We have presented you with the story of the $CRV short saga, of which we focused on the details of liquidation transactions and liquidators. This time, in the research report we will share with you, we’d like to put on the hat of financial researchers to dissect the event using a thorough analysis of token flows.
In this way, we will reveal one of the emerging risks in DeFi — risk associated with liquidity budding from features of DeFi, i.e., flash loans. And we’d like to propose how to monitor and control such risk.
You must already be familiar with the story: a crypto whale failed miserably against a short squeeze and left an uncovered debt on the lending platform AAVE.
Here are the key takeaways from the report:
A crypto whale dumped the CRV market with 92 million CRV borrowed from AAVE. This action resulted in a precise short squeeze attack costing the crypto whale an estimated $20 million and creating a bad debt on AAVE worth about $1.6 million.
The two pull-ups in CRV prices successively caused the shorter’s AAVE position to trigger the liquidation and insolvency threshold. 385 liquidations by 21 unique addresses emptied 63.596 million USDC collateral, leaving 2.456 million CRV unpaid.
AAVE utilizes quotes fed by on-chain oracles to calculate whether the liquidation threshold is triggered, which has a lag of about 10 minutes compared to Binance’s price information.
In between the two price pulls, there were more than 3 hours when the liquidation condition was not triggered due to a temporary price drop. At this stage, AAVE may have missed the best time to adopt a contingency strategy.
We believe the root cause of this event is the transparent nature of a blockchain makes financial information easily accessible, giving attackers more advantages.
However, the current lending protocols are not designed with a risk control mechanism based on timely adjustment according to both price and liquidity information.
We propose creating a feedback control system for DeFi based on safety cushions and liquidity sensors to better address risk in the long term.
The figure below illustrates the dumping steps:
And here is the token flow between Ethereum and OKX:
How did bad debts occur? The following figures merge the facts significant in analyzing the cause of bad debts during the liquidation process.
Where did those liquidators find their capital sources? We manually sort them out with the help of our visualization tool EigenTx. The results are shown in the following tables.
AAVE’s bad debt is not a unique case in terms liquidity risk. Recently, in the BSC ecosystem, the Ankr platform was hacked to issue a large number of aBNBc out of thin air due to a vulnerability, resulting in more than a dozen protocols’ associated pools, including Pancake and Helio, suffering heavy damage.
The moral of these stories is: an asset’s level of liquidity and safety margin can change over its life cycle and is also susceptible to contagion risk by associated assets.
To improve the status quo, we propose a feedback system that combines a safety cushion and various sensors based on real-time liquidity vectors to detect defects and respond in time to changes in the market.
There are so much valuable data and information embedded in the report. Please download the research *Report on Code at Risk: An In-depth Analysis of How AAVE’s $1.6 Million Bad Debt Was Created *and leave your comments and questions.
You can also check out the video we made for the saga:
Follow us via these to dig more hidden wisdom of DeFi: