Last night (2024.2.23) the price of UNI spiked, rising from 7 USD to 11 USD in an instant.
The Compound lending protocol allows users to post other currencies (such as USDC) as collateral to borrow UNI. For a short period after this sudden spike, Compound did not update its price of UNI in time, so the protocol allowed UNI to be borrowed against collateral worth less than the UNI borrowed.
This was discovered by a very small number of people, who borrowed a large amount of UNI against USDC and then sold the UNI for USDC. The amount of USDC they obtained was actually more than the amount of USDC they had deposited in Compound as collateral.
Let me carefully analyze this attack on the lending protocol. The data source is https://bad-debt.riskdao.org/.
The following four addresses profited from the attack:
0x6980a47bee930a4584b09ee79ebe46484fbdbdd0
0x5968ada261a84e19a6c85830e655647752585ed4
0x49bc3cec1fb7978746f742a4e485d0d601831cea
0x2f99fb66ea797e7fa2d07262402ab38bd5e53b12
If you now check the balances of these four addresses on DeBank, you will find that in the Compound protocol each of them has a debt while its collateral is almost zero, as follows:
This screenshot shows that the address 0x2f99fb66ea797e7fa2d07262402ab38bd5e53b12 posted 1.1503 DAI and 0.051715 USDC as collateral in Compound, but borrowed 28702.7973 UNI.
The collateral is almost 0, but the value of the borrowed UNI is as high as 330,000 U. In this case, this address will definitely not repay the UNI debt.
The other three addresses are the same, using almost zero collateral and borrowing hundreds of thousands of uni coins.
These four addresses have borrowed a total of 55,565.9001 UNI. Calculated at the current price of 12 U, the total value is 55565.9*12=666790.8 USDT, a loss of 660,000 U.
Why is it possible to have almost 0 collateral and yet borrow and sell hundreds of thousands of uni coins?
The entire attack logic is as follows:
1. Suppose that at time T0 the market price of UNI is 7 U/UNI, and Compound's price feed for UNI is normal and also 7 U/UNI.
2. Then at time T1 the market price of UNI suddenly skyrockets, instantly reaching 11 U/UNI. But Compound's price feed for UNI has an error and still stays at 7 U/UNI.
3. Then someone discovers that Compound's UNI price feed is wrong and immediately deposits 200,000 USDC into Compound as collateral and borrows UNI. According to Compound's feed price (7 U/UNI) and an 85% lending rate, they can borrow 200,000*0.85=170,000 U of UNI, 170000/7=24285.7143 UNI, that is, about 24,000 UNI.
4. Then they sell these 24,000 UNI on the market (such as Uniswap v3) for USDC. Because the market price is 11 U/UNI, the UNI sells for 24,000*11=264,000 USDC, which is 64,000 USDC more than the collateral. This is the profit.
The following transaction, https://etherscan.io/tx/0xaee0f8d1235584a3212f233b655f87b89f22f1d4890782447c4ef742b37af58d, shows the above logic very clearly.
It deposited 193020 USDC as collateral, borrowed 19748 UNI, swapped the UNI to ETH and then the ETH to USDC, and finally received 195461 USDC, which was 195461-193020=2441 USDC more than the collateral.
5. Once Compound feeds the correct UNI price into the protocol, these debts will definitely be liquidated, and the liquidation will not be clean. Even if the liquidator takes away all the collateral, a large amount of UNI debt will still be left. This is bad debt.
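The five steps above as a small model, added here as an illustration (it is not code from Compound or from the original post): it computes the borrow limit at the stale feed price, the bad debt left once the position is valued at the market price, and a deviation guard that blocks new borrows while the feed disagrees with an independent reference price. The 10% tolerance and all function names are assumptions.

```python
from dataclasses import dataclass

COLLATERAL_FACTOR = 0.85  # the 85% lending rate used in the walkthrough
MAX_DEVIATION = 0.10      # assumed guard tolerance, not a Compound parameter


@dataclass
class Position:
    collateral_usdc: float
    borrowed_uni: float


def max_borrow_uni(collateral_usdc, oracle_price, factor=COLLATERAL_FACTOR):
    """UNI the protocol lends when it values UNI at oracle_price (step 3)."""
    return collateral_usdc * factor / oracle_price


def bad_debt_usdc(pos, market_price):
    """Debt still open after a liquidator seizes all collateral (step 5)."""
    return max(0.0, pos.borrowed_uni * market_price - pos.collateral_usdc)


def oracle_is_stale(oracle_price, reference_price, tolerance=MAX_DEVIATION):
    """True when the protocol price is off the reference by more than tolerance."""
    return abs(oracle_price - reference_price) / reference_price > tolerance


def guarded_borrow_limit(collateral_usdc, oracle_price, reference_price):
    """Borrow limit with the guard applied: no new borrows on a stale feed."""
    if oracle_is_stale(oracle_price, reference_price):
        return 0.0
    return max_borrow_uni(collateral_usdc, oracle_price)


def walkthrough():
    """Replay the article's numbers: 200,000 USDC, feed at 7 U, market at 11 U."""
    borrowed = max_borrow_uni(200_000, oracle_price=7)
    pos = Position(collateral_usdc=200_000, borrowed_uni=borrowed)
    return {
        "borrowed_uni": borrowed,                        # unrounded 24285.71
        "bad_debt": bad_debt_usdc(pos, market_price=11),
        "guarded_limit": guarded_borrow_limit(200_000, 7, 11),
        "normal_limit": guarded_borrow_limit(200_000, 7, 7),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value:,.2f}")
```

The bad debt here comes out slightly above the 64,000 USDC in step 4 because the model keeps the unrounded 24285.7143 UNI instead of rounding down to 24,000.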
Why did Compound have a wrong UNI price feed?
Compound has currently initiated a vote to fix this bug.
This is because Compound prices UNI with double insurance: one source is the Chainlink oracle price feed, and it also uses the Uniswap TWAP (time-weighted average price). But I didn't check how exactly it chooses between the two price feeds. Judging from the current results, both of them must be normal at the same time for Compound to feed prices normally.
When the price of UNI suddenly skyrocketed, Chainlink's price feed was normal, but there was a problem with the Uniswap TWAP price, so Compound's protocol got the wrong price.