On the afternoon of November 26, the decentralized lending platform Compound was hacked, and crypto assets worth about $90 million were forcibly liquidated by the system. In addition to users who borrowed DAI against non-stable crypto assets such as ETH, users who borrowed DAI against other stablecoins were also affected.

Compound pioneered DeFi liquidity mining this year. The total locked crypto assets on the platform are currently as high as 1.47 billion US dollars, slightly higher than Aave but lower than Maker, ranking second among DeFi lending platforms.

Figure: TVL ranking of DeFi lending platforms; Source: https://defipulse.com

The culprit for Compound’s huge liquidation was not a code vulnerability in the project itself, but an oracle data source that many people overlooked. In fact, in the past few years, the proportion of hacker attacks due to code vulnerabilities has decreased, while attacks based on price oracle manipulation are gradually increasing. Whether you are a developer or an ordinary user, you need to pay attention to the oracle's data source and take oracle security seriously.

In this article today, we will use easy-to-understand language to lead you to understand:
01

When it comes to oracles, the first thing that comes to mind is the prediction market. In fact, an oracle does not make any predictions. It is just a bridge that provides data and information.

Let’s take a common example from everyday life. You have just woken up in the morning and want to know if it is raining outside. You say to your iPhone, “Hi Siri, what is the weather like today? Will it rain?” The voice assistant Siri replies, “Master, it is drizzling outside now. Please remember to bring an umbrella when you go out.” In this example, Siri plays the role of an oracle, acting as a bridge between the real world and you, through which you learn that it is raining outside.

In the blockchain field, the most common kind is the price oracle, which provides price information of crypto assets to blockchain applications. It should be noted that the oracle itself does not hold data. It collects data from different channels and then processes it, and other applications call the data processed by the oracle. Just as in the example above, Siri itself does not know the weather conditions outside. It collects real-time weather data from the weather service provider, and we use the weather data that Siri obtained.

Price oracles can be divided into two types according to the way they obtain prices: one obtains the real-time price of crypto assets through the APIs of centralized exchanges and brings this off-chain price data onto the blockchain; the other directly reads the real-time data of decentralized exchanges (DEX) to obtain prices. Both methods have their own advantages and disadvantages. This time, Compound triggered a huge liquidation due to sharp fluctuations in the price of DAI. The oracle it used took its DAI price information from centralized exchanges.
02

Before introducing how hackers manipulated the oracle data source to cause Compound to trigger a huge liquidation, let us first understand the lending rules of DeFi lending platforms.

Whether it is Compound, Maker, or Aave, the main business is collateralized lending, that is, you need to put up crypto assets as collateral before taking out a loan. This is easy to understand. In real life, when you go to a bank to take out a loan, you also need collateral (such as a house or a car). If you cannot repay the bank's loan, the bank will auction your collateral and use the proceeds to repay your debt. The same is true for DeFi lending platforms. If you cannot repay, the platform will sell your collateralized crypto assets to repay your debt.

DeFi is a decentralized application that is automatically executed by smart contracts. In order to prevent risks, these DeFi lending platforms will set up:
The collateral ratio refers to the proportion of other assets that you can borrow after you pledge your crypto assets. Different crypto assets may have different maximum collateral ratios due to different volatility and market acceptance. For example, on Compound and Aave, the maximum collateral ratio of ETH is 75%, that is, if you pledge $100 worth of ETH to Compound or Aave, you can borrow up to $75 worth of other crypto assets. The maximum collateral ratio of UNI (Uniswap's token) is 60% on Compound and 40% on Aave, that is, if you pledge $100 worth of UNI on Compound, you can borrow $60 worth of other crypto assets, while on Aave you can only borrow up to $40.

The liquidation threshold refers to the ratio between your debt and your pledged assets at which the platform will forcibly sell your pledged assets to repay your debt. Similarly, different crypto assets may have different liquidation thresholds due to different volatility and market recognition. For example, the liquidation threshold of ETH on the Aave platform is 80%, which means that when your debt (loan + interest) reaches 80% of the value of your pledged assets, the system will sell your pledged assets to repay your debt.

When liquidation occurs, the lending platform rewards the liquidator, to motivate the liquidator to repay the debt on behalf of the borrower and prevent subsequent risks. For example, the liquidation reward of ETH on Aave is 5%.

Wang next door pledged 1 ETH (assuming the price was 500 USDT at the time of pledge) and borrowed 300 DAI (worth 300 USDT, with a pledge rate of 60%). After a few days, the price of ETH fell to 375 USDT, and Wang next door's pledge rate reached 80%, so he was about to be liquidated. As a liquidator, Kuang Kuang purchased the 1 ETH worth 375 USDT liquidated by the system at a preferential price of 356.25 USDT, a 5% discount.
After the system received the payment, it deducted Wang next door's debt of 300 DAI and returned the remaining 56.25 USDT to Wang next door. This example does not take interest into account, for convenience of calculation. In actual operation, because of interest, the ETH will be liquidated before the price falls to 375 USDT.

Next up is the massive Compound liquidation that happened yesterday. The DAI price on Compound comes from an oracle, and the oracle's DAI price is collected from a single exchange, Coinbase Pro. According to current analysis, hackers manipulated the price of DAI on Coinbase Pro. As shown in the figure below, the price of DAI rose to 1.34 USD in a short period of time.

The rise in the price of DAI on the Coinbase Pro exchange increased the debt of users on Compound who had borrowed DAI by pledging other assets. Some users with high leverage (including a large user) hit the liquidation threshold and were liquidated by Compound. The hacker then played the role of liquidator and obtained the 5% liquidation reward given by the system, ultimately making a profit of approximately US$3.55 million.

Sam Priestley analyzed in a tweet: When your account is being liquidated, the liquidator can choose to accept any of your collateral in exchange for repaying your debt. So the liquidator (the hacker in this case) took the DAI. Borrow DAI from Uniswap, repay the DAI debt, get more DAI from the liquidation, repay Uniswap, and collect the profit.

03

Compound experienced a huge liquidation mainly because the oracle only collected the price of DAI from a single exchange. DAI on other lending platforms, such as Aave, avoided this accident because they used the Chainlink oracle, which uses quotes from multiple operators.

For ordinary people like us, when using a lending platform, we must first understand the oracle data source of the lending platform.
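
The arithmetic above, as an added example that is not code from Compound, Aave, Chainlink or the original article: it reprices the 1 ETH / 300 DAI position with a single-exchange DAI quote and with a median over several quotes, flags the outlier feed, and reproduces the 356.25 / 56.25 settlement. The venue names other than Coinbase Pro, their quotes, the 10% deviation alert and the use of the 80% threshold for this position are assumptions.

```python
from decimal import Decimal as D
from statistics import median

LIQUIDATION_THRESHOLD = D("0.80")  # assumed; the page quotes 80% for ETH on Aave
LIQUIDATION_BONUS = D("0.05")      # 5% liquidation reward from the page
MAX_DEVIATION = D("0.10")          # assumed alert level for a feed far from the median

def debt_ratio(collateral_usd, debt_dai, dai_price):
    """Debt value divided by collateral value, both priced in USD."""
    return debt_dai * dai_price / collateral_usd

def is_liquidatable(collateral_usd, debt_dai, dai_price):
    return debt_ratio(collateral_usd, debt_dai, dai_price) >= LIQUIDATION_THRESHOLD

def settle(collateral_usd, debt_usd):
    """Return (amount the liquidator pays, remainder returned to the borrower)."""
    paid = collateral_usd * (1 - LIQUIDATION_BONUS)
    return paid, paid - debt_usd

def aggregate(quotes):
    """Median of all feeds, plus the names of feeds that deviate too far from it."""
    mid = median(quotes.values())
    outliers = sorted(s for s, p in quotes.items()
                      if abs(p - mid) / mid > MAX_DEVIATION)
    return mid, outliers

# Constructed quotes: one venue shows the 1.34 USD spike from the page, the others hold.
QUOTES = {"coinbase_pro": D("1.34"), "venue_b": D("1.01"), "venue_c": D("1.00")}

if __name__ == "__main__":
    collateral, debt = D("500"), D("300")  # 1 ETH at 500 USD, 300 DAI borrowed
    single = QUOTES["coinbase_pro"]
    mid, outliers = aggregate(QUOTES)
    print("single feed:", debt_ratio(collateral, debt, single),
          is_liquidatable(collateral, debt, single))
    print("median feed:", debt_ratio(collateral, debt, mid),
          is_liquidatable(collateral, debt, mid))
    print("outlier feeds:", outliers)
    print("settlement at ETH=375:", settle(D("375"), D("300")))
```

With the single feed the position is repriced to a ratio of 0.804 and crosses the threshold; with the median it stays at 0.606, and the spiking feed is reported as an outlier.
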
The more data sources there are, the more difficult it is for hackers to manipulate the oracle, and the safer it is, relatively speaking.

In addition, when taking out collateralized loans, it is recommended to appropriately lower your collateral ratio. Crypto asset prices fluctuate drastically, and hackers can manipulate prices or crash the market in just a few minutes. If the collateral ratio is high, many people simply do not have time to add collateral, and the only result they face is liquidation.

Finally, and most importantly, don’t borrow on the exchange if you can borrow off the exchange. There are countless examples of on-exchange borrowing and leverage being maliciously manipulated and liquidated.

Risk warning: The content of this article is only the author’s personal opinion, does not represent the views or position of Zhikuang University, and does not constitute any investment opinion or recommendation.