m does indeed fall below 0, such that the protocol is undercollateralized overall. In the fourth panel of Figure 2 we see that after just over 50 days of the protocol attempting to liquidate as much debt as possible, due to illiquidity it is unable to liquidate in time and the margin becomes negative. This would constitute a crisis in a DeFi protocol: each unit of debt would not have sufficient collateral backing, and rational agents with weak identities would walk away from the protocol without repaying their debt. Notably, the results presented in the Appendix A show that a weakly correlated reserve asset is able to prevent the collateral margin from becoming negative (see Appendix A Figure 15) while a strongly negative correlation between the assets is actually able to bolster the collateral margin (see Appendix A Figure 17)
The effect of liquidity on margin. Given a set of parameters, where the collateral and reserve assets are strongly positively correlated we consider how quickly a crisis may materialize (i) for varying values of liquidity parameters in Figure 3, and (ii) for varying starting values of the amount of ETH that can be liquidated in Appendix A.3 Figure 13 141414The selection of these particular value ranges of debt is on the basis of providing ranges of values from which meaningful insights can be drawn..
Figure 3 shows that for a given amount of debt, as the liquidity parameter increases the margin becomes negative more quickly. Vice versa, it also shows for a given liquidity parameter, the more system debt there is, the more quickly the margin will become negative. We find that for a liquidity parameter of 0.025 and a debt of 750m USD, the margin can become negative within 40 days.
5 Governance Attack on Maker
In this section, we turn to a specific attack on an extant DeFi protocol—Maker [makerdao]. In particular, we present and analyze in depth a potential attack on the Maker governance model. Although the basic idea of attack had been briefly presented in a blog post [maker-governance-attack], the feasibility of the attack has not been analyzed. We use a representation of the current state of the Ethereum main network and the Maker contract to simulate as realistically as possible how such an attack could take place.
5.1 Background and Threat Model
The governance process relies on the MKR token, where participants have voting rights proportional to the amount of MKR tokens they hold. MKR can be traded on exchanges [mkr-coinmarketcap].
Executive voting. Using executive voting, participants can elect an executive contract, defining a set of rules to govern the system, by staking their token on it. Executive voting is continuous, i.e. participants can change their vote at any time and a contract can be newly elected as soon as it obtains a majority of votes. The elected contract is the only entity allowed to manipulate funds locked as collateral. If a malicious contract were to be elected, it could steal all the funds locked as collateral.
Defense mechanisms. Several defense mechanisms exist to protect executive voting. The Governance Security Module encapsulates the successfully elected contract for a certain period of time, after which the elected contract takes control of the system. At the time of writing, this period is set to zero [mkr-vote-failed] despite efforts to try to increase this delay to 24 hours [maker-gsm]. Another defense mechanism is the Emergency Shut Down, which allows a set of participants holding a sufficient amounts of MKR to halt the system. However, this operation requires a constant pool of 50k MKR tokens, worth 27.5M USD at the time of writing151515For consistency, we use the price of MKR on 2020-02-01, which was 550 USD.
Threat model. An adversarial executive contract can steal the Maker collateral and mint new MKR tokens. Those can then be traded until the MKR price crashes and effectively destroy the Maker system. We assume the existence of an adversary with at least one (external) account in the Ethereum blockchain. The adversary is rational, i.e. would only engage in the attack if the potential returns are higher than the costs. There are currently circa 150k MKR tokens used for executive voting and the current executive contract has 76k MKR tokens staked. We observe that the amount of stake changes relatively often and the amount of tokens staked on the elected contract often drops below 50k MKR tokens (eq. 27.5M USD). At the time of writing, there are around 470M USD worth of ETH locked as collateral of the DAI supply, which an executive contract can dispose of freely.
5.2 Crowdfunding and Flash Loans
An adversary can choose between the two following options to amass the capital required for the governance attack.
Crowdfunding. Crowdfunding MKR tokens may allow users to lock their tokens in a contract and program the contract so that when the required amount of MKR tokens is reached, it stakes all its funds on a malicious executive contract. This would allow multiple parties to collaborate trustlessly on such an attack, while keeping control of their funds and being assured that they will be compensated for their participation in it 171717An (admittedly informal) poll on Twitter from late 2019161616See Appendix A.6 Figure 18 conducted by a user soon after this attack shows that several participants may be interested in such an attack.
Liquidity pools and flash loans. A shortcoming of the crowdfunding attack is the required coordination effort between the participants and the likely alerting of benevolent MKR members. Instead, an attack could use liquidity pools offering so called “flash-loans” [aave]. A flash-loan is a non-collateralized loan that can be valid within one transaction only. In the EVM, a transaction can be reverted entirely if a condition in one part of the transaction is not fulfilled. A flash-loan then operates as follows: A party creates a smart contract that (i) takes out the loan, (ii) executes some actions, and (iii) pays back the loan with interest.
The interesting aspect for our purposes is that if in step (ii) the execution of the actions fails or step (iii) the payment of the loan cannot be completed, the EVM treats this loan as it never took place. Hence, under the assumption there is enough liquidity available in protocols like Aave [aave-pools], an attacker could execute the MKR governance attack in step (ii), and, if successful, pay back the flash loan with interest in step (iii). Since the flash-loan requires no collateral, the capital lock up cost for the attacker is significantly reduced. If there is enough liquidity available in these pools, the attacker might even not have to lock any tokens. Furthermore, the liquidity provider also profit from the execution of the attack as they receive the 0.35% fee required in step (iii).
5.3 Practical Attack Viability
In this section, we use empirical data to show how such an attack could potentially take place, and what would be the different shortcomings. We first analyze all the transactions received by the current governance contract of Maker DAO: 0x9ef05f7f6deb616fd37ac3c959a2ddd25a54e4f5. Since the deployment of this contract, in May 2019, there have been a total of 24 different contracts which have been elected as executive contract (cf. Figure 4). When a contract becomes the executive contract, the staked amount is distributed almost equally for a short period of time between the previous and the new executive contract, which reduces the amount of required tokens by more than 50%. This is particularly visible at the end of November 2019 (80k MKR to 40k MKR) or at the middle of January 2020 (120k MKR to 45k MKR) 181818We note the sudden increase of MKR by an executive contract from about 75k to nearly 160k MKR in the beginning of December 2019 (the increase happened one day after a first blog on this topic was published [maker-governance-attack]). A token holder [maker-voting-distribution] injected a very large volume of tokens — around 66k MKR — to potentially help prevent an attack from occurring. It is unclear if the token holder was the Maker Foundation or some other party; in our discussion with Maker they states they knew the identity of the token holder. The holder staked his token to the currently elected contract, making the attack more difficult to execute, before releasing the tokens it staked about one month later. The token holder had vastly more than the necessary amount to execute the attack, and if he would have been malicious could have stolen the funds..
5.4 Attack Steps
We note that an attacker is also able to combine crowdfunding and flash loans to achieve a successful attack.
5.4.1 Crowdsourcing MKR Liquidity
. We observe that on most days the amount is somewhere between 4k and 6k tokens but there are some days when a vastly larger amount of MKR tokens is transferred: more than 18k tokens on February 7, for instance. This results in a mean of roughly 9k MKR tokens traded per day. This corresponds roughly to the estimate provided by other sources[mkr-coinmarketcap], and is enough liquidity for an attacker to accumulate tokens in a timely manner.
Given a liquidity of on average 9k MKR per day, an attacker could accumulate enough MKR to perform such an attack in a timely manner. At an average rate of 1k MKR per day, it would take less than 2 months. However, accumulating all the tokens in a single account would likely attract attention. Indeed, from our discussions with the Maker DAO team, the large MKR token holders are known. A potential strategy is to accumulate tokens without perceptibly changing the distribution of MKR tokens. At present there are c. 5k accounts, holding a total of slightly more than 272k MKR tokens 202020Excluding the holders with a low balance (less than 1 MKR token), and a large balance (more than 5k MKR tokens). It is possible for an attacker to accumulate tokens while spreading the wealth in many accounts with this range of wealth. Given that the attack is possible with 50k tokens, an adversary could spread his wealth across 100 accounts, say, with an average of 500 tokens each. One of the drawbacks of this approach is the requirement to vote from these 100 accounts. This vote should happen in the shortest time frame as possible to reduce the chance of MakerDAO preventing the attack by introducing a non-zero delay on new governance contracts becoming effective [maker-gsm]. Voting for a contract costs on average 69k gas, which means that filling half of a block with voting transactions would allow to vote from more than 72 contracts. Filling half-a-block with transactions costs a mere c. 10 USD [perez2019broken] at the current Ethereum gas price, which means that an attacker could easily perform the whole attack in two blocks. In the second block, the attacker can finish voting for his malicious contract and execute the attack from the contract, which would leave only one block — or less than 15 seconds — for anyone to react to the attack.
5.4.2 Liquidity pools
To execute the attack without amassing tokens, the attacker can utilize liquidity pools to borrow the required tokens via a flash-loan (e.g. via Aave [aave]212121Aave is a protocol deployed on the Ethereum mainnet on January 8, 2020, https://etherscan.io/tx/0x4752f752f5262fb11733e0136033f7d53cdc90971441750f606cf1594a5fde4f). The attacker performs the following steps within two transactions (cf. Fig. 5).
- Transaction 1:
Deploy the malicious governance contract and deploy the attack contract.
- Transaction 2:
Call the attack contract deployed in step 1 that executes the following steps.
Take out a flash loan that allows to convert enough MKR from Aave in the currency with the highest liquidity.
Convert the ETH loan into 50k MKR tokens on a decentralized exchange(s) with enough liquidity.
Vote with the 50k MKR tokens to replace the current MakerDAO governance contract with the malicious contract deployed in step 1.
Take out enough ETH from the MakerDAO system to repay the flash loan with interest.
Repay the flash loan with the required 0.35% interest to Aave.
Now, we argue how to realistically construct this attack and give an analysis of the costs involved. Any information given in the steps below with regard to currencies is based on information obtained on February 14, 2020.
Required funds. Aave’s lending pool prevents reentrancy, i.e. the attacker needs to obtain enough liquidity to obtain the required 50k MKR tokens within a single flash loan. Hence, the attacker should select ETH, as the asset with the largest liquidity. In a naive approach, we could utilize the exchange rate for ETH to MKR to obtain that an attacker requires 114,746 ETH to execute the attack. However, this approach would fall short of the reality of exchange fees: to obtain such large quantities of MKR, the attacker needs to pay a premium. As of 14 February 2020, an attacker could source 50k MKR tokens from three different DEXs with a token split of 38k MKR from Kyber, 11,500 MKR from Uniswap, and 500 MKR from Switcheo for a total of 378,940 ETH222222For current liquidity and rates see https://dexindex.io/.. The attacker thus has to obtain more than an additional 250k ETH from Aave.
Time to attack. As of February 14, 2020 Aave has around 13,670 ETH available in its liquidity pool and is growing with a rate of around 219.5 ETH per day. If we estimate a similar constant growth of the available liquidity pool, it would take about 1,663 days for the pool to be large enough to execute the governance attack without the attacker requiring to own any tokens. However, currently the ETH growth rate of Aave is 5.18% per day. Assuming this growth rate continues, it would only take 66 days until enough liquidity is available in Aave. We also note that if the liquidity of MKR on the observed DEXs increases, the attacker can obtain a better exchange rate. Thus, less ETH needs to be borrowed to attack, decreasing the time until the attack is possible.
5.5 Profitability Analysis
Crowdsourcing. With the crowd funding strategy, the profits from the attack could be split equally between the funders. The only cost are the 20 USD for including the transactions. In return, the attackers can take away the currently 434,873 ETH in collateral in MakerDAO plus the 145m DAI. This amounts to a net profit of 263m USD.
Liquidity pools and flash loans. Assuming Aave’s liquidity pool has accumulated the required 378,940 ETH to execute the attack, we can calculate the profitability as follows. The attacker obtains a total of 434,873 ETH in collateral from Maker as well as the 50k MKR tokens and the 22m DAI currently in circulation. The attacker needs to repay the 378,940 ETH loan with a 0.35% interest (1,326.29 ETH). Furthermore, the attacker needs to pay for the gas fees for the two transactions. The second transaction involves various function calls to other contracts and will cost around 15 USD equivalent of gas. However, by the end of the attack, the attacker has around 55k ETH, 50k MKR, and 145m DAI. This amounts to a net profit of 191m USD. Moreover, the attacker can design the attack smart contract such that the transaction is reverted if it becomes unprofitable. This makes the attack risk free from a cost perspective for the attacker.
6 Composability and Contagion
The possibility of financial contagion in the context of DeFi is of particular importance given the unrestricted composability of protocols [money-legos]. In Sections 4 and 5, we considered an exogenous price drop and a governance attack in each case on a single protocol. Now we argue why these two design weaknesses can lead to contagion to other protocols that might ultimately lead to a decentralized financial crisis.
Both weaknesses, exogenous price drops and governance attacks, result in the debt asset being under-collateralized. Assuming rational agents with weak-identities, it is not individually rational for agents to settle their debts, and thus, the under-collateralized asset eventually reaches a value of 0. Hence, an agent holding such an asset can execute a strategy called liquidity sweeping to use his existing holdings to buy other assets while the price is not yet 0. A special sub-case occurs in the governance attack scenario where the attacker can additionally mint an unlimited supply of the debt asset to buy up all the available liquidity of other assets.
Further, any protocol that uses the now under-collateralized asset as a collateral asset to issue another asset, also becomes under-collateralized. Consider the example of MakerDAO and Compound: MakerDAO uses ETH as a collateral to issue DAI. Compound allows agents to collateralize DAI to issue a cDAI token. As DAI becomes under-collateralized, cDAI loses its debt-backing. We refer to this as evaporating collateral. Holders of any composed assets like cDAI then have to essentially also buy up existing liquidity once they are aware that individually rational agents will not settle their debts. We illustate this cycle in Figure 6 and give a total estimate of the financial damage in Figure 7.
|Under-collateralization (price crash) of MakerDAO||$145m|
|Under-collateralization (governance attack) of MakerDAO||$211m|
|Contagious under-collateralization (price crash) of MakerDAO||$180+m|
|Contagious under-collateralization (governance attack) of MakerDAO||$246+m|
Liquidity sweeping. Contagion occurs when the under-collateralized debt asset is used to “soak-up” as much liquidity as possible, before buyers of the debt asset are able to react. There are two cases: First, if, as detailed in Section 4, the debt asset is under-collateralized due to an exogenous price crash, the agent can trade all their under-collateralized debt (such as DAI) for other assets on DeFi lending protocols which offer liquidity pools such as Compound [compoundfinance], Uniswap [uniswap], and Aave [aave]. This way the agent can dispose of the debt asset if it assumes the debt asset will fall to 0. Second, if, as detailed in Section 5, an attacker gains the ability to create new tokens without collateral backing, the attacker can use these tokens to buy all existing liquidity on available exchanges.
However, both cases assume that the price of the under-collateralized debt asset is not 0 at least as long to complete the trades. We support this assumption with the halting of the IOTA cryptocurrency network that occurred on February 13–15, 2020 [iota-status]. Following a security incident, the IOTA foundation stopped the centralized coordinator such that the IOTA network was not able to process transactions containing value and advised its users to not access their funds in their wallets [iota-halt]. On February 15, the attack is still ongoing [iota-status]. During the incident, the trading volume on exchanges of IOTA feel from 41m USD to 21m USD. Notably, the price of IOTA only moved from 0.34 USD to 0.31 USD within 14 hours of the announcement and recovered back to around 0.32 USD after another two hours. Hence, the inability to transfer the IOTA cryptocurrency and access funds on the IOTA network for an extended period of time, caused only a maximum price drop of 9%.
To quantify the impact of liquidity sweeping, we took an instantaneous snapshot of major marketplaces offering a DAI pair at approximately noon (GMT+8) on 15 February, as presented in Figure 20. In the price crash case, agents could trade the whole of their $145m holdings. However, an agent who had successfully undertaken the governance attack would be able to soak up all of the order book liquidity, since with in effect an unlimited DAI supply they can pay any price to acquire other assets. We estimate the total USD value, aggregating across markets and pairs, to be c. $211m232323See Appendix A.7 Figure 20.
Evaporating collateral. Liquidity sweeping is not contained to agents that participate in a single lending protocol if the assets of the protocol are used in others as well. Rather, a vicious cycle occurs where any debt-backed asset issued in another protocols, e.g. where DAI would be used to issue cDAI on Compound, loaned in Aave, and used as a margin trading collateral in dY/dX. If we consider the DAI example in the price crash case, $145m of DAI would be exchanged as well as $35m of cDAI and any other protocol that uses DAI as backing collateral.
Collateral composition. As a stylized example, assume that there are protocols, with different minimum collateralization ratios, that each use as collateral. In the event of this collateral itself becoming less than 100% collateralized, we assume that the value of the debt would quickly fall to 0. We further assume that agents choose a particular protocol for reasons exogenous to the system, and that each agent obtains the maximum leverage they can on a certain protocol by using their issued debt to purchase additional collateral, which in turn is used to issue more debt. To reflect heterogeneity in collateralization ratios among protocols, we assign each of the
protocols a collateralization ratio based on randomly sampling from a uniform distribution over a specified range. The maximum possible leverage for a given protocolwhen an agent allocates units of collateral to it is given by . Therefore the maximum systemic loss is given by .
Figure 8 demonstrates how for three different maximum overcollateralization parameter ranges, namely (101–105%), (101–150%), and (101–300%), what the maximum system wide losses could be, assuming that the protocol in which the crash occurs has a debt of 400m USD, and the liquidity parameter is . As the minimum overcollateralization ratio falls, the maximum potential losses for the system grow: from right to left, as the minimum overcollateralization requirement falls from (or 300%) to (101%), the maximum possible loss increases. Given our uniform splitting of debt, what also emerges is that the result is driven by the minimum collateralization ratio.
Crisis. Agents seek to exit their under-collateralized asset positions by buying other available assets. Individually rational agents should seek assets that are uncorrelated with the asset they are disposing of. However, this leads to a spread of the initial DeFi lending protocol failure to any other asset that is available for trading on exchanges that accept the initial lending asset. Hence, the DeFi crisis can spread across multiple blockchains and also affect centrally-backed assets like USDT [tether].
7 Related Work
There is a paucity of directly related work. However, existing work can be divided into the following categories.
Deleveraging spirals and pegged assets.
A series of fundamental results in relation to the ability of non-custodial stablecoins to maintain their peg is provided in [klages2019stability]. It is shown that stablecoins face deleveraging spirals which cause illiquidity during crises, and that stablecoins have ‘stable’ and ‘unstable’ domains. The model primarily involves the assumption of two types of agents in the marketplace: the stablecoin holder (who wants stability), and the speculator (who seeks leverage). The authors further demonstrate that such systems are susceptible to tail volatility. While unpublished, [cao2018] uses option pricing theory to design dual-class structures that offer fixed income stable coins that are pegged to fiat currency. [pentland2018digital] considers how one might build an asset-backed cryptocurrency through the use of hedging techniques.
Identity and rationality.
In [ford2019rationality] consideration is given as to how a system that is designed to be secure only against rational adversaries cannot be considered secure more generally, these systems only become so if they remain secure even when participating parties behave in a fully Byzantine way. In building the argument, the authors rely on a distinction between ‘weak’ and ‘strong’ identities, similar to our work.
This paper presents two mechanisms through which a decentralized financial crisis could manifest. After providing formal constraints on the robust operation of a DeFi lending protocol, we use Monte Carlo simulation to show how, for a range of parameters, a DeFi lending protocol may find itself critically under-collateralized.
We then consider a governance attack on Maker, and show that provided an attacker is able to lock 27.5m USD of governance tokens, they can steal all 0.5bn USD worth of collateral within two blocks. We present a novel strategy that would enable an attacker to steal the collateral within two transactions, without the need to even escrow any assets.
These two sources of weakness in a DeFi protocol are inter-related, and could serve to reinforce each other. In the event that the collateral and reserve assets of a DeFi lending protocol experience a sharp decline in price, tending towards under-collateralization, the cost of acquiring enough governance tokens to undertake the governance attack would also likely fall. Conversely, should an actor undertake a governance attack, this would plausibly send shockwaves through the DeFi ecosystem, serving to reduce the price of the collateral asset, in turn making under-collateralization more likely.
A clear lesson from the Global Financial Crisis of 2008 is the role that financial contagion can play [allen2000financial]. We consider transmission mechanisms for contagion in DeFi, mechanisms which, in the event of any of the DeFi weaknesses we identify manifesting, could precipitate a decentralized financial crisis.
Appendix A Appendix
a.1 Existing DeFi protocols
|token Sets [tokensets]||4.8m||Ethereum|
a.2 Economic Cycles and Credit
Whether in the context of DeFi or traditional finance, a core feature of economies is a fluctuation between periods of economic expansion and contraction. One of the main reasons for such cycles is credit. To spur healthy growth, markets allow borrowers to take on debt from lenders in the form of credit. Credit is generally considered positive, if the borrowed money is used productively, and the lender avoids granting excessive credit [dalio2018principles]. While credit can thus be used for good purposes, the market may also abuse such capital injection. To (dis)incentivize borrowing, central banks and policy makers can adjust the interest rate. A higher interest rate renders borrowing more expensive, while a lower interest rate encourages lenders to give out credit. An abuse of excessive credit typically leads to debt defaults—i.e. a borrower no longer is able to repay its debt. Lending creates a self-reinforcing upward movement: the more credit is available and affordable, the more lenders take on credit to expand their business and thus the economy expands as a whole. This upwards trend however, necessarily must reverse at some point to repay and equate debt. Due to this dynamic, we observe cycles, with upward and downward trends. The literature differentiates among short-term (roughly every years) and long-term (every years) debt cycles [howtheeconomicmachineworks]. A debt crisis, such as the Financial Crisis of 2007-8, commonly occurs when debt and interest payments rise faster than the income that is supposed to pay back the debt. Once debt is no longer paid back and too much debt accumulated, policy makers (e.g. central banks) should intervene.
a.3 Strong positive correlation
Figure 13 shows that for a given amount of debt, the lower the starting liquidity (i.e. the amount that can be sold within 24 hours), the faster a negative margin precipitates. Similarly, for a fixed initial starting liquidity, the more debt there is in the system the faster the margin will become negative, down to below 40 days.
a.4 Weak positive correlation
Figure 14 shows the evolution of the ETH and reserve asset price to USD when the correlation of these assets is positive but weak (0.1).
Figure 15 shows the evolution of the collateral margin and debt in the presence of weak positive (0.1) correlation between the returns of the collateral asset and the reserve asset.
a.5 Strong negative correlation
Figure 16 shows the evolution of the ETH and reserve asset price to USD when the correlation of these assets is strong and negative (-0.9).
Figure 17 shows the evolution of the collateral margin and debt in the presence of strong negative (-0.9) correlation between the returns of the collateral asset and the reserve asset.
a.6 Governance Attack on Maker
a.6.1 Possible Remedies
Although some remedies have been discussed, no improvement has been deployed yet to the network. In this section, we discuss fixes that have been discussed and other potential way to improve the current state.
Governance security module.
One of the major issues is that there is currently absolutely no delay between the moment a new contract is elected and the moment it can control all the locked ETH. The most straightforward fix for this issue is to add a delay, during which participants could review the code of the new contract and eventually trigger an emergency shutdown if the contract looks clearly malicious or vulnerable to attacks. However, this results in another problem: security patches currently go through the same executive vote process and the Governance Security Module, which means that if a 24-hour delay were to be added, the vulnerability would be exploitable for the whole time. Given that both the patched source code would be available as well, it would make it very easy for an attacker to exploit the contract. This creates a large trade-off between protecting against governance attack and keeping the contract secure in case vulnerabilities are discovered.
Principle of least privilege. Another cause of this major issue is the excess of privilege that the executive contract is granted. The contract is currently designed to represent the state of the whole system [governance-risk]. Although this makes the governance process much simpler, as a user simply needs to vote on a single contract, it also gives an immense level of privilege to this contract, most of which should never be necessary under normal circumstances. This goes against the principle least privilege which has been crucial principle to secure software systems [kern2007foundations].
Although there are technical challenges to dividing privileges in such a system, adding a layer of control, which could obey different voting rules, on the locked collateral could make such an attack vastly more difficult to orchestrate. Many multi-signature wallets [pilkington2016blockchain] have the notion of threshold, over which more parties need to give their approval in order to allow a withdrawal. A similar approach could be taken to ensure that locked collateral cannot be stolen at once.
|for DAI (USD)|
|VCC Exchange [vccexchange]||21,000|
|Bamboo Relay [dexindex]||979,000|