Suppose you have 500,000 DAI, would you choose to deposit in Compound?

Translator's Foreword: The current DeFi ecosystem is developing very fast. No, Coinbase has just announced a $1 million stable currency in the loan agreement Compound and dYdX . Does this mean that these agreements are safe and can we participate in investment?

Of course, it is not that simple. The CEO mentioned below is attracted by the high interest rate of Compound borrowing. It has 500,000 DAI in his hands. However, after doing a detailed investigation, he chose to wait and see.

what on earth is this kind of happenings?

Here is the translation of the article he wrote:

• Facebook Libra applies for payment system license to Swiss Finance Authority (FINMA)
• Shouldn't you go to the main network in 2019? The data shows that a large number of tokens are negatively growing
• The employee remotely steals 100 bitcoins from Bitland and was sentenced to one year and three months in prison.

You may have heard of Compound, they built compound.finance on Ethereum, which allows you to lend money to ETH, DAI, USDC and some other ERC20 tokens, and then earn interest.

Today, DAI's lending annual income on this platform is 10%, which is high enough for Ethereum fans to look back (see below).

As the CEO of SpankChain, my job is to manage the company's reserves, which also includes 500,000 DAI. Based on 10% annual interest, if we don't put these DAIs into the Compound, then the monthly book will cost $4,000. This is an opportunity cost, but keep in mind that there is no free lunch in the world, all investments are risky, and financial management on Compound is no exception .

Last month, I spent some time evaluating several risks associated with managing money on Compound:

1. Contract security risk;
2. Single point of failure risk;
3. Run risk

I divide the survey into the following categories, but the most important ones are:

1. Its smart contract security seems to be guaranteed;
2. Compound is a managed system. If their management private key is leaked, all the funds in the loan pool may disappear.
3. When you are lending on Compound, you can't withdraw money at any time. If you try to withdraw money and all the money is locked in the outstanding loan, your withdrawal transaction will fail;

I hope these lenders understand these risks…source:https://defipulse.com/compound

First, contract security

In fact, many well-known smart contract security companies in the industry have audited the compound contract.

1. OpenZeppelin audit report ;
2. Trail of Bits audit report ;
3. Certora audit report ;

In addition, Compound provides up to $250,000 in vulnerabilities for critical vulnerabilities (defined as the ability to steal more than 1% of funds, or freeze more than 10% of funds). As far as I know, there is no independent security company. The researcher got the bonus.

These contracts also hold $20 million in funds for more than six months, hold $50 million for more than two months, and currently hold more than $100 million in contractual holdings. Personally, the most important measure of contract security is the total amount of money held in the contract* the time the contract is held. So far, the performance of the Compound is worthy of recognition.

Based on the above factors, I think Compound's smart contract is safe.

Second, the risk of single point of failure

I am not a smart contract professional myself, so I found Samczsun to help. He was famous for finding a key vulnerability in the 0X contract (although the 0X contract was audited by top security companies), then he Received $100,000 in compensation.

Then, the professional gave a single point of failure risk for Compound (my focus):

Compound v2 has four different management locations, which are set to three different addresses:

1. Each cToken has an administrator. Currently, all cToken managers are set to 0x8B8592E9570E96166336603A1B4BD1E8DB20FA20;
2. Each cToken also has an auditor (comptroller), currently set to 0x3d9819210A31b4961b30EF54bE2aeD79B9c9Cd3B. This unitroller also has a manager, which is set to 0x8B8592E9570E96166336603a1b4bd1E8Db20fa20;
3. The current price oracle has an anchor management (anchor admin) and poster, respectively set to 0xF06e41aDD8A7E7A8aD81a07C0ACA291E4573ca50 and 0x3c6809319201b978D821190Ba03fA19A3523BD96;

By accessing cToken management rights, an attacker can replace the auditor (comptroller) implementation, which will allow them to perform one or more of the following operations:

1. Prevent the transfer of an existing cToken by returning a 'false' value from transferAllowed;
2. Transfer the cToken as a collateral by returning a 'true' value from transferAllowed ;
3. Prevent the generation of a new mintAllowed returning a 'false' value from mintAllowed;
4. Prevent redemption of existing redeemAllowed returning a 'false' value from redeemAllowed;
5. Prevent the return of existing borrowing by returning a 'false' value from repayBorrowAllowed ;
6. Prevent liquidation of borrowing by returning a 'false' value from liquidateBorrowAllowed;
7. Stealing the user's cToken by returning a 'true' value from seizeAllowed;
8. Prevent borrowing of underlying assets by returning a 'false' value from borrowAllowed ;
9. Deplete all underlying assets by returning a 'true' value from borrowAllowed ;

By accessing the cToken's management rights, the attacker can also replace the interest rate model, which will allow them to do the following:

1. Increase the borrowing rate to 0.0005% per block.

And by accessing the current Unitroller agent's administrative rights, an attacker can:

1. Replace the implementation of Unitroller, if they can replace the cToken auditor, this will allow them to perform the same attack, but this is the cToken (100%) for all using Unitroller;
2. Change the clearing bonus, which will allow the attacker to obtain a disproportionate token during the liquidation;
3. Change the price oracle, which will allow the attacker to provide low prices for existing cTokens (such as ETH, WBTC, etc.) and borrow at a low price;
4. Changing the cToken's side factor, when combined with the ability to add a new cToken and the ability to change the price of oracle, an attacker can exhaust all assets by borrowing the token they created;

And through the anchor admin access to the price oracle, the attacker can:

1. Deviating the price of an asset from its true value by 10%;

And through the poster access to the price oracle, the attacker can:

1. Deviate the price of an asset from its storage value by 10% per hour;

And by simultaneously accessing the anchor admin and the poster of the price oracle, the attacker can:

1. Set the asset price to any value;

Summarize the report of Samczsun: Compound's protocol design allows the central manager to modify it. Important contracts only point to a single contract address, which has their implementation logic, and the administrator has the right to change these address pointers at will. Because all cTokens use the same manager, if the manager key is compromised, all assets stored in the Compound will be easily exhausted .

Sam also mentioned some of the more awkward attacks, but in reality, attackers are more likely to choose to take money instead of pursuing more sophisticated attacks.

OpenZeppelin has a useful description of this in their Compound audit summary :

“However, when the authority is in the hands of a malicious or compromised manager, they can freeze the market, review the transaction, or steal all assets from the system. Similarly, after controlling the price feed, the attacker can steal large from the system. Some, if not all, of the assets. Currently, all active market managers are the same account."

Interestingly, these are not mentioned in the report audited by the Trail of Bits team. In addition, Compound's FAQ page also deliberately played down the administrator's permissions, and did not alert you to the possibility that funds may be exhausted:

"Compound Labs, the development team of the agreement, currently controls the Ethereum address 0x8b8592e9570e96166336603a1b4bd1e8db20fa20, which is the protocol manager. The manager address has the right to support additional assets, upgrade price feed oracle, upgrade interest rate model and risk model for the upgrade agreement."

Another point to note is that the current hosting settings of the compound itself will not make their system unsafe. They are very active in protecting the security of the management keys and may work with a16z-led hosting providers. However, before I decide whether to deposit 500,000 DAI, I still need to think twice.

Run risk

The following tweet comes from the chief operating officer of Dharma, a competing lending platform. He asked me to jump into a rabbit hole and then want to know what the risk of the run on Compound looks like.

The usage rate mentioned in the quoted tweet is 98.62%, which means that 98.62% of the DAIs deposited by the lenders were loaned to the borrower. Only 1.38% of DAI is available for withdrawals, so only a small percentage of lenders can withdraw DAI if they wish.

If enough DAI lenders (cDAI holders) wish to take back DAI at the same time, their withdrawals may exhaust the available DAI, increasing utilization to 100% and preventing any further withdrawals. Lenders trying to exit will only see their transactions fail and will be forced to wait until more borrowers have paid off their loans before they can withdraw.

Because there may be trapped in cDAI, people are worried about it, and once they have concerns, it will lead to problems . That is to say, in the event of a run, a group of cDAI holders try to withdraw their DAI all at once, and this may simply be because there are enough cDAI holders to worry about this happening.

Lenders caught in cDAI runs either choose to wait for their DAI, or choose to sell their cDAI, and then exchange for DAI, which will incur transaction costs. If many other lenders also sell cDAI at the same time, cDAI may occur. The price plummeted. If the lender chooses to wait and holds cDAI, they will still generate interest during this period.

How does Compound solve this problem?

The Compound team is very honest about this liquidity risk, and they clearly stated in the white paper:

“The agreement does not guarantee liquidity. Instead, it relies on an interest rate model to motivate liquidity. During periods of extreme demand for assets, the liquidity of the agreement (tokens that can be withdrawn or borrowed) will fall; when this happens, Rising interest rates, stimulating supply, and then inhibiting borrowing."

Compound determines the borrower's interest rate for each cToken based on the cToken-specific "interest rate contract." The contract currently implements the interest rate model of cDAI, and its formula is:

Borrower's annual interest = benchmark interest rate + (multiplier * utilization)

For cDAI, the benchmark interest rate = 5% and the multiplier = 15% (the value is hard-coded into the contract). At 100% utilization, the interest paid by the borrower is 20%. This means that when DAI is used to its fullest extent, borrowers will only be motivated to repay the loan at a 20% interest rate – if they think ETH (used as loan collateral) will rise by more than 20% in a year, then They have no incentive to repay the loan. This may make many cDAI holders… hold cDAI for a long time.

The only tool that Compound can solve this problem is to use a central management account to upgrade their interest rate model, which is what they did when they increased utilization to ~99% six weeks ago.

In summary, if the utilization rate reaches the maximum, there is a liquidity crisis, and when the run-off risk increases, all lenders can only hope that Compound can use its own strength to update and raise the borrower's interest rate to motivate them to repay the loan. People who want to quit provide mobility.

to sum up

Protocols like Compound, wandering between centralization and decentralization, weighed the ability to quickly upgrade and the centralized point of failure they had to introduce.

I don't blame Compound for choosing to lead their products in a centralized way (it's obvious that it's working, otherwise I won't write this article), but I really want their smart contracts to achieve the highest Standards, especially they should clearly indicate the risks to the user.

Basically, we should encourage the project side to do the opposite of Robert Leshner (Compound CEO):

Technically, this may be true, but we all know that the administrator account may be abused by other means…

I have not decided to save my DAI to Compound. Maybe I should start with 100,000 DAI? In that case, I can only choose to trust Compound.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!