DAI Liquidation Event

The Compound protocol uses Coinbase Oracle for account liquidity calculations, anchored to within 20% of the Uniswap time-weighted average price. Any Ethereum address can post the signed/reported price on-chain, which allows for a permissionless and autonomous price feed that rapidly de-risks accounts.

From approximately 12:00am to 1:00am PT on Thanksgiving morning, the price of DAI on Coinbase Pro began trading at increasing prices and volume across the DAI/USDC, DAI/USD, and ETH/DAI pairs, reaching as high as $1.30. This coincided with a decline in ETH prices globally, of approximately 8% during the same time period.


[Figure: DAI/USDC and ETH/DAI charts; 24h volume 25m DAI]

During this period, 85.2m DAI were repaid by liquidators, who seized collateral from addresses borrowing DAI. In the largest liquidation, an address “yield farming” had 46.2m DAI repaid, and 49.8m DAI seized.

In total, 124 addresses of 225,793 were impacted; there are no under-collateralized accounts in the protocol; and all markets are healthy. However, addresses that were liquidated feel that the risk parameters & price feed were too aggressive / onerous.

Data

Analysis
Fundamentally, the protocol and price feed performed as designed; real trading, on America’s largest exchange, was used to aggressively reduce the risk of borrowers in the protocol. What was unexpected was the adverse market condition that occurred, how quickly it occurred, and for many users, that it could occur at all.

The DAI market on Compound, with 1.6 billion DAI supplied and 1.3 billion DAI borrowed, has grown far larger and more rapidly than anyone had anticipated. The Compound DAI market eclipses both the underlying DAI market, the liquidity on exchanges, and the global trading volume of DAI by a vast margin. This exact risk is at the core of the Gauntlet Market Risk Assessment.

Next Steps
This liquidation event should be a wake-up call to calibrate the protocol, which has scaled rapidly over the summer. I recommend that the community discuss what steps, if any, should be taken to prevent similar liquidations from occurring in the future.

Broadly, potential changes could include:

  1. Modifying the DAI market parameters, including the Borrowing Cap, to reduce the size of the DAI market relative to trading venues
  2. Modifying the DAI price feed by either tightening the anchor bounds, capping the price (e.g. to 1.05), or utilizing additional reporters
  3. Removing the reporter in some/all cases and relying only on Uniswap, or taking an entirely different approach

Additionally, impacted addresses have been vocal about being compensated for their liquidation costs–the governance process is capable of allocating COMP, and should analyze whether this is reasonable.

5 Likes
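An added example, not part of the original post and not Compound's contract code: it runs the price-feed options listed under "Next Steps" (anchor bounds, a price cap, additional reporters) against one constructed borrower. The anchor value, the other venues' prices, the account figures, the symmetric band and the "keep the last accepted price on rejection" rule are all assumptions made for illustration.

```python
from statistics import median

SCALE = 10**6  # prices as integers with 6 decimals (micro-USD)

def within_anchor(reported, anchor, bound_pct=20):
    """True if the reporter price lies within +/- bound_pct % of the anchor (TWAP)."""
    return abs(reported - anchor) * 100 <= bound_pct * anchor

def anchored_price(reported, anchor, previous, bound_pct=20):
    """Accept the reporter price inside the band; otherwise keep the last accepted
    price (modelling assumption for how a rejected post is handled)."""
    return reported if within_anchor(reported, anchor, bound_pct) else previous

def shortfall_usd(collateral_usd, collateral_factor_pct, borrowed_dai, dai_price):
    """Debt value minus borrowing capacity; a positive value means liquidatable."""
    capacity = collateral_usd * collateral_factor_pct // 100
    debt = borrowed_dai * dai_price // SCALE
    return max(0, debt - capacity)

def compare_policies():
    # Constructed sample values, not data from the event.
    reporter = 1_300_000                     # the spike quoted in the thread
    other_venues = [1_030_000, 1_020_000]    # hypothetical additional reporters
    twap_anchor = 1_090_000                  # hypothetical Uniswap TWAP
    previous = 1_030_000                     # hypothetical last accepted price
    # Hypothetical account: $1,000,000 non-DAI collateral, 75% collateral
    # factor, 600,000 DAI borrowed (80% of capacity at $1.00).
    account = (1_000_000, 75, 600_000)

    prices = {
        "anchor_20pct": anchored_price(reporter, twap_anchor, previous, 20),
        "anchor_10pct": anchored_price(reporter, twap_anchor, previous, 10),
        "cap_1_05": min(anchored_price(reporter, twap_anchor, previous, 20), 1_050_000),
        "median_3_reporters": median([reporter] + other_venues),
    }
    return {name: (p, shortfall_usd(*account, p)) for name, p in prices.items()}

if __name__ == "__main__":
    for name, (price, short) in compare_policies().items():
        print(f"{name:20s} DAI=${price / SCALE:.2f}  shortfall=${short:,}")
```

The 10% band rejects the spike only while the TWAP lags: with the anchor at $1.19, a $1.30 report is back inside the band, whereas the cap and the median do not depend on the anchor's position.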

Do you think it would be a good idea that we use comp reserves to reimburse people? Then again, that is treating comp like cash.

3 Likes

It seems disingenuous at best to say the platform worked as intended. The DAI price traded no higher than $1.03 anywhere else GLOBALLY. This was an exploit plain and simple. The adverse market condition was only on the single oracle that Compound used. The market did not price DAI at $1.30. The Compound protocol was attacked by someone who manipulated the DAI price up on Coinbase for the purpose of liquidating people at a discount.

Not only should most of these liquidations not have happened, folks that had non-DAI collateral lost ~30% of value of their collateral in the liquidation process due to the erroneous oracle allowing the collateral to be seized at an adverse and improper exchange rate.

I do hope the community at least partially reimburses the losses as this was clearly not intended behavior by the protocol, and borrowers following the UI “safe max” found themselves liquidated due to a protocol exploit. Not real market conditions that occur due to normal volatility.

11 Likes

Users that got liquidated should be compensated imo. They borrow stablecoin because it’s the least volatile among all other assets but got liquidated anyway because of a sudden 30% rise of the borrowed asset. I’ve seen many platforms (comparably smaller) like Pickle and Harvest that were exploited; they came to a resolution to pay back the losses of their users. Hence, the responsibility falls on the platform.

Compound is one of the biggest players in the crypto space; if the smaller fish returned the funds, we expect Compound can also do it. Otherwise, the community and the crypto world will view Compound as greedy and incapable of accountability. We should add more sources for pricing, especially decentralized ones. For now, we should avoid using the Coinbase price feed considering their recent status according to this tweet:
@AdamScochran

"So:

Binance had lag.
ByBit had liquidity crisis wicks.
FTX had UI disconnect.
Uniswap had gas overload.

Coinbase? The biggest player?

They had their 3rd major outage in three months, while also tweeting randomly about negative regulation and internal scandals."

8 Likes

You were warned and you ignored the warning. People told you for months that this is a weak point in the design and you guys deliberately ignored it and now you get exactly what was predicted.
However, it's not too late to throw the centralized Coinbase Oracle into the garbage and replace it with decentralized Chainlink ones. Acknowledge your mistake or watch this sh*tshow happen again.

Good luck, you're gonna need it.

7 Likes

My previous comment got deleted here, and I am not sure why. I am a Compound user and I hold and farm COMP. Yet I can’t voice my opinion because someone doesn’t want to hear it? This is very unfortunate and not a good sign for a proper community communication. Fix your flawed design.

6 Likes

Imagine not using link oracles in 2020

9 Likes

I lost well into 6 figures off this mistake. Naturally, losing large amounts of money has me researching the reasons behind this colossal error. In my pursuit of the truth, I discovered that Compound received its price feed from Coinbase. Obviously this is a very risky strategy since Coinbase can have an error or other issues with their exchange, as we saw today. The thing that I am most curious about is why the Compound team decided not to use Chainlink, which pulls data from multiple sources and aggregates them, preventing mishaps like this.

I think the team has some explaining as to why they allowed such an easily preventable exploit to occur due to their own negligence. I feel that I should be personally reimbursed since this was no fault of my own, but the team itself’s fault due to either gross negligence or gross stupidity. Either way, it is unacceptable and I demand to be reimbursed.

12 Likes

Dear GoldenBull,
Like you, I came to the same end that this was clearly gross negligence and preventable, but I wouldn’t count on reimbursement; that's why we should all organize (all 124 affected) and join in on a Class Action Lawsuit against the Compound Protocol.

Sincerely,
Yehuda Leib

5 Likes

I’m posting this from the perspective of a programmer who has been in the business for 30 years with the past 5 of those years being spent working on blockchain/smart contract related projects. It is easy to see the “chinks” in your armor so to speak. The protocol is only as strong as its weakest point. The weakest point is glaringly the oracle system you decide to use. I don’t have the time to explain the intricacies of how and why as I am not a paid developer on this project but hopefully an event where the weaknesses in the protocol were so easily exploited will let your own team realize the flaws.
If your team chooses not to use a secure oracle (no, Coinbase does not provide a secure oracle) the attacks will continue.
There is good money in taking the funds from users in your protocol and you cannot blame the “smart contract hackers” who chose to do so.

3 Likes

I have no problem taking responsibility when I am wrong, but this event is market manipulation. Some people, those who have not suffered losses, are made smart, but imagine a future manipulation where the price of DAI will be $2. In that case every borrower will go through liquidation. I am using only compound.finance, but if this case stays unsolved I will move to an alternative. I am a miner and I am using this dapp for business liquidity, and when I pay for equipment 1 DAI is around $1, not $1.3… that is why it is called a stablecoin. I would not complain that my positions were liquidated due to the volatility of Ethereum or Bitcoin, but due to a stablecoin - that is unacceptable. This makes this product pointless and unusable.

4 Likes

I agree with you and I am in the same problem, but please be smart and don't talk about racism because we don't see each other's skins in this game - only public keys and usernames.
Good luck

  1. Modifying the DAI market parameters, including the Borrowing Cap, to reduce the size of the DAI market relative to trading venues

Agree.

  2. Modifying the DAI price feed by either tightening the anchor bounds, capping the price (e.g. to 1.05), or utilizing additional reporters

I think that it is not a good idea to set a capping level for DAI because it is designed to accept some volatility and balance its stability with the incentive mechanism.

If we reduce the anchored Uniswap bounds to 10% and it has not enough incentive for liquidators (considering the 8% premium), it could bring about an insolvent situation.

So… in addition to Coinbase Pro, using an average price from multiple price feed sources is better for reducing this kind of risk.

Btw, is creating a new proposal required to add an OKEx feed as a designated reporter in UniswapAnchoredView? This is one of the urgent actions we need to avoid potential issues of the same type.

  3. Removing the reporter in some/all cases and relying only on Uniswap, or taking an entirely different approach

Operating only a single point of price feed system is not a good idea. (In an AMM, LPs have no loyalty.)
I don’t have any good idea except adding more reporters to the current open price feed model.


For compensation, I agree that we can support some amount of COMP for impacted wallet addresses. As COMP holders, we had to take more interest in making an enhanced price feed system rather than leaving only a single point of external exchange reporter (Coinbase Pro).

4 Likes

Chainlink is the way to go. If you want to see the difference to the open oracle, check here. The DAI/ETH price is delivered by 9 oracles and is aggregated (averaged), so large deviations like the one of Coinbase are ironed out. Integration is very easy.

This would also come with two other benefits:

  1. When adding new coins to Compound you are not limited to the coins which are offered by the Coinbase API. Chainlink offers prices for a much larger range of coins.
  2. You are no longer dependent on volunteers to post the current prices to the blockchain, which leads to outdated prices. With Chainlink, prices are updated regularly and automatically.

5 Likes

Earlier, I shared a brief summary of my thoughts on this matter in Discord. Below, I share an extended perspective.

Summary of the Exploit:

It is clear that this event was a targeted exploit of the Compound protocol through a manipulated oracle, which the Compound system used to drive liquidation events. The broad market DAI price was roughly $1.03 on all major exchanges except very briefly on the two exchanges which Compound uses for its oracle input, where the price was manipulated to a value of roughly $1.30, causing this cascade of liquidations. The protocol functioned as written, however it cannot be said that the protocol was functioning as intended, as I do not believe that the intention of the Compound protocol was to have mass liquidations due to faulty inputs. In software engineering, this is called a bug and these bugs often lead to attack vectors such as the one that currently exists in Compound.

Remedies:

Compound is a leader in this space. Accordingly, all eyes will be on the Compound community and the steps we collectively decide to take. Whether Compound remains a leader into the future, or fades, will depend on some key community decisions.

Community:

For the long-term health of the Compound protocol (and by extension the value of the COMP token), it makes sense to compensate victims of this recent attack. The reputation of Compound—the goodwill and trust of users—is paramount to the success of the protocol. Damaging this relationship would be damaging to the protocol.

Precedent for providing a remedy has been seen in previous DeFi incidents where a faulty protocol weakness was exploited (e.g., Yearn, Harvest, etc). Historically, maintaining this goodwill strengthened these projects technically and from a community perspective. Accordingly, a minor dilution of the COMP token to maintain this goodwill is worthwhile in the long run. By way of example, maintaining a good community relationship effectively saved Harvest. These precedents can be used as a basis to kickstart compensation discussion.

Technical:

The oracle vulnerability is still a gaping hole that needs to be addressed. Can an attacker still manipulate the price of assets reported by the Compound oracle beyond their current fair market value? If an attacker can still perform this exploit, resolving this issue should be an immediate priority. Moreover, if this exploit is still performable, Compound should not be used by anyone. Additional price feeds are a band-aid solution but may be appropriate in the short term if diverse enough. This is a deeper discussion for the Compound community. If this exploit uniquely affects DAI, then disabling DAI is another option.

A long-term solution requires investment into a robust oracle system, which is another deeper discussion for the Compound community.

Another wise investment may be an insurance fund which may be deployed in the case of unanticipated protocol attacks, however, this is also a deeper discussion.

The Compound community should act in the interest of the community. It is wise to proceed strategically, thinking of the long term and what will both remedy the technical issue and promote community health going forward.

8 Likes

There is another aspect to consider here as far as reimbursements go. If all the affected people who are yield farming, kept their COMP, they would actually have decent amount of votes to vote for a good resolution for themselves. (Especially pretty large yield farmer with >30 million supply).

However, if most of the affected people were selling COMP directly into the market they won't actually have any influence on the direction of the protocol, hence can’t really get the resolution that they want.

This is a good demonstration that if you are doing riskier things with Compound with large amount of capital, it is a good idea to keep the COMP that you are earning, because you will need it to resolve issues in your favor down the line. (This won’t be the first, or last large issue that protocol will run into)

1 Like

I’m very sympathetic to those who were affected in this event.

I sense three trends of discussions in the comments that were brought up already:

  1. What happened?
  2. How do we prevent it?
  3. Incurred losses

Without fully understanding the event itself, it would be extremely tough to tackle the other two issues. For the interest of risk management, I recommend that we first focus the discussion on gathering data and fully understanding the event with the goal of turning the discussion into swift actionable items for governance to prevent this from happening again.
It would be wise to separate these two tracks to allow the discussion around incurred losses to receive the attention it deserves while we can remain swift about risk management.

3 Likes

Per the public doc, the pricing oracle should follow price within Coinbase oracle and Uni (20% weighted average), but seems DAI @1.3 u is highly likely to go beyond range of sanity check, can u pls correct if any misunderstanding here.

Also, when is the potential change plan to take place?

Thanks

1 Like

In whose favor should COMP token holders vote? Systems like Compound are created so that everyone votes in their favor because they have “skin in the game”. (Correct me if I’m wrong)
As for sell pressure I agree with you - maybe some lock period for the affected address would be the solution - of course with COMP use case on Compound(collateral).

1 Like

Absolutely agree with everything written here. Defending Compound’s solvency is obviously a primary goal, but so should be defending the users of the protocol. The market price of DAI was never over $1.03. Coinbase Pro’s price was off market, and manipulated. What happened here was clearly an exploit. And Compound’s users lost. It is a small price for Comp token holders to take a bit of dilution and make this situation right for the users of the protocol. As 4d mentions, there is precedent for this. It is further salt in the wound that the Compound interface declares using 80% of borrowing capacity as “safe”, when clearly this exploit made that not the case.

On the technical front, in the event that there are disparate prices, I would argue the protocol should use the lowest liquid price available for borrowed assets and the highest prices available for supplied assets. Why? Because defending Compound’s users should also be a top priority in conjunction with defending the protocol’s solvency. If there were DAI available on the market for $1.01 or $1.03, then we would presume that these could be sourced to repay the loans. We wouldn’t presume a reasonable actor would wish to find the most expensive DAI in order to repay and make their position whole.

In this case, the protocol failed, and used an off-market, high, illiquid price to price the borrowed assets and this resulted in the seizure of assets at a 22% discount, plus the 8% penalty, resulting in a 30% loss of deposited collateral on positions that should never have been liquidated.

6 Likes