I remember this in documentation too. I assumed that the TWAP used an interval window that was a little longer- if the price registered at 1.23 like @blck noted it seems like the time window over which average price is calculated is a bit too short. Might be good to have it a bit longer so that the window covers a peak volume time and/or integrate a volume weighted element to the feed [ie do a VWAP over the extended time window, or calculate the average price of the last $1mm in transacted].
I’m generally more in the dakeshi camp on this one, but I see your point. Given that one might be okay with neglecting the trade price for a few hours if it seems “nonsensical” [since we might be willing to cap the rate at 1.1 given that price really shouldn’t be above that level for more than a few hours], perhaps a more straightforward approach might be to use a longer time interval for the TWAP calculation. This way you allow for the vol/stability of the trade price to get baked in as dakeshi advocates, plus you get some stickiness in price to help it weather some odd short term moves that might take some time to get arbed away through minting etc (may take especially long if network is congested), which is what the cap sort of gets at.
To fix this problem at its core, Compound needs to integrate Chainlink Price Feeds. I am writing this as a daily DeFi user and as someone who only wants the best for the DeFi ecosystem as a whole, especially as the value secured rises. The false liquidation of ~$90M in user funds today was a serious issue that was directly caused by Compound’s centralized oracle solution which pulls market data from only a single exchange, Coinbase, with Uniswap TWAP used as a backstop. Compound’s price feeds provide data that only reflects a small subset of the total crypto trading market and fundamentally cannot provide sufficient market coverage. This in turn lowers the cost of market manipulation and exposes the protocol to inaccurate pricing from large trades.
Specifically, Coinbase has an extensive history of downtime and flash crashes, so I am surprised this was not immediately seen during development as being a huge single point of failure. Using Uniswap TWAP as a backstop is better than no backstop in this situation, but it introduces a false sense of security as it too can trivially be manipulated (as we saw during this event). This lack of market coverage allowed a malicious actor to manipulate just two exchanges to skew the price data delivered to the Compound protocol and falsely liquidate users and yield farmers using DAI as debt or collateral. The core issues of price feeds without market coverage are covered extensively in this blog post here which provides context about the importance of data quality for oracles.
Coinbase was the only major exchange that experienced such a drastic price deviation, other major exchanges were unaffected.
However, none of this information I mention above is new, as I have previously pointed out the numerous and specific vulnerabilities in the design of Compound’s oracle that were not and still have yet to be fixed. Here is a tweet thread I wrote on July 21st 2020 on my concerns regarding the Compound oracle and the likelihood of Coinbase experiencing market manipulation/flash crashes, the ability to manipulate Uniswap TWAP, and why taking a simple median across pre-selected exchanges does not solve the issue adequately either. Compound’s price oracles are still highly vulnerable to these issues as we speak, leaving over $3B in user deposited funds at risk of further catastrophic losses, and needs to be fixed immediately. Compound’s price oracle simply does not provide adequate market coverage as it exists today. Moreover, because it requires exchanges to change their API infrastructure to provide signed data that is compatible with Ethereum, the Compound oracle will continue to be inherently limited in the amount of market coverage it can ever achieve.
Chainlink Price Feeds provide an immediate solution to this problem, allowing the Compound protocol to fully mitigate these oracle related issues going forward. Aave, another decentralized money market on Ethereum experienced no price oracle issues during this event or any false liquidations. There is a very simple reason for this; instead of rolling their own oracle, exposing them to wide range of nuanced attack vectors, they simply integrated Chainlink oracles, which has successfully provided Aave users with the true market wide price of both DAI and every other asset on the platform since launch, as well as during this Coinbase/Uniswap outlier flash crash. I implore you to consider the following sections as I describe how Chainlink is resilient to these attack vectors.
Chainlink’s Decentralized Price Feeds are highly accurate and resistant to exchange distortions because they provide full market coverage by using multiple layers of aggregation that smooth outliers and prevent manipulated data from being delivered to smart contracts. This ensures market manipulation on a select few exchanges have no effect on the final data point generated and delivered to contracts. Specifically, Chainlink has three levels of aggregation to prevent the exact issues Compound’s price oracles experienced today.
- Firstly, Chainlink uses professional data providers (CoinGecko, BraveNewCoin, Amberdata, Kaiko, CryptoCompare, Alpha Vantage, CoinApi, CoinPaprika, CryptoAPIs, and more) who whose entire business model revolves around generating high quality data using refined aggregation methodologies. These data providers produce reference prices for cryptocurrencies that reflect the market-wide price by tracking hundreds of exchanges (both on-chain DEXs and off-chain CEXs), taking into account volume, liquidity, time, and other shifting differences across exchanges, preventing any single source of truth.
- Secondly, there are the security reviewed Chainlink node operators (T-Systems, LinkPool, Certus.One, Stake.fish, Chainlayer, Chorus,one, SNZ, Huobi, and dozens more) operated by professional DevOps and blockchain infrastructure teams who aggregate price data from multiple data aggregators and take the median off-chain before delivering the data point on-chain, preventing any single source of truth. These Chainlink nodes are paid for their services in LINK, not only covering their gas costs, ensuring timely and incentivized updates, but providing a source of profit. This creates crypto-economic security by creating a large opportunity cost for malicious activity. Additionally, multiple data providers already operate their own Chainlink oracle node and provide cryptographically signed data.
- Thirdly, there are the Chainlink oracle networks (feeds.chain.link) which are on-chain reference contracts that aggregate data from multiple node operators, again preventing any single source of truth. Each Price Feed is updated based on a threshold deviation and a heartbeat frequency, ensuring fresh data that follows market volatility is always available to contracts. These Price Feeds are a shared public good funded by many DeFi projects and already secure over $4B in user funds.
What I am proposing here is quite simple. By integrating Chainlink Price Feeds as the primary oracle solution for the Compound protocol, these market coverage issues simply disappear and users can be assured they will not be falsely liquidated (just as Aave can today). Chainlink already supports all of the price feeds the Compound protocol needs on mainnet and integration would be straight-forward, only requiring a few lines of code (docs.chain.link). Additionally, Chainlink Price Feeds can also be used in replacement of Uniswap as the backstop, providing a much more tamper-resistant solution, though being the primary oracle is ideal as it would completely stop these exploits from occurring and ensure there is no period without accurate data. I am writing this as a concerned DeFi user who does not want to see more user funds falsely liquidated due to entirely preventable oracle issues. We are all in this together and I believe that the DeFi community can come together to ensure all protocols are using oracle solutions that are sufficiently secure for the value they secure.
Please take what I say with consideration as the value locked in DeFi continues to grow in orders of magnitude. By fixing the issue at its source now, Compound development and governance can focus on and innovate around what assets should be listed and the risk parameters, rather than worrying about how to refund users in the wake of another price oracle exploit.
I have created a discussion for this proposal here.
Coinbase looked at the data from many different angles and concluded that not only were there no price manipulation alerts in our trade surveillance software, but we did not find any evidence of collusion or single actors that pushed the price higher. We believe our books properly operated according to the availably liquidity at the time which, in stablecoin markets, may become thin as price moves away due to the collateralized nature of these markets. And, Coinbase Price Oracle accurately reported data throughout the DAI price increase.
Head of Trade Surveillance and Market Health
Thank you, for the report, Pete. The thing is that even if we take as a given that price, reported by Coinbase oracle was accurate for the actual market conditions on particular Coinbase market and wasn’t a result of error or manipulation, it wasn’t relevant to actual price of DAI, as other market’s, in particular, Uniswap have not experienced and reported such price. Since it’s critical for Compound to have accurate price at every time, event proved, that Coinbase Price Oracle is not enough by itself to achive that goal. That doesn’t mean that price reported by Coinbase isn’t important data source, but it looks like just by itself, it’s not going to do the trick.
Thank you for chiming in. While I find your discoveries hard to believe, I appreciate you coming here to share your perspective.
First, it is widely understood that the market price was $1.03 during this incident. There were millions of DAI available for sale at this price across nearly every exchange in these moments. Can you please comment on how and why the Coinbase Oracle failed to reflect true market value despite three promised layers of protection against off market data?
Specifically I’d like your comment on point #2, off-chain filtering. Everyone knows DAI should trade near $1, and given that it was clear that in this moment, there was a liquidity crisis on Coinbase and Coinbase alone, why was $1.30 allowed to be printed on the oracle? Especially since it was only sustained for a few minutes. The oracle should be smarter.
This is completely unacceptable for Coinbase to be so cavalier about reporting local market prices on an narrow illiquid slice of the market when everyone knows the real purpose of the oracle is to report true market value. Your blog post says as much. Again it states “it is important to address various scenarios in which a data point to be signed does not reflect an actual market price of an asset”.
What sanity checks did the oracle perform? Did it check to see if Coinbase was off-market relative to other exchanges? In this case, every other exchange. I’d like to know how this oracle failure happened. I’d also like a full disclosure of how many accounts participated in driving the price of DAI to $1.30 and keeping it there. Please disclose whether there was anything suspicious or any patterns amongst these accounts.
Thanks for this.
Was there anything out of the ordinary with regard to the DAI-USDC designated market makers? Specifically:
- Were the market markets operating normally?
- What kept them from bringing back down the price by buying DAI on the Coinbase DAI-USD book and selling on DAI-USDC?
- The price dislocation against the wider market lasted for about an hour, so I think market makers would have had time to source liquidity even from other exchanges. Why didn’t they?
- Are you planing on increasing market makers on DAI-USDC to prevent other such liquidity crunches? I analyzed the relevant trades for this event, and buying about 360,000 DAI with a total cost of about 21K USD (paying above $1) is what was required to move the price to $1.3.
I’m a long time Compound user, but not integrating Chainlink at this point would be a mistake. It’s been mentioned in this thread many different ways already, but if you aren’t getting full market coverage, us users are taking on unnecessary risk. This recent problem with the DAI price being manipulated is proof of that. What would be a good reason NOT to integrate Chainlink price feeds?
MakerDAO offered liquidity against USDC, TUSD and PAX with up to ~99% LTV (100x leverage) and no liquidations, so it seems like it should be impossible for the price to diverge this much if deposits and withdrawals were operating normally.
Can you comment on the existence of any deposit/withdrawal issues during the time period covered? If there were issues, were they caused by technical faults or did Coinbase restrict transfers purposefully?
Thank you for your consideration.
Esteemed kybx86 has created a thread “Compensation Proposal: Distribute COMP to Affected Users in the DAI Liquidations” - I suggest everybody to move there, to that thread for the discussion of the specifics.
Hi @cryptoguy123. I’ve been following your work, and I agree that Coinbase’s filtering was poor judgment and candidly frustrating. I was also one of the affected users and I’ve been working with the community on compensation. Not sure if you’ve seen it, but I deployed a proposal to compensate users. It needs the community’s votes to pass. You can view the full details under this forum post: Compensation Proposal: Distribute COMP to Affected Users in the DAI Liquidations
Ideation for a new proposal that addresses objections with the initial has been occurring in the thread for the previous proposal Compensation Proposal: Distribute COMP to Affected Users in the DAI Liquidations
1- My thought is that it’s not the role of governance token to compensate for liquidations or failed liquidations
2 - In case there is a reserve build( the DAI reserve) it might be used after a vote to compensate for that day, even if it is not in this case a failed liquidation, but it should be voted whether or not the insurance fund should cover it
3- in case the vote would be to cover it, the coverage shouldnt go higher than the insurance fund taken at the time of the event, should the loss be higher.
insurance fund(dai reserve) is there to insure for failed liquidation
comp token was there to distribute a governance power to the right persons, not here to be used as an insurance fund, if this changes, it must be decided in the future and not related to a specific event
here is my opinion
I’d say I agree that deployment of an insurance fund makes perfect sense for covering platform failure / false liquidations over distributing governance tokens. I’d prefer the former over the latter.
(That being said my #1 preference would be returning the assets seized in false liquidation but I do not know the feasibility of that)
I don’t believe the return of the tokens is feasible because I’m pretty sure they’re liquidated by third parties who agree to pay the gas fee (not 100%).
I wonder if someone has done a more detailed analysis or researched DAI LIQUIDATION EVENT more deeply? (I do not mean individuals but providers of these types of services - ex. Gauntlet).
I don’t think it’s more about “peanut compensation” than explaining to damaged users where, how, and why the error occurred.
I think as members of the Compound community and protocol users we deserve some meaningful explanation. This event is ignored by the big token holders, who even claim that everything worked properly.
Given the current losses (ETH - $ 1000), an explanation would be a decent gesture.
@rleshner - You and the team from Gauntlet have refrained from voting on the compensation proposal. Can we get some real arguments about the liquidation event?
So this is just being ignored? Nothing being done? No oracle changes, and no compensation to people who got screwed by Compound’s crappy price oracle?
We can find that crappy oracle in new COMPOUND CHAIN WHITEPAPER. I don’t want to call out people but Compound.finance is obviously in a strong partnership with Coinbase.
I expected the team from Bankless and the Daily Gwei podcast to comment on the situation but everyone seems to avoid commenting on that.
Bull market is on the way and everyone is happy and euphoric and that distracts them from the real problems that exist in the DeFi sector (which is anything but DeFi).
Agreed, I have asked for some more details on how the oracle in the Compound Chain is going to operate (I know the node operators will be posting data, but I assume the reporter is still CB pro) but have not gotten a clear picture.
It would be a real shame if the lack of attention to fixing the oracle is simply because of the partnership you mention. I can’t imagine the community at large thinks that is a good idea. The silence is becoming rather frustrating, especially since I’m seeing DAI still prone to volatility on the CB pro market. Here is it today. Clearly this needs to be addressed ASAP.
Compound looks like an abandoned project. Nobody seems to care. Luckily there are other options out there.