Risky Business of DeFi, Compound Token Vote, $8 Million Loan
Good morning defiers! Here’s what’s going on in decentralized finance:
- Compound gets audited by Zeppelin
- Users vote to add two new tokens on Compound
- New CDP tracker shows largest Dai loans
Don’t Underestimate DeFi Risk
Compound Finance’s audit should give all DeFi users a bit of pause.
Smart contract security firm Zeppelin audited Compound, the biggest decentralized lending platform after Maker, and published its findings yesterday. There was no critical vulnerability, but the report should serve as a reminder of the risks users are dealing with in decentralized finance.
Risks that jumped out at me the most from the report are:
1) A group of centralized administrators decide how the protocol works, which assets can be loaned, the interest rate model for each asset, collateral requirements, etc.
“In the hands of a malicious or compromised administrator, these privileges contain the ability to trivially freeze markets, censor transactions or steal all assets from the system,” the report said.
2) Compound team maintains its own price feed.
“Control of the price feed can be used to steal most, if not all, assets from the system.”
3) Humans write smart contract code. Humans make mistakes.
In the second-largest project in DeFi with more than $100 million in smart contracts, Zeppelin found two high severity issues (and no critical issues).
- It’s possible for a borrower to take out a small, short-term loan without having to pay any interest, which can be scaled up to a large loan by consolidating many small loans into a single account. This attack is only profitable for miners as it requires a large amount of gas.
- Compound’s liquidation incentive is intended to encourage behavior that moves all borrowers toward solvency. Under most conditions this works as intended. However, we found that there are circumstances under which liquidation moves the borrower closer to insolvency.
To address 1) and 2), the Compound team intends to replace the existing administrator role with a more decentralized governance mechanism, and it plans to replace its price feed with a system built on its proposed “open oracle system.”
These risks are of course not unique to Compound and users should be extremely careful when using these products. Good questions to ask are: Have the smart contracts been audited? How does governance work? Can the price feed be manipulated?
The oracle issue seems to be the trickiest one because there aren’t many decentralized alternatives. Chainlink is an increasingly popular one. Maker, the biggest DeFi project, uses its own oracle system.
“Maker oracles have been working for more than two years and they’re the most decentralized that I know, but we also have defense mechanisms, just in case,” said MakerDAO’s Mariano Conti, who designed the system. “We have 14 different, independent price sources for the smart contract, and we’ll be adding many more for multi-collateral Dai.”
Still, he says, oracles are many systems’ “weak point.”
Vote on New Compound Assets Started
Compound Finance users are voting on which two new assets will be added to the protocol. Tokens added will be able to earn interest or be used as collateral to borrow other supported tokens, such as Ether or Dai. Users are voting among 12 tokens, including TrueUSD, Tether, Maker and Paxos. The vote will last for 14 days and each vote is weighted by usage of the protocol, to prevent big whales from swaying the vote.
Chris Blec did a good overview of the different tokens on his YouTube channel, and he also made a good point: it seems that lenders using proxy wallets like InstaDApp and Argent can’t participate in the vote. That’s something for all DeFi dapps to consider: what functionality will users be missing by using third-party dapps and, potentially, how to avoid that.
* Update: Argent replied to Chris, saying users don’t interact with a proxy wallet but interact directly with Compound.
The Biggest Loan on Maker is for $8 Million in Dai
Etherscan added new functionality that compiles all outstanding collateralized-debt positions on MakerDAO. The biggest loan was created about a year ago and had issued about 8.3 million Dai, worth about the same in USD. It has a huge collateral ratio of 371 percent and a liquidation price of just under $70, so there’s no imminent risk of liquidation there.
The second-biggest loan is for 4.6 million Dai, and there are only 15 loans of over $1 million. Given the risks I mentioned above, it’s at least good to know there aren’t that many huge Dai loans out there.
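To make the collateral-ratio and liquidation-price figures above concrete, and to show the kind of case Zeppelin flagged where a liquidation can leave a borrower worse off, here is a small position model. It is an added illustration, not Compound’s or Maker’s contract code; it assumes a single collateral asset, a 150% liquidation ratio (Maker’s single-collateral Dai parameter) and a hypothetical 5% liquidation incentive paid in seized collateral.

```python
from dataclasses import dataclass

# Simplified over-collateralized lending position (a Maker CDP or a Compound
# borrow). Assumptions for this example, not protocol parameters pulled from
# either codebase beyond the 150% Maker liquidation ratio.
LIQUIDATION_RATIO = 1.50       # position becomes liquidatable below 150%
LIQUIDATION_INCENTIVE = 0.05   # liquidator seizes repaid value * (1 + 5%)


@dataclass
class Position:
    collateral: float   # units of collateral asset (e.g. ETH)
    debt: float         # Dai owed
    price: float        # USD price per unit of collateral (the oracle input)

    def collateral_ratio(self) -> float:
        return self.collateral * self.price / self.debt

    def liquidation_price(self) -> float:
        # Price at which collateral_ratio() falls to LIQUIDATION_RATIO.
        return self.debt * LIQUIDATION_RATIO / self.collateral

    def is_liquidatable(self) -> bool:
        return self.collateral_ratio() < LIQUIDATION_RATIO


def liquidate(pos: Position, repay: float) -> Position:
    """Liquidator repays `repay` Dai and takes collateral worth repay*(1+incentive)."""
    seized = repay * (1 + LIQUIDATION_INCENTIVE) / pos.price
    if repay > pos.debt or seized > pos.collateral:
        raise ValueError("repayment exceeds debt or available collateral")
    return Position(pos.collateral - seized, pos.debt - repay, pos.price)


def liquidation_improves_solvency(pos: Position, repay: float) -> bool:
    # (C - X(1+i)) / (D - X) > C / D  holds exactly when C / D > 1 + i, so a
    # position whose ratio is already below 105% moves further from solvency
    # with every liquidation, which is the failure mode the audit describes.
    return liquidate(pos, repay).collateral_ratio() > pos.collateral_ratio()
```

Because `price` is the oracle input, re-running `is_liquidatable` with a manipulated price shows directly how much of a position’s safety rests on the feed.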