Formal process for new collateral assets

I encourage the Compound community to adopt a more formal process for adding new collateral assets. Each new asset adds existential risk to the entire protocol, yet in some cases the governance discussion has omitted important security questions.

Before creating a governance proposal (like #56) to add new collateral, at a minimum we should answer the following questions about the asset:

  • Who audited the collateral token contract? What security issues were raised in the collateral token’s audit reports? Are any of these relevant to its use as collateral in Compound?
  • Can the collateral token contract be upgraded? Who is authorized to make an upgrade? Can an upgrade happen instantly or is there a time-lock delay? Under what scenarios could an unauthorized upgrade occur? How many people or organizations would need to be compromised?
  • Does the collateral token contract have a fixed supply? If new tokens can be minted, are there any scenarios where tokens can be minted without proper authorization? (For example, centralized wrapped assets like WBTC and USDC may be vulnerable to insider collusion or external hackers.)
  • Are there any large token holders? Who are they and what security procedures protect their accounts? If a single holder owns enough of the token to use it as collateral to borrow a significant fraction of Compound assets, then a hacker who steals these tokens may be able to “sell” them on Compound by supplying them as collateral and “borrowing” clean assets. The existence of this exit ramp may in itself increase the incentive to hack such large wallets.
  • How much CEX and DEX liquidity exists for the collateral asset? This liquidity supports the liquidation process when the collateral asset is seized (and probably sold). Deep liquidity also defends against market price manipulation with the intent of triggering a cascading liquidation event.

For reference, recent examples of collateral discussion:

6 Likes

second. …

I agree.

What is the threshold for ‘large’?

It seems relative to the asset’s liquidity.

If the asset has lots of slippage on DEXs, a hacker may use Compound to exit.

If hackers use Compound, the hack may not greatly impact the price of the underlying asset. If there’s enough liquidity across exchanges, liquidators could exit without damage to Compound.

Likelihood of hacker using Compound depends on DEX slippage.
Damage of hacker using Compound depends on liquidity across all exchanges.

So, what is the threshold for ‘large’?

1 Like

You are right, what matters isn’t whether there are “large” holders but whether the Compound liquidation system can protect its suppliers if such a holder were hacked. The liquidation system is vulnerable to a price decline that is so large and so fast that borrower positions become insolvent before they can be liquidated. For example, if an asset has a collateral factor of 70%, then a sudden price drop of more than 30% can create underwater positions. These positions will be repeatedly liquidated until no collateral remains, but their debt will not be fully repaid.

The scenario I have in mind: A project treasury (or exchange hot wallet, etc) holding token XYZ is hacked. The hacker sells whatever they can via DEXes, causing a 30% price decline. The hacker supplies the remaining XYZ tokens as collateral to Compound, borrows ETH worth 70% of their value (at the old price), and walks away from the XYZ collateral.

Now the question is how the market responds to the instantaneous 30% drop in price on DEXes. If the global market price is resilient, then liquidators will be able to repay all the XYZ-backed debts without needing to seize all the XYZ collateral. However, during this process sales of seized XYZ will cause further downward pressure on global XYZ prices, possibly creating insolvent positions and protocol losses.

So deciding what is “large” means guessing how the market would react to a cascading liquidation event that dumps XYZ on the market from both the hacker’s abandoned position and from innocent XYZ-backed borrowers whose positions are suddenly vulnerable due to the event. It could be that the market could absorb the hacker’s position alone, but is overwhelmed by the subsequent avalanche. This depends on both global market liquidity and patterns of collateral use in Compound (and other) borrowing markets.

I don’t have a good answer. In the end I think it a subjective decision based on as much objective evidence as we can find.

2 Likes

On Coingecko they list a market depth of +/-2% in price. For 70% CF, maybe we would care about +/-30% market depth.

Somehow Coingecko (also other sites like coinmarketcap) has information for -2% market depth. Maybe they could tell us -30% market depth?

That may be impossible – they don’t know what new orders will be placed as prices drop. Most limit orders are likely near the current price, which would allow them to get an idea of +/-2% market depth.

Pause Risk
Pausable tokens represent a risk to Compound because a pause of token transfers could prevent liquidation.

If pausing happens because of a vulnerability, the pause could coincide with a price decrease. During the pause, Compound would not be able to liquidate bad debt. This is a risk to all markets.

The size of the risk is the collateral factor times the current value of the paused market’s collateral. The risk is likely to be focused on stable coins because they are the most frequently borrowed. But, even though volatile assets may not be the primary assets borrowed, they could also be at risk if their reserves are low.

Pause risk might be limited by a Collateral Cap or Supply Cap.

If a market is paused during a downturn, the result would look like slow liquidation.

The price drops. Debts are not repaid. The difference between the value of the collateral and the borrowed assets represents the damage to the reserves. If the difference exceeds the reserves, this could lead to a bank-run.

See the reserves per asset to know the size of Supply Cap/Collateral Cap needed to mitigate this risk.

Who can pause the asset?
Under what circumstances would they pause?

3 Likes

Personally i think as long as the collaterals are based on cryptos then they are always vulnerable to hackers, therefore the risks you mentioned cannot be avoided entirely. But what about collaterals based on real world asset (RWA)? Many including our team believe RWA might be the next big opportunity to unleash the full power of DeFi liquidity. It would be definitly an interesting and rewarding to see assets such as corporate bridge loans, pledges of equities, investment margins, etc to be enlisted on Compound.

1 Like

Let me know if there’s any assistance I can offer for this one. I’ve been pretty hands on with RWA at Maker and also seen what a lot of the unexpected pitfalls are.

Sounds good! Our platform is called EntroFi and we launched last month; it is designed to connect DeFi capitals directly with loan borrowers who use real world assets (account receivables, real estate properties, pledges of securities, etc.) or existing NFTs as collaterals. We envision a world where liquidity and assets alike flow freely between on chain and off chain, and therefore would love to work with anyone team or platform who share such vision with us.

This could be the beginning of something truly extraordinary.

It would be great to merge this with a few other suggested onboarding steps I posted here: Asset Onboarding Framework

@TylerEther I saw you link to this thread on @stefan’s post, but I think answering both sets of questions might make decision making easier for voters. I haven’t gotten a chance to work on the framework too much since the initial post, but I would be open to helping another community member work towards a clearer process for adding new assets.

3 Likes

Thanks for linking me to this; totally missed it!

I have been working on extending Compound’s asset onboarding framework with Stefan’s help. The goal is to include as many data points as possible, then eventually find a way to grade the data and establish minimum requirements.

It would be great to collaborate with you @jmo and @getty on this!

3 Likes