Vitalik: Uniswap v2 Price Predictor Can Withstand Lightning Loan Attacks

Recently, after the bZx attack , the discussion about "oracles", "lightning loans" and "management keys" has become more and more, and the DeFi ecosystem is experiencing a short period of pain.

In this regard, Ethereum co-founder Vitalik Buterin also had to stand up and maintain stability. He retweeted a tweet from Uniswap founder Hayden Adams today and commented:

"The planned Uniswap v2 price predictor is designed to withstand recent lightning strikes."

• Take Mentougou as an example: Do investors in FCoin have a future?
• Coin price soared, 51% attack, "destruction" and "reputation" on the way of reducing Bitcoin Cash (BCH) production
• Don't blame "Lightning Loan", bZx is attacked by it

Is it really so?

Let's take a look at the recommended article in this tweet, " When will Uniswap be a good oracle ?" 》

The author is a member of the security analysis platform Gauntlet and a Stanford doctoral student Guillermo Angeris.

The following is the translation:

Uniswap has become a very popular alternative to traditional order book exchanges, and it has also become a common method of measuring the relative price between two currencies (commonly known as the 'price oracle'). It's a bit surprising that, although the basic idea of ​​Uniswap is very simple, its actual effect is quite good: In the "real world", Uniswap seems to accurately estimate compared to a much larger exchange. The relative price of two assets.

Uniswap's stability is also surprising because it does not seem to be affected by bad actors who try to manipulate prices for private gain. These results may be the intuition of Uniswap users, as they have seen it perform in the wild. For skeptics, our analysis creates a mathematical framework for the condition that "Uniswap is a good oracle." In a recently published paper that has been accepted by Cryptoeconomic Systems 2020, we performed an analysis of Uniswap and hope to share some results with a wider audience before the conference.

Constant-product markets

Uniswap is a special example of a constant product automatic market maker (commonly referred to as the constant product AMM). The idea is as follows: we have a contract (or exchange) that has a reserve of some tokens "A" (containing tokens like R) and a reserve of some tokens "B" (containing tokens like R ') .

An agent who wants to buy the token "B" Δ'coin must invest enough tokens "A" to keep the reserve product constant. In other words, if the agent wants to buy the token "B" Δ'coin from the reserve, the agent must put the Δcoin of the "A" token into the reserve so that the new reserve product is the same as the old reserve product:

Equation (1) can be easily used to derive the quantity we will use. For example, the Uniswap price mᵤ of the coin "A", relative to the definition of the coin "B", is the marginal price of buying the coin "A" with a certain amount of coin "B".

This is equivalent to the average price of buying an infinitely small number of coins "A" with coin "B", we can plot it as the slope of the price at Δ = 0:

In the next section, we will associate the marginal price of Uniswap with the real market price (spoiler: they are equal without charge and under general assumptions).

Note: As of now, the constant product formula (equation (1)) does not include any transaction costs. For simplicity, we will assume for the remainder of this article that this case is free, but most of the statements we make here are basically consistent with expectations in the fee case.

Arbitrage and what it tells us

To show that Uniswap's price should be relative to the price of the reference market, we need to assume how these markets interact.

In financial mathematics, a very common and simple method is to say that there is no arbitrage. In other words, we will assume that it is impossible to make money for free by trading between these two markets without bearing any risk.

Therefore, we can prove that if mᵤ ≠ m (where m is the reference market price), then there must be a transaction small enough for the agent to obtain a positive profit, which means that mᵤ = m under this assumption.

To prove this, we assume that mᵤ> m, then, by defining mᵤ, there is a sufficiently small coin "A" input, such as Δ, like this:

Given the Δ of the coin "A", Δ 'is the output of the coin "B".

Similarly, for the market, there are transactions small enough that mΔ ≈ Δ '', but since Δ '' <Δ '(because mᵤ> m), we can easily pass Δ' 'on the open market. Trade Δ for easy profit, then trade Δ 'in Uniswap with Δ, that is, our profit is positive (because Δ' '-Δ'> 0). Note that although this derivation is not completely rigorous, it basically follows a mathematical proof.

Since we can make a similar statement when mᵤ <m, we conclude that mᵤ = m without arbitrage. This means that if we assume no arbitrage and transaction fees, then the market price of Uniswap must be equal to the real market price ! Of course, the no-arbitrage assumption is only roughly true in practice, so Uniswap may deviate from the real market price, especially within a block or a small number of blocks . A more detailed analysis shows that under many market models, the real market price will be very close to the Uniswap price, which is verified by agent-based simulations. For more information, see section 2 of the paper. Note: Similar (but weaker) statements apply when there are transaction costs: γm ≤ mᵤ ≤ γ⁻¹m, where (1-γ) is a percentage of the transaction fee. As mentioned earlier, for more information, see section 2 of the paper.

Uniswap's excellent characteristics

Uniswap also has some nice features that reinforce our belief that it is likely to be a good oracle in practice.

More specifically: (a) it is not possible to deplete Uniswap's reserves simply by trading coins in the market ; (b) increasing liquidity to the market is the right approach because it reduces the transaction costs of specific coins and increases The cost of manipulating the oracle.

Boundaries of reserves

It is not difficult to prove that no transaction can drain Uniswap's coins. Since k = R'R, then through the AM-GM inequality (mean inequality) we get:

This immediately means that the sum of the possible reserves is bounded by the square root of the product k. By definition, k is always constant after each transaction, so the sum of reserves is always far away from zero.

Increase liquidity and reduce transaction costs

There are several ways to prove this fact, but the simplest point is that, given the input Δ of the coin "A", we get:

Using the fact that R = m = R 'without arbitrage, the output of coin B is equal to:

For a fixed marginal price mᵤ, it increases in R '(note that the denominator decreases as R' increases). Therefore, the higher the available reserves, the greater the output for a given input. This is very intuitive for many users who use the Uniswap protocol. With more liquidity pools, they will see less slippage.

Price manipulation is expensive (when making large changes)

In fact, the cost of manipulating the Uniswap price to any fixed amount is linearly related to the amount of reserves and the number of blocks, which can be expensive in many practical situations, although we have noticed that there is very little or short-term disturbance to the price Will be relatively cheap . Now, suppose the attacker wishes to manipulate the price of Uniswap mᵤ to a certain amount p> m (where m is the market price), then the cost of this single operation (for example, for a single block) is at least:

(For derivation, see Appendix E of the paper), if we assume p ≥ (1 + ε) m and ε> 0, then since C (p) is increased in p (p> m), we get at least the cost Yes:

As far as we know

as well as

Where K is at least 1 / (32√2). Finding this lower bound for C (ε) is a bit tricky, and relevant arguments can be found in Appendix E of the paper. As mentioned earlier, this lower bound is related to a constant factor, but the constant K given here is a very weak lower bound (thus, this particular choice should be used only as a rule of thumb, not as an exact number).

In fact, the linear relationship between cost and reserve R illustrates the importance of large liquidity pools for robustness . On the other hand, since ε is small and the cost is squared, it is possible for an attacker to manipulate the price reported in Uniswap for a long period of time without spending too much .

For example, if R = 1000 ETH in the reserve pool, the attacker can manipulate the price by ε = 1%, which is approximately C (.01) ≈ 0.025 ETH per block (the lower bound here is quite weak, giving C (.01) ≥ 0.002 ETH).

Please note that this manipulation is possible in practice, so we will warn that any protocol should not rely on very small changes in the prices reported by these oracles, nor should it depend on a very short period of time Price reported within .

In other words, manipulations can quickly become expensive when trying to make major price adjustments, which is one of the reasons we have not observed large-scale manipulations of the Uniswap market.

in conclusion

Although Uniswap is relatively simple, it seems to have good theoretical properties, which shows that in practice, it can have stability as a decentralized market and price predictor. Furthermore, the statement above does underscore the importance of having a large reserve pool in Uniswap, as all results depend on it in some way.

As mentioned before, the above is only a small part of the statement in the full paper, and readers interested in details and proofs should look at the paper!

appendix

When the bZx attack occurred on February 15, 2020, the attacker used a loophole in the bZx smart contract logic to consume contract funds. We must reiterate the importance of the above conclusions.

As far as we know, this attack does not rely on oracle operations, but involves multiple transactions executed in a single block.

In particular, if the attack can be performed in a block, the cost of manipulation is very small (the cost is basically just the transaction cost), so it is quite feasible in most cases, because the boundaries given above do not apply .

This underscores the importance of our warnings in the "high cost of manipulation" section:

(a) it may be unwise for the contract to rely on a small change in Uniswap price (this attack proves that the cost is quite cheap); (b) the contract should not be based on the price reported by Uniswap for a short period of time; Judging from the content of the article, it seems that the conclusion that V God "is able to withstand the lightning loan attack" seems a bit exaggerated. He may just want to express that he is optimistic about this solution.

What do you think?

We will continue to update Blocking; if you have any questions or suggestions, please contact us!