Formal process for new collateral assets

I encourage the Compound community to adopt a more formal process for adding new collateral assets. Each new asset adds existential risk to the entire protocol, yet in some cases the governance discussion has omitted important security questions.

Before creating a governance proposal (like #56) to add new collateral, at a minimum we should answer the following questions about the asset:

  • Who audited the collateral token contract? What security issues were raised in the collateral token’s audit reports? Are any of these relevant to its use as collateral in Compound?
  • Can the collateral token contract be upgraded? Who is authorized to make an upgrade? Can an upgrade happen instantly or is there a time-lock delay? Under what scenarios could an unauthorized upgrade occur? How many people or organizations would need to be compromised?
  • Does the collateral token contract have a fixed supply? If new tokens can be minted, are there any scenarios where tokens can be minted without proper authorization? (For example, centralized wrapped assets like WBTC and USDC may be vulnerable to insider collusion or external hackers.)
  • Are there any large token holders? Who are they and what security procedures protect their accounts? If a single holder owns enough of the token to use it as collateral to borrow a significant fraction of Compound assets, then a hacker who steals these tokens may be able to “sell” them on Compound by supplying them as collateral and “borrowing” clean assets. The existence of this exit ramp may in itself increase the incentive to hack such large wallets.
  • How much CEX and DEX liquidity exists for the collateral asset? This liquidity supports the liquidation process when the collateral asset is seized (and probably sold). Deep liquidity also defends against market price manipulation with the intent of triggering a cascading liquidation event.

For reference, recent examples of collateral discussion:

4 Likes

second. …

I agree.

What is the threshold for ‘large’?

It seems relative to the asset’s liquidity.

If the asset has lots of slippage on DEXs, a hacker may use Compound to exit.

If hackers use Compound, the hack may not greatly impact the price of the underlying asset. If there’s enough liquidity across exchanges, liquidators could exit without damage to Compound.

Likelihood of hacker using Compound depends on DEX slippage.
Damage of hacker using Compound depends on liquidity across all exchanges.

So, what is the threshold for ‘large’?

1 Like

You are right, what matters isn’t whether there are “large” holders but whether the Compound liquidation system can protect its suppliers if such a holder were hacked. The liquidation system is vulnerable to a price decline that is so large and so fast that borrower positions become insolvent before they can be liquidated. For example, if an asset has a collateral factor of 70%, then a sudden price drop of more than 30% can create underwater positions. These positions will be repeatedly liquidated until no collateral remains, but their debt will not be fully repaid.

The scenario I have in mind: A project treasury (or exchange hot wallet, etc) holding token XYZ is hacked. The hacker sells whatever they can via DEXes, causing a 30% price decline. The hacker supplies the remaining XYZ tokens as collateral to Compound, borrows ETH worth 70% of their value (at the old price), and walks away from the XYZ collateral.

Now the question is how the market responds to the instantaneous 30% drop in price on DEXes. If the global market price is resilient, then liquidators will be able to repay all the XYZ-backed debts without needing to seize all the XYZ collateral. However, during this process sales of seized XYZ will cause further downward pressure on global XYZ prices, possibly creating insolvent positions and protocol losses.

So deciding what is “large” means guessing how the market would react to a cascading liquidation event that dumps XYZ on the market from both the hacker’s abandoned position and from innocent XYZ-backed borrowers whose positions are suddenly vulnerable due to the event. It could be that the market could absorb the hacker’s position alone, but is overwhelmed by the subsequent avalanche. This depends on both global market liquidity and patterns of collateral use in Compound (and other) borrowing markets.

I don’t have a good answer. In the end I think it a subjective decision based on as much objective evidence as we can find.

1 Like

On Coingecko they list a market depth of +/-2% in price. For 70% CF, maybe we would care about +/-30% market depth.

Somehow Coingecko (also other sites like coinmarketcap) has information for -2% market depth. Maybe they could tell us -30% market depth?

That may be impossible – they don’t know what new orders will be placed as prices drop. Most limit orders are likely near the current price, which would allow them to get an idea of +/-2% market depth.

Pause Risk
Pausable tokens represent a risk to Compound because a pause of token transfers could prevent liquidation.

If pausing happens because of a vulnerability, the pause could coincide with a price decrease. During the pause, Compound would not be able to liquidate bad debt. This is a risk to all markets.

The size of the risk is the collateral factor times the current value of the paused market’s collateral. The risk is likely to be focused on stable coins because they are the most frequently borrowed. But, even though volatile assets may not be the primary assets borrowed, they could also be at risk if their reserves are low.

Pause risk might be limited by a Collateral Cap or Supply Cap.

If a market is paused during a downturn, the result would look like slow liquidation.

The price drops. Debts are not repaid. The difference between the value of the collateral and the borrowed assets represents the damage to the reserves. If the difference exceeds the reserves, this could lead to a bank-run.

See the reserves per asset to know the size of Supply Cap/Collateral Cap needed to mitigate this risk.

Who can pause the asset?
Under what circumstances would they pause?

1 Like