Compound suddenly liquidated a huge amount of US$90 million, oracle security should be taken seriously



November 26 was another extraordinary day. After many days of gains, the cryptocurrency market suddenly retreated sharply. The quote pages of major exchanges were a sea of red; mainstream coins such as BTC, ETH and XRP all posted double-digit percentage drops, and 24-hour contract liquidations reached as much as 1.373 billion US dollars.

However, the story does not end there.

When it rains, it pours

Before retail investors (the "leeks") had wiped away their tears, more bad news arrived. Debank data shows that Compound, the leading DeFi lending protocol, suddenly recorded liquidations totaling up to $87,837,568 this afternoon.


Hongbo, founder of Debank, told Odaily Planet Daily that the huge Compound liquidation was in fact caused by dramatic fluctuations in the DAI price on Coinbase Pro, the oracle's data source. By manipulating the information source an oracle relies on, an attacker can achieve short-term price manipulation and mislead the price on-chain.

Chengdu Lian'an also stated that this liquidation event has nothing to do with Compound's own contracts; it is suspected that the off-chain oracle data source was attacked. The DAI price on Coinbase Pro fluctuated greatly, well beyond the range seen on other exchanges.

Interestingly, in addition to users who borrowed DAI against non-stable assets such as ETH, users who borrowed stablecoins against stablecoins were also affected.

Xu Yong of Debank posted the position of a user heavily affected by the liquidation. The data shows the user had deposited stablecoins (DAI + USDC + USDT) into Compound and borrowed stablecoins (DAI + USDC + USDT) against them to mine COMP. In theory, borrowing stablecoins against stablecoins is largely insulated from price swings and carries relatively little liquidation risk, yet in extreme situations liquidation still occurs.


A picture circulated in the community shows that the price of the dollar stablecoin DAI in Compound's price feed reached an abnormal value of $1.22.


On Coinbase Pro, the DAI/USD price began to climb steadily from 15:30, reaching a peak of 1.34 US dollars.

Large swings in a stablecoin's price cause large swings in the borrowing ratio (debt value / collateral value) of positions that normally look safe, and so can push a position over the liquidation line. The threshold for this ratio differs by asset in Compound; for DAI it is generally 75%.

For example, suppose a user supplies 200 DAI + 100 USDC and borrows 200 DAI + 10 USDC (mainly to mine COMP). If DAI and USDC both hold at about 1 USD, the borrowing ratio is 70%. But if DAI rises to 1.5 US dollars, the value of both the collateral and the debt changes, and the ratio rises to about 77.5%.
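The arithmetic above, carried through in code as an added example (not the article's or Compound's own code). It uses the article's simplified model, a single borrowing ratio of debt value over collateral value compared against one 75% threshold for every position, which is an assumption; Compound's real accounting applies a collateral factor per asset. The 200 DAI + 100 USDC / 200 DAI + 10 USDC position is the article's; the ETH-backed position, the ETH price and the 1.34 DAI shock feed are constructed (the 1.34 figure mirrors the Coinbase Pro peak the article reports).

```python
from dataclasses import dataclass
from typing import Dict, List

# Added example: how a stablecoin price shock moves the borrowing ratio
# (debt value / collateral value) that the article compares to the liquidation line.


@dataclass
class Position:
    name: str
    collateral: Dict[str, float]  # asset -> amount supplied
    debt: Dict[str, float]        # asset -> amount borrowed


# DAI threshold quoted in the article; applied to every position here (assumption).
LIQUIDATION_THRESHOLD = 0.75


def usd_value(amounts: Dict[str, float], prices: Dict[str, float]) -> float:
    """Value a basket of assets at the given price feed."""
    return sum(amount * prices[asset] for asset, amount in amounts.items())


def borrow_ratio(pos: Position, prices: Dict[str, float]) -> float:
    """Debt value divided by collateral value, both marked at the feed's prices."""
    return usd_value(pos.debt, prices) / usd_value(pos.collateral, prices)


def is_liquidatable(pos: Position, prices: Dict[str, float],
                    threshold: float = LIQUIDATION_THRESHOLD) -> bool:
    """A position can be liquidated once its ratio exceeds the threshold."""
    return borrow_ratio(pos, prices) > threshold


def liquidatable_positions(positions: List[Position], prices: Dict[str, float],
                           threshold: float = LIQUIDATION_THRESHOLD) -> List[str]:
    """Names of every position the given feed would push over the line."""
    return [p.name for p in positions if is_liquidatable(p, prices, threshold)]


# The article's stable-on-stable position, plus a constructed ETH-backed one.
ARTICLE_POSITION = Position("stable-on-stable",
                            {"DAI": 200, "USDC": 100}, {"DAI": 200, "USDC": 10})
ETH_POSITION = Position("eth-backed", {"ETH": 1.0}, {"DAI": 350})  # constructed
POSITIONS = [ARTICLE_POSITION, ETH_POSITION]

NORMAL_PRICES = {"DAI": 1.00, "USDC": 1.00, "ETH": 500.0}  # ETH price constructed
SHOCK_PRICES = {**NORMAL_PRICES, "DAI": 1.34}               # DAI at the reported peak

if __name__ == "__main__":
    for label, feed in (("normal", NORMAL_PRICES), ("DAI shock", SHOCK_PRICES)):
        for p in POSITIONS:
            print(f"{label:>9}  {p.name:<16} ratio={borrow_ratio(p, feed):.3f}"
                  f"  liquidatable={is_liquidatable(p, feed)}")
```

Note that at the $1.22 the article's screenshot shows, the stable-on-stable position stays just under 75%; at the $1.34 Coinbase Pro peak it crosses, and the ETH-backed borrower is far over the line because its debt repriced while its collateral did not.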

What happens after liquidation?

A liquidation has happened; what does that mean?

First, it needs to be clear that liquidation is a fixed part of the lending protocol. It is designed to ensure that the protocol always holds enough assets to cover withdrawals and loans, while guarding against the risk of default.

In Compound's liquidation mechanism there is a special role called the liquidator, and anyone can become one. As soon as a liquidator finds a loan whose borrowing ratio has breached the threshold, it can trigger the liquidation process. The liquidator then takes the borrower's collateral at a discount, and the funds it pays are equivalent to repaying the loan on the borrower's behalf. This avoids bad debts on the platform and maintains solvency.

PeckShield gave an analogy for this incident. Suppose a user borrows 750,000 US dollars' worth of DAI from Compound against a house worth 1 million US dollars. If the price of DAI unexpectedly rises, the user must deposit more collateral to keep the ratio at 75%; if they do not, liquidation can be triggered. Once liquidation executes, the house no longer belongs to the user: a liquidator obtains DAI at its normal price elsewhere, repays the loan on the borrower's behalf, and takes the house.

Hongbo explained that in this incident, the attacker could act as liquidator and pocket the 5% discount on collateral that the Compound system offers as an incentive.

Oracle manipulation attacks are rampant

This is not the first recent attack on a price feed.

Chengdu Lian'an also pointed out earlier that the recent "flash loan attacks" that have ravaged Amber are, in essence, oracle manipulation: creating a price gap between inside and outside the protocol and arbitraging it. Flash loans are merely a new financial tool in the attacker's hands.

At the end of October, the DeFi project Harvest Finance was attacked. The attackers used only 20 ETH (mainly to pay for gas so the attack could complete quickly) to leverage $30 million in proceeds. The protocol used the Curve y pool as its price feed when minting fTokens; the attackers distorted that price data with huge swaps, controlling the amount of tokens received, and arbitraged repeatedly.

Last week the Value DeFi protocol was also attacked. Through a series of cross-protocol operations the attackers manipulated the price of a Curve asset pool, ultimately causing Value DeFi to lose more than $7 million.

There are many more such cases: Cheese Bank and Origin Protocol have also recently been attacked.

Judging from the Compound case, the root cause of the huge liquidation is that the oracle's price relied on a single data source.

In this regard, Chengdu Lian'an suggests that DeFi developers strengthen targeted testing of oracles. Before a project goes live in particular, they should simulate as many price-manipulation scenarios as possible, find problems early and design fixes, so as to improve the project's resilience against oracle attacks.

After launch, developers should also, as circumstances allow, integrate third-party oracle services and security testing services, and run bug bounty programs to find weaknesses in time, optimize the overall architecture, and minimize the chance of similar incidents recurring.
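The single-source weakness the article identifies, and the multi-source approach its advice points to, as an added example (not Compound's code and not any oracle vendor's). The aggregator takes quotes from several venues, drops any venue whose quote deviates too far from the cross-venue median, requires a quorum of surviving venues, and refuses to move the published price by more than a bounded step per update. Venue names, quotes and all limits are constructed; the 1.34 quote mirrors the Coinbase Pro peak the article reports.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional

# Added example: a defensive price-feed aggregator with outlier rejection,
# a source quorum and a per-update step limit.


@dataclass
class FeedResult:
    price: Optional[float]   # published price, None when quorum is not met
    accepted: List[str]      # venues whose quote was used
    rejected: List[str]      # venues dropped as outliers
    held: bool = False       # True when the step limit kept the previous price


def aggregate_price(quotes: Dict[str, float], last_price: Optional[float],
                    max_source_deviation: float = 0.05,  # 5% from cross-venue median
                    max_step: float = 0.10,              # 10% move per update
                    quorum: int = 3) -> FeedResult:
    """Combine per-venue quotes into one price, or refuse to publish."""
    if not quotes:
        return FeedResult(None, [], [])
    reference = median(quotes.values())
    accepted = sorted(venue for venue, px in quotes.items()
                      if abs(px - reference) / reference <= max_source_deviation)
    rejected = sorted(set(quotes) - set(accepted))
    if len(accepted) < quorum:
        # A lone venue (the single-source case) can never reach quorum.
        return FeedResult(None, accepted, rejected)
    candidate = median(quotes[v] for v in accepted)
    if last_price is not None and abs(candidate - last_price) / last_price > max_step:
        # Even unanimous venues cannot jump the price in one step; hold and flag.
        return FeedResult(last_price, accepted, rejected, held=True)
    return FeedResult(candidate, accepted, rejected)


# Constructed quote sets for a dollar stablecoin.
NORMAL_QUOTES = {"venue_a": 1.00, "venue_b": 1.01, "venue_c": 0.99, "venue_d": 1.00}
ONE_VENUE_SPIKES = {**NORMAL_QUOTES, "venue_a": 1.34}   # one venue prints 1.34
SINGLE_SOURCE = {"venue_a": 1.34}                      # the article's failure mode
ALL_VENUES_SPIKE = {v: 1.34 for v in NORMAL_QUOTES}    # coordinated move

if __name__ == "__main__":
    last = 1.00
    for label, q in (("normal", NORMAL_QUOTES), ("one venue spikes", ONE_VENUE_SPIKES),
                     ("single source", SINGLE_SOURCE), ("all spike", ALL_VENUES_SPIKE)):
        print(f"{label:<17} -> {aggregate_price(q, last)}")
```

With one venue at 1.34 and the rest near 1.00, the outlier is rejected and the feed publishes 1.00; with only that venue available there is no quorum and nothing is published, which is the safer failure than repricing every DAI loan; and if every venue moved to 1.34 at once the step limit would hold the previous price and raise a flag for review rather than liquidate on a single update.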